Alistair Sloan, Advocate – Criminal law, family law, information law and public law

Request or Ruse? When SARs Cross the Line

March 25th, 2026
The European Court of Justice issued its judgment in Brillen Rottler GmbH & Co KG v TC (case C-526/24) last week (19 March 2026). This is an important judgment in relation to subject access requests and, in particular, when they can be deemed “excessive” pursuant to Article 12(5) of the GDPR.

Background

In March 2023, TC, who resides in Austria, subscribed to the newsletter of a family run opticians in Arnsberg, Germany (Brillen Rottler) by entering his personal data into a form on the company’s website for this purpose. Less than two weeks later, TC sent a subject access request to the company. The request was refused by the company, within the initial month allowed for a response, on the basis that it considered the request to be abusive in terms of Article 12(5) of the GDPR and called on TC to withdraw his request. TC pressed for a response to his subject access request and, in addition, now sought compensation in terms of Article 82 of the GDPR in the amount of €1,000. The company raised proceedings in the Local Court in Arnsberg seeking declarator that TC was not entitled to any compensation.

In support of its position, the company asserted that TC systematically and abusively makes requests for access to his personal data for the sole purpose of obtaining compensation for an alleged infringement, which he himself deliberately provokes. The company asserted that TC’s approach was to subscribe to a newsletter, then makes a subject access request and finally submit a claim for compensation.

Reference to the European Court of Justice

The Local Court in Arnsberg referred eight questions for a preliminary ruling under Article 267 of the TFEU. In essence, those questions sought a preliminary ruling on the following issues:
1. Whether it is possible that a first subject access request made to a controller by a data subject may be regarded as excessive within the meaning of Article 12(5) and, if so, in what circumstances.
2. Whether the right to compensation under Article 82 of the GDPR conferred a right to compensation resulting from an infringement of the right of access provided for in Article 15.
3. Whether Article 82(1) of the GDPR includes non-material damage suffered by the data subject for the loss of control over their personal data or their uncertainty as to whether the data have been processed.
4. Whether a subject access request from a data subject constitutes processing within the meaning of Article 4 of the GDPR.
Judgment of the European Court of Justice

The first issue: abusive subject access requests

The ECJ answered this in the affirmative holding that a first subject access request by a data subject can be regarded as excessive where the data subject has an abusive intention in making the request. The starting point for the ECJ was that, in the absence of a definition of what amounts to excessive in the GDPR, it was necessary in interpreting the concept “to consider not only the wording of article 12(5) of that regulation, by reference to its usual meaning in everyday language, but also the context in which that provision occurs and the objectives pursued by the rules of which it is part.” [24] This approach by the ECJ is entirely in line with the domestic approach to statutory interpretation and therefore the ECJ’s answer is likely going to be a very good indication as to the approach the domestic courts will take in interpreting the equivalent provision in what is now the United Kingdom General Data Protection Regulation (“UK GDPR”).

The court went on to hold that the everyday meaning and usage of the word “excessive” did not rule out the possibility that a first request made to a controller by a data subject may be excessive. [25] The use of the words “repetitive character” in Article 12(5) was only by way of an example, there does not need to be a large number of requests to the controller from a data subject before a request may be deemed excessive. [26]

The court then went on to hold that this conclusion was supported by the context of the provision. Article 12(5) provides an exception to the obligation on controllers to facilitate the rights of data subjects (in this context, the right of access) in the face of a request which is manifestly unfounded or excessive. [29] The court went on to state that the interpretation of the concept of “excessive requests” in Article 57(4) could be transposed to the present case, under reference to the court’s judgment in Österreichische Datenschutzbehörde v FR. [30] Therefore, even in relation to a first request, a controller can rely upon the exception to their general obligation found in Article 12(5) where they establish that there has been an abusive intention on the part of the data subject. [31] In this context abusive refers to an abuse of rights rather than to the content of the request being abusive. The court goes on to state, at [34], in the context of the non-absolute nature of the right to protection of personal data and the need to balance it against other fundamental rights:

“Therefore, in order to ensure that that balance is achieved by means of that exception, and that it is effective, the relevant criterion for a finding of abusive conduct is the excessive character for the request for access, which is to be assessed qualitatively, in accordance with paragraph 26 of the present judgment, and which cannot depend solely on the number of requests for access made by the data subject and thus on whether it is the data subject’s first request.”

Turning to the specific circumstances in which a data subject’s first subject access request may be excessive within the meaning of Article 12(5), the court pointed to the aim of Article 15, as read with recital 63, “is to confer on a data subject the right of access to personal data which have been collected concerning him or her and to exercise that right easily and at reasonable intervals in order, inter alia, to be aware of the processing of those personal data and to verify the lawfulness of that processing, thereby enabling the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure or right to restriction of processing, and his or her right to object and right of action where he or she suffers damage.” [37]

The court state that, in relation to the subjective element, the controller will require to “establish, having regard to all the relevant circumstances of each case, that there has been an abusive intention on the part of the data subject.” [40] It continued that where the request has been made for a purpose other than that of being aware of the processing being undertaken and verifying the lawfulness of that processing, in order to enable the protection of the data subject’s other rights under the GDPR, may be a situation where a request might be excessive within the meaning of Article 12(5). [40] The court confirmed that, in the present case, public information about TC’s tactics could be taken into account in determining whether there had been an abusive intention to the request. [43]

Second issue: compensation resulting from an infringement of the right of access

The court also answered this issue in the affirmative. Article 82 refers to an infringement rather than to a right to compensation in relation to damage arising from the processing of personal data, therefore the right in Article 82 cannot be limited to the latter. [48]

This conclusion, the court states, is supported by a contextual analysis of Article 82 when read along with recitals 141 and 146. [49]-[50] Therefore, where there is an infringement of the GDPR that does not, in effect, involve the processing of personal data there still exists a right to compensation under Article 82, subject to the need to prove actual damage (material or non-material). [54]

Third issue: compensation for loss of control or uncertainty

The court confirmed that, subject to the data subject proving that they have actually suffered non-material damage, the right to compensation under Article 82 does encompass the loss of control over personal data or a data subject’s uncertainty as to whether their personal data has been processed. [67]

Fourth issue: whether a subject access request constitutes processing

In light of how it treated what I have termed in this post “the second issue” (being questions five and six of the referring court), the court considered that there was no need to answer this question in the context of this reference.

Application to the UK GDPR

Since the UK left the European Union, judgments of the European Court (in relation to EU law remaining part of the domestic law in the UK) which have been issued after 31 December 2020 are not binding on courts in the UK, but remain persuasive in terms of the European Union (Withdrawal) Act 2018.

