The First-tier Tribunal (FTT) has struck out an appeal brought by disability rights campaigner Doug Paulley after finding there was “no reasonable prospect” of establishing any procedural failing by the Information Commissioner in its handling of his data protection complaint.
In Paulley v Information Commissioner [2026] UKFTT 189 (GRC) , the FTT ruled that it had no jurisdiction to revisit the substance of the ICO’s decision and that the Commissioner had already issued a valid “outcome” to the complaint, placing the matter outside the scope of s.166 of the Data Protection Act 2018 (DPA).
Mr Paulley had complained to the ICO in July 2025 after a third-party controller refused his rectification request. Dissatisfied with the ICO’s response, he lodged an appeal in January 2026 seeking an order under s.166 requiring the Commissioner to take “appropriate steps” to investigate the matter further.
Section 166 of the Data Protection Act 2018 is a procedural remedy allowing a complainant to ask the Tribunal to require the ICO to take specific procedural steps where the Commissioner has failed to progress a complaint, failed to communicate required notifications, or failed to take “any steps at all” to address the complaint.
The ICO applied to strike out the appeal, arguing that the Tribunal lacked jurisdiction and that the claim had no realistic prospect of success.
S166 is regarded as a narrow provision and Judge Barrett reiterated the well‑established limits of s.166, citing Killock & Veale and subsequent authorities. The provision, he said, is “explicitly limited to the supervision of procedural matters rather than substantive ones” and cannot be used to challenge the merits or adequacy of the Commissioner’s investigation.
The Tribunal noted that the ICO had provided a substantive outcome on 14 January 2026, explaining its investigation and confirming that no further regulatory action would be taken.
Mr Paulley argued that the ICO had failed to investigate properly, but the Tribunal found this “completely untenable”, holding that the Commissioner enjoys a wide discretion as to the extent of any inquiry and that the investigation need not align with the complainant’s expectations.
Judge Barrett also observed that the dispute stemmed from a “fundamental misunderstanding” of how the right to rectification applies to “opinion data”, and that the appellant’s procedural arguments were, in substance, an attempt to challenge the outcome itself.
The judgment emphasised that s166 is a “forward‑looking” remedy aimed at addressing ongoing procedural defects and that once the ICO has issued an ‘outcome, the Tribunal cannot order retrospective steps that would effectively reopen or alter that outcome. Challenges to the legality or rationality of an ICO decision must be brought by judicial review in the High Court, the FTT added, while any attempt to enforce rectification against the controller must be brought separately under s167 DPA in the County Court or High Court.
Concluding that the complaint process was complete and that the Tribunal had no power to revisit the substance of the ICO’s decision, Judge Barrett struck out the appeal under Rule 8(3)(c) of the Tribunal Procedure Rules.
