UK Court of Appeal allows data subject access requests to be made in furtherance of litigation

Publication July 2017


Introduction

Under the UK Data Protection Act 1998 (“DPA”), data subjects have rights to obtain copies of their personal information through a data subject access request (“DSAR”). Data subjects frequently use DSARs to obtain information in the context of non-data protection disputes with data controllers. There has been much controversy over this practice, particularly as the cost of complying with the request can dwarf the £10 maximum fee the data controller may charge, and there have been two relevant Court of Appeal decisions.

On 16 February 2017 in Dawson-Damer v. Taylor Wessing LLP, [2017] EWCA Civ 74, the English Court of Appeal ordered a law firm, Taylor Wessing LLP (“TW”), to comply with the Appellants’ DSARs. TW were the English solicitors to Grampian Trust Company Limited (“Grampian”), a Bahamian sole trustee of a discretionary trust of which Ms Dawson-Damer was a beneficiary. Grampian made certain substantial payments of funds from the trust which Ms Dawson-Damer and her children challenged as invalid, submitting DSARs for copies of all personal data held on them by TW. The claimants subsequently brought proceedings in the Bahamas challenging the validity of Grampian’s payments, and sought from the English court (i) declarations that TW had failed to comply with their DSARs; and (ii) orders requiring them to comply.

On 3 March 2017 the Court of Appeal handed down judgment in the joint hearing of Ittihadieh v Cheyne Gardens & Ors and Deer v University of Oxford [2017] EWCA Civ 121. In Ittihadieh a resident disputed the response provided to their DSAR by the residential management company responsible for their building. Deer related to a DSAR made against the data subject’s former employer, in the context of Employment Tribunal proceedings.

In this article we cover the key issues considered by the Court of Appeal in both of these judgments, namely:

  • whether the court can use its discretion not to compel compliance with a DSAR made in furtherance of litigation;
  • what amounts to “disproportionate effort” under the DPA; and
  • the extent of the DPA’s legal professional privilege exemption.

DSARs made in furtherance of litigation and the court’s discretion

The Court of Appeal in Dawson-Damer considered whether a court can use its discretion under section 7(9) of the DPA not to compel compliance with a DSAR where the data subject’s real motive is to use the personal data to assist in litigation. Overturning the first-instance decision that data subjects could not use DSARs as a tool to obtain documents to assist with litigation proceedings as this was not a “proper purpose”, the Court of Appeal rejected the notion that the court’s discretion should be limited based on the underlying purpose of the DSAR. As the DPA does not limit the purposes for which a DSAR may be made, the Court of Appeal concluded that it would be “odd” to conclude that the sole purpose of a DSAR must be to verify the accuracy of the data subject’s personal data. Such a “no other purpose” rule would have undesirable consequences, such as non-compliance by data controllers on the basis that the data subject had an ulterior motive for making the DSAR and satellite litigation to determine the purpose of the DSAR. Provided that a DSAR did not amount to an abuse of the court’s process (which the court noted the mere holding of a collateral purpose would not normally give rise to) or result in a conflict of interest, the court could not use the purpose of a DSAR as a reason to limit the exercise of its discretion to compel a data controller to respond under section 7(9) DPA.

In Ittihadieh and Deer the Court decided that although the underlying purpose of a DSAR is for the data subject to check the accuracy of their personal data and to see if it is being processed lawfully, the right of access is not subject to “any express purpose or motive test.” Following Dawson-Damer, it was held that the fact the data subject may have “collateral purposes”, such as litigation, when making the DSAR will neither invalidate it nor relieve data controllers from their obligation to respond. Unlike Dawson-Damer, however, the Court of Appeal in this judgment indicated that the data subject must also wish to check the accuracy of their personal data for the request to be valid, effectively emphasising the “collateral” nature of any additional litigation purpose.

In terms of the court’s discretion to order a data controller to respond, Ittihadieh and Deer cited a number of factors which the court may take into account, including:

  • whether there is a more appropriate route to obtaining the requested information, such as disclosure in legal proceedings;
  • the nature and gravity of the data controller’s breach;
  • the absence of a legitimate reason for the DSAR (even though a collateral purpose of assisting in litigation is not an absolute bar);
  • where the application is an abuse of rights, for example where litigation is pursued merely to impose a burden on the data controller;
  • where the personal data is of no real value to the data subject;
  • the potential benefit to the data subject; and
  • whether or not the data subject was the author or recipient of the document in question.

However, in the absence of any of these factors, where it is clear that the data subject legitimately wishes to check the accuracy of his or her personal data, or simply provided that a DSAR is submitted in a valid form (namely a request made in writing – including via email or social media), that is a good enough reason for the court to exercise its discretion in the data subject’s favour.

What amounts to disproportionate effort?

In Dawson-Damer, the Court of Appeal examined whether TW was justified in refusing to search for documents across 30 years of client files on the basis that it would involve disproportionate effort for the purposes of section 8(2) of the DPA. Here, noting that the first-instance decision had erroneously determined the scope of documents protected by legal professional privilege as addressed below, the Court of Appeal found that, to date, TW had done no more than review their files; they had produced no evidence to show what they had done to identify personal data or that it would involve disproportionate effort to take any further steps to do so. Thus, the mere assertion that it would be too difficult to search through voluminous papers was not enough to justify TW’s reliance on the section 8(2) exemption. The Court of Appeal did, however, indicate in this case that the “disproportionate effort” test applies to the search as well as the mere supply of copies of the results (which widens the exemption beyond the UK Information Commissioner’s current guidance).