This judgment is therefore likely to be highly persuasive to courts in the UK who are faced with questions concerning the meaning of Article 12(5) of the UK GDPR and also in relation to Article 82 of the UK GDPR. As indicated above, the approach adopted in relation to the interpretation of the GDPR as it relates to the first issue, is in all material respects in line with the modern domestic approach to statutory interpretation as set out in cases such as R (N3 and another) v Secretary of State for the Home Department; therefore, the domestic courts are likely to reach a the same conclusion even without reference to this judgment.

The judgment, especially when considered alongside the amendments made to data protection law by the Data (Use and Access) Act 2025, is likely to give controllers a great deal of latitude in refusing a request, particularly where they have evidence to suggest that a data subject is making a request for purposes other than a genuine attempt to establish the nature and extent of the processing of personal data concerning them and the lawfulness of any such processing. However, a controller who wrongly applies the exemption in Article 12(5) (and thus infringes the UK GDPR by not providing a substantive response) could, subject to the data subject proving material or non-material damage, open themselves up to a claim for compensation. It does not seem that this judgment conflicts with domestic case law, such as Dawson-Damer v Taylor Wessing LLP which concern “collateral” purposes rather than a purely abusive exercise of rights.

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
Scottish Government Consultation on FOI and Care Home Services

January 8th, 2026

The Scottish Government has opened its long-awaited consultation on designating the private and third sector providers of care home and care at home services as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002 (“FOISA”) and the Environmental Information (Scotland) Regulations 2004 (“Scottish EIRs”). The consultation opened on 5 January 2026 and will run until 30 March 2026.

The discussion on whether care homes operated by private and third sector organisations should be covered by freedom of information legislation has been going on for some years now. The question came to prominence in 2020 during the Covid-19 pandemic; however, it would be fair to say that it was going on even before the pandemic.

Scottish Ministers have specific powers under section 5 of FOISA to designate, by order, certain persons as Scottish public authorities for the purposes of FOISA (and consequently the Scottish EIRs as well). Three orders have been made under section 5 of FOISA by the Scottish Ministers, the most recent being in 2019 which designated Registered Social Landlords as Scottish public authorities.

In Scotland both care home services and care at home services require to be registered with Social Care and Social Work Improvement Scotland (“the Care Inspectorate”) who is responsible for registering and regulating care services in Scotland. As the consultation notes, there are existing statutory definitions of care home services and care at home services in schedule 12 to the Public Services Reform (Scotland) Act 2010. Under the 2010 Act, it is the individual service rather than the provider which is registered with the Care Inspectorate. For example, if a single company operates 10 separate care homes in Scotland, each care home has to be separately registered with the Care Inspectorate as a service.

It doesn’t seem clear from the consultation document whether the Scottish Ministers are intending on designating individual services as Scottish public authorities or the provider themselves. The ministerial forward states that “the Scottish Government has been clear that it sees a case in principle that these services may be considered to be public functions, and that statutory FOI obligations should therefore be extended to private and third sector providers of such services.” (my emphasis) However, the consultation then goes on to refer to the statutory definitions in the 2010 Act, and the consultation question asks about services (my emphasis) which are operated by private and third sector organisations rather than the providers of such services. Designation of the individual services rather than the provider of the services may not be within the Scottish Minister’s powers; section 5 of FOISA confers a power to designate a person or persons exercising functions of a public nature (section 5(2)(a)) rather than designation of services of a public nature. Some clarity will be needed around this if designation is to go ahead.

There is to be a general election to the Scottish Parliament on 7 May 2026 and so it will be for whoever forms the next administration in Edinburgh to consider the results of the consultation and make a decision on whether (and to what extent) to exercise the powers under section 5 of FOISA in relation to care homes and care at home services. It will therefore be some time before we know what the results of the consultation are and what decision the Scottish Government will take on the question. If the eventual decision is to designate, it is unlikely that designation will take place before 2027 allowing for the election period and any period allowed for designees to prepare for becoming a Scottish public authority after the order has been made (when the designation power in section 5 has been used in the past, there has been a period of around six months between the order being made and it coming into force).

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
Section 166: a continued disappointment for dissatisfied data subjects

January 6th, 2026

In my first blog post of 2026, I return to a subject that I have written about before: section 166 of the Data Protection Act 2018.

Those who frequently look at decisions of the First-tier Tribunal exercising its information rights jurisdiction will be well aware that in 2025 there were a substantial number of applications under section 166 of the Data Protection Act 2018 struck out by the tribunal (and that this is a continuing trend from previous years). The end of 2025 was no exception with a number of such decisions being published over the Christmas and New Year period.

There continues to be a wide-spread misunderstanding by data subjects as to what section 166 provides. Data subjects have a right, under Article 77 of the UK GDPR and/or section 165 of the Data Protection Act 2018, to complain to the Information Commissioner about how a controller has dealt with a request to exercise their rights (most commonly their right of subject access but it could be other rights such as rectification or erasure). In response to such a complaint the Commissioner has an obligation to investigate the complaint “to the extent appropriate” and to inform the data subject about the progress of the complaint, including whether any further investigation is necessary. If the Commissioner does not provide an update or outcome within three months (or at intervals of three months after each update if no outcome has been reached), the First-tier Tribunal has the power, under section 166(2) of the Data Protection Act 2018 to make an order which requires the commissioner to either take appropriate steps to respond to the complaint or to inform, within a period specified in the order, the data subject of the progress of the complaint or of the outcome of the complaint.

Section 166 does not provide a substantive right of appeal against the outcome of such a complaint. It is a procedural jurisdiction only and is concerned with ensuring that data subjects get a final response to their complaint and are kept up to date with the progress of any investigation that the Commissioner deems to be appropriate. The Court of Appeal (England and Wales) determined in R (Delo) v Information Commissioner that the Commissioner is provided with a broad discretion to decide the level of intensity of any investigation and what action, if any, to take in response to such a complaint (including a decision to take no further action in response to a complaint). The terms of section 166 of the Data Protection Act 2018 therefore do not confer a jurisdiction on the First-tier Tribunal to review the decision of the Commissioner similar to that which is conferred on it by section 57 of the Freedom of Information Act 2000.

It is well known in data protection circles that the Commissioner rarely, if ever, takes any formal enforcement action in response to an individual complaint. Indeed, his office rarely, if ever, carries out an investigation of sufficient intensity to, for example, require a data controller to disclose material withheld in response to a subject access request. The Commissioner does have the tools and power to do so; but does not use his resources in that way. It is open to people to agree or disagree with the Commissioner’s approach, and I shall refrain from commenting on that debate in this post.

During the passage of the Data (Use and Access) Act 2025 attempts were made, notably by Liberal Democrat Peer Lord Clement-Jones, to introduce provisions which would have conferred upon the First-tier Tribunal a substantive jurisdiction in relation to data subject complaints. In essence, Lord Clement-Jones’ proposals would have had the effect of transferring the compliance order and compensation jurisdictions from the courts to the First-tier Tribunal. The proposals were not adopted by Parliament.

