In a landmark decision on 10 October 2023, the England and Wales Court of Appeal made a significant ruling in Delo, R. (On the Application Of) v. The Information Commissioner1. An earlier high court decision, arguing that the UK’s data protection regulator, the Information Commissioner’s Office (ICO), is not obligated to arrive at concrete decisions for every DSAR complaint, was upheld. The Court of Appeal further substantiated that the ICO has the latitude to exercise broad discretion, a prerogative that it found the ICO had utilised. Delve further into the details here.
This ruling may shift some of the expectations and responsibilities of the ICO when it comes to handling subject access requests. Analysis suggests that the ICO’s remit is not rigidly defined and that decisions made will rely on the context of each case. It effectively presents a change in how the regulator is expected to act and may also change how corporations and law firms engage with DSAR complaints, given the potential for complaints not to receive a conclusive decision.
Legal professionals, particularly those within corporations and law firms handling large volumes of data, should take note of this decision. Data protection procedures and policies may need to be examined in the light of this judgement. Practitioners must consider how this broad discretion could impact their handling of DSAR and how best to prepare for potential disruption to previously predictable outcomes.
The implications of this case are significant, and its impact will continue to unfold. Legal professionals across the field should observe developments closely as they grapple with the potential ramifications of this judgement. This case undoubtedly marks a moment of change in the realm of data protection and regulation in the UK.