Alistair Sloan, Advocate

  • When Two Exemptions Tango: The Supreme Court weighs in on the correct approach to balancing the public interest

    July 24th, 2025

    Yesterday the Supreme Court (Lords Lloyd-Jones, Sales, Burrows, Richards and Sir Declan Morgan) gave its judgment in Department for Business and Trade (Respondent) v The Information Commissioner (Appellant). In this case the Supreme Court was concerned with a discrete issue in relation to the public interest test and how it is to work where more than one qualified exemption applies to information that falls within the scope of a FOI request.

    Background

    On 15 November 2017 Brendan Montague, an investigative journalist, made a request to what was then the Department for International Trade (now the Department for Business and Trade) for information concerning trade working groups that had been established by the Department as part of the work being undertaken in preparation for the United Kingdom leaving the European Union following the 2016 referendum. The request ended up before the First-tier Tribunal on an appeal by Mr Montague against a decision of the Information Commissioner upholding the decision of the Department to withhold information. Before the FtT the main issue was whether the contents of agendas and minutes should have been withheld or disclosed. The exemptions in play were sections 27 (international relations) and 35 (formulation of government policy) of the Freedom of Information Act 2000 (FOIA). The First-tier Tribunal issued its decision, allowing the appeal in part, in July 2020.

    Both Mr Montague and the Department appealed to the Upper Tribunal, which allowed the appeal by Mr Montague and dismissed the appeal by the Department. By this time the issue of how the public interest test should be approached where multiple qualified exemptions apply to the same information was a primary area of focus. The Upper Tribunal held that the FtT had misdirected itself when it decided that it could and should aggregate the public interests in maintaining different exemptions rather than considering the public interest in relation to each exemption separately.

    The Department appealed to the Court of Appeal, which allowed the appeal determining that the Upper Tribunal had been wrong to reject the aggregated approach which had been adopted by the First-tier Tribunal.

    The Information Commissioner appealed to the Supreme Court with Mr Montague intervening in the appeal. The Supreme Court, by a majority of 3-2 (Lord Richards and Sir Declan Morgan dissenting), dismissed the appeal upholding the decision of the Court of Appeal.

    Judgment of the Supreme Court

    The majority judgment was given by Lord Sales and Lord Burrows (with whom Lord Lloyd-Jones agreed). The majority recognised that the interpretation advanced by the Information Commissioner and Mr Montague was not one which was impossible to take; however, they took the view that it is not the correct one. [34]

    The majority judgment states, at [35]:

    It is particularly important to have in mind that one is ultimately concerned under section 2(2)(b) with a public interest assessment. Given that that is so, it is a natural inference, because it enables a more complete and accurate picture of the public interest to be obtained, that all the specified public interest reasons for non-disclosure of the information, under the identified qualified exemptions, ought to be taken into account and weighed against the public interest favouring disclosure of the information. One is otherwise ignoring relevant public interest considerations against disclosure of the information even though they have been specified in FOIA as reasons for non-disclosure of the information.

    In their judgment, the majority give six textual indications in section 2(2) that the cumulative, or aggregate, approach is to be preferred over the individual approach advanced by the Information Commissioner and Mr Montague:

    1. Section 2(2)(b) uses the words “any provision of Part II” rather than “a provision of Part II”. The words used refer to one or more provisions of Part II, and this approach is supported by section 6 of the Interpretation Act 1978. [38]
    2. The words “in maintaining the exemption” do not relate to the exemption in Part II but, rather, relate to the exemption from the duty of disclosure in section 1(1)(b). The words used by Parliament indicate that the issue is the overall result of the public interest balancing exercise. [39]
    3. The words “the public interest in maintaining the exemption” refer, on a natural reading of the words, to the public interest across all the relevant provisions. [40]
    4. The exercise in section 2(2)(b) is one of balancing the public interest in maintaining the exemption from the duty of disclosure and the public interest in disclosure of the relevant information. The exercise requires “an evaluation of the strength of the public interest for and against disclosure.” It is a natural inference that, where two or more exemptions apply to the same information, the public interests in non-disclosure have to be brought together when evaluating that strength. [41]
    5. The balancing exercise under section 2(2)(b) requires balancing different aspects of the public interest, recognising that multiple factors may weigh for and against disclosure. Leaving out aspects of the overall argument against disclosure while considering all of the public interest factors in favour of disclosure would lead to an unbalanced and inaccurate assessment, especially in circumstances where Parliament has identified multiple exemptions as relevant to non-disclosure. [42]
    6. Weight requires to be given to the words “in all the circumstances of the case” in section 2(2)(b). Where more than one exemption applies to particular information, several aspects of the public interest in favour of non-disclosure of the information apply and those constitute part of the circumstances of the case. It is unclear what those words add were the independent approach advanced by the Information Commissioner and Mr Montague the correct approach. [43]

    The majority in the Supreme Court also considered that the structure of section 17 follows the structure of sections 2(1) and (2) and therefore is consistent with the view that the aggregate approach is the correct approach to adopt in relation to the public interest balancing exercise. [47] They also considered that the aggregate approach was a much simpler approach to adopt than the individual approach advocated by the Information Commissioner and Mr Montague. [49]-[50]

    While the focus of the appeal had been on the public interest in relation to disclosure, the structure of section 2(1)(b) and 2(2)(b) means that the effect of the balancing exercise is the same when considering whether to issue a “neither confirm nor deny” response. [44]

    Therefore, the correct approach to be adopted to the public interest balancing exercise where more than one qualified exemption applies to the same information is to look at the public interest holistically, aggregating the public interest factors for and against disclosure in relation to all exemptions that apply, rather than looking at each exemption individually.

    The minority view

    This was not, as indicated earlier, a unanimous decision of the Supreme Court, with two members of the bench disagreeing with the majority. Lord Richards and Sir Declan Morgan gave a joint dissenting judgment and it is worth looking at some of what they said. They disagreed with the majority and with the Court of Appeal below that there was a “natural inference” which was capable of being a basis for arriving at the correct construction. [79] They continued, at [79], that:

    [i]t is entirely plausible that Parliament’s purpose was to require the balance of public interests to be struck by reference to the factors relevant to each exemption relied on by the public authority. If the public interest in non-disclosure was insufficient to overcome the public interest in disclosure in the case of each exemption, there is nothing surprising in a policy that the information should be disclosed. It is not often that two or more failures are said to create a success.

    Lord Richards and Sir Declan Morgan were also critical of the idea that looking at the individual exemptions separately would create an unbalanced assessment of the public interest. They stated that “this too is based on a presumption as to the policy that Parliament would have been likely to adopt.” [81] They also considered the words “in all the circumstances of the case” in section 2(2)(b) to be “at most a neutral point.” [89]

    They also thought that the view of the Commissioner that real practical difficulties would be caused for both him and public authorities deserved respect on account of his and his office’s “immense experience.” [102] Senior Counsel for the Department (Sir James Eadie KC) did not, they record, dismiss that concern and accepted that there were some public interest factors against disclosure that would be very difficult to combine. This, the minority felt, “tells against an interpretation which, without clear words, would permit or require aggregation on a piecemeal basis.” [102]

    They would have allowed the appeal. [103].

    It will be interesting to see how those cases are dealt with where some of the public interest factors against disclosure are difficult to combine. The Commissioner clearly foresees there being some difficulties in the approach that he is now required to adopt in light of the majority decision.

    Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.

  • When ‘Unreasonable’ Doesn’t Cut It: SIC Requires a Response to a Manifestly Unreasonable Request

    July 18th, 2025

    I rarely cover decisions from either the Information Commissioner or the Scottish Information Commissioner in relation to FOI/EIR matters on this blog. However, I want to look at an interesting decision of the Scottish Information Commissioner from May which, I think, acutely highlights some of the major differences between the Freedom of Information (Scotland) Act 2002 (“FOISA”) and the Environmental Information (Scotland) Regulations 2004 (“Scottish EIRs”).

    Decision 132/2025 of the Scottish Information Commissioner concerned a request for information to Scottish Forestry about a scheme known as the Stobo Hope Woodland Creation Scheme. Scottish Forestry had responded to most of the request, but refused to comply with the last part of the request citing the exception at Regulation 10(4)(b) of the Scottish EIRs – that the request was manifestly unreasonable. The exception in Regulation 10(4)(b) is broadly the equivalent of the vexatious requests provision in FOISA. However, unlike the provision in FOISA concerning vexatious requests, the manifestly unreasonable exception in the Scottish EIRs is subject to the public interest test.

    Decision 132/2025 is an example of how that difference between the two pieces of legislation can result in a materially different outcome. In this case, the Commissioner agreed that the request was manifestly unreasonable; however, he went on to decide that the public interest in the information outweighed the public interest in maintaining the exception. Scottish Forestry was therefore required to respond to the request despite it being manifestly unreasonable.