Data subjects almost never have legal advice or representation when they make applications under section 166 of the Data Protection Act 2018 to the First-tier Tribunal. It is very easy to see how an unrepresented data subject could read section 166 as conferring such a right (especially if they are familiar with the First-tier Tribunal’s role in relation to decisions of the Commissioner made under section 50 of the Freedom of Information Act 2000) and would proceed without knowledge of the existence of key decisions such as Delo and Killock v Information Commissioner.

So, what options are open to a dissatisfied data subject following a complaint to the Information Commissioner (soon to be replaced by the Information Commission)? Well, specifically in relation to the Commissioner’s decision there is the option of judicially reviewing it in the High Court, the High Court in Northern Ireland or the Court of Session depending on where the data subject is located. That is likely to be an unattractive option because judicial review is also concerned with process and procedure rather than a review of the substantive decision; a successful judicial review would most probably only result in the Commissioner’s decision being reduced/quashed and him having to make a new decision exercising his broad discretion. In short, a judicial review is very unlikely to result in a data subject, for example, receiving personal data withheld in response to a subject access request.

The other option doesn’t involve the Commissioner at all and can be taken without even complaining to the Commissioner: to seek a compliance order against the controller under section 167 of the Data Protection Act 2018. Compliance orders can be sought in the Sheriff Court or Court of Session (in Scotland) or the County Court or High Court (in England and Wales or Northern Ireland). The courts can, in response to an application under section 167 perform what might be termed “a full merits review” of the controller’s handling of the request. The courts can specifically order, for example, the disclosure of incorrectly withheld information (in response to a subject access request) or the rectification or the erasure of personal data where that has been incorrectly refused. The Data (Use and Access) Act 2025 has fixed a lacuna that has existed since 2018 making it clear that the courts can require controllers to make available such information as is available to the controller for inspection by the court without it being disclosed to the data subject until after a final determination in favour of the data subject.

Whether either of these solutions are realistic given their costs and, where it is technically possible to get, the availability of solicitors willing to provide legal aid services for such applications is an entirely separate matter on which I shall offer no commentary in this post. Section 167 applications appear comparatively rare; whether that is down to their cost (and the potential for an adverse award of expenses/costs if unsuccessful), a lack of knowledge on the part of data subjects or a combination thereof is not clear.

I suspect that 2026 will continue to see a flow of struck out section 166 applications as data subjects dissatisfied (rightly or wrongly) with the decision of the controller in relation to their request and the outcome of their complaint to the Commissioner continue to seek to challenge those decisions.

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
Clarifying Costs: The Proper Approach under Section 12 of the Freedom of Information (Scotland) Act 2002

October 12th, 2025

Last week the Second Division of the Inner House of the Court of Session (Lord Justice Clerk and Lords Malcolm and Armstrong) refused an appeal under section 56 of the Freedom of Information (Scotland) Act 2002 (“FOISA”) against a decision of the Scottish Information Commissioner. The decision appealed against concerned the application of section 12 of FOISA by the Police Investigations and Review Commissioner (“PIRC”) in relation to the appellant’s request for information to PIRC.

The Appellant had made a request for information to PIRC seeking the information as to the number of police officers it had arrested since it came into being in 2013. PIRC issued a response to the Appellant advising that the cost of complying would be £108,390, well in excess of the £600 limit applicable in terms of FOISA and the Regulations. PIRC said that in order to comply with the request for information it would need to review 433,588 files as the information requested was not recorded as a matter of routine. Unhappy with this response, the Appellant eventually made an application to the Scottish Information Commissioner for a decision in terms of section 47(1) of FOISA. The Commissioner issued a decision notice upholding the decision of the PIRC; however, the Commissioner also found that PIRC had failed to provide advice and assistance in terms of section 15 of FOISA. The Appellant thereafter appealed to the Court of Session.

The Appellant argued that the Commissioner had failed to take into account the public interest in disclosure of the information in reaching decision that he did. The Court held, at [4], that this proposition was “misconceived.” The public interest test only arises “if a request is refused because of an exempt category of information” in Part 2 of FOISA. [4] Section 12 applies to all request and there was no reliance upon an exemption within Part 2 of FOISA in relation to the Appellant’s request. [4]

The Appellant sought a declarator from the court that PIRC owed a duty of care to keep the public informed as to police officer’s conduct. The court held, at [5], that it had no power to make such a declarator. The functions of PIRC are set out in section 62 of the Police and Fire Reform (Scotland) Act 2012. The court was concerned, in this case, with an appeal against a decision of the Scottish Information Commissioner and whether the Commissioner had erred in law (see [3] and [5]). In any event PIRC were not party to the proceedings (which is very much the norm in Scottish FOI appeals given that the Court of Session does not have the power to order disclosure of withheld information, merely to reduce the decision of the Commissioner and remit it back to him for a fresh determination if the Commissioner has erred in law); the court was unable to “embark upon a review of its performance in general, nor of its record-keeping and data retrieval systems.” [5]

The Appellant argued, in what the court considered as “an arguable error of law” [6], that the Commissioner had erred in law because he had based his decision on PIRC’s current systems for the storage of data. The Appellant considered that PIRC’s systems were “out of date, highly efficient and conducive to a lack of transparency and accountability.” [6] The Appellant argued that the cost estimate given by PIRC “could not be regarded as sensible, realistic and supported by cogent evidence.” The Appellant continued that the Commissioner ought to have had regard to modern automated systems potentially allowing for a less costly response to her system; the Commissioner should have sought expert advice on the subject as part of his investigation.

In refusing the appeal, the Court had regard to the decision of the Upper Tribunal in Kirkham v Information Commissioner [2024] UKUT 127 (AAC), which concerned the equivalent provisions within the Freedom of Information Act 2000 (“FOIA”). The Court, at [10]-[11], cited, with approval, paragraphs 17-20 of Kirkham. In essence, the cost estimate is based upon the way in which the authority actually holds the information at the time the request is made. The Court held that “the Commissioner would have erred had he concluded that the information should be disclosed because the cost of compliance could be reduced to an amount below the limit if PIRC upgraded its systems.” [11] It is not the Commissioner’s role to police the data management procedures of public authorities such as PIRC; his only role is to consider whether it has complied with its duties under FOISA and that is a question which depends upon the terms of the Act. [11]

The Appellant also challenged the Commissioner’s finding that PIRC had failed to comply with the requirements of section 15 of FOISA. The Court was not satisfied that these amounted to an error of law on the part of the Commissioner. [14] These were matters for the Commissioner as a specialist. [14]

The Appellant made other challenges which did not have any merit to them and are dealt with, briefly, at paragraph [12] of the court’s opinion.

