
20 Sep 2023

Closing the door on the third appeal against the ICO’s first UK GDPR fine


In a recent Privacy Laws & Business article, data protection partner Katie Hewson and associate Amarveer Randhawa analyse the failed appeal case of Doorstep Dispensaree, and lessons learned.

On 17 December 2019, Doorstep Dispensaree Ltd (DDL), a company that operated several pharmacies, was issued with the first GDPR monetary penalty notice (MPN) from the Information Commissioner’s Office, primarily for inappropriately storing special category data. DDL contested the fine and managed to reduce it to £92,000. However, it failed on its third attempt to convince the Upper Tier Tribunal (Tribunal) to overturn the fine completely. In particular, DDL was unsuccessful in proving that a criminal standard of proof (as opposed to a civil standard) was applicable.

Aside from establishing the applicable standard of proof, the appeal raised six other key issues. This article will explore the seven arguments raised in the appeal and discuss the broader lessons for organisations to consider when handling personal data.

Background

DDL’s sole director and shareholder was also the sole director of Joogee Pharma Ltd (JPL), a company which collected and disposed of pharmaceutical records. In July 2018, DDL formally engaged JPL for its collection and disposal services. Shortly after this, the Medicines and Healthcare Products Regulatory Agency raided JPL’s premises and found approximately 500,000 pharmaceutical and related documents located in disposal bags and crates outside the premises.

The Information Commissioner (Commissioner) initially issued an MPN of £400,000, which was later reduced to £275,000 to reflect DDL’s financial position. At this point, the Commissioner also issued an Enforcement Notice against DDL. During the First-tier Tribunal hearing, DDL was unsuccessful in appealing the Enforcement Notice but managed to reduce the MPN to £92,000. This was mainly due to the fact that out of the 500,000 documents found, only 67,000 documents were relevant, with 13% constituting personal data and 11% special category data.

The seven issues

1. What does the requirement to pay “careful attention” to the Commissioner’s reasons mean?

In R (Hope and Glory Public House Limited) v City of Westminster Magistrates’ Court [2011] EWCA Civ 31 (Hope & Glory), Hope and Glory Public House Ltd brought a claim against Westminster Magistrates’ Court with respect to the court’s dismissal of its appeal relating to its licence conditions. The Court of Appeal rejected Hope and Glory Public House Ltd’s appeal, and stated that it was “… right in all cases that the magistrates’ court should pay careful attention to the reasons given by the licensing authority…[as] Parliament has chosen to place responsibility for making such decisions on local authorities”.

DDL argued that the First-tier Tribunal’s reliance on exercising “careful attention” when reviewing the Commissioner’s reasoning was misplaced as the context of Hope & Glory was distinct from the current context. DDL claimed that such reliance leads to significant penalties being imposed in a way that is (i) free from external scrutiny and (ii) tipped towards the regulator’s view.

The Tribunal disagreed with DDL’s interpretation of what constitutes “careful attention”. It should be noted that “careful attention” does not mean that an authority’s decision is free from external scrutiny; in this instance the First-tier Tribunal did not improperly re-hear the facts or fail to consider DDL’s merits afresh. The appeal clarified at what point the dice is rolled in favour of a regulator – this would only occur if, as a matter of course, a degree of positive weight was applied to their reasoning.

2. Was the burden of proof of secondary importance to the proceedings?

According to the Commissioner, describing the burden of proof as of secondary importance was a matter of common sense, given that an infringement proven by the Commissioner naturally passes to an appellant to counter once evidence of an infringement has been adduced. DDL argued that the evidential burden should remain with the Commissioner, as otherwise this would create an uneven playing field.

The Tribunal confirmed that the burden of proof should be viewed as of secondary importance to proceedings. Having a strict approach to the burden of proof may prevent a tribunal from properly discharging its responsibilities to decide facts or exercise fresh discretion. This line of thinking echoes the Data Protection Act 2018 (DP Act 2018) which provides that a tribunal is tasked with (i) finding out the facts and (ii) deciding whether an MPN is appropriate and setting that at the right level.

The common-sense approach endorsed by the Commissioner was also confirmed. Had the Commissioner had to meet more than the initial evidential burden, it would have nullified the fact that a controller should be responsible for answering questions about their data protection compliance.

3. Is the law of agency relevant?

DDL argued that the relationship between a controller and processor as prescribed by the UK GDPR is akin to the relationship between a principal and an agent. In consequence, JPL’s arrogation of responsibilities to itself by determining the means of processing should have been analysed with the law of agency in mind (i.e. the legal relationship between two parties in which one gives the authority to act on behalf of the other). DDL’s reasoning was two-fold: (i) the UK GDPR explicitly refers to a processor acting on behalf of a controller, thereby putting a controller in a position of legal responsibility like a principal; and (ii) Article 28 UK GDPR requires that a controller and processor enter into a contractual relationship, synonymous with the principles of agency.

The Tribunal rejected the notion that JPL arrogated responsibilities to itself. Like the Commissioner, the Tribunal concluded that the UK GDPR principles and the law of agency are not a mirror image. The GDPR was designed to apply across all EU Member States (including the UK at the time of its passing) and a level of consistent protection was intended, whereas the law on agency is a concept created for application within England and Wales.

4. Which standard of proof applies?

Under the DP Act 2018, there are two distinct penalty regimes with separate standards of proof:

  • The civil standard of proof for breaches of section 155(1), under which the MPN regime for GDPR breaches falls; and
  • The criminal process for breaches of sections 196-200, which concern deliberate data protection breaches outside the scope of the UK GDPR.

