A very significant data protection subject access judgment was recently handed down in the High Court, in the case of Harrison v Cameron & Another. As a judgment of the High Court it has binding effect, and unless appealed, its findings must be followed.
It clarifies, or confirms, some key points for all those who make, respond to or advise on such requests, whether they are made under the UK GDPR or – in the case of subject access requests to law enforcement authorities – under Part 3 of the Data Protection Act 2018.
Key rulings were made, in particular, to the effect that:
- requesters are entitled, in principle, to be informed of the identities of the recipients of their personal data (not just the categories of recipient)
- the subject access regime has a “specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides”
- a director of a company, when acting as such, will not be a “controller”.
The underlying details of the case are striking. A director of a gardening company (Mr C) had covertly recorded threatening calls made by a wealthy homeowner working in the property investment industry (Mr H) with whom the company was coming into dispute, and subsequently circulated the recordings to a limited number of unnamed family members and others.
The recordings found their way to a wider circle of people, including some of Mr H’s peers and competitors in the property investment sector. Mr H contended that the circulation of the recordings had caused his own company to lose out on a significant property acquisition. Accordingly, he made subject access requests, under Article 15 of the UK GDPR, both to Mr C and to Mr C’s company (“ACL”). Those requests were rejected on the grounds that i) Mr C, when circulating the recordings, was processing Mr H’s personal data in a “purely personal and household” context, and so the processing was out of scope of the UK GDPR, ii) Mr C was not personally a controller under the UK GDPR, and iii) ACL could rely on the exemption to disclosure where it would involve disclosing information relating to another individual who did not consent to disclosure, and where – in the absence of such consent – it was not reasonable in the circumstances to disclose, having regard to the balancing test required under Article 15(4) of the UK GDPR and paragraph 16 of Schedule 2 to the Data Protection Act 2018 (DPA 2018).
In a lengthy judgment (dealing mostly with the facts and evidence) Mrs Justice Steyn held that Mr C’s processing was not for purely personal and household reasons: he was clearly acting as a director of ACL in making the recordings and circulating them. However, she agreed that he was not a controller – he was acting in his capacity as a director, and – following the case law in Ittihadieh and In re Southern Pacific Loans – a director processing data in the course of their duties for their company is not a controller; the company is.
A crucial part of the judgment, in terms of wider relevance, is on the interpretation of Article 15(1)(c) of the UK GDPR. This provides that a data subject should be given information on “the recipients or categories of recipient” to whom personal data have been or will be disclosed. Many practitioners, and lawyers, have taken this to be an option available to the controller (i.e. the controller can decide whether to provide information on the specific recipient or just on categories thereof). Not so, said Steyn J, agreeing with the CJEU in the Austrian Post case (which, as a post-Brexit case, wasn’t binding on her, but to which she could have regard, so far as it was relevant to the issues (see section 6(2) of the EU (Withdrawal) Act 2018)): the choice lies with the data subject, and, if the data subject chooses to receive information on individual recipients, he or she is entitled, in principle, to that information, unless it would be impossible or manifestly excessive to do so.
Notwithstanding this, Mr H was not entitled in this case to have the identities. Mr H had previously sent subject access requests individually to at least 23 employees of ACL, and he had an intention to pursue further legal options other than under the UK GDPR, if he was able to identify potential claimants. ACL believed that disclosing identities of recipients of the recordings would put them at “significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation”. The judge agreed that it was “not unreasonable for the Defendants to give significant weight to [Mr H’s] sustained and menacing behaviour in considering