As will be known to anyone familiar with FOISA and FOIA, an appeal against a decision of the Scottish Information Commissioner is only on a point of law; there is no full merits appeal from his decisions in the way there is of decisions of the Information Commissioner under FOIA. The Court of Session took the opportunity to affirm that as the Commissioner is a specialist statutory decision-maker, it will afford a degree of institutional respect in relation to decisions within his area of competence. [3] and [14]

The Opinion of the Court in this appeal confirms that the approach to section 12 of FOISA is the same the approach to section 12 of FOIA as explained in Kirkham. If a Scottish public authority has a records management system that is so inefficient and out-dated that it results in it being too costly to search, locate and retrieve information that falls within the ambit of a request for information then the requester simply has to take the authority’s records management system as it exists.

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
First-tier Tribunal Gives Short Shrift to FOI Enforcement Notice Appeal

August 8th, 2025

In March 2024, the Information Commissioner issued an Enforcement Notice to Bristol City Council under section 52 of the Freedom of Information Act 2000 (FOIA) following the issuing of a practice recommendation to the Council in August 2023. The Enforcement Notice was concerned with the Council’s compliance with the requirements of section 10 of FOIA and, in particular, the sizeable number of requests not responded to by the Council within the statutory period. The Council exercised its right of appeal to the First-tier Tribunal which has now (after refusing two strike-out applications made by the Commissioner) dismissed the Council’s appeal.

The issue for the First-tier Tribunal was a narrow one which essentially boiled down to whether the Commissioner ought to have exercised his discretion differently when he decided to issue the Enforcement Notice. The Council contended that there was an error in the Enforcement Notice about what had been required by the practice recommendation previously issued by the Commissioner in relation to the creation, by the Council, of an action plan. The Enforcement Notice stated that the practice recommendation required an action plan which incorporated a recovery plan concerning the backlog of FOIA requests that the Council had. The Council, on appeal, argued that the practice recommendation did not reference the backlog.

The Tribunal gave, it is fair to say, the Council short shrift stating at [32]:

“Having considered all the evidence, we refuse the Appellant’s appeal and conclude that the ICO exercised it’s discretion correctly (it is not suggested that the decision was not in accordance with the law and we do not find that it was). Even if we are wrong on this, we have reviewed the evidence and made our own assessment.”

The Tribunal continued at [34]:

“In the Practice Recommendation, the Council were being asked to achieve 90% compliance – the ICO did not state this was only in relation to the new applications, we note in particular that the ICO did not explicitly exclude the backlog from this 90% target. We have particular regard to the fact that a vast number of messages were exchanged between the parties specifically on the subject of the backlog before the enforcement notice was issued.”

The Tribunal recognised, at [33], that an enforcement notice is not issued solely because a public authority has failed to comply with a practice recommendation and that there is no requirement that the failures to comply with Part 1 of FOIA must have been explicitly raised in a practice recommendation. [33] An Enforcement Notice is not something to ensure compliance with a practice recommendation issued by the Commissioner; it is a tool to ensure compliance with Part 1 of FOIA and carries with it the potential of being dealt with as if in contempt of court if it is not complied with.

What, I think, is far more significant than the overall result in this case, is what the First-tier Tribunal stated at [36] of its decision. It challenges directly a complaint that is often made by stretched public authorities when it comes to FOI: that takes resources away from other areas. Some public authorities continue to see FOI more as a “nice to have” rather than a core statutory requirement. The First-tier Tribunal states:

“We accept the difficulties public authorities have in allocating their scarce resources we accept that complying with these requirements takes resources away from other areas, however the requirement to do so is a regulatory requirement and relates to the statutory right of applicants. It is vital that a public authority abides by such requirements. Significant delays can cause real difficulties to applicants, who often need information within a particular period of time for important reasons.”

This is a clear reminder from the First-tier Tribunal, some 20 years after FOIA entered into force, that FOI is part of every public authority’s core functions. Both FOIA and the Freedom of Information (Scotland) Act 2002 contain carefully calibrated provisions to ensure that FOI spending doesn’t present an unacceptable level of burden on a public authority’s resources; the balance between spending on this core function and on other core functions has been struck by Parliament in the legislation.

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
The Data (Use and Access) Act 2025: Implementation Begins

July 28th, 2025

After much procedural back and forth between the House of Commons and the House of Lords, the Data (Use and Access) Act 2025 (“DUAA”) was enacted by Parliament back in June. The vast majority of the DUAA requires to be commenced by way of Regulations made by the Government and so its implementation will happen in tranches. On 21 July 2025, The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 were made bringing into force, with effect from 20 August 2025, a number of important provisions of the Act pertaining to data protection. The provisions of the 2025 Act which are coming into force are set out in Regulation 2. There are provisions coming into force on 20 August 2025 which I think deserve particular mention.

Court’s Powers in subject access and data portability cases

The newly inserted section 180A of the Data Protection Act 2018, inserted by section 104 of the DUAA, will be in force from 20 August 2025. This provision relates to proceedings brought in the courts concerning subject access requests under Article 15 of the UK GDPR, section 45 of the Data Protection Act 2018 or section 94 of the Data Protection Act 2018 as well as data portability rights under Article 20 of the UK GDPR . This was a provision that I was surprised was not commenced right away, but it is in the first tranche of provisions to be commenced by way of Regulations.

Section 180A of the 2018 Act will, from 20 August 2025, give courts the power to require a controller to make available to the court, for inspection by it, information which is available to the controller where there is a dispute about whether the data subject is entitled to that information under those data subject rights. It also provides, expressly, that until the substantive question of whether the data subject is entitled to the information has been determined in favour of the data subject, the information made available to the court under this section is not to be disclosed to the data subject or their representatives (including by way of recovery of documents). The court cannot require the controller to carry out a search that is more extensive than the reasonable and proportionate search which the controller would ordinarily be required to carry out.

This provision is important because courts could very well be required to consider whether personal data has been properly withheld and, in the vast majority of situations, they cannot (certainly at first instance) really be expected to do so without seeing the withheld information. Supplying the withheld information to the data subject would defeat the object of the proceedings and so, it cannot really be lodged with the court (at least in Scotland) in the normal way.

Consideration will need to be given as to how these procedures will work in practice to avoid issues arising under Article 6 of the European Convention on Human Rights. If the court is going to be determining issues in relation to material that only it and one other party has seen an issue of fairness arises. There may well, in the future, be an Act of Sederunt setting out a procedure to be followed in the Scottish courts, but whether one will come and whether it will be in place in time for the 20 August 2025 remains to be seen. Controllers who find themselves on the receiving end of a section 167 application which challenges the application of exemptions in the context of a subject access request (and those representing them) will likely need to turn their minds early to whether an order under section 180A will be necessary and, especially in the early days if there is no Act of Sederunt, have suggestions as to how the process can be conducted in a manner that is Article 6 compliant and which does not restrict the principles of open justice any more than is strictly necessary.

