In my first blog post of 2026, I return to a subject that I have written about before: section 166 of the Data Protection Act 2018.

Those who frequently look at decisions of the First-tier Tribunal exercising its information rights jurisdiction will be well aware that in 2025 there were a substantial number of applications under section 166 of the Data Protection Act 2018 struck out by the tribunal (and that this is a continuing trend from previous years). The end of 2025 was no exception with a number of such decisions being published over the Christmas and New Year period.

There continues to be a wide-spread misunderstanding by data subjects as to what section 166 provides. Data subjects have a right, under Article 77 of the UK GDPR and/or section 165 of the Data Protection Act 2018, to complain to the Information Commissioner about how a controller has dealt with a request to exercise their rights (most commonly their right of subject access but it could be other rights such as rectification or erasure). In response to such a complaint the Commissioner has an obligation to investigate the complaint “to the extent appropriate” and to inform the data subject about the progress of the complaint, including whether any further investigation is necessary. If the Commissioner does not provide an update or outcome within three months (or at intervals of three months after each update if no outcome has been reached), the First-tier Tribunal has the power, under section 166(2) of the Data Protection Act 2018 to make an order which requires the commissioner to either take appropriate steps to respond to the complaint or to inform, within a period specified in the order, the data subject of the progress of the complaint or of the outcome of the complaint.

Section 166 does not provide a substantive right of appeal against the outcome of such a complaint. It is a procedural jurisdiction only and is concerned with ensuring that data subjects get a final response to their complaint and are kept up to date with the progress of any investigation that the Commissioner deems to be appropriate. The Court of Appeal (England and Wales) determined in R (Delo) v Information Commissioner that the Commissioner is provided with a broad discretion to decide the level of intensity of any investigation and what action, if any, to take in response to such a complaint (including a decision to take no further action in response to a complaint). The terms of section 166 of the Data Protection Act 2018 therefore do not confer a jurisdiction on the First-tier Tribunal to review the decision of the Commissioner similar to that which is conferred on it by section 57 of the Freedom of Information Act 2000.

It is well known in data protection circles that the Commissioner rarely, if ever, takes any formal enforcement action in response to an individual complaint. Indeed, his office rarely, if ever, carries out an investigation of sufficient intensity to, for example, require a data controller to disclose material withheld in response to a subject access request. The Commissioner does have the tools and power to do so; but does not use his resources in that way. It is open to people to agree or disagree with the Commissioner’s approach, and I shall refrain from commenting on that debate in this post.

During the passage of the Data (Use and Access) Act 2025 attempts were made, notably by Liberal Democrat Peer Lord Clement-Jones, to introduce provisions which would have conferred upon the First-tier Tribunal a substantive jurisdiction in relation to data subject complaints. In essence, Lord Clement-Jones’ proposals would have had the effect of transferring the compliance order and compensation jurisdictions from the courts to the First-tier Tribunal. The proposals were not adopted by Parliament.

Data subjects almost never have legal advice or representation when they make applications under section 166 of the Data Protection Act 2018 to the First-tier Tribunal. It is very easy to see how an unrepresented data subject could read section 166 as conferring such a right (especially if they are familiar with the First-tier Tribunal’s role in relation to decisions of the Commissioner made under section 50 of the Freedom of Information Act 2000) and would proceed without knowledge of the existence of key decisions such as Delo and Killock v Information Commissioner.

So, what options are open to a dissatisfied data subject following a complaint to the Information Commissioner (soon to be replaced by the Information Commission)? Well, specifically in relation to the Commissioner’s decision there is the option of judicially reviewing it in the High Court, the High Court in Northern Ireland or the Court of Session depending on where the data subject is located. That is likely to be an unattractive option because judicial review is also concerned with process and procedure rather than a review of the substantive decision; a successful judicial review would most probably only result in the Commissioner’s decision being reduced/quashed and him having to make a new decision exercising his broad discretion. In short, a judicial review is very unlikely to result in a data subject, for example, receiving personal data withheld in response to a subject access request.

The other option doesn’t involve the Commissioner at all and can be taken without even complaining to the Commissioner: to seek a compliance order against the controller under section 167 of the Data Protection Act 2018. Compliance orders can be sought in the Sheriff Court or Court of Session (in Scotland) or the County Court or High Court (in England and Wales or Northern Ireland). The courts can, in response to an application under section 167 perform what might be termed “a full merits review” of the controller’s handling of the request. The courts can specifically order, for example, the disclosure of incorrectly withheld information (in response to a subject access request) or the rectification or the erasure of personal data where that has been incorrectly refused. The Data (Use and Access) Act 2025 has fixed a lacuna that has existed since 2018 making it clear that the courts can require controllers to make available such information as is available to the controller for inspection by the court without it being disclosed to the data subject until after a final determination in favour of the data subject.

Whether either of these solutions are realistic given their costs and, where it is technically possible to get, the availability of solicitors willing to provide legal aid services for such applications is an entirely separate matter on which I shall offer no commentary in this post. Section 167 applications appear comparatively rare; whether that is down to their cost (and the potential for an adverse award of expenses/costs if unsuccessful), a lack of knowledge on the part of data subjects or a combination thereof is not clear.

I suspect that 2026 will continue to see a flow of struck out section 166 applications as data subjects dissatisfied (rightly or wrongly) with the decision of the controller in relation to their request and the outcome of their complaint to the Commissioner continue to seek to challenge those decisions.

_{Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.}