Section 166 DPA 2018: McDonnell and the Tribunal Jurisdiction Boundary

In short: Section 166 DPA 2018 is the only route a data subject has to take the Information Commissioner to a tribunal over how the Commissioner handles a complaint. McDonnell [2026] UKFTT 524 (GRC), 9 April 2026, confirms the tribunal can push the ICO to act, but cannot make it change its answer. DUAA 2025 does not alter that line.
When a customer or employee complains to the ICO about how an organisation has handled their personal data and is unhappy with the regulator’s answer, can they take the ICO to a tribunal to overturn it? On 9 April 2026, the First-tier Tribunal said no. Its decision in Kevin McDonnell v The Information Commissioner [2026] UKFTT 524 (GRC) confirms that section 166 of the Data Protection Act 2018, the only tribunal route a data subject has against the ICO, is procedural only. The tribunal can push the ICO to deal with a complaint, but it cannot make the ICO change its answer. With the ICO handling over 15,000 data protection complaints a year and the Data (Use and Access) Act 2025 tightening the complaints regime, that line matters for any organisation whose response to a data subject becomes the subject of an ICO complaint.
The statutory framework: sections 165, 166 and 167
Three provisions in Part 6 of the Data Protection Act 2018 carry the architecture of data protection complaints, and they do different things. Section 165 requires the Commissioner to take “appropriate steps to respond” to a complaint, to inform the complainant of the outcome, and to inform the complainant of the rights under section 166. The duty to take “appropriate steps” includes, under section 165(5), investigating “to the extent appropriate” and informing the complainant about progress. The Commissioner is not required to determine the substantive merits of every complaint.
Section 166 is the procedural lever. It permits a data subject to apply to the First-tier Tribunal for an order requiring the Commissioner to take appropriate steps to respond, or to inform the complainant of progress or outcome, where the Commissioner has not done so within three months (or within a further three-month period). The Tribunal’s orders can specify steps to be taken or a deadline by which an investigation must be concluded.
Section 167 sits on a different track entirely. It is a court compliance order against the controller or processor for substantive infringement, available on application by the data subject under Article 79 UK GDPR. It is for courts, not the First-tier Tribunal, and it goes to the merits.
The DUAA 2025 reformed Part 5 of the Data Protection Act 2018 to add a new 30-day controller-side acknowledgement duty for data protection complaints, and reshaped the ICO’s enforcement and governance framework, as set out in the firm’s earlier analysis of the DUAA’s commencement and the ICO’s enforcement playbook. What the DUAA did not do was disturb the section 166 architecture: the procedural triggers, the Tribunal’s available orders and the cross-reference to section 165(5) “appropriate steps” stand exactly as enacted in 2018.
Why the section 166 DPA 2018 jurisdiction stops at the procedural gate
The Tribunal struck out McDonnell on two alternative grounds: rule 8(2)(a) of the General Regulatory Chamber Rules 2009 (no jurisdiction) and rule 8(3)(c) (no reasonable prospect of success). The reasoning in the judgment draws on a settled line of authority. In Killock and Veale v Information Commissioner [2021] UKUT 299 (AAC), the Upper Tribunal Administrative Appeals Chamber held that section 166 is “strictly procedural” and that any attempt to divert the Tribunal towards the substantive merits “must be firmly resisted”. The Upper Tribunal described the Commissioner as an “expert regulator” uniquely placed to assess the regulatory context, and that framing has carried through every subsequent decision.
The Court of Appeal endorsed the Commissioner’s discretion in R (Delo) v Information Commissioner and Wise Payments Ltd [2023] EWCA Civ 1141, upholding the High Court at [2022] EWHC 3046 (Admin). Warby LJ held that the Commissioner has a “very wide scope” in deciding how to investigate complaints, including the power to take no further action even on a non-spurious complaint, and that an “outcome” includes any decision concluding the Commissioner’s handling of a complaint, even where it does not resolve the underlying merits. Sections 165 and 166 do not require the Commissioner to determine the substantive merits at all.
Two further decisions narrow the field. In Mahmood v Information Commissioner [2023] UKFTT 1068 (GRC) the Tribunal held that, once an outcome has been issued, an order compelling further investigative steps would improperly “unpick or unwind” that outcome, which the Tribunal has no power to do. In Smith v Information Commissioner [2025] UKUT 74 (AAC) the Upper Tribunal observed that the scope to find an “appropriate step” omitted after an outcome has been provided is “limited”, because section 166 cannot be used as a back door to relief available only through judicial review or a claim against the controller. McDonnell applies the line: where the Commissioner has issued outcomes, or has properly requested further information from the complainant pending an outcome, no procedural failure remains. A challenge to the substance of the outcome dressed as a procedural complaint is not within the Tribunal’s section 166 jurisdiction and has no reasonable prospect of success even if it were.
What the section 166 DPA 2018 boundary means for controllers
The first point for in-house counsel and DPOs is that the ICO complaint route is procedurally narrow on the data subject’s side. Once the Commissioner has issued an outcome, even an outcome that records “no further action will be taken” or that confirms an organisation has provided an “appropriate response”, the data subject’s tribunal route is effectively spent. The realistic recourse is judicial review of the Commissioner (a high threshold and rarely cost-effective) or a court claim against the controller direct under Article 79 UK GDPR or section 167 DPA 2018. In risk-calculus terms, the section 166 application is unlikely to add a tier of exposure to the controller once the Commissioner has closed the file.
The second point is that the practical hold in the ICO process sits at the outcome stage, not at the post-outcome tribunal stage. Substantive engagement with the Commissioner before an outcome issues is what shapes the controller’s position. An outcome that records “appropriate response” closes the procedural door under section 166. Conversely, an outcome that requires remedial action by the controller carries weight, and the Commissioner has wide latitude to issue such outcomes without making a definitive merits determination. For organisations with complaint-volume exposure, the meaningful preparation is at the case-handling stage with the Commissioner.
The third point is that the DUAA 2025 30-day controller acknowledgement duty is a separate compliance line, not a section 166 issue. Controllers must acknowledge a complaint received directly within 30 days, regardless of any later ICO involvement. Failure to acknowledge is itself a DUAA breach. For controllers with complex multi-team structures, a defined intake route for data protection complaints distinct from general customer complaints is now necessary. The firm’s earlier analysis of controller obligations under the DUAA complaints regime sets out the practical steps. Where a complaint to the ICO becomes an investigation, the firm’s investigations and enforcement support page sets out how we engage on the regulator-facing side.
Viewpoint
The line on section 166 is now firm. Five years from Killock and Veale through Delo, Mahmood and Smith to McDonnell, the procedural-versus-substantive boundary has hardened, and the DUAA 2025 reforms do not soften it. In our experience advising controllers on ICO interaction, the practical implication is that the meaningful point of engagement is at the case-handling stage with the Commissioner. Once the file is closed, the data subject’s appetite for tribunal escalation is met by a doctrine that gives them no merits route. The harder commercial question for high-volume DSAR handlers is not the section 166 risk but the volume risk. The ICO is moving from individual case handling towards sector-aggregated supervision, which is a qualitatively different exposure that the section 166 boundary does not address. For controllers with systemic complaint exposure, the live risk is sector-aggregation, not tribunal escalation.
For advice on responding to ICO complaints, escalation under section 166 DPA 2018, or controller-side complaint handling under the DUAA 2025, contact Rob Bratby at Bratby Law.