    Reading the decision, it is fair to say, I think, that the Commissioner was not at all impressed with the approach taken to the question of the public interest by Scottish Forestry. The decision states that “the Authority has taken a cursory and casual approach to the public interest in its review and in its submissions to [the Commissioner].” [59] The decision goes on to state that “[t]he very existence of the public interest test in relation to this exception suggests that a real demand on public resources will not necessarily be the sole, or even the primary, determining consideration.” [59] The decision continues, at [60]:

    “Here, while the Authority has acknowledged the particular public interest in woodland creation schemes and their impact, it does not appear to have gone beyond that to address the particular facts and circumstances of the scheme to which the request under consideration here relates: it is important that any analysis of the public interest, whatever the exception, is specific to the circumstances and not unduly generic.”

    Earlier in the decision, the Commissioner refers to the Aarhus Convention Implementation Guide and states that the guide “makes it clear that volume and complexity alone do not make a request “manifestly unreasonable” and, indeed, regulation 7 of the EIRs provides additional time for authorities to respond to voluminous and/or complex requests.” [43]

    The genesis of the Scottish EIRs (like the Environmental Information Regulations 2004, which apply to public authorities that are not “Scottish public authorities”) is very different to that of FOISA; they implement an EU Directive which required to be implemented when the United Kingdom was a member of the European Union. That Directive itself implemented an international convention known as the Aarhus Convention (hence the reference to the Aarhus Convention Implementation Guide in the decision), to which the United Kingdom is a signatory in its own right.

    The Aarhus Convention is designed to guarantee the rights of access to information in relation to environmental matters as well as public participation in decision-making and access to justice in environmental matters. Access to information is of importance in ensuring that there can be public participation in decision-making and also access to justice in environmental matters.

    The Scottish EIRs provide for a right of access to information held by Scottish public authorities in relation to the environment and the definition of “environmental information” is wide (it can catch some rather surprising information). Scotland could do a lot more on the access to justice front in relation to environmental matters, but that is outwith the scope of this post.

    It is definitely worth remembering, whether you are a public authority or requester, that the Scottish EIRs are manifestly different from FOISA in many important respects, including:

    • there are no absolute exceptions in the Scottish EIRs – all exceptions are subject to the public interest test (Regulation 10(1)) [personal data is dealt with separately from the exceptions in Regulations 10(4) and 10(5)];
    • there is an explicit presumption in favour of disclosure inbuilt into the Scottish EIRs (Regulation 10(2)(b)); and
    • there is a statutory requirement to construe the exceptions narrowly (Regulation 10(2)(a)).

    Decision 132/2025 is worthwhile reading in full for the approach adopted by the Commissioner. This was the first time in 20 years that the Scottish Information Commissioner has required a public authority to respond to a request that was manifestly unreasonable. So, while exceptionally rare, it is a useful decision on the need to properly and fully consider the public interest when applying exceptions, including the manifestly unreasonable one, and also the fundamental differences that apply when considering requests for environmental information versus non-environmental information.

  • Police Misconduct Panels and the Definition of ‘Court’ under FOIA: Clarification from the Upper Tribunal

    July 9th, 2025

    The Upper Tribunal has issued an interesting decision in which it considered whether police misconduct panels are courts within the meaning of section 32(4)(a) of the Freedom of Information Act 2000 (FOIA).

    Background

    In January 2021, the appellant made a request for information to Hampshire Constabulary concerning a misconduct panel that had been convened under the Police (Conduct) Regulations 2012 (which have since been revoked by the Police (Conduct) Regulations 2020) between October 2020 and January 2021. The misconduct panel had been convened to consider allegations of gross misconduct made against six police officers based within the constabulary’s Serious and Organised Crime Unit. As a result of the misconduct hearing three officers were dismissed, one was issued with a final written warning and two would have been dismissed had they remained serving officers.

    The appellant had requested from the Constabulary an electronic copy of the written outcome, the decision on sanction and the transcript (or if there was no transcript the audio recording of the proceedings). The misconduct panel had been held in public, but due to the ongoing Covid-19 pandemic the proceedings were viewable by live-link from a separate venue. There was also media coverage of the proceedings.

    In responding to the appellant’s request, the Constabulary sent him a link to a short summary of the outcome but refused to disclose the transcript of the audio recording citing section 31(1)(g) of FOIA in reliance upon section 31(2)(a) and (b). The decision was upheld on internal review and by the Information Commissioner in a subsequent decision (by which time the Constabulary was additionally relying on sections 32 and 40 of FOIA).

    The appellant appealed to the First-tier Tribunal which held that a police misconduct panel was a court for the purposes of section 32 of FOIA and dismissed the appeal on the basis that this absolute exemption applied. The appellant further appealed to the Upper Tribunal and permission to appeal was granted by the Upper Tribunal in relation to eight grounds (which are summarised at [13] of the Upper Tribunal’s decision).

    Positions before the Upper Tribunal

    The appellant did not appear at the substantive hearing due to caring responsibilities; however, he indicated that he adopted the Information Commissioner’s submissions and had also made some written submissions by e-mail. At the hearing, the Commissioner argued that the First-tier Tribunal had made material errors of law, while the Constabulary argued that there had been no material errors of law made by the First-tier Tribunal and invited the Upper Tribunal to uphold the decision of the First-tier Tribunal. The submissions made by Counsel for the Information Commissioner are summarised at [32]-[50] of the Upper Tribunal’s decision, while the submissions of the Constabulary are summarised at [51]-[80].

    Decision of the Upper Tribunal

    The Upper Tribunal held at [81] that the First-tier Tribunal had made a number of errors of law in its decision and, at [88], that they were material. The First-tier Tribunal had correctly identified the need to conduct a holistic assessment of the functions of the misconduct panel [82]. However, it had failed to address the distinction found in the case law between the exercise of the judicial power of the state and acting judicially which amounted to a misdirection of the law [83]. It had also failed to provide adequate reasons to confirm the application of the correct legal test [83].

    The First-tier Tribunal also considered matters that were immaterial in reaching its decision [85]. Specifically, it had looked at the functions and powers of the people subject to the jurisdiction of the misconduct panel (police officers) rather than the functions of the misconduct panel itself. The First-tier Tribunal used this approach to allow itself to distinguish police misconduct panels from other professional regulators, such as the General Medical Council. Such an approach was not supported by any authority and was inconsistent with the holistic assessment that it had correctly identified it needed to carry out [84].

    The First-tier Tribunal further erred by treating the fact that police misconduct panels have legally qualified chairs as a relevant factor for satisfying the definition in section 32 of FOIA, because this conclusion was based on the composition of the panel rather than its functions and powers [86]. It had also failed to give adequate reasons for why it considered that the presence of a legally qualified chair was a decisive indicator of whether the police misconduct panel was exercising the judicial power of the state [87].

    The Tribunal went on, at the request of the parties, to determine whether police misconduct panels are courts within the meaning of section 32 of FOIA. The Upper Tribunal’s analysis of the question begins at [122] of the decision. Applying the holistic assessment that the Upper Tribunal was required to undertake, it concluded that misconduct panels are exercising a disciplinary function regarding matters of conduct on behalf of chief officers of police forces [176]. The panels are required to act judicially; essentially, they have to act in a way that is fair to all parties and apply an impartial and independent mind to their tasks [177]. The Upper Tribunal concluded that police misconduct panels do not satisfy the definition of a court for the purposes of section 32(4)(a) of FOIA, noting that a police misconduct panel “acts in the public interest and has to act judicially when it does so, but it does not exercise the judicial power of the state.” [179]

    The Upper Tribunal allowed the appeal and remitted it to the First-tier Tribunal for a fresh constitution of it to consider the other exemptions relied upon by the Constabulary. The Upper Tribunal further directed that the First-tier Tribunal approach the appeal on the basis that a police misconduct panel is not a court for the purposes of FOIA. [180]-[181]

  • TikTok v Information Commissioner: Preliminary Issues Before the First-tier Tribunal (Part 2)

    July 8th, 2025

    Yesterday I wrote about the decision, published last week, of the First-tier Tribunal in relation to a preliminary issue raised in TikTok’s appeal against the penalty notice issued by the Information Commissioner in 2023. In yesterday’s blog post I looked at two of the four matters that the Tribunal decided it required to determine as part of the preliminary issue. In this post, I look at the remaining two, namely (a) the Special Purposes Issue and (b) the Consequences Issue.

    Special Purposes Issue

    The Tribunal deals with this issue at [131]-[155] of its decision. In this part of its decision, the Tribunal considers whether the processing with respect to which the penalty was issued by the Commissioner was for the special purposes.

    The Tribunal had heard evidence from three witnesses. First from James Stafford, who is the Global Head of Content for TikTok. The Tribunal summarises his evidence to the Tribunal at [23]-[30] of its decision. Second from Professor Catherine Abell, who is Professor of Philosophy of Art and Fellow of Queen’s College, Oxford. The Tribunal summarises the evidence of Professor Abell at [31]-[40]. Both of these witnesses were called by TikTok. The third witness was Professor Jan Krämer, Professor of Information Systems at the University of Passau, Germany. The Tribunal summarises Professor Krämer’s evidence at [41]-[45] of its decision.

