This website uses cookies

This website uses cookies to ensure you get the best experience. By using our website, you agree to our Privacy Policy

Sign Up for our Free Newsletter
Solictors Journal logoSolictors Journal logo

Heather Peto vs The Information Commissioner

Case Notes
Share:
Heather Peto vs The Information Commissioner

By

High Court dismisses judicial review application concerning GDPR enforcement and potential prosecution threats

Background and Legal Context

The High Court recently ruled on a judicial review application brought by Heather Peto against the Information Commissioner. The case centred on two primary issues: the alleged threat of prosecution under the Data Protection Act 2018 and the Information Commissioner's decision not to prosecute a data controller for GDPR breaches.

Claimant's Position

Heather Peto, acting as a litigant in person, challenged the Information Commissioner's stance on prosecuting her under section 170 of the Data Protection Act 2018. She argued that she faced a threat of prosecution if she informed 120 individuals about breaches of their GDPR rights. Additionally, she contested the Commissioner's decision not to prosecute the data controller responsible for the alleged breaches.

Defendant's Position

The Information Commissioner, represented by Mr Leo Davidson, maintained that the warning given to Peto was a genuine expression of the legal position under the Act. The Commissioner argued that the decision not to prosecute was based on insufficient evidence and fell within the discretion afforded to the office as a specialist body.

Judgment Overview

Mrs Justice Stacey delivered the judgment, dismissing Peto's application. The Court found that the warning regarding potential prosecution was a legitimate expression of the law and not a definitive threat. The Court also upheld the Information Commissioner's decision not to prosecute, citing a lack of compelling evidence and the broad discretion granted to the Commissioner.

Analysis of the Court's Decision

The Court emphasised the hypothetical nature of Peto's concerns about prosecution, noting that any determination of legality would depend on specific future actions and circumstances. The Court also highlighted that the Information Commissioner’s decision-making process was not irrational or unlawful, given the evidence presented.

Implications for Data Protection Enforcement

This ruling underscores the challenges individuals face when contesting prosecutorial discretion in data protection matters. The judgment reinforces the notion that the Information Commissioner has wide latitude in determining whether to pursue legal action against alleged data breaches.

Costs and Further Proceedings

The Court ordered Peto to pay the Information Commissioner's costs, amounting to £1,620, within 56 days. The Court acknowledged Peto’s limited means and health conditions but found the costs reasonable given the complexity of the case.

Conclusion

The case highlights the complexities involved in GDPR enforcement and the limited scope for judicial intervention in prosecutorial decisions. The judgment serves as a reminder of the evidentiary burdens required to challenge decisions made by regulatory bodies.

Learn More

For more information on data protection, see BeCivil's guide to English Data Protection Law.

Read the Guide