Appeals Against an Enforcement Notice

October 3, 2022

Faced with an Enforcement Notice from the Information Commissioner’s Office (ICO), what is a data controller to do?

First and foremost, of course, and assuming the controller doesn’t believe it has any real grounds for challenging the notice, it should comply, fully and promptly.

The Notice will have specified a date by which the controller must have completed the various steps that it sets out.

As one might expect from any regulatory regime, there are consequences for non-compliance. In this case, failure to comply with an enforcement notice can result in a hefty (not to say eye-watering) fine of up to £17.5 million (or 4% of the undertaking’s global turnover, whichever is the higher).

But what should a controller do if it genuinely believes (probably on legal advice) that the decision is wrong?

The answer lies in section 162 of the Data Protection Act 2018. It provides a right of appeal to the First-tier Tribunal.

It’s important to prepare the grounds of appeal carefully so that the Tribunal can properly intervene and re-examine the ICO’s decision.

It is also important to act fast; the deadline for making an appeal is 28 days from the date the Notice was sent by the ICO.

Once the appeal has been submitted, the Tribunal can “allow the appeal” and say what was wrong with the enforcement notice, substitute its own decision (on the basis that it considers the ICO should have exercised its discretion differently), or dismiss the appeal altogether.

There are numerous examples of the Tribunal dismissing appeals simply because they cite the wrong statutory provision.

Identifying the right legal grounds for an appeal, writing the appeal submission itself and presenting it to the Tribunal in a way that is both authoritative and compelling are best left to the lawyers who specialise in the field.

Tim Heywood, FRSA is a partner at gunnercooke llp specialising in data protection, cyber and information law.