Duties of the Information Commissioner in carrying out his functions

Sections 120A, 120B, 120C and 120D of the Data Protection Act 2018 will also be coming into force on 20 August 2025. Section 120A is worth particular mention because it provides that the Commissioner’s principal objective when carrying out his functions under the data protection legislation is to (a) secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and (b) to promote public trust and confidence in the processing of personal data. However, this is somewhat tempered by section 120B where the interests of data subjects, other than children, are completely absent.

Sections 120A, 120B, 120C and 120D, at the time of writing, do not appear on the version of the Data Protection Act 2018 published on legislation.gov.uk and so reference will, for the time being, need to be had to section 91 of the DUAA for the wording of the sections. Hopefully, the version of the Data Protection Act 2018 on legislation.gov.uk will be updated to include these provisions before 20 August. Whether these provisions will have any material impact upon the way in which the Information Commissioner regulates and enforces under the UK GDPR and Data Protection Act 2018 remains to be seen, but I suspect that they will not.

Establishment of the Information Commission

The Information Commission will also formally be established as a body corporate on 20 August 2025. It will not, however, replace the office of the Information Commissioner on that date. The provisions of the DUAA which are coming into force with respect to the Commission are those which establish it, not the assumption of the Commissioner’s powers.

With the Commission being formally established, it will allow the necessary preparatory work to be undertaken to enable the Commission to get into a position whereby it can assume the powers, duties and responsibilities of the Information Commissioner. It will allow, for example, the appointment of non-executive members of the Commission by the Secretary of State under Paragraph 3(2)(b) of Schedule 12A to the Data Protection Act 2018. John Edwards doesn’t need to be appointed separately as Chair of the Commission because he will automatically, by operation of law, be the first Chair of the Commission as the person holding office as Information Commissioner on 19 August 2025 (unless something dramatic happens in the next 3 weeks or so).

Amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003

Some, but not all, of the DUAA amendments in relation to Privacy and Electronic Communications (EC) Directive Regulations 2003 (PECR) are coming into force on 20 August 2025. Regulation 5A(2) will be amended to require notification to the Information Commissioner of personal data breaches under PECR to be made without undue delay “and, where feasible, not later than 72 hours after having become aware of it.” Currently only the “undue delay” requirement appears in Regulation 5A.

^{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
When Two Exemptions Tango: The Supreme Court weighs in on the correct approach to balancing the public interest

July 24th, 2025
Yesterday the Supreme Court (Lords Lloyd-Jones, Sales, Burrows, Richards and Sir Declan Morgan) gave its judgment in Department for Business and Trade (Respondent) v The Information Commissioner (Appellant). In this case the Supreme Court was concerned with a discrete issue in relation to the public interest test and how it is to work where more than one qualified exemption applies to information that falls within the scope of a FOI request.

Background

On 15 November 2017 Brendan Montague, an investigative journalist, made a request to what was then the Department for International Trade (now the Department for Business and Trade) for information concerning trade working groups that had been established by the Department as part of the work being undertaken in preparation for the United Kingdom leaving the European Union following the 2016 referendum. The request ended up before the First-tier Tribunal on an appeal by Mr Montague against a decision of the Information Commissioner upholding the decision of the Department to withhold information. Before the FtT the main issue was whether the contents of agendas and minutes should have been withheld or disclosed. The exemptions in play were sections 27 (international relations) and 35 (formulation of government policy) of the Freedom of Information Act 2000 (FOIA). The First-tier Tribunal issued its decision, allowing the appeal in part, in July 2020.

Both Mr Montague and the Department appealed to the Upper Tribunal, which allowed the appeal by Mr Montague and dismissed the appeal by the Department. By this time the issue of how the public interest test should be approach where multiple qualified exemptions apply to the same information was a primary area of focus. The Upper Tribunal held that that the FtT had misdirected itself when it decided that it could and should aggregate the public interests in maintaining different exemptions rather than considering the public interest in relation to each exemption separately.

The Department appealed to the Court of Appeal, which allowed the appeal determining that the Upper Tribunal had been wrong to reject the aggregated approach which had been adopted by the First-tier Tribunal.

The Information Commissioner appealed to the Supreme Court with Mr Montague intervening in the appeal. The Supreme Court, by a majority of 3-2 (Lord Richards and Sir Declan Morgan dissenting), dismissed the appeal upholding the decision of the Court of Appeal.

Judgment of the Supreme Court

The majority judgment was given by Lord Sales and Lord Burrows (with whom Lord Lloyd-Jones agreed). The majority recognised that the interpretation advanced by the Information Commissioner and Mr Montague was not one which was impossible to take; however, they took the view that it is not the correct one. [34]

The majority judgment states, at [35]:

It is particularly important to have in mind that one is ultimately concerned under section 2(2)(b) with a public interest assessment. Given that that is so, it is a natural inference, because it enables a more complete and accurate picture of the public interest to be obtained, that all the specified public interest reasons for non-disclosure of the information, under the identified qualified exemptions, ought to be taken into account and weighed against the public interest favouring disclosure of the information. One is otherwise ignoring relevant public interest considerations against disclosure of the information even though they have been specified in FOIA as reasons for non-disclosure of the information.

In their judgment, the majority give six textual indications in section 2(2) that the the cumulative, or aggregate, approach is to be preferred over the individual approach advanced by the Information Commissioner and Mr Montague:
1. Section 2(2)(b) uses the words “any provision of Part II” rather than “a provision of Part II”. The words used refer to one or more provisions of Part II and that this approach is supported by section 6 of the Interpretation Act 1978. [38]
2. That the words “in maintaining the exemption” do not relate to the exemption in part II, but rather, relate to the exemption from the duty of disclosure in section 1(1)(b). That the words used by parliament indicate that the issue is the overall result of the public interest balancing exercise. [39]
3. That the words “the public interest in maintaining the exemption” refers, on a natural reading of the words, to the public interest across all the relevant provisions. [40]
4. The exercise in section 2(2)(b) is one of balancing the public interest in maintaining the exemption from the duty of disclosure and the public interest in disclosure of the relevant information. The exercise requires “an evaluation of the strength of the public interest for and against disclosure.” It is a natural inference that where two or more exemptions apply to the same information that the strength of evaluating the public interest in non-disclosure have to be brought together. [41]
5. The balancing exercise under section 2(2)(b) requires balancing different aspects of the public interest, recognising that multiple factors may weigh for and against disclosure. Leaving out aspects of the overall argument against disclosure while considering all of the public interest factors in favour of disclosure would lead to an unbalanced an inaccurate assessment, especially in circumstances where Parliament has identified multiple exemptions as relevant to non-disclosure. [42]
6. Weight requires to be given to the words “in all the circumstances of the case” in section 2(2)(b). Where more than one exemption applies to particular information, several aspects of the public interest in favour of non-disclosure of the information apply and those constitute part of the circumstances of the case. It is unclear what those words add were the independent approach advanced by the Information Commissioner and Mr Montague the correct approach. [43]
The majority in the Supreme Court also considered that the structure of section 17 follows the structure of sections 2(1) and (2) and therefore is consistent with the view that the aggregate approach is the correct approach to adopt in relation to the public interest balancing exercise. [47] They also considered that the aggregate approach was a much simpler approach to adopt than the individual approach advocated by the Information Commissioner and Mr Montague. [49]-[50]

While the focus of the appeal had been on the public interest in relation to disclosure, the structure of section 2(1)(b) and 2(2)(b) mean that the effect of the balancing exercise is the same when considering whether to issue a “neither confirm nor deny” response. [44]

Therefore, the correct approach to be adopted to the public interest balancing exercise where more than one qualified exemption applies to the same information is to look at the public interest holistically aggregating the public interest factors for and against disclosure in relation to all exemptions that apply rather than looking at each exemption individually.