    The Tribunal accepted that a broad approach required to be adopted to what is meant by the special purposes, one of which is artistic purpose. [132] TikTok accepted that not all forms of creative endeavour would qualify as being artistic in nature for the purposes of section 174(1) of the Data Protection Act 2018 (DPA2018). [134] It argued that the real question for the Tribunal in this case was how that threshold fell to be identified or characterised and it drew upon principles from copyright law for its argument. [134] TikTok argued that these principles should apply because they reflected an approach which was based on common-sense, properly recognised the limits of the court’s competence and reflected the principles approved in Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy (Case C-73/07) that a wide and flexible approach is to be applied in respect of special purpose concepts. TikTok further argued that the opinion of Professor Abell should carry considerable weight. She had considered that 48 of 100 videos reviewed by her on TikTok were artistic.

    In relation to the evidence of Professor Abell, it was argued on behalf of the Commissioner that her report did not go to any point that was in dispute before the Tribunal. In particular, it said nothing about how, or for what purpose, personal data with which the penalty was concerned was actually processed by TikTok. The Commissioner invited the Tribunal to afford Professor Abell’s opinion very little weight in the context of the preliminary issue.

    The Tribunal agreed with the Commissioner’s submission that the question before the Tribunal, in this context, was not whether content posted on TikTok is artistic in nature. [137] The Tribunal stated at [137]:

    Whilst the fact that content is artistic may indicate the possibility that there may be some sort of processing for an artistic purpose going on, the Tribunal’s task is to determine whether the specific processing which is the subject of the MPN was for the special purposes. The presence of some artistic content is not enough by itself to replace the need to carry out this task.

    TikTok also argued that its service was one that provided a free expression service; in particular, it acted as an online intermediary service enabling tens of millions of people to exercise their free speech rights on the internet. It argued that its service was firmly and deliberately orientated towards the creative and artistic; this was in contrast to other ISPs (such as Google) which operated in a content neutral way. TikTok argued that it sought to encourage its users to create, share and consume content that is “inherently creative” and artistic. TikTok also sought to argue that it differed fundamentally from other video-sharing platforms such as YouTube. TikTok accepted that it had to meet, for the purposes of the special purposes test, something more than a vague connection with the special purposes and argued that it did so.

    For the Commissioner it was argued that the processing undertaken by TikTok for the purposes of delivering targeted advertising to underage children was not processing for the purposes of journalism, or academic, artistic or literary purposes. It was contended by the Commissioner that processing by TikTok for the purposes of monetising its user base and delivering targeted advertising had no journalistic or artistic purpose; it was only for a commercial purpose. The Commissioner also argued that processing by TikTok for the purpose of attempting to prevent underage children from accessing its service or for detecting and removing any underage children on its service was not processing for the special purposes; it was for the purpose of preventing underage children from gaining access to and using its platform.

    The Tribunal was ultimately persuaded by the arguments advanced on behalf of the Commissioner “that by definition TikTok’s purpose in processing the data of those Underage Children cannot be to facilitate their use of its platform for any purposes at all, including any special purposes.” [152] The Tribunal concluded “that TikTok’s processing in relation to Underage Children, which was the processing with respect to which the MPN was issued, was not for the special purposes.” [153] The Tribunal stated, at [155]:

    We therefore conclude that the processing of personal data by TikTok in respect of which the MPN was made was not for the special purposes. Accordingly, the IC was not required to obtain leave from a court under section 156 before issuing the MPN and the MPN was not issued ultra vires. This is because the MPN concerns – and was given “with respect to” (the language of section 156 DPA) – specific processing of data by TikTok that was not “for the special purposes”.

    Comment on Special Purposes Issue

    TikTok comprehensively lost on this issue, which was not unexpected in light of the Tribunal’s conclusions in relation to the first two issues. Although I was somewhat critical of the strength of one of the Tribunal’s reasons in relation to the “Processing Issue”, I do not think that criticism is in any way material to the overall conclusions of the Tribunal. The Tribunal does not seem to have been the least bit persuaded that the processing with which the penalty notice was concerned was in a deliberate or intentional way processing for the special purposes.

    Consequences Issue

    The Tribunal deals with this issue at [156]-[164] of its decision. This issue is fairly straightforward and is really secondary to the first three issues in light of the Tribunal’s decision. In essence, the consequence of the Tribunal’s decision is, subject to any appeal by TikTok against this decision, that the entire penalty notice falls to be determined by way of a substantive hearing. [156] The Tribunal held that because it had determined that the processing in respect of which the Commissioner had issued the penalty notice was not for one or more of the special purposes, the Commissioner did not need to follow the procedure set out in section 156 of the DPA2018 before issuing the penalty. [157]

    TikTok had raised concerns in its written and oral submissions to the Tribunal about the Commissioner’s findings in the penalty notice on the targeted advertising processing, in particular that they had not been fully set out in the Notice of Intent which the Commissioner was required to issue before issuing the penalty. The Tribunal doesn’t appear to have been particularly persuaded by those concerns. It stated, at [160]:

    It is frequently the case that an enforcement case brought by a regulator will evolve during the various stages of the case from how it was initially raised with the subject, often reflecting representations made by the subject. Any procedural unfairness (such as that flowing from Article 6 ECHR) which arises when the formulation of the regulator’s case changes from how it was pleaded at an earlier stage of the process (here the NOI) can be corrected by the statutory right to challenge the later iteration of the case (the MPN) by way of appeal and make representations in that context.

    Under reference to the Court of Appeal’s judgment in Financial Conduct Authority v BlueCrest Capital Management (UK) LLP the Tribunal stated that in its view the targeted advertising “has a real and significant connection with the subject matter of the MPN and therefore of the appeal.” [163] The Tribunal went on to state, at [163]:

    The statutory appeals process gives an opportunity for TikTok to challenge the MPN as it stands, irrespective of what was in the earlier notice. We therefore do not accept that it would be unfair to allow the IC to rely on an MPN which has evolved out of a differently framed NOI, because the current appeal process allows TikTok to make any representations it wishes relating to the MPN, so there is no procedural unfairness.

    The Tribunal concluded that it did not “accept TikTok’s argument that the IC should not be allowed to rely on the allegations around targeted advertising set out in the MPN.” [164]

    Conclusion

    The Tribunal having disposed of the preliminary issue and determined it wholly in favour of the Commissioner, it can now, in theory, move on to deal with TikTok’s substantive appeal against the penalty issued by the Commissioner. While this was a lengthy decision, it should not be taken to mean that the Commissioner will ultimately be successful in resisting the substantive appeal by TikTok; this decision was, ultimately, about whether the penalty notice was valid or whether it was invalid because the Commissioner should have followed the procedure set out in section 156 but had not done so.

    As noted earlier in this post, and my one from yesterday, TikTok could seek leave to appeal to the Upper Tribunal against the First-tier Tribunal’s decision. These are weighty issues of significant importance, not only for the operation of the Commissioner’s regulatory powers but for the basic operation of data protection law in relation to special purpose processing. I would not at all be surprised if TikTok seeks permission to appeal to the Upper Tribunal against this decision and nor would I be surprised if the issues ultimately ended up before the Supreme Court – there is, of course a long way to go before the parties reach there with lots of potential twists along the way.

    In short, I do not think we will be getting a decision on the substantive appeal against the penalty anytime soon and this appeal will certainly outlive both the office of Information Commissioner and its current incumbent (in the sense that he will have long demitted office by the time these issues are finally resolved).

    Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.

  • TikTok v Information Commissioner: Preliminary Issues Before the First-tier Tribunal (Part 1)

    July 7th, 2025

    In April 2023, the Information Commissioner served a Penalty Notice, in the sum of £12.7m, on TikTok Information Technologies UK Limited and TikTok Inc (TikTok). The decision to issue a Penalty Notice and the amount of the penalty are appealable to the First-tier Tribunal and TikTok has exercised its right of appeal. Last week, the First-tier Tribunal published its decision in relation to a preliminary issue raised by the TikTok appeal. The issue concerned whether the Penalty Notice issued by the Commissioner related to processing of personal data for the special purposes within the meaning of sections 156 and 174 of the Data Protection Act 2018 (“DPA2018”). The First-tier Tribunal, on the preliminary issue, found against TikTok and in favour of the Information Commissioner.

    The Tribunal’s decision on the preliminary issue runs to 165 paragraphs over 57 pages and so it is a lengthy decision. The decision itself is very much worth reading in full. It should be noted that the period that the penalty notice was concerned with ended before ‘IP Completion day’; therefore we are dealing with GDPR rather than the UK GDPR. However, the Tribunal’s decision remains relevant for the purposes of the UK GDPR.

    The Special Purposes

    Section 174 of the DPA2018 defines the special purposes as one or more of: (a) the purposes of journalism; (b) academic purposes; (c) artistic purposes; and (d) literary purposes. Section 156 of the DPA2018 places restrictions on the Information Commissioner in relation to the issuing of penalty notices to controllers or processors where the personal data concerned was being processed for the special purposes.