In Ittihadieh and Deer it was noted that there is no express provision of the DPA which relieves a data controller from the obligation to supply personal data on the ground that it would be disproportionate to do so. However, while the principle of proportionality cannot justify a blanket refusal to comply with a DSAR, it was held that it does limit the scope of the efforts that a data controller must make in response. Going further than Dawson-Damer, the Court of Appeal held that the “obligation to search is limited to a reasonable and proportionate search”, and is not an “obligation to leave no stone unturned”. Consequently, a search will not necessarily retrieve every item of personal data relating to an individual. “There may be things lurking beneath another stone which has not been turned over”, and the mere fact that a further and more extensive search reveals further personal data relating to the data subject does not necessarily mean that the first search was inadequate.

The extent of the legal professional privilege exemption

In Dawson-Damer, TW responded with a blanket claim of privilege based on the legal professional privilege exemption to the production of personal information under the DPA. TW also argued that, in circumstances where they had been Grampian’s lawyers for some thirty years, it was neither reasonable nor proportionate for them to carry out a full search to determine whether a particular document was covered by privilege. At first instance, the judge held that the legal professional privilege exemption covered all documents that Grampian would be entitled to withhold in the Bahamian proceedings. It was therefore not reasonable or proportionate to expect TW to carry out any search for personal data or to determine which documents were privileged as this was a matter of Bahamian law that would be time-consuming and costly to resolve.

Again reversing the first instance approach, the Court of Appeal in Dawson-Damer took a narrow approach to the legal professional privilege exemption in paragraph 10 of schedule 7 of the DPA, holding that it only applies to documents protected by legal professional privilege as a matter of English law in the context of legal proceedings in the UK. Furthermore, the exemption did not extend to documents that are subject to a right of non-disclosure (such as certain documents that are not disclosable to a beneficiary under trust law), but which are not also protected by legal professional privilege. This latter point does not come as a surprise as the DPA expressly states that DSAR rights apply notwithstanding any rule of law prohibiting disclosure other than where covered by an exemption.

In Ittihadieh and Deer the Court confirmed there is no obligation to search for material covered by legal professional privilege, although a data controller will be expected to conduct a proportionate search to identify and separate out any non-privileged personal data.

Comment

Although the Court of Appeal in Ittihadieh and Deer cited Dawson-Damer as the leading authority on a number of key DSAR principles, in many ways this later judgment has opened the door to further arguments which data controllers might potentially use to counter data subject access requests which appear particularly onerous and unreasonable.

On the one hand, the Court of Appeal’s decision in Dawson-Damer, influenced in large part by the intervention of the Information Commissioner, dashes hopes and signals “business as usual” to data controllers faced with DSARs in the UK. As the Information Commissioner submitted, “The cost of compliance is the price data controllers pay for processing data”. The decision confirms not only that the legal professional privilege exemption will be narrowly construed, but also that data controllers cannot avoid compliance by arguing that responding would be expensive or time-consuming – albeit that the ruling does enable data controllers to argue that the “disproportionate effort” exemption applies to the search process as well as to the supply of data. This decision has also made clear that a data controller cannot refuse to comply with a DSAR based on a data subject’s alleged ‘real motive’, not least to avoid the risk of satellite litigation to determine the motive for a DSAR in the first place.

On the other hand, although the Court of Appeal’s latest judgment in Ittihadieh and Deer follows Dawson-Damer in a number of key aspects, it does appear to give more comfort to data controllers in various ways, including that data subjects should be able to show a legitimate reason for making the DSAR (even if there is also a collateral purpose); that the principle of proportionality does limit the scope of the efforts that a data controller must make in response and does not oblige data controllers to leave no stone unturned; and that the court will take the broader factual matrix into account when deciding whether or not to use its discretion to compel a data controller to respond to a DSAR.

Ittihadieh and Deer also sends a warning to data subjects on costs. In this case, the costs award in Deer’s favour was reduced at first instance by 25% because of the judge’s assessment of her motive in pursuing the litigation as “essentially antagonistic”. The Court of Appeal agreed with this approach, citing CPR Part 44.2(4)(a) which requires the court to take into account a party’s conduct in deciding what order to make about costs. In this case, balancing what Deer had achieved against the cost involved (disclosure of 33 further documents following a review of over 500,000 documents at a cost to Oxford University of £116,116), coupled with Deer’s overall conduct, the Court of Appeal found that the judge had been entitled to deduct costs as he did.

Thus, at least for now (and potentially also under the General Data Protection Regulation, which envisages the possibility of data controllers refusing to act on a “manifestly unfounded or excessive” request), data controllers may have new grounds to argue against complying with unreasonable requests, or broad requests for all personal data held about a particular individual, which cause the largest burden on data controllers.

The GDPR will prohibit data controllers from charging a fee to respond to data subject requests, shorten response time frames from 40 to 30 days, provide harsher penalties for non-compliance, and likely increase the costs of complying with DSARs and the new data subject rights (data portability and right to be forgotten), particularly for those controllers holding large quantities of personal data about individuals. Although it remains to be seen whether courts will follow the harsher line in Dawson-Damer or the more lenient approach in Ittihadieh and Deer, at a minimum all EU data controllers should have a strategy for locating, searching for, and parsing data sets to comply with DSARs and the other new rights when the GDPR comes into effect in the UK in May 2018.