The minority view

This was not, as indicated earlier, a unanimous decision of the Supreme Court with two members of the bench disagreeing with the majority. Lord Richards and Sir Declan Morgan gave a joint dissenting judgment and it is worth looking at some of what they said. They disagreed with with the majority and with the Court of Appeal below that there was a “natural inference” which was capable of being a basis for arriving at the correct construction. [79] They continued at [79], that :

[i]t is entirely plausible that Parliament’s purpose was to require the balance of public interests to be struck by reference to the factors relevant to each exemption relied on by the public authority. If the public interest in non-disclosure was insufficient to overcome the public interest in disclosure in the case of each exemption, there is nothing surprising in a policy that the information should be disclosed. It is not often that two or more failures are said to create a success.

Lord Richards and Sir Declan Morgan were also critical of the idea that looking at the individual exemptions separately would create an unbalanced assessment of the public interest. They stated that “this too is based on a presumption as to the policy that Parliament would have been likely to adopt.” [81] They also considered the words “in all the circumstances of the case” in section 2(2)(b) to be “at most a neutral point.” [89]

They also thought that the view of the Commissioner that real practical difficulties would be caused for both him and public authorities deserved respect on account of his and his office’s “immense experience.” [102] Senior Counsel for the Department (Sir James Eadie KC) did not, they record, dismiss that concern and accepted that there were some public interest factors against disclosure that would be very difficult to combine. This, the minority felt, “tells against an interpretation which, without clear words, would permit or require aggregation on a piecemeal basis.” [102]

They would have allowed the appeal. [103].

It will be interesting to see how those cases are dealt with where some of the public interest factors against disclosure are difficult to combine. The commissioner clearly foresees there being some difficulties in the approach that he is now required to adopt in light of the majority decision.

^{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
When ‘Unreasonable’ Doesn’t Cut It: SIC Requires a Response to a Manifestly Unreasonable Request

July 18th, 2025
I rarely cover decisions from either the Information Commissioner or the Scottish Information Commissioner in relation to FOI/EIR matters on this blog. However, I want to look at an interesting decision of the Scottish Information Commissioner from May which, I think, acutely highlights some of the major differences between the Freedom of Information (Scotland) Act 2002 (“FOISA”) and the Environmental Information (Scotland) Regulations 2004 (“Scottish EIRs”)

Decision 132/2025 of the Scottish Information Commissioner concerned a request for information to Scottish Forestry about a scheme known as the Stobo Hope Woodland Creation Scheme. Scottish Forestry had responded to most of the request, but refused to comply with the last part of the request citing the exception at Regulation 10(4)(b) of the Scottish EIRs – that the request was manifestly unreasonable. The exception in Regulation 10(4)(b) is broadly the equivalent of the vexatious requests provision in FOISA. However, unlike the provision in FOISA concerning vexatious requests, the manifestly unreasonable exception in the Scottish EIRs is subject to the public interest test.

Decision 132/2025 is an example of how that difference between the two pieces of legislation can result in a materially different outcome. In this case, the Commissioner agreed that the request was manifestly unreasonable; however, went on to decide that the public interest in the information outweighed the public interest in maintaining the exception. Scottish Forestry was therefore required to respond to the request despite it being manifestly unreasonable.

Reading the decision, it is fair to say, I think, that the Commissioner was not at all impressed with the approach taken to the question of the public interest by Scottish Forestry. The decision states that “the Authority has taken a cursory and casual approach to the public interest in its review and in its submissions to [the Commissioner].” [59] The decision goes on to state that “[t]he very existence of the public interest test in relation to this exception suggests that a real demand on public resources will not necessarily be the sole, or even the primary, determining consideration.” [59] The decision continues, at [60]:

“Here, while the Authority has acknowledged the particular public interest in woodland creation schemes and their impact, it does not appear to have gone beyond that to address the particular facts and circumstances of the scheme to which the request under consideration here relates: it is important that any analysis of the public interest, whatever the exception, is specific to the circumstances and not unduly generic.”

Earlier in the decision, reference is made to the Aarhus Convention Implementation Guide and states that the guide “makes it clear that volume and complexity alone do not make a request “manifestly unreasonable” and, indeed, regulation 7 of the EIRs provides additional time for authorities to respond to voluminous and/or complex requests.” [43]

The genesis of the Scottish EIRs (like the Environmental Information Regulations 2004, which apply to public authorities that are not “Scottish public authorities”) is very different to that of FOISA; they implement an EU Directive which required to be implemented when the United Kingdom was a member of the European Union. That Directive itself implemented an international convention known as the Aarhus Convention (hence the reference to the Aarhus Convention Implementation Guide in the decision), to which the United Kingdom is a signatory in its own right.

The Aarhus Convention is designed to guarantee the rights of access to information in relation to environmental matters as well as public participation in decision-making and access to justice in environmental matters. Access to information is of importance in ensuring that there can be public participation in decision-making and also access to justice in environmental matters.

The Scottish EIRs provide for a right of access to information held by Scottish public authorities in relation to the environment and the definition of “environmental information” is wide (it can catch some rather surprising information). Scotland could do a lot more on the access to justice front in relation to environmental matters, but that is outwith the scope of this post.

It is definitely worth remembering, whether you are a public authority or requester, that the Scottish EIRs are manifestly different from FOISA in many important respects, including:
- there are no absolute exceptions in the Scottish EIRs – all exceptions are subject to the public interest test (Regulation 10(1)) [personal data is dealt with separately from the exceptions in Regulations 10(4) and 10(5)];
- there is an explicit presumption in favour of disclosure inbuilt into the Scottish EIRs (Regulation 10(2)(b)); and
- there is a statutory requirement to construe the exceptions narrowly (regulation 10(2)(a)).
Decision 132/2025 is worthwhile reading in full for the approach adopted by the Commissioner. This was the first time in 20 years that the Scottish Information Commissioner has required a public authority to respond to a request that was manifestly unreasonable. So, while exceptionally rare, it is a useful decision on the need to properly and fully consider the public interest when applying exceptions, including the manifestly unreasonable one, and also the fundamental differences that apply when considering requests for environmental information versus non-environmental information.

