In December 2019, the UK Information Commissioner’s Office (ICO) imposed a fine of £275,000 on Doorstep Dispensaree Limited (DDL) for multiple contraventions of the GDPR. On December 9, 2024, five years on and three judgments later, the English Court of Appeal confirmed DDL’s liability for the reduced amount of £92,000.
Background
In July 2018, a search warrant on the premises of a company which destroyed waste on behalf of DDL uncovered thousands of documents stored in unlocked crates and bags. A significant proportion of these documents contained “special category” personal data relating to health. The ICO subsequently imposed a fine of £275,000 on DDL for breaching Articles 5(1)(f), 24(1) and 32 GDPR by failing to process personal data in a secure manner, and for breaching Articles 13 and 14 GDPR by failing to provide data subjects with information required by those Articles. DDL and the waste company had a common owner and DDL was the data controller.
DDL appealed to the First-tier Tribunal (FTT), which reduced the fine to £92,000 because the number of documents recovered was substantially lower than had been thought. DDL then appealed the FTT’s decision to the Upper Tribunal, without success, and then to the Court of Appeal. The grounds of appeal were that the FTT had:
- failed to recognise that the burden of proof when appealing a fine rested with the ICO, not DDL; and
- given undue weight to the ICO’s reasoning, instead of deciding independently whether a penalty should be imposed.
Judgment
The Court of Appeal agreed with the ICO that:
- the burden of proof rested with DDL, also observing that the FTT will normally be able to decide whether a penalty is justified without resort to the burden of proof; and
- it was open to the FTT to attach weight to the ICO’s conclusions, finding that the FTT may “take a view that the Commissioner’s role and experience are such as to have given them insight into what penalty would be ‘effective’ and ‘dissuasive’ and in keeping with previous penalties”.
Comment
Barring a further appeal to the Supreme Court, this judgment should finally bring the saga of the ICO’s first GDPR fine to an end. Given the amount in issue (£92,500) and the gravity of the contraventions, it is perhaps surprising that this case reached the Court of Appeal. Regardless, we do now have clarity on two issues concerning the way in which the FTT should approach its task.
In the period since the ICO imposed the fine, there has also been considerable change in the enforcement landscape. For example, it is an open question whether, under the current Commissioner, DDL would have “only” received a reprimand, or whether a different amount would have been calculated under the ICO’s fining guidance issued earlier this year.