![[2024] UKUT 105 (AAC)](https://backend.juristeca.com/files/emisores/logo_3a2BKne.png){kind=logo}
Enforcement notices and appeals against them
Enforcement notices and appeals against them
Under s149(1) DPA 2018, where the Information Commissioner is satisfied that a person “has failed, or is failing” in one of the ways set out in sub-section (2), the Information Commissioner may give the person a written notice (the EN) which requires the person
to take steps specified in the notice, or
to refrain from taking steps specified in the notice, or both.
The types of “failure” set out in s149(2) include where a controller or processor has failed, or is failing to comply with a provision of Part II or Articles 12 to 22 of UK GDPR.
An EN must state what the person has failed or is failing to do and give the Information Commissioner’s reasons for reaching that opinion: s150(1). Under s150(2), in deciding whether to give an EN in reliance on s149(2), the Information Commissioner must consider whether the failure has caused or is likely to cause any person damage or distress. An EN given in reliance on subsection (2) may only impose requirements which the Commissioner considers appropriate for remedying the failure: s149(6).
Section 163 confers a right of appeal to the FTT on a person who is given an EN. The FTT may review any determination of fact on which the EN was based. If the FTT considers –
that the EN is not in accordance with the law, or
to the extent that the EN involved an exercise of discretion by the Information Commissioner, that the Information Commissioner ought to have exercised the discretion differently,
the FTT must allow the appeal or substitute another enforcement notice which the Information Commissioner could have given. Otherwise, the FTT must dismiss the appeal.
The GDPR
- Heading
- THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
- Hearing dates: 6-8 February 2024
- The structure of the Upper Tribunal’s decision
- Abbreviations
- Glossary
- The nature of Experian’s data processing
- The Information Commissioner’s Enforcement Notice
- Experian’s appeal to the First-tier Tribunal
- The Information Commissioner’s case before the First-tier Tribunal
- The hearing before the First-tier Tribunal
- The First-tier Tribunal’s decision
- The First-tier Tribunal’s findings
- The First-tier Tribunal’s conclusions
- The Substituted Enforcement Notice
- The Information Commissioner’s grounds of appeal to the Upper Tribunal
- The legal framework
- The Upper Tribunal’s “error of law” jurisdiction
- Adequacy of reasons
- Enforcement notices and appeals against them
- Recitals to the GDPR
- Proportionality
- The European Data Protection Board: decisions and guidelines
- Summary of relevant aspects of the transparency principle in the GDPR
- The parties’ overarching submissions
- Ground 1
- Experian’s submissions
- Alleged overarching errors: discussion and conclusions
- Alleged failure to address Article 5(1)(a) GDPR
- Alleged failure to identify the applicable standard of transparency
- The nature of the processing
- Relevance of the reasonable expectations of data subjects
- Alleged specific errors: discussion and conclusions
- Use of hyperlinks to the CIP
- Suggestion that people do not care about what happens to their data
- How the FTT addressed the reasonable expectations of data subjects
- Concluding observations on Ground 1
- Ground 2
- Experian’s submissions
- Alleged overarching error: discussion and conclusion
- Alleged specific errors: discussion and conclusions
- Article 14(5)(a) and whether the data subject already “has” the information
- The route from the third party suppliers to the CIP
- Article 14(5)(b)
- Concluding observations on Ground 2
- Ground 3
- Experian’s submissions
- Discussion and conclusions
- Ground 5
- Experian’s submissions
- Discussion and conclusions
- Conclusions