^{_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}}
Police Misconduct Panels and the Definition of ‘Court’ under FOIA: Clarification from the Upper Tribunal

July 9th, 2025

The Upper Tribunal has issued an interesting decision in which it considered whether police misconduct panels are courts within the meaning of section 32(4)(a) of the Freedom of Information Act 2000 (FOIA).

Background

In January 2021, the appellant made a request for information to Hampshire Constabulary concerning a misconduct panel that had been convened under the Police (Conduct) Regulations 2012 (which have since been revoked by the Police (Conduct) Regulations 2020) between October 2020 and January 2021. The misconduct panel had been convened to consider allegations of gross misconduct made against six police officers based within the constabulary’s Serious and Organised Crime Unit. As a result of the misconduct hearing three officers were dismissed, one was issued with a final written warning and two would have been dismissed had they remained serving officers.

The appellant had requested from the Constabulary an electronic copy of the written outcome, the decision on sanction and the transcript (or if there was no transcript the audio recording of the proceedings). The misconduct panel had been held in public, but due to the ongoing Covid-19 pandemic the proceedings were viewable by live-link from a separate venue. There was also media coverage of the proceedings.

In responding to the appellant’s request, the Constabulary sent him a link to a short summary of the outcome but refused to disclose the transcript of the audio recording citing section 31(1)(g) of FOIA in reliance upon section 31(2)(a) and (b). The decision was upheld on internal review and by the Information Commissioner in a subsequent decision (by which time the Constabulary was additionally relying on sections 32 and 40 of FOIA).

The appellant appealed to the First-tier Tribunal which held that a police misconduct panel was a court for the purposes of section 32 of FOIA and dismissed the appeal on the basis that this absolute exemption applied. The appellant further appealed to the Upper Tribunal and permission to appeal was granted by the Upper Tribunal in relation to eight grounds (which are summarised at [13] of the Upper Tribunal’s decision).

Positions before the Upper Tribunal

The appellant did not appear at the substantive hearing due to caring responsibilities; however, he indicated that he adopted the Information Commissioner’s submissions and had had also made some written submissions by E-mail. At the hearing, the Commissioner argued that the First-tier Tribunal had made material errors of law while the Constabulary argued that there had been no material errors of law made by the First-tier Tribunal and invited the Upper Tribunal to uphold the decision of the First-tier Tribunal. The submissions made by Counsel for the Information Commissioner are summarised at [32]-[50] of the Upper Tribunal’s decision meanwhile the submissions of the Constabulary are summarised at [51]-[80].

Decision of the Upper Tribunal

The Upper Tribunal held at [81] that the First-tier Tribunal had made a number of errors of law in its decision and, at [88], that they were material. The First-tier Tribunal had correctly identified the need to conduct a holistic assessment of the functions of the misconduct panel [82]. However, it had failed to address the distinction found in the case law between the exercise of the judicial power of the state and acting judicially which amounted to a misdirection of the law [83]. It had also failed to provide adequate reasons to confirm the application of the correct legal test [83].

The First-tier Tribunal also considered matters that were immaterial in reaching its decision [85]. Specifically, it had looked at the functions and powers of the people subject to the jurisdiction of the misconduct panel (police officers) rather than the functions of the misconduct panel itself. The First-tier Tribunal used this approach to allow itself to distinguish police misconduct panels from other professional regulators, such as the General Medical Council. Such an approach was not supported by any authority and was inconsistent with the holistic assessment that it had correctly identified it needed to carry out [84].

The Fist-tier Tribunal further erred by treating the fact that police misconduct panels having legally qualified chairs as a relevant factor for satisfying the definition in section 32 of FOIA because this conclusion was based on the composition of the panel rather than its functions and powers [86]. It had also failed to give adequate reasons for why it considered that the presence of a legally qualified chair was a decisive indicator of whether the police misconduct panel was exercising the judicial power of the state [87].

The Tribunal went on, at the request of the parties, to determine whether police misconduct panels are courts within the meaning of section 32 of FOIA. The Upper Tribunal’s analysis of the question begins at [122] of the decision. Applying the holistic assessment that the Upper Tribunal was required to undertake, it concluded that misconduct panels are exercising a disciplinary function regarding matters of conduct on behalf of chief officers of police forces [176]. The panels are required to act judicially, essentially that they have to act in a way that is fair to all parties and apply an impartial and independent mind to their tasks [177]. The Upper Tribunal concluded that police misconduct panels do not satisfy the definition of a court for the purposes of section 32(4)(a) of FOISA noting that a police misconduct panel “acts in the public interest and has to act judicially when it does so, but it does not exercise the judicial power of the state.” [179]

The Upper Tribunal allowed the appeal and remitted it to the First-tier Tribunal for a fresh constitution of it to consider the other exemptions relied upon by the Constabulary. The Upper Tribunal further directed that that the First-tier Tribunal approach the appeal on the basis a police misconduct panel is not a court for the purposes of FOIA. [180]-[181]

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}
TikTok v Information Commissioner: Preliminary Issues Before the First-tier Tribunal (Part 2)

July 8th, 2025

Yesterday I wrote about the decision, published last week, of the First-tier Tribunal in relation to a preliminary issue raised in TikTok’s appeal against the penalty notice issued by the Information Commissioner in 2023. In yesterday’s blog post I looked at two of the four matters that the Tribunal decided it required to determine as part of the preliminary issue. In this post, I look at the remaining two, namely (a) the Special Purposes Issue and (b) the Consequences Issue.

Special Purposes Issue

The Tribunal deals with this issue at [131]-[155] of its decision. In this part of its decision, the Tribunal considers whether the processing with respect to which the penalty was issued by the Commissioner was for the special purposes.

The Tribunal had heard evidence from three witnesses. First from James Stafford who is the Global Head of Content for TikTok. The Tribunal summaries his evidence to the Tribunal at [23]-[30] of its decision. Second from Professor Catherine Abell, who is Professor of Philosophy of Art and Fellow of Queen’s College, Oxford. The Tribunal summaries the evidence of Professor Abell at [31]-[40]. Both of these witnesses were called by TikTok. The third witness was Professor Jan Krämer, Professor of Information Systems at the University of Passau, Germany. The Tribunal summarises Professor Krämer’s evidence at [41]-[45] of its decision.

The Tribunal accepted that a broad approach required to be adopted to what is meant by the special purposes, one of which is artistic purpose. [132] TikTok accepted that not all forms of creative endeavour would qualify as being artistic in nature for the purposes of section 174(1) of the Data Protection Act 2018 (DPA2018). [134] It argued that the real question for the Tribunal in this case was how that threshold fell to be identified or characterised and it drew upon principles from copyright law for its argument. [134] TikTok argued that these principles should apply because they reflected an approach which was based on common-sense, properly recognised the limits of the court’s competence and reflected the principles approved in Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy (Case C-73/07) that a wide and flexible approach is to be applied in respect of special purpose concepts. TikTok further argued that the opinion of Professor Abell should carry considerable weight. She had considered that 48 of 100 videos reviewed by her on TikTok were artistic.

