Ground 5
At first glance, this ground may appear to have merit but, on closer analysis, I am satisfied that it is not made out.
Firstly, it is necessary to consider in more detail the role played by Article 24(1) of the GDPR in the Commissioner’s reasons for imposing an MPN and in setting the penalty amount (I have already described Article 24(1)’s role in the Tribunal’s analysis: see paragraphs 23 to 29 above).
Paragraph 2 of the MPN recited, “the penalty is being issued because of contraventions by Doorstep Dispensaree of: a. Articles 5(1)(f), 24(1) and 32…[and] b. Articles 13 and/or 14 GDPR”.
Paragraphs 36 to 46 of the MPN were headed “The Contraventions”. Much of the analysis in this section was by reference to what the notice described as ‘the Breach’. This was defined by paragraph 37: “It is clear that the data were not processed securely: the documents were left outside, in unlocked containers (“the Breach”).”. Having explained why the Commissioner found a contravention of the data processing principle in Article 5(1)(f) (security of processing), the MPN added, at paragraph 42, “for the same reasons that Doorstep Dispensaree has infringed Article 5(1)(f) GDPR, the processing is also a contravention of Article 24(1) GDPR” and, at paragraph 43, “for the same reasons, the processing is also a contravention of Article 32(1)”. At paragraph 45, the MPN stated that, due to inadequate data protection policies and inadequate records of processing activities and security measures, “Doorstep Dispensaree is unable to demonstrate that its processing is performed in accordance with GDPR: a further infringement of Article 24(1) GDPR”.
Paragraphs 47 to 67 of the MPN were headed “Factors relevant to whether a penalty is appropriate, and if so, the amount of the penalty”. For the most part, the Commissioner’s analysis of the considerations specified in Article 83(2) of the GDPR was by reference to ‘the Breach’. Express mention was made of the Appellant’s obligations under Articles 13 and/or 14 (paragraphs 50, 54, 55, 56, 57 and 59). At times, ‘the Breach’ and Articles 13/14 were addressed together such as in paragraph 57 where the MPN stated, “the Commissioner has treated both the Breach and Article 13 and 14 infringements as a case of a negligent rather than a deliberate infringement”. At paragraph 60, the MPN addressed the Appellant’s compliance with the requirements of Articles 25 and 32. There was no mention of Article 24(1) in this section of the MPN.
Article 83 of the GDPR identifies the maximum permitted administrative fines for breach of specified provisions of the GDPR. Article 24 is mentioned in neither paragraph (4) nor (5) of Article 83 and it is presumably for this reason that section 155(1) does not mention it either.
Article 24(1) requires a controller to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”. That requirement relates to the entirety of a controller’s other obligations under the GDPR in relation to the processing of personal data.
The Tribunal found that the Appellant failed to implement the measures required by Article 24(1). That failure was also a breach of Article 32 (which is a penalisable breach) in that the Appellant failed to implement appropriate measures to ensure a level of security appropriate to the risks involved.
It seems to me that, in most cases, any contravention by a controller of the GDPR will entail a breach of Article 24(1). For this not to happen, a controller’s breach would need to have occurred despite the implementation of appropriate technical and organisational measures to ensure that processing is performed in accordance with the GDPR. This seems unlikely.
In determining that issuing a MPN was an effective, proportionate and dissuasive response, the Tribunal relied on its finding that the Appellant’s contraventions were largely due to its negligence in relation to its obligations under Articles 24(1) and 32. I note that a breach of Article 32 is bound to involve a breach of Article 24(1). A controller’s failure to implement appropriate measures to ensure an appropriate level of security (Article 32) is bound to entail a controller’s failure to implement appropriate measures to ensure that processing is performed in accordance with the GDPR (Article 24(1)). I am therefore satisfied that, in deciding that a MPN was appropriate, if the Tribunal relied on a finding that Article 24(1) had been contravened, it was of no real consequence. On my reading of the Tribunal’s reasons, the breach of Article 32 was, in substance, also the breach of Article 24(1). In other words, I am satisfied that the Tribunal would have decided a MPN was appropriate even if it had left out of account its finding that Article 24(1) had been contravened.
The next question is whether the Tribunal’s finding that the controller breached Article 24(1) influenced its determination of the amount of the penalty. I must first consider the extent to which the Commissioner relied on his finding that the Appellant had contravened Article 24(1) when setting the amount of the penalty. There is no mention of Article 24(1) in the section of the MPN that addressed the appropriate penalty amount. ‘The Breach’ featured heavily in the Commissioner’s analysis but, by this, the MPN meant simply not processing data securely by leaving documents outside in unlocked containers. The MPN’s definition of ‘the Breach’ made no causal link with deficient technical and/or organisational measures. In other words, ‘the Breach’ definition was not connected with any of the Articles of the GDPR that require various types of appropriate technical and organisational measures to be taken. At paragraph 60, the MPN found that the Appellant had contravened the requirements of Articles 25 and 32 both of which require certain appropriate technical and organisational measures to be taken. But, in the section of the MPN which addressed the appropriate penalty amount, there was no mention of Article 24(1). While the MPN did not say so in terms, the only sensible reading of this section of the MPN is that the Commissioner ascribed ‘the Breach’ to the Appellant’s failure to take the appropriate technical and organisational measures required by Articles 25 and 32. The Commissioner did not, when setting the amount of the penalty, rely on his finding that the Appellant had contravened the requirements of Article 24(1).
The reason why I have laboured over the role played by Article 24(1) in the MPN is because it demonstrates that, when the Commissioner came to determine the amount of the penalty, he did not take into account his finding that the Appellant had contravened Article 24(1). In other words, the Tribunal was not presented with a decision whose analysis of the appropriate penalty amount improperly took into account a finding that Article 24(1) had been contravened.
I now turn to consider whether the Tribunal’s determination of the penalty amount took into account the Appellant’s contravention of Article 24(1) of the GDPR. In this respect, I note that the Tribunal did not proportionately reduce the penalty amount set by the Commissioner in accordance with its finding that only some 67,000 documents had been seized by the MHRA rather than the 500,000 assumed by the Commissioner. As mentioned above, had the Tribunal made a pro rata reduction, it would have imposed a penalty of £36,000 rather than £92,000. Another way of looking at it is that the Commissioner’s penalty amounted to 55 pence per breach document whereas the Tribunal’s penalty was £1.73 per document. Does this demonstrate that the Tribunal, unlike the Commissioner, took into account a finding that the Appellant had contravened Article 24(1)? I decide that it does not.
Had the Tribunal failed to explain why its per document penalty was greater than the Commissioner’s, the Appellant may have had a better chance of persuading me that the Tribunal impermissibly relied on a breach of Article 24(1) in determining the penalty amount. However, the Tribunal did provide an explanation which made no reference, direct or indirect, to Article 24(1). The Tribunal justified not making a pro rata reduction in the amount of the penalty by reason of its additional finding of a contravention of Article 5(1)(e) of the GDPR and the “long list of aggravating factors”. The Tribunal’s reasons for setting the penalty amount at £92,000 made no mention of Article 24(1) and I am satisfied that it was not taken into account at that stage of the Tribunal’s analysis.
In my judgment, the Tribunal did not err in law, as the Appellant argues, by relying on a breach of Article 24(1) either when deciding that a MPN was appropriate or when setting the amount of the penalty. Ground 5 is not made out.
[2023] UKUT 132 (AAC)