    Questions raised by the preliminary issue

    The Tribunal sets out at [18] of its decision that it considered that there were four questions arising from the preliminary issue that it must answer. Those questions are:

    1. What is the scope, meaning and purpose of section 156 (which the Tribunal referred to as the “Construction Issue”).
    2. What was, as a matter of fact, the processing with respect to which the penalty was issued by the Commissioner (which the Tribunal referred to as the “Processing Issue”).
    3. Was the processing in respect of which the penalty was issued for the purpose of one or more of the special purposes (which the Tribunal referred to as the “Special Purposes Issue”).
    4. What consequences flow from the Tribunal’s findings in relation to the first three issues (which the Tribunal referred to as the “Consequences Issue”).

    In this post, to prevent it from getting too long, I will focus on the first two of these questions. A second post will follow, tomorrow, looking at the third and fourth questions.

    The Construction Issue

    The Tribunal deals with the Construction Issue at [46]-[97] of its decision. Under this issue, five key issues were raised (which the Tribunal sets out at [46] of its decision).

    The five key issues identified under the Construction Issue were: (a) the legislative history of section 156 and what it was intended to achieve; (b) whether it matters that TikTok is a commercial entity; (c) whether section 156 can apply to an internet service provider (ISP); (d) the interaction between sections 156 and 174, including whether the processing needs to be only for the special purposes in order to fall within section 156(1) of the DPA2018; and (e) the interaction between section 156 and Article 10 of the European Convention on Human Rights (ECHR).

    After making some general observations concerning statutory interpretation at [47], the Tribunal goes on to consider the first of the five key issues raised by the Construction Issue at [48]-[55] of its decision.

    The Tribunal records at [49] that it was common ground between the parties that sections 156 and 174 were part of a suite of provisions enacted within the DPA2018 in order to implement Article 85 of the GDPR.

    It was argued on behalf of TikTok that there was no hierarchy between the various special purposes. The Tribunal agreed and stated at [50] that “the special purposes as defined in the statute do not give more weight to one form of purpose than to another.”

    It was argued, on behalf of the Commissioner, that section 156 was a reconciliation by Parliament of the competing rights under Article 85(1) rather than being the type of specific exemption mandated under Article 85(2). Section 156 replicates, with no material difference, what was found in section 46 of the Data Protection Act 1998 (“DPA1998”) and Parliament was seeking to reconcile the data protection rights under the GDPR with the competing fundamental rights in relation to the identified forms of expression. In doing so, Parliament created a specific procedure to be followed for regulatory enforcement in respect of those specific identified forms of expression. It was contended on behalf of the Commissioner that what became section 46 of DPA1998 and then section 156 of the DPA2018 were a careful set of checks and balances.

    At [55], the Tribunal stated that it was persuaded by the arguments advanced on behalf of the Commissioner in relation to what Parliament intended. The Tribunal agreed “that Parliament had decided in enacting DPA 2018 exactly how it wished to balance the competing rights in play, including Article 10 ECHR.” [55] It also agreed with the Commissioner’s contention that it is “not for the Tribunal to second-guess this balancing exercise.” [55]

    The second of the five key issues under the Construction Issue was whether it mattered that TikTok was a commercial entity. The Tribunal answered in the negative concluding that “the fact that TikTok was a commercial entity does not mean that it cannot be found to be processing personal data for special purposes within section 156.” [58]

    In relation to whether section 156 could apply to an ISP, the Tribunal took issue with TikTok’s presentation of what the Commissioner was arguing, stating, at [65], that it appeared to the Tribunal

    “that, contrary to TikTok’s assertions, the IC is not trying to say that section 156 can never apply to an ISP like TikTok as a matter of principle. Rather, [the Commissioner’s] position is that whether section 156 applies is fact-specific and concerns the actual processing with which the MPN in question is concerned.”

    The Tribunal concluded that “it is necessary to consider the specific processing” that is the subject of a penalty; whether or not section 156 is engaged is determined by the factual context. [66] The Tribunal also concluded, at [67], that:

    “Parliament did not intend section 156 to apply any differently to ISPs to the way in which it applies to other data processors. If it wished there to be a difference in how the statute should apply, that would be a matter for Parliament, not for the Tribunal.”

    Therefore, the Tribunal concluded that “section 156 can apply to an ISP.” [67]

    In relation to the fourth of the five key issues under the broader “Construction Issue”, the Tribunal agreed with the common position between the parties that section 156 of the DPA2018 does not require that the processing with which a penalty notice is concerned should be only for special purposes. [80] In essence, it can apply where the processing is for both special purposes and purposes other than special purposes.

    The Tribunal was of the view that the special purposes regime required a narrow interpretation which is consistent with the terms of Article 9 of the GDPR which required that derogation should only be made where it was necessary. [82] Whether processing is for a special purpose is a question of fact, but there should be a degree of intention; incidental or accidental processing is unlikely to be done for one or more of the special purposes. [82] Therefore, there must be more than an accidental or incidental connection to the special purposes for the protections in section 156 to apply. [82]

    At [83] of its decision, the Tribunal stated:

    “In our view, this requires a narrow and purposive approach to construing section 156. Taking into account all the evidence and the parties’ submissions we do not consider that the fact that TikTok’s stated mission and overall purpose is concerned with the encouraging of creativity and creation of artistic and journalistic content to be sufficient to render all its processing of personal data as being “for the special purposes”. Instead, in order to apply section 156 correctly, we must first establish as a matter of fact the processing concerned and then consider the question of whether it is for the special purposes in that specific context”

    On the fifth of the five issues under the broader Construction Issue, the Tribunal, in line with what it had decided earlier in its decision on the Construction Issue, was “not persuaded that greater weight should be given to Article 10 by the Tribunal than was given to it by Parliament in seeking to reconcile it with the right to data protection.” [96] In the context of the preliminary issue raised in the TikTok appeal, the Tribunal is concerned with exactly what processing by TikTok the penalty related to and whether that processing was carried out for the special purposes. [96] Even if the Tribunal was wrong on this, it did not consider that Article 10 of the ECHR alters the decision it reached on the preliminary issue. [97]

    Comment on the Construction Issue

    Drawing together all that the Tribunal had to say about the Construction Issue in its decision, the following, I think, can be said:

    • Section 156 is a carefully calibrated balancing of the competing rights of protection for personal data and expression in relation to the special purposes.
    • It is not for the Tribunal to second-guess the balance struck by Parliament within the legislation.
    • Whether section 156 applies is a matter of fact that depends upon the exact processing with which the penalty is concerned.
    • Section 156 can apply to an ISP such as TikTok and it does not apply differently to ISPs from any other controller or processor.
    • For processing to be carried out for one or more of the special purposes there must be an intention for it to be processed for special purposes; incidental or accidental processing for special purposes is not enough.

    The Processing Issue

    The Tribunal addresses the Processing Issue at [98]-[130] of its decision. Here three distinct matters were considered: (i) what processing the penalty notice was issued in relation to; (ii) processing for the purposes of targeted advertising; and (iii) whether the findings in relation to transparency were processing.

    Under reference to paragraphs 37, 59, 62, 90, 157, 158, 177, 201(i), 201(b) and 208 of the Penalty Notice, the Tribunal concluded that the notice “read as a whole, was given in relation to the alleged unlawful processing by TikTok of the personal data of Underage Children.” [108] The Tribunal said that this was at “the very heart of the reasoning” in the notice. [108] TikTok had sought to argue, under reference to paragraphs 5(b) and 28 of the notice, that the penalty notice concerned the processing of personal data of all of its UK users. In relation to paragraph 5(b), the Tribunal concluded that this set out the background to TikTok, how it works and the basic regulatory context. [100] The Tribunal did “not find that paragraph 5 is determinative of what the MPN relates to.” [100]

    In relation to paragraph 28 of the penalty notice, the Tribunal found that it “was not addressing the specific processing for which the MPN was given, it was setting out background and concerns re harmful content for children under the age of 13.” [102]

    TikTok had also argued that it was impossible to divorce the notice from the processing undertaken by them for the purposes of delivering its services to its users. It argued that the processing attacked in the penalty was an integral part of delivering its services to all its users. The Tribunal was unpersuaded by this. The Tribunal noted that in terms of TikTok’s terms of service, children under the age of 13 are not permitted to be on its platform. Therefore, the Tribunal stated that it cannot be said that the processing activities attacked by the Commissioner in the penalty notice were in relation to a service being delivered to all of TikTok’s users; children under 13 are not permitted to be users of the platform. [109]

    The Tribunal therefore held that those parts of the notice which dealt with what the Commissioner found to be violations of Articles 5 and 8 of the GDPR related to the processing of personal data by TikTok in relation to “Underage Children.” [110] It pointed out that whether the processing amounts to breaches of Articles 5 and 8 is outwith the scope of the preliminary issue being addressed in its decision. [110]

    On the targeted advertising question, the Tribunal was “satisfied that at least some of the processing which the MPN is concerned is processing of personal data of Underage Children in connection with the provision of targeted advertising.” [115] The Tribunal held that the notice “was explicitly concerned with the processing of” targeted advertising. [116] TikTok had argued that the notice had dealt with targeted advertising only very briefly and had made no effort to identify the specific targeted advertising operations which were in issue nor any harm that flowed therefrom. These are, however, matters for the substantive hearing and went beyond what the Tribunal required to determine in the context of the hearing on the preliminary issue. [117]

    In relation to the transparency matters, the Commissioner had argued that this aspect of the notice could not fall within the ambit of section 156 because that section only applies where a penalty notice is given in respect of the processing of personal data. The Commissioner argued that Articles 12(1) and 13 do not impose a duty to process personal data in any particular way; rather, they were concerned with information that controllers have to provide about the processing of personal data. On the other hand, TikTok had argued that the transparency obligations could not be detached from any particular processing operation that was underlying them. They had argued that it was necessarily anchored to the processing operations to which the duty related.