In relation to the evidence of Professor Abell, it was argued on behalf of the Commissioner that her report did not go to any point that was in dispute before the Tribunal. In particular, it said nothing about how, or for what purpose, personal data with which the penalty was concerned was actually processed by TikTok. The Commissioner invited the Tribunal to afford Professor Abell’s opinion very little weight in the context of the preliminary issue.

The Tribunal agreed with the Commissioner’s submission that the question before the Tribunal, in this context, was not whether content posted on TikTok is artistic in nature. [137] The Tribunal stated at [137]:

Whilst the fact that content is artistic may indicate the possibility that there may be some sort of processing for an artistic purpose going on, the Tribunal’s task is to determine whether the specific processing which is the subject of the MPN was for the special purposes. The presence of some artistic content is not enough by itself to replace the need to carry out this task.

TikTok also argued that its service was one that provided a free expression service; in particular, it acted as an online intermediary service enabling tens of millions of people to exercise their free speech rights on the internet. It argued that its service was firmly and deliberately orientated towards the creative and artistic; this was in contrast to other ISPs (such as Google) which operated in a content neutral way. TikTok argued that it sought to encourage its users to create, share and consume content that is “inherently creative” and artistic. TikTok also sought to argue that it differed fundamentally from other video-sharing platforms such as YouTube. TikTok accepted that it had to meet, for the purposes of the special purposes test, something more than a vague connection with the special purposes and argued that it did so.

For the Commissioner it was argued that the processing undertaken by TikTok for the purposes of delivering targeted advertising to underage children was not processing for the purposes of journalism, or academic, artistic or literary purposes. It was contended by the Commissioner that processing by TikTok for the purposes of monetising its user base and delivering targeted advertising had no journalist or artistic purpose, it was only for a commercial purpose. The Commissioner also argued that processing by TikTok for the purpose of attempting to prevent underage children from accessing its service or for detecting and removing any underage children on its service was not processing for the special purposes; it was for the purpose of preventing underage children from gaining access to and using its platform.

The Tribunal was ultimately persuaded by the arguments advanced on behalf of the Commissioner “that by definition TikTok’s purpose in processing the data of those Underage Children cannot be to facilitate their use of its platform for any purposes at all, including any special purposes.” [152] The Tribunal concluded “that TikTok’s processing in relation to Underage Children, which was the processing with respect to which the MPN was issued, was not for the special purposes.” [153] The Tribunal stated, at [155]:

We therefore conclude that the processing of personal data by TikTok in respect of which the MPN was made was not for the special purposes. Accordingly, the IC was not required to obtain leave from a court under section 156 before issuing the MPN and the MPN was not issued ultra vires. This is because the MPN concerns – and was given “with respect to” (the language of section 156 DPA) – specific processing of data by TikTok that was not “for the special purposes”.

Comment on Special Purposes Issue

TikTok comprehensively lost on this issue, which was not unexpected in light of the Tribunal’s conclusions in relation to the first two issues. Although I was somewhat critical of the strength of one of the Tribunal’s reasons in relation to the “Processing Issue”; I do not think that criticism is in any way material to the overall conclusions of the Tribunal. The Tribunal does not seem to have been the least bit persuaded that the processing with which the penalty notice was concerned was in a deliberate or intentional way processing for the special purposes.

Consequences Issue

The Tribunal deals with this issue at [156]-[164] of its decision. This issue is fairly straightforward and is really secondary to the first three issues in light of the Tribunal’s decision. In essence, the consequence of the Tribunal’s decision is, subject to any appeal by TikTok against this decision, that the entire penalty notice falls to be determined by way of a substantive hearing. [156] The Tribunal held that because it had determined that the processing in respect of which the Commissioner had issued the penalty notice was not for one or more of the special purposes, the Commissioner did not need to follow the procedure set out in section 156 of the DPA2018 before issuing the penalty. [157]

TikTok had raised concerns in its written and oral submissions to the Tribunal about the Commissioner’s findings in the penalty notice on the targeted advertising processing, in particular that they had not been fully set out in the Notice of Intent which the Commissioner was required to issue before issuing the penalty. The Tribunal doesn’t appear to have been particularly persuaded by those concerns. It stated, at [160]:

It is frequently the case that an enforcement case brought by a regulator will evolve during the various stages of the case from how it was initially raised with the subject, often reflecting representations made by the subject. Any procedural unfairness (such as that flowing from Article 6 ECHR) which arises when the formulation of the regulator’s case changes from how it was pleaded at an earlier stage of the process (here the NOI) can be corrected by the statutory right to challenge the later iteration of the case (the MPN) by way of appeal and make representations in that context.

Under reference to the Court of Appeal’s judgment in Financial Conduct Authority v BlueCrest Capital Management (UK) LLP the Tribunal stated that in its view the targeted advertising “has a real and significant connection with the subject matter of the MPN and therefore of the appeal.” [163] The Tribunal went on to state, at [163]:

The statutory appeals process gives an opportunity for TikTok to challenge the MPN as it stands, irrespective of what was in the earlier notice. We therefore do not accept that it would be unfair to allow the IC to rely on an MPN which has evolved out of a differently framed NOI, because the current appeal process allows TikTok to make any representations it wishes relating to the MPN, so there is no procedural unfairness.

The Tribunal concluded that it did not “accept TikTok’s argument that the IC should not be allowed to rely on the allegations around targeted advertising set out in the MPN.” [164]

Conclusion

The Tribunal having disposed of the preliminary issue and determined it wholly in favour of the Commissioner it can now, in theory, move on to deal with TikTok’s substantive appeal against the penalty issued by the Commissioner. While this was a lengthy decision, it should not be taken to mean that the Commissioner will ultimately be successful in resisting the substantive appeal by TikTok; this decision was, ultimately, about whether the penalty notice was valid or whether it was invalid because the Commissioner should have followed the procedure set out in section 156 but had not done so.

As noted earlier in this post, and my one from yesterday, TikTok could seek leave to appeal to the Upper Tribunal against the First-tier Tribunal’s decision. These are weighty issues of significant importance, not only for the operation of the Commissioner’s regulatory powers but for the basic operation of data protection law in relation to special purpose processing. I would not at all be surprised if TikTok seeks permission to appeal to the Upper Tribunal against this decision and nor would I be surprised if the issues ultimately ended up before the Supreme Court – there is, of course a long way to go before the parties reach there with lots of potential twists along the way.

In short, I do not think we will be getting a decision on the substantive appeal against the penalty anytime soon and this appeal will certainly outlive both the office of Information Commissioner and its current incumbent (in the sense that he will have long demitted office by the time these issues are finally resolved).

^{_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}}