To determine whether a breach of section 155(1) has occurred, the Commissioner needs to be “satisfied” that such an established breach or suspected breach occurred.

In DDL’s view, the First-tier Tribunal was wrongly influenced by the “satisfied” test in section 155(1) DP Act 2018. The test appeared to be the only relevant standard of proof despite the existence of DP Act 2018 provisions that allow criminal prosecutions.

To assist DDL’s argument that the criminal standard should have applied, DDL reflected on Lord Hoffman’s judgement in Re B (Children) [2008] UKHL 35 (Hoffman), a case concerning the sexual abuse of children, where it was held that the serious consequences in that case meant the criminal standard of proof applied.

Contrary to DDL’s reading of Hoffman, the Commissioner argued that the MPN did not result in serious consequences. Instead, the civil standard of proof applied per HM Revenue & Customs v Khawaja [2013] UKUT 353 (TCC) (Khawaja). In Khawaja, it was held that a financial penalty did not meet the standard of serious consequences despite a serious allegation being involved with consequences arguably pointing to the criminal standard of proof. Other precedents involving large penalties, notably Hackett v HM Revenue & Customs [2020] UKUT 0212 (TCC) which concerned a £13 million penalty, likewise concluded that the serious behaviours and sizeable fine under consideration did not suggest the application of the criminal standard of proof.

The Tribunal concluded that there is a categorical difference between Hoffman and cases involving penalties, with the former solely acting as a guide, rather than as binding precedent on what serious consequences of proceedings means. It involves a restriction on an individual’s freedom of movement and activity, but the MPN imposed by the Commissioner was not serious enough to justify its inclusion within the “serious consequences” category.

As to DDL’s interpretation of the “satisfied” test in section 155(1) DP Act 2018, it is important to note that the term “satisfied” was of “neutral consideration” and so did not import the criminal standard of proof, especially as it was not coupled with words such as “beyond criminal doubt” or the “balance of probabilities”.

5. Did the First-tier Tribunal incorrectly rely on a breach of Article 24(1) UK GDPR?

DDL argued that the First-tier Tribunal made a mistake by wrongly assuming that the MPN was based on a breach of Article 24(1) UK GDPR. The Tribunal analysed the terms of the MPN and found that the MPN included descriptions of breaches relating to several UK GDPR articles, such as Articles 5(1)(f) and 32 UK GDPR – it did not refer to a breach of Article 24(1) UK GDPR. The imposition of the penalty was found to not be based on Article 24(1) UK GDPR either.

In terms of the penalty size, the Tribunal found that the First-tier Tribunal’s finding that Article 24(1) UK GDPR had been breached did not impact its reduction of the fine.

6. Was the amount of the fine calculated incorrectly?

DDL contested the amount of the fine, on the basis of flaws in the Commissioner’s methodology, their withholding of primary material from the case, and the fact that its director’s evidence did not pertain to the MPN (which in itself was diminished in quality due to the director’s lapse of memory). DDL noted that it was an error on the part of the First-tier Tribunal to calculate the amount of the penalty on points of law that resulted in unfair procedure, especially as there was a lack of evidence aside from the director’s account.

The Tribunal found that DDL’s concerns about the lack of evidence and the low credibility of the evidence presented were irrelevant to the penalty amount. It held that it was unproven that the Commissioner had committed serious methodological flaws and erred on points of law. The Tribunal reminded DDL that the evidence under question was actually adduced by them, and concerns over the qualitative and quantitative nature of the evidence were within their remit.

7. Did the delay in the tribunal’s decision render the outcome unsafe?

According to DDL, the time taken by the First-tier Tribunal to reach its decision resulted in their decision being rendered “…unsatisfactory, unfair and unsafe” per Bangs v Connex South East [2005] EWCA Civ 14, a case which involved a three-month delay. DDL’s decision was reached eight months after the tribunal hearing and seven months after the post-hearing submissions were heard.

The Tribunal held that even with the delay there was no actual risk of a procedural or material irregularity under law – DDL failed to present a finding that showed the decision had been simply unsafe or wrong.

The seven lessons

Following the rejection of DDL’s appeal, organisations challenging enforcement notices from the Commissioner should remember that:

  • A tribunal’s “careful attention” to the Commissioner’s reasoning does not mean that the Commissioner’s view will be favoured. Tribunals will still note the Commissioner’s expertise.
  • The burden of proof is of secondary importance to proceedings. Organisations should be prepared to prove their case.
  • The law of agency is not relevant. Organisations should bear in mind that although the arrogation of their legal responsibilities is possible, they should not look to the law of agency to interpret this.
  • The criminal standard of proof does not apply. Organisations should keep in mind that the Commissioner only needs to meet the lower civil standard of proof and be “satisfied” of an established breach or suspected breach.
  • Reductions in fines are not always made pro rata. A tribunal only needs to explain why any penalty it decided to impose differed from the Commissioner’s.
  • It’s critical that an organisation adduces high quality evidence to prove its case. Organisations should develop robust recordkeeping processes to retain evidence to a standard that could be used in a tribunal or court setting.
  • Proving the impact of a delay at first instance may not affect the outcome of an appeal. This would only be successful if the decision can be proved to be unsafe or wrong under law.

INFORMATION: The appeal decision is at www.gov.uk/administrative-appeals-tribunal-decisions/doorstep-dispensaree-ltd-v-the-information-commissioner-2023-ukut-132-aac

Authors

Katie Hewson is a partner and Amarveer Randhawa is an associate at Stephenson Harwood LLP.

© PRIVACY LAWS & BUSINESS September 2023
