Although the Court of Appeal in Ittihadieh and Deer cited Dawson-Damer as the leading authority on a number of key DSAR principles, in many ways this later judgment has opened the door to further arguments which data controllers might potentially use to counter data subject access requests which appear particularly onerous and unreasonable.
On the one hand, the Court of Appeal’s decision in Dawson-Damer, influenced in large part by the intervention of the Information Commissioner, dashes hopes and signals “business as usual” to data controllers faced with DSARs in the UK. As the Information Commissioner submitted, “The cost of compliance is the price data controllers pay for processing data”. The decision confirms not only that the legal professional privilege exemption will be narrowly construed, but also that data controllers cannot avoid compliance by arguing that responding would be expensive or time-consuming – albeit that the ruling does enable data controllers to argue that the “disproportionate effort” exemption applies to the search process as well as to the supply of data. This decision has also made clear that a data controller cannot refuse to comply with a DSAR based on a data subject’s alleged ‘real motive’, not least to avoid the risk of satellite litigation to determine the motive for a DSAR in the first place.
On the other hand, although the Court of Appeal’s latest judgment in Ittihadieh and Deer follows Dawson-Damer in a number of key aspects, it does appear to give more comfort to data controllers in various ways, including that data subjects should be able to show a legitimate reason for making the DSAR (even if there is also a collateral purpose); that the principle of proportionality does limit the scope of the efforts that a data controller must make in response and does not oblige data controllers to leave no stone unturned; and that the court will take the broader factual matrix into account when deciding whether or not to use its discretion to compel a data controller to respond to a DSAR.
Ittihadieh and Deer also sends a warning to data subjects on costs. In this case, the costs award in Deer’s favour was reduced at first instance by 25% because of the judge’s assessment of her motive in pursuing the litigation as “essentially antagonistic”. The Court of Appeal agreed with this approach, citing CPR Part 44.2(4)(a) which requires the court to take into account a party’s conduct in deciding what order to make about costs. In this case, balancing what Deer had achieved against the cost involved (disclosure of 33 further documents following a review of over 500,000 documents at a cost to Oxford University of £116,116), coupled with Deer’s overall conduct, the Court of Appeal found that the judge had been entitled to deduct costs as he did.
Thus, at least for now (and potentially also under the General Data Protection Regulation, which envisages the possibility of data controllers refusing to act on a “manifestly unfounded or excessive” request), data controllers may have new grounds to argue against complying with unreasonable requests, or broad requests for all personal data held about a particular individual, which cause the largest burden on data controllers.
The GDPR will prohibit data controllers from charging a fee to respond to data subject requests, shorten response time frames from 40 to 30 days, provide harsher penalties for non-compliance, and likely increase the costs of complying with DSARs and the new data subject rights (data portability and right to be forgotten), particularly for those controllers holding large quantities of personal data about individuals. Although it remains to be seen whether courts will follow the harsher line in Dawson-Damer or the more lenient approach in Ittihadieh and Deer, at a minimum all EU data controllers should have a strategy for locating, searching for, and parsing data sets to comply with DSARs and the other new rights when the GDPR comes into effect in the UK in May 2018.