ORG response to Consultation on the ICO’s approach to data protection complaint handling
ORG response to the ICO consultation on a new approach to complaints handling
Your views on our approach
7 To what extent do you agree that ‘our proposed approach to complaint handling’ clearly explains how we’ll handle complaints?
Strongly disagree
If disagree / strongly disagree / not sure, please explain:
The proposal does explain, to an extent, how the ICO would handle complaints. Here, it is worth stressing that the policy outlined in this document is unlawful, as it extends the discretion of the ICO well beyond what case-law has accepted.
Your consultation document states that “In 2023, the Court of Appeal confirmed that we have broad discretion in deciding the appropriate extent of an investigation, including the form of the outcome”. The hyperlink provided refers to Delo vs. The Information Commissioner which, while it does provide broad discretion to the ICO, also reaffirms the duty to uphold rational decision-making. In the case at hand, the ICO’s decision to drop the complaint was found to be “rational” on the basis that “The Commissioner’s assessment that there was nothing to suggest that [the Controller] had operated a blanket approach is legitimate on its face. Mr Delo has not identified any basis for supposing, rather than speculating, that a more detailed investigation might falsify that conclusion”.
In other words, Delo affirmed that the ICO can legitimately close a complaint if there is no evidence of infringements, and that it is not the Commissioner’s duty to pursue an investigation that may, speculatively, overturn the lack of evidence provided by the complaint. The judgement does, however, say that the ICO must “reach and express a view about the likelihood” of an infringement. Further, the judgement does not say that it would be rational (and thus lawful) for the ICO not to investigate a complaint where evidence of infringements is provided, or where context clearly suggests that this should be the case. Likewise, the Upper Tribunal found, in Smith vs. The Information Commissioner, that the law imposes an “objective test [of] what is ‘appropriate’ by way of investigation” on the ICO.
The ICO’s proposed approach to complaints handling, however, does expressly foresee the closing of complaints without any substantive investigation where evidence of rights infringement or harm is provided (or, indeed, is even obvious and established). This contradicts much of what the case-law mentioned above establishes, as well as the ICO’s primary responsibilities under the law.
8 Is there anything else you think we should include in our proposed approach to complaint handling?
Yes
If ‘Yes’, please explain:
The proposed approach to complaint handling should go back to the drawing board.
9 To what extent do you agree that the proposed framework document clearly explains how we will handle complaints?
Strongly disagree
Please explain your response:
Notwithstanding the remarks made in question 7, the proposed framework fails to provide an objective and rational framework to determine which cases would be escalated to an investigation and which would not. In particular, the proposed framework:
– Establishes thresholds which are both vaguely defined and arbitrary, such as “high level of harm”, or “significantly affecting people”, or “substantial number of people”, or “significantly improve the way the organisation uses personal information or enhance data protection rights”.
– Introduces the “ICO strategic priorities” among the criteria used to assess the investigation of a complaint. This is spurious and extra-legal, and suggests the ICO wants discretion not to remedy situations that may cause harm or affect large numbers of people unless it aligns with its own internal agenda.
– Includes “Is it in the public interest for us to make enquiries?” among the assessment criteria. This is rather odd, as it suggests the ICO is seeking discretion not to investigate complaints unless they relate to a matter of public interest. This would pervert the role of complaints under the GDPR: although individuals may decide to use complaints strategically and to pursue matters of public interest, the primary function of a complaint is to remedy an infringement of the rights of the complainant.
Overall, the framework fails to establish clear and substantive criteria against which the ICO’s decision-making can be scrutinised.
Further, complaints are a remedy given to the individual to address infringement of their rights. Their rationale is rooted in the difficulty that individuals may have in collecting evidence and upholding their rights against situations that are technically complex, or in situations where there is an obvious imbalance of power, e.g. because the complaint involves powerful public or private entities. Against this background, the proposed framework takes very little consideration of individuals and their rights, and focuses instead on establishing criteria which are useful to the ICO themselves, or to serve the interest of the organisations against which a complaint may be filed.
10 Is there anything else you think we should include in this proposed framework document?
Yes
If ‘Yes’, please explain:
The proposed framework should be brought back to the drawing board.