    The Commissioner submitted to the Tribunal that it was not for them to determine whether Articles 12 and 13 could be said to relate to any processing; what section 156 required the Tribunal to consider was whether, in this case, the penalty notice was given in respect of processing of personal data for special purposes.

    The Tribunal held that “the sections dealing with Articles 12 and 13 were not given in respect of breaches of processing of personal data but given with respect to breaches of procedural obligations.” [125] and [130] The Tribunal did accept, however, the submission by TikTok that Articles 12 and 13 arise in connection with the processing of personal data [129] but considered, in agreement with the Commissioner’s submission, that this does not mean that Articles 12(1) and 13 “regulate the processing of personal data.” [129]

    Comment on the Processing Issue

    This section of the Tribunal’s decision is not one from which wider principles can necessarily be drawn as it was very much concerned with the specifics of this case rather than anything much more fundamental. There is an interesting discussion around the nature of transparency information and its relationship with processing; however, the issue for the Tribunal, at least at this stage, was a much more narrow one.

    I do not think that the conclusions at [109] of the decision, to the effect that children under the age of 13 who are on TikTok are not its users, are particularly persuasive. That part of the Tribunal’s decision, in contrast to other aspects of it, seemed weak. The parties will have no doubt said much more to the Tribunal in submissions than was captured in the Tribunal’s decision, but regardless of that (on the assumption that the Tribunal has set out the parties’ submissions in sufficient detail to ensure that the decision is intelligible) it doesn’t seem to me to be the strongest of the Tribunal’s conclusions.

    The Tribunal certainly agreed with some of TikTok’s criticisms of the parts of the notice that this issue concerned; however, it did no more than agree with the observations. What effect this has on the overall notice wasn’t a matter for the Tribunal at this stage and so we shall have to wait until the Tribunal issues a decision on the substantive aspects of the appeal to see what effect, if any, these deficiencies have in relation to the notice.

    Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.

  • Bundle Wars: FTT Directions, the ICO, and the Upper Tribunal’s Take

    July 2nd, 2025

    Decisions by the Upper Tribunal on whether to grant or refuse permission to appeal to it are rarely of any note; however, last month Upper Tribunal Judge Wikeley directed that his decision on the Information Commissioner’s application for permission to appeal to the Upper Tribunal against case management directions of the First-Tier Tribunal be given a neutral citation in order that it could be published.

    The application for permission to appeal related to directions made by the First-tier Tribunal concerning who was to make up the bundles in an appeal by the Department for Health and Social Care (DHSC) against one of the Commissioner’s decisions. Two sets of directions had been made in relation to the bundles; the last of which clarified that the Commissioner (as respondent) was to make up the open bundle and the DHSC (as appellant) was to make up the closed bundle. The requester, Access Social Care, did not participate in the hearing before the Upper Tribunal.

    The Commissioner was, in effect, challenging the application of guidance issued by the General Regulatory Chamber in relation to bundles, known as the Bundles Guide. This guidance applies to the full range of cases heard by the GRC and not just those within the Information Rights jurisdiction. At 2.1 the guide states:

    “In this Tribunal, because the Respondent (the regulator) is a public body and is usually represented by legal professionals or other officials, they will normally be expected to put together the bundle and send it to you and the Tribunal. Even though you will not usually be expected to produce a bundle, you might still find it helpful to read the Notes for Bundle Providers section below.

    Sometimes the Respondent may ask the Tribunal to direct that you should provide the bundle, but that is unusual. If that happens a decision will be made by a Tribunal registrar or judge, after considering any comments you have.”

    The expectation that the regulator will prepare the bundle in appeals is also repeated at the beginning of Part 3 of the guide.

    The Commissioner was taking issue with the directions in this case on two fronts. The first was that the FTT judge had failed to give reasons for her direction and had misdirected herself as to the relevant law. The second was that the Judge’s direction was unreasonable and contrary to the overriding objective. The Upper Tribunal held a “rolled-up” hearing in relation to the application for permission to appeal.

    Ground 2

    The Upper Tribunal first turned to the second ground of appeal by the Commissioner. The Commissioner argued that, in this case, the DHSC should have been required to prepare the bundles. Counsel for the Commissioner advanced four arguments in support of this: (1) the DHSC was a well-resourced public body which was represented by legal professionals; (2) the DHSC had access to all the relevant documents; (3) it was the choice of the DHSC to bring the appeal whereas the Commissioner had no choice but to be a party; and (4) that if the DHSC had instituted judicial review proceedings, it would have borne the burden of preparing the bundles.

    The Upper Tribunal found none of these arguments to be persuasive. In relation to the first argument, the UT Judge said that the “argument assumes that the explanatory consideration in paragraph 2.1 of the Bundles Guide necessarily underpins the usual expectation in Part 3 that the regulator prepares the bundles.” [27] The UT Judge pointed out that Part 2 of the guidance was confined to giving guidance to unrepresented parties whereas Part 3 applied across all of the GRC’s jurisdictions. [27] The UT Judge further went on to state that the guide set out “clear delineation of the default (and usual but not immutable) position of the regulator’s responsibility for bundle preparation.” [27]

    In relation to the second argument advanced by counsel for the Commissioner, the UT Judge held that it was “simply not correct” [28]. Counsel for the DHSC had argued that no single party had access to all the documents. In FOI cases, there would usually be correspondence passing between the requester and the Commissioner that the public authority sees for the very first time in the hearing bundle. [28]

    Turning to the third argument advanced on behalf of the Commissioner, the UT Judge noted that in every FOI appeal before the First-tier Tribunal the Commissioner is a “conscript rather than a volunteer”; that is the case whether the appellant is the requester or the public authority. [29] Under reference to Browning v IC and Department for Business, Innovation and Skills and Greenwood v IC and the Commissioner of the Police for the Metropolis the UT Judge concluded that this position reflected the Commissioner being the effective statutory guardian of the Freedom of Information Act 2000. [29]

    Finally, addressing the fourth argument advanced on behalf of the Commissioner, the UT Judge considered that it didn’t take the Commissioner’s argument anywhere. The UT Judge stated that “[t]he FTT jurisdiction is consciously different from Part 54 CPR proceedings, and in any event in the latter arena the Department would be at risk of all costs and not just the cost of producing the bundle.” [30]

    The UT Judge made it clear that what the Upper Tribunal was faced with in these proceedings was not an application for judicial review of the bundle guidance by the Commissioner [31] (which would be very much out of time, the bundle guide having been issued by the GRC President more than a year ago). What the Upper Tribunal was concerned with here was the much narrower question as to whether the direction in relation to the preparation of bundles in this specific case was plainly wrong. [31]. The UT Judge concluded that he did “not regard it as arguable that the FTT’s bundles direction was Wednesbury unreasonable.”

    The Commissioner’s challenge to the directions, insofar as it was based on the overriding objective, was equally unsuccessful. Here, it was argued on behalf of the Commissioner that the First-tier Tribunal had essentially disregarded rule 2(2)(a) of the Tribunal’s rules of procedure which required the Tribunal, as part of the overriding objective, to take account of the parties’ resources. In response to that argument, the UT Judge stated, at [33]:

    “There are at least three difficulties with this submission. The first is that the logical end-point of this submission is that the FTT should have considered the comparative budgets of the parties, a task which is completely unrealistic in practice. The second is that although consideration of resources is in very general terms relevant to the overriding objective, and underpins paragraph 2.1 of the Bundles Guide, it provides no real assistance in differentiating between the situation of the Information Commissioner and a central government department, each of which will face competing calls on their doubtless limited budgets to defend their decisions in litigation. The third is that in any event rule 2 mandates a multi-factorial assessment of competing considerations, not all of which may point in the same direction. The balancing of those considerations when making case management directions is quintessentially a matter for the good judgement of the tribunal charged with the conduct of the proceedings.”

    Ground 1

    The Commissioner’s reasons challenge did not fare any better. It was common ground that the FTT Judge had not given reasons at the time of giving the amended direction which required the Commissioner to produce the open bundle and the DHSC to produce the closed bundle. At paragraph [40], the UT Judge held that “[t]he default position, therefore, is that there is no categorical expectation in the statutory scheme governing the FTT’s procedural rules that reasons need to be given for a tribunal’s case management direction.”

