The FTT has just delivered two concise and punchy, procedural reminders: s166 DPA 2018 appeals are strictly for procedural challenges, not for re-running a losing data protection complaint, writes Aaron Moss.
The twin decisions in Razak v Information Commissioner [2025] UKFTT 1086 (GRC) and Bryden v Information Commissioner [2025] UKFTT 1130 (GRC) confirm that if the Information Commissioner (ICO) decides not to act on your complaint, the FTT’s job is to check the ICO’s homework, not to substitute its own judgment on the data controller’s compliance. For Appellants, this procedural straightjacket is tightening.
Razak: Disagreement isn’t an error of law
In Razak, the Appellant was simply unhappy with the ICO’s conclusion. She fundamentally disagreed with how the Commissioner assessed the facts of her case against the data controller.
The FTT swiftly shut down this approach. It reiterated the established principle that the s166 appeal against a ‘no-action’ decision is not a merits review. The FTT isn’t there to substitute its judgment or tell the ICO how to run its enforcement shop.
Unless the Appellant can demonstrate that the Commissioner’s process was so deeply flawed—say, by misinterpreting a key legal term or failing entirely to consider a major part of the complaint—the appeal won’t get off the ground. Disagreement with the outcome? That’s not a procedural flaw, it’s just disagreement.
Bryden: The bar for “materiality” is high
Bryden presented a slightly more nuanced attempt, with the Appellant alleging various procedural defects in the ICO’s handling of evidence and correspondence. While the FTT accepts that the Commissioner can, of course, make procedural errors, Bryden confirms that those errors must meet a high bar of materiality.
It’s not enough to point out minor administrative hiccups or sloppy drafting in a letter. The Appellant has to show that the alleged procedural error was so fundamental that, had the Commissioner acted correctly, the ‘no-action’ decision would have been realistically different. If the FTT concludes that the ICO was always going to reach the same result, regardless of the procedural misstep, the appeal fails. Don’t miss the wood for the procedural weeds.
The final word
These two cases are a clear warning: the FTT will not allow its procedure to be used as a backdoor route for a merits-based assessment of a data breach complaint. If the Commissioner has exercised their discretion reasonably and followed a sound process, the Tribunal will back that decision.
Aaron Moss is a barrister at 5 Essex Chambers.
