Jashu Vestani (Appellant) – Court Ruling (United Kingdom, 2023)

On 2 November 2020, Capital Letters (London) Limited informed its employee, Jashu Vestani, that he was the victim of a data breach affecting the company. Mr. Vestani later experienced cyber attacks and other fraudulent activities which he concluded had resulted from Capital Letters' data breach. On 4 January 2023, Vestani submitted a complaint about the data breach to UK DPA - the Information Commissioner's Office (ICO). On March 14, 2023, the ICO decided not to investigate the complaint further, due to lack of evidence directly linking the attacks to the breach. On 23 June 2023, Vestani appealed the ICO's decision to the First-Tier Tribunal. The ICO argued that under Section 166 of the Data Protection Act, the Tribunal cannot examine the underlying merits of the original complaint, only whether the ICO took appropriate action. As the expert regulator, the ICO has wide discretion in handling complaints that the Tribunal cannot override without evidence of mishandling. The core legal dispute centred on the scope of the Tribunal's authority to review the ICO's processing of data breach complaints and whether it can evaluate the regulator's decision itself or merely the appropriateness of internal procedures followed. The First-tier Tribunal decided that it can only review the actions of the ICO carrying out its obligations under section 165 of the UK Data Protection Act 2018, as empowered to do so by section 166 of the UK Data Protection Act 2018. The Commissioner has wide discretion as the expert regulator in complaint investigations. The Tribunal held its role was limited under the law to assessing the “appropriateness” of steps taken by the Commissioner, not re-examining the actual merits or substance of Mr. Vestani’s complaint itself. Accordingly, the Tribunal struck out the application.