Ensuring Legal Accountability of the UK Data Protection Authority: From Cause for Data Subject Complaint to a Model for Europe?
In the context of data protection in Europe the role of the Data Protection Authority (DPA) in ensuring relief for data subjects has long been emphasized. However, taking the UK case as an example, this report demonstrates that authorities can often adopt a highly discretionary and selective approach to data subject complaints. Although such a stance may appear justified by both the myriad types of potentially impactful processing and often generally poor compliance, it is precisely this environment which makes a reasonably comprehensive regulatory approach crucial. However, whilst both the EU General Data Protection Regulation and increasingly Court of Justice jurisprudence specify important procedural and substantive duties for DPAs in relation to complaints, a severe practical accountability gap generally remains. It is argued that the UK’s recent empowerment of its accessible tribunal system to order the DPA to progress complaints could, in principle, provide a valuable model of European DPA accountability going forward even after the Brexit transition period. Unfortunately, however, case law from both the UK First-tier and the Upper Tribunal has adopted a purely procedural interpretation of this provision which, unless reversed, will effectively neuter its value to data subjects.