    Having dealt with what the rules required, the UT Judge then went on to consider whether there was any basis in the case law for reasons being required. Counsel for the Commissioner had relied heavily upon the judgment of Underhill LJ in R (LND1 & Ors) v Secretary of State for the Home Department. Counsel for the Commissioner did recognise that the subject matter facing the Court of Appeal was very different from that which was before the Upper Tribunal. LND1 concerned whether an Afghan judge qualified to be relocated to the United Kingdom. It was a judicial review challenge to an administrative decision by the Home Office in a matter that could potentially be, quite literally, life and death for the Afghan judge concerned. The Court of Appeal’s judgment was consequently “of very limited assistance in the current proceedings.” [42]

    The UT Judge went on to consider the judgments of the Court of Appeal in Carpenter v Secretary of State for Work and Pensions and of the Upper Tribunal in KP v Hertfordshire CC (SEN) and Information Commissioner v Experian Limited. The UT Judge considered that the FTT Judge was dealing with a “tutored audience” who perfectly well understood where the battle lines were. The necessary and inevitable inference from the decision of the FTT Judge was that the submissions for the DHSC had been preferred for the reasons that it had given in its submissions. [48]

    Permission to appeal was therefore refused on both grounds.

    It is easy to see why the Commissioner might have taken this fight to the Upper Tribunal. His office is involved in a significant number of FOI appeals to the First-tier Tribunal every year. The default position is that in those cases his office bears the burden of making up the bundles. That takes time and there is therefore a cost associated with it in a jurisdiction where costs/expenses are typically not recoverable. If the Commissioner could shift that cost in at least some of the cases away from his office onto others, then that would represent a saving to his office’s budget.

    However, it is also equally easy to see why the bundle guidance is what it is. Taking Information Rights cases as an example, in that jurisdiction many of the appeals are brought by requesters who are invariably not legally represented (if they are represented at all). Tribunals are supposed to be more informal, more flexible and less complicated than the courts and so, there is a justification for removing the burden of producing a bundle from individuals who know little about how courts and tribunals work and may, in the days of electronic bundles, lack software to put together a bundle. This is particularly true in a jurisdiction which is of constitutional importance.

    The Bundle Guide lays down a default position, but it is not a position that cannot be changed in an appropriate case. The UT recognised that it was not an immutable position at [27]. It remains open to the Commissioner to suggest to the First-tier Tribunal that a public authority appellant ought to produce the bundles in such cases and the Tribunal retains the discretion to make such a direction. However, if the Tribunal chooses not to then it’s not going to be a decision that is open to challenge with any great prospect of success. So, for now at least, the Commissioner appears to be stuck with the burden of making up bundles in all, or at least nearly all, FOI appeal cases before the First-tier Tribunal.

    Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.

  • Pleading data protection claims: A Scottish perspective

    June 30th, 2025

    Judgments from the Scottish courts in relation to data protection cases are much rarer than they are from other jurisdictions in the United Kingdom, but last week a judgment, from April, was published in relation to an action raised in Lanark Sheriff Court against the Chief Constable of the Police Service of Scotland under sections 167 and 169 of the Data Protection Act 2018 and at common law. The pursuer (Mr Prentice) had raised proceedings against the defender (the Chief Constable) seeking:

    • a declarator that the defender had failed to comply with her statutory obligations under section 45(1) and (2) [of the Data Protection Act 2018] to fully and properly respond to subject access requests made on 17 November 2021, 22 February 2022, 31 July 2023 and 11 September 2023.
    • a compliance order under section 167 of the Data Protection Act 2018
    • damages of £5,000 for damage and distress suffered as a result of the defender’s failure to respond to the pursuer’s subject access requests.

    The judgment followed a debate at the instance of the defender who sought to argue that the pursuer’s case was bound to fail and that it should be dismissed. A debate focusses on the pleadings and an action will only be dismissed after debate in circumstances where the pursuer is bound to fail even if they prove all that they offer to prove; it is a relatively high bar to meet. There was mixed success with only the issue of a compliance order being allowed to proceed to proof (for those not familiar with Scots law, a hearing on the merits of the action at which parties lead evidence).

    It is a useful case as it considers pleadings in data protection cases from a Scottish perspective where pleadings take on a specific and important role and about which there are many important rules.

    Turning first to the issue of declarator, the Sheriff determined that the crave for declarator was incompetent. At paragraph [43] the Sheriff encapsulates the Scots law in relation to declarators, stating:

    “As per MacPhail, at Chapter 20 and Walker at Chapter 8, a crave for declarator is one which seeks that a right be declared in favour of the pursuer, or that it declares non-existent what appears to be an existent right.  The pursuer must have an interest in the declarator sought, and the court will only grant a declarator in respect of a live, practical issue.  It is incompetent to bring an action to have a fact declared which has no legal consequences for the pursuer, or to seek a judicial opinion on an abstract question of law.  Similarly, to do so where the right is not challenged, or doubted (Walker at page 105, MacPhail 20.01, Scott v Kate Frame (ibid) paragraph 88).”

    The Sheriff continued, at para [44]:

    “Crave 1 of the application does not seek a declarator of the rights provided by section 45 of the 2018 Act.  What is sought amounts to a finding in fact and law that on specified dates the defender failed to comply with her obligations in terms of that section.  That is not a competent declarator. (…) As per Walker, MacPhail and Scott v Kate Frame the court should not make declarators of rights which are not doubted.  The existence of section 45 rights, their availability to the pursuer, and the concurrent obligations they impose on the defender are not challenged in this case.  What is challenged is the pursuer’s assertion that the defender failed to comply with her obligations.”

    Here we have a clear expression from the Sheriff that seeking a declarator from a Scottish court that a controller has failed to comply with their statutory obligations under the Data Protection Act 2018 is incompetent. This is only a first instance decision that is not binding upon any other court in Scotland; however, this doesn’t seem to me to be a controversial position for the Sheriff to have arrived at. The function of a declarator is to declare that someone has a right or that a right that appears to exist does not, in fact, exist. There is, and must be, some practical effect to the pursuer seeking the declarator (such as establishing that they have a particular right or that a right that appears exercisable against them is not, in fact, exercisable against them).

    A declarator that a data subject has a right to have their subject access request responded to by the controller would do nothing more than state what the law already clearly provides. Where a data subject has made a subject access request which has not been responded to by the controller (or where the data subject contests some or all of the exemptions applied by the controller when responding to the request), data protection law provides two remedies: firstly, a complaint to the Information Commissioner and secondly, an application to the court for a compliance order. A declarator would do nothing for the pursuer in that it would not, nor could it, force the controller to address any deficiency in their handling of the subject access request.

    Turning to the pursuer’s third crave, which was for damages in the sum of £5,000, this was dismissed by the Sheriff on the grounds of a lack of specification. In Scots law, a party is entitled to know the case that they must meet and so sufficient facts must be pled by each party to give the opponent fair notice of their respective cases. At paragraph [53] of his judgment, the Sheriff sets out what was lacking in respect of the pursuer’s averments concerning his claim for damages. The Sheriff states:

    “Section 169(5) of the Act defines damages available under the Act as including financial loss and damage not involving financial loss, such as distress.  Those heads of claim are identified in the averments but not in a way that provides fair notice.  The existence of distress, stress, anxiety, and frustration, are all averred, but no averments are provided as of how, or when, or where, they manifested themselves.  The financial loss (styled as “detriment” by the pursuer) is averred to be the instruction of solicitors, however the legal expenses incurred are not specified at all.  Neither do the averments as to the purported “disadvantage” suffered during the successful appeal against the revocation of the pursuer’s firearm license explain the loss suffered, if indeed this head of claim is available as per section 169(5) at all.”

    It is of note that right at the very end of this paragraph, the Sheriff raises some doubt as to whether some of the “disadvantage” the pursuer had allegedly suffered was something that could be competently claimed in an action under section 169 of the Data Protection Act 2018. However, the Sheriff dismissed the pursuer’s third crave on the basis of a lack of specification, rather than on any question of the competency of the remedy sought. It would seem from the Sheriff’s judgment that despite the Record (the document which brings both parties’ pleadings together) running to 38 pages there was little in the way of specification in relation to the sum sought for damages. It seems that it was not clear how much of the £5,000 was attributable to financial loss and how much was attributable to non-financial damage such as distress. It also appears, from the terms of the Sheriff’s judgment, that there was nothing about how each head of claim had been calculated (see, for example, the reference to there not being specification of how much the legal fees referred to in the pursuer’s pleadings were).