11 To what extent do you agree with the ‘criteria’ we’ll consider when assessing complaints:
Strongly disagree
Please explain your response:
See answer to question 9
12 Is there anything else you think we should include in our criteria?
Yes
If ‘Yes’, please explain:
See answer to question 10
13 To what extent do you agree with the proposed plans of what we would do with the information we collect from complaints?
Strongly disagree
If ‘Yes’, please explain:
There is obvious value in keeping track of the number of complaints filed against a controller for the purpose of determining what would constitute an effective and dissuasive enforcement action against them. For instance, repeated offences or infringements of rights are useful criteria to determine the amount of monetary penalties being issued, or to issue an enforcement notice instead of a reprimand. Counting the number of complaints is not, however, a rational criterion to assess whether the ICO should pursue an investigation or drop and “record” the complaint instead.
Notwithstanding what we explained in our answer to question 7, here it is worth stressing that this policy will lead to Controllers breaking the law and not facing the consequences of their non-compliance until the number of complaints against them has reached a certain threshold. This is dis-educative, as it favours the adoption of unlawful or substandard data management practices, which would not be challenged until such practices have become entrenched in the organisation’s internal culture and developed into a “bad habit”. This would also prevent the ICO from being effective and dissuasive in their oversight role, as their intervention would become reactive and delayed by default, rather than aiming to educate controllers and prevent infringements from occurring.
Likewise, this policy will inevitably increase the volume of complaints received by the ICO: as Controllers will develop bad habits and break the law more often, individuals’ rights will also be breached more often and the volume of complaints will likely increase.
14 Is there anything else you think we should consider when using the information we collect from complaints?
Yes
If ‘Yes’, please explain:
As argued before, the number of complaints should not be used as a criterion to determine if and to what extent substantive action is needed upon receiving a complaint. Instead, the ICO should consider the available evidence provided to them by the complaint, and determine the likelihood and potential gravity of such infringement.
Questions to assess the impact of our proposed approach
15 Do you agree with the identified list of the affected groups in Section 5.4 of the impact assessment?
Strongly disagree
16 Are there any other groups of stakeholders that you think will be affected by the proposed data protection complaints handling approach?
No
17 Do you agree with the assessment of costs and benefits outlined in the impact assessment?
Strongly disagree
Please explain your response:
The cost-assessment estimates that this policy would have an impact on “c.42,315 – c.55,000 people” who raise complaints with the ICO and “Up to 3.3 million data controllers”. This makes the whole assessment irrational, since:
– Either the ICO wants to measure the impact of their proposal against the UK as a whole, in which case the policy would have an impact on 66,940,559 people (as recorded by the latest census). Or,
– The ICO wants to assume that this policy will impact only those stakeholders who have raised a complaint in the past. In this case, the ICO should factor in how many controllers were targeted by a complaint, rather than the whole number of controllers who reside in the UK.
The decision to measure the whole population of controllers against an arbitrary fraction of UK data subjects who have exercised their right to lodge a complaint under the GDPR is, frankly, extraordinarily suspicious. Indeed, it is obvious that the “cost” of exposing 66 million individuals to repeated data protection harms until certain arbitrary thresholds have been reached would invariably outweigh whatever benefits the ICO claims this may bring to a small fraction of controllers or to themselves.
18 Are there any other costs and/or benefits that you think should be considered?
No
If yes, please provide details below and any evidence you might have to illustrate this:
See answer to question 17
19 Do you think the proposed data protection complaints handling approach will result in any additional costs or benefits for you / your organisation? (These could be financial or non-financial)
Cost(s)
20 Please describe the types of additional costs and / or benefits you / your organisation might incur, including a rough estimate where possible.
If applicable, please describe the types of additional costs and/or benefits you / your organisation might incur, including a rough estimate where possible:
Additional litigation costs (judicial reviews).
21 Is there any other evidence or information on potential impacts that you would like us to consider?
No
23 Are there any terms or sections in the proposed approach you found unclear or overly technical?
Yes
If ‘Yes’, please explain:
The proposed framework as a whole is unclear, as most criteria rest on subjective assessments conducted by the ICO concerning what is “high” or “significant” or reaches a threshold that warrants regulatory oversight.
24 Would you be happy for us to contact you if we have any follow up questions based on your responses to this consultation?
Yes
If ‘Yes’, please provide your name / email address / preferred contact details:
Mariano delli Santi, mariano@openrightsgroup.org