    The defender’s challenge to the averments supporting the second crave (for a compliance order under section 167) was not successful. The defender contended that the 17 November 2021 communication was not a subject access request. The Sheriff was directed to no authority which would enable the court to determine that issue at debate and took the view that the matter was one for proof [46]. More generally, the Sheriff took the view that the pursuer’s case that the exemptions were not properly applied was not bound to fail. At paragraph [51], the Sheriff stated that he “was persuaded that there was sufficient information and circumstances pled pertaining to the subject access requests to allow the court to consider finding in facts that the exemptions were not properly applied.” The Sheriff went on to state, at paragraph [51], that “crave 2 would not necessarily fail if all of the pursuer’s averments pertaining to it were proved.” That is, of course, not to say that the pursuer will surely succeed, only that he is not bound to fail.

    In relation to the data protection case, the pursuer appears to have been unrepresented throughout and the Sheriff has addressed the issue of equal treatment at paragraphs [55] – [57] of his judgment under reference to the judgment of the UK Supreme Court in Barton v Wright Hassall LLP and the opinion of the Sheriff Appeal Court in Royal Bank of Scotland PLC v Aslam.

    Overall, a rare and interesting data protection judgment emanating from Lanark Sheriff Court. The importance of properly framing pleadings in any civil case in Scotland, including data protection claims, cannot be overstated. A poorly drafted data protection case can come unstuck at an early stage and result in a data subject being unable to even attempt to prove their case against the controller.

    Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.

  • Transparency Recast: How the Freedom of Information Reform (Scotland) Bill could change FOI in Scotland

    June 6th, 2025

    On Monday 2 June 2025, Katy Clark MSP introduced her long-awaited Freedom of Information Reform (Scotland) Bill into the Scottish Parliament.

    Katy Clark MSP, a Member of the Scottish Parliament for the West of Scotland, opened a consultation in November 2022 on a proposal to introduce a Member’s Bill to the Scottish Parliament to amend the Freedom of Information (Scotland) Act 2002 (FOISA). That consultation closed on 14 March 2023, extended from 2 February 2023 to coincide with the Scottish Government’s own consultation. A total of 96 responses were submitted to the consultation spanning the public, private and third sector as well as academics, professionals with relevant experience and members of the public. The analysis of the consultation response can be found on the Scottish Parliament’s website here. The consultations by Katy Clark MSP and the Scottish Government followed on from the post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002 carried out by the Parliament’s Public Audit and Post-legislative Scrutiny Committee between 2019 and 2020; this, in turn, followed on from a vote in the Scottish Parliament in June 2017. It has, in short, taken almost 8 years to get to this stage. FOISA was last amended by the Freedom of Information (Amendment) (Scotland) Act 2013.

    The Bill contains a number of important proposals; however, it should be borne in mind that this is not a Government Bill. The SNP administration is a minority administration and so they would need at least one other party to vote with them to defeat the Bill (more if it was only the Alba Party and/or the independent MSP who voted with them to defeat the Bill). The proposal to introduce the Bill was supported by MSPs from three of the opposition parties. No SNP MSP supported the proposal to introduce the Bill.

    General entitlement

    The Bill proposes inserting a new subsection (5A) into section 1 of FOISA which would, if adopted by the Scottish Parliament, require a public authority to apply a presumption in favour of disclosure when considering a qualified exemption (i.e. one that is subject to the public interest test). This would bring FOISA into line with the Environmental Information (Scotland) Regulations 2004, which govern access to environmental information held by Scottish public authorities and which provide for such a presumption in Regulation 10(2)(b).

    The Scottish Government has previously taken the view that such an amendment is not necessary because there is already a presumption in favour of disclosure inbuilt within FOISA. However, the Court of Session held otherwise (for full disclosure, I appeared for the unsuccessful appellant in that case, which can be seen on the face of the court’s opinion) and permission to appeal to the Supreme Court was refused. The decision of the Court of Session means that, contrary to the view of the Scottish Government, there is no such presumption (a view which they continued to express in December 2023 (para 83), after the Court of Session had resolved the question). If the Scottish Government is of the view that there ought to be such a presumption in FOISA, or that it was the intention of Parliament when it legislated in 2002 that there was to be such a presumption, then it is difficult to see how they could not support this proposal unless they are proposing their own amendments in their own Bill.

    Designation of Scottish public authorities

    There are a number of ways in which people or bodies not covered by FOISA can be covered. The first is for the person or body to be added to Schedule 1 (as typically happens when new public bodies are created by statute), either in primary legislation or through section 4 of FOISA. The other is by way of an order under section 5 of FOISA.

    The Bill would insert a new section 5A into FOISA which would establish another new way of designating Scottish public authorities: parliamentary resolution. This power would apply where the person is neither listed in Schedule 1 nor capable of being added under section 4, and is neither a public body nor the holder of any public office. Furthermore, the person would need to either appear to be exercising functions of a public nature or be providing, under a contract made with a Scottish public authority, any service whose provision is a function of that Scottish public authority.

    This provision is, as the policy memorandum confirms, to enable the Scottish Parliament “to take the initiative on the pace and detail of designation” while ensuring that “designation is measured, understandable and enforceable.”

    This appears to be a novel provision whereby Parliament could designate a person as a public authority without the need to pass an Act of the Scottish Parliament. There is a requirement for prior consultation by a committee or sub-committee before Parliament makes such a resolution.

    Publicly-owned companies

    The Bill contains a provision to fix a lacuna in relation to publicly-owned companies. The Bill would mean that companies which are owned by the Scottish Ministers and any other schedule 1 authority (except where such an authority is listed only in relation to information of a specified description) would be a Scottish public authority.

    Pro-active publication

    The publication scheme model adopted by the Freedom of Information Act 2000 and FOISA has often been criticised as being out-dated and not going far enough when it comes to pro-active publication. This Bill, if passed into law, would amend FOISA by repealing the sections relative to publication schemes and instead create a duty upon Scottish public authorities to take reasonable steps to “(a) organise and keep up to date the information, relevant to its functions, which it holds, and (b) make that information available to the public in an accessible form and manner.” In doing so, Scottish public authorities would be required to have regard to a statutory code of practice issued by the Scottish Information Commissioner (and any revised version thereof).

    Compliance with this new code would be policed by the Scottish Information Commissioner who would gain enforcement powers in relation to this new code of practice (along with the existing codes of practice issued under sections 60 and 61 of FOISA).

    Freedom of Information Officers

    The final proposal in the Bill that I wish to look at in this post (there are, of course, more proposals in the Bill) is the one to require Scottish public authorities to appoint a Freedom of Information Officer. This proposal is based on the role of the Data Protection Officer in the UK GDPR.

    The policy memorandum states that the “objective is to embed a professional culture, underpinned by sufficient resource and authority, within organisations when it comes to handling requests and publishing information.” The policy memorandum also points to the requirement under section 1(2) of the Public Records (Scotland) Act 2011 as support for this proposal.

    As stated at the outset of this post, the Bill has not been introduced by the Scottish Government (which previously ruled out primary legislation in its response to the consultation that it held on FOI reform) and so it is not guaranteed to become law. Bills introduced by back-bench and opposition MSPs typically have a greater chance of success than their equivalents (Private Members’ Bills) do in the UK Parliament. Furthermore, the current Scottish Government is a minority administration, which also increases the Bill’s chances. However, MSPs from only three parties represented within the Scottish Parliament supported the proposal for the Bill.

    The next elections to the Scottish Parliament are scheduled for May 2026 so it will be interesting to see whether this Bill makes it through Parliament during what is the final gasp of this session of the Scottish Parliament and what it looks like should it become an Act of the Scottish Parliament.

    Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.

  • Privilege without purpose: Law firm fined by Information Commissioner following cyber-attack

    April 16th, 2025

    In the recent past there has been a spate of law firms falling victim to cyber-attacks. In August 2024, the Law Society Gazette reported that the number in the UK had risen from 538 to 954. Law firms remain vulnerable to cyber-attacks, not just in relation to client accounts but also in relation to IT systems storing client files.

    In 2022, DPP Law, based in Bootle with additional offices in Birmingham, Liverpool, London and Tolworth, was subject to a cyber-attack which resulted in 791 client files being uploaded onto the dark web; this included files in relation to criminal cases, family and matrimonial cases as well as actions against the police. On 14 April 2025, the Commissioner served a penalty notice (“PN”) on the law firm in the amount of £60,000 having found that the firm breached Articles 5(1)(f) and 33 of the UK General Data Protection Regulation. In doing so, the Commissioner had regard to the judgment in VB v Natsionalna agentsia za prihodite (Case C-340/21) [2024] 1 WLR 2559 that the fact that a cyber incident took place is not sufficient to make a finding that a controller has infringed Articles 5(1)(f) and 32 (see PN §38).

    At the core of this breach was a user account which had access privileges far greater than was necessary. The account was an administrator account for a legacy case management system. The account had a limited role on the firm’s network; however, it had full administrator rights across the network. The firm had been aware of the existence of the account for at least 11 years prior to the cyber-attack, but did not know the password and could not reset it – the password was only known by a third-party supplier. The legacy case management system was taken out of service in 2019 and the service agreement with the new supplier in relation to the legacy system account came to an end in 2021. This period seems to have been insufficient to meet the terms of the firm’s data retention policy, because the firm argued that the system remained operational as it still required access to data in the legacy system. The firm appears from the terms of the penalty notice to have attempted to minimise its own role in the incident and shift blame onto its external IT suppliers. This apparent argument was given short shrift by the Commissioner. The full penalty notice is worth reading as it contains a number of useful lessons for not just law firms, but all data controllers.

    The way in which the Commissioner calculated the penalty that it imposed is also worthy of consideration. The Commissioner does not issue that many financial penalties for breaches of the UK GDPR or Data Protection Act 2018, so it is always useful to gain an insight into how it applies its policy in practice. The Commissioner adopts a five-step approach, and this is dealt with at §§ 135-164 of the PN. Taking into account the seriousness of the contraventions and the firm’s turnover, the Commissioner determined that the starting point for computation of the penalty was £23,800. This represented 0.68% of the firm’s turnover for the 2023/24 financial year. In terms of aggravating and mitigating factors, the Commissioner decided that there were no mitigating factors and that there were no aggravating factors which merited adjustment of the amount.

    However, the Commissioner determined that a penalty of £23,800 would be neither effective nor dissuasive (see PN §157). The Commissioner considered that a penalty of £60,000 would be more appropriate, which would represent 1.7% of the firm’s turnover for the 2023/24 financial year (PN §160). The firm sought to argue that the Notice of Intent (which was in the sum of £60,000) was not in line with the Penalty Notice issued to another firm of solicitors in 2022 and sought to argue that a penalty of £20,000 would be more appropriate. The Commissioner rejected this position for a number of reasons, including that the 2022 penalty notice was calculated under previous guidance for calculating monetary penalties and that it is not appropriate to compare enforcement action in previous cases because each case turns on its own individual facts and circumstances (PN §163(a)). Furthermore, in calculating the fine to be imposed, due regard had to be given to all of the factors set out within Article 83(2), and these differ between cases, requiring consideration on the facts of each individual case (PN §163(c)).

    The controller has 28 days to appeal the PN and/or the amount imposed in the PN to the First-Tier Tribunal or must pay the penalty by 19 May 2025.

    Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.

  • FOI Information Notices: Insights from the First-Tier Tribunal

    March 13th, 2025

    Earlier this week, the First-Tier Tribunal issued a decision in relation to two appeals against information notices served on the Cabinet Office by the Information Commissioner in relation to requests by journalists connected to the Good Law Project and the Times.

    The first appeal arose out of a request made by someone described as a journalist at the Good Law Project for the name of the investment fund based in the United States of America that had been operating a blind management or trust arrangement in relation to the former Prime Minister, The Rt. Hon Rishi Sunak. The second appeal concerned a request for information made to the Cabinet Office by a journalist at the Times which sought disclosure of the then Prime Minister’s full declaration of interests document, including all the interests submitted to the Independent Adviser on Ministerial Interests as at the date of the request for information.

    In relation to both requests, the Cabinet Office had withheld the information and the respective requesters had complained to the Information Commissioner under section 50 of the Freedom of Information Act 2000.

    As is standard practice for the Commissioner, the Cabinet Office was written to with various questions as well as a request to provide a full unredacted copy of the information that was held by the Cabinet Office which was in scope. The Cabinet Office refused to provide a full unredacted copy of the former Prime Minister’s completed ministerial declaration of interest documents. It did so citing the “hugely significant sensitivities in terms of personal data and potential security implications.” The Cabinet Office explained that the documents were “handled extremely carefully within government, with only a very small number of people having access to it, on a strictly need-to-know and ‘hard copy’ basis.”

    The Commissioner and the Cabinet Office then entered into correspondence and meetings took place between the Commissioner and a senior official from the Cabinet Office. The Commissioner then served information notices on the Cabinet Office pursuant to his powers under section 51 of the Freedom of Information Act 2000. The Cabinet Office exercised its right of appeal, under section 57(2) of the Freedom of Information Act 2000, against the Commissioner’s decision to issue the information notices.

    The first ground of appeal dealt with by the Tribunal (referred to as Ground 1A in the Tribunal’s decision) was that the Commissioner’s power to issue an information notice is subject to a requirement that he reasonably require the information. The Cabinet Office contended that the Commissioner had not identified any sensible basis upon which Parliament might have intended a different operation of section 51(1)(a) and section 51(1)(b). Section 51(1)(a) provides that where the Commissioner has received an application under section 50 he may serve an information notice on the public authority, whereas section 51(1)(b) confers a power upon the Commissioner to issue an information notice where he “reasonably requires” information (i) “for the purpose of determining whether a public authority has complied or is complying with any of the requirements of Part I” or (ii) “for the purpose of determining whether the practice of a public authority in relation to the exercise of its functions under this Act conforms with that proposed in the codes of practice under sections 45 and 46.”

    The Tribunal did not accept this proposition from the Cabinet Office. At [40], the Tribunal found “no ambiguity” and accepted “the proposition that what the Cabinet Office is seeking to do is to read words into a statute which are not there and which are not necessary for it to make sense.” The Tribunal continued, noting that there is a clear textual difference which can be seen by the use of the word “or” at the end of section 51(1)(a) and from the way in which the different duties had been separated out.

    In essence, the Tribunal was satisfied that where the information notice is issued in circumstances where the Commissioner had received a complaint under section 50, the only limitations on his powers to issue an information notice are the usual public law ones.

    The second ground considered by the Tribunal in its decision (referred to as Ground 1B in its decision) concerned the Cabinet Office’s contention that the Commissioner receiving and using the information would involve the unlawful processing of personal data. While the Tribunal accepted, at para [41], the contention that the Commissioner receiving the information and then using it to determine the section 50 complaints would amount to the processing of personal data under both the UK General Data Protection Regulation and the Data Protection Act 2018, it did not accept the submission on behalf of the Cabinet Office that (i) the processing by the Commissioner would not satisfy any of the conditions in Article 6(1) of the UK General Data Protection Regulation or (ii) that it would be unfair to the former Prime Minister in that it would be contrary to reasonable expectations of confidentiality that he had.

    At [49] of its decision, the Tribunal recorded that it had “no reason to doubt the acceptance that ministers would or should be aware of Freedom of Information legislation and of course on the way in which a request would be handled including the way in which a complaint would be handled by the Commissioner and his office and the applicable exemptions.” In other words, although ministers, such as the former Prime Minister, had a reasonable expectation of confidence in relation to the information, they would be aware that the contents may be the subject of requests for information and that it would likely be disclosed to the Information Commissioner were a complaint made concerning a refusal to provide information within the declarations of interests.

    The final ground of appeal dealt with by the Tribunal (referred to as Ground 2 in its decision), concerned the question of whether the Commissioner should have exercised his discretion to serve an information notice differently. The Tribunal noted that there was an overlap between this and what it refers to as ground 1B. The Tribunal began by finding, at [52], “that it would be an unusual case in which the Commissioner would simply accept a public authority’s assurance that the exemptions sought were made out.”

    The Tribunal concluded, at [63], that it would not be possible for the Commissioner to determine whether any of the exemptions relied upon were made out without an examination of the material. It is a core element of the Commissioner’s duties when dealing with a complaint under section 50 to consider whether any exemption cited by the public authority applies to any or all of the withheld information.

    Earlier in its decision the Tribunal had noted the terms of section 132 of the Data Protection Act 2018. That section prohibits, without lawful authority, the disclosure by the Commissioner or any member of his staff of information which (i) has been obtained by, or provided to the Commissioner, in the course of or for the purposes of discharging his functions, (ii) relates to an identified or identifiable individual or business and (iii) is not available to the public from other sources at the time of the disclosure and has not previously been publicly available from other sources. It also makes it an offence to knowingly or recklessly disclose such information (section 132(3)). This section provides a clear safeguard against the onward disclosure of information which has been provided in confidence to the Commissioner as part of his discharge of his functions under the Freedom of Information Act 2000.

    It had also been argued that the service of the information notices had been premature. The Tribunal determined, at [57], that it was not satisfied, on the evidence, that the request was premature. The Tribunal stated, at [57], that the information notices were only issued “after a sustained period of negotiation and in any event provided 30 calendar days for compliance.” The Tribunal also noted that the Cabinet Office had been given time to arrange for inspection of the information, which they had initially indicated was acceptable.

    The Tribunal dismissed the appeals against the information notices.

    The Tribunal had joined the Good Law Project as a party, but only in relation to what is described as the first appeal. The Tribunal considered that the submissions on behalf of the Good Law Project “added little of substance” to what had been said in the submissions on behalf of the Cabinet Office and the Information Commissioner and that much of the submissions made on behalf of the Good Law Project related to a matter that was “manifestly out with the scope of this appeal” (specifically the extent to which any exemptions might apply). Where an appeal has been brought against the service of an information notice, requesters may wish to consider whether they really need to be involved in such an appeal and what, if anything, they could realistically add to assist the Tribunal. Such an appeal does not really offer an opportunity to argue against the application of any exemptions or where the public interest lies in relation to maintaining any qualified exemptions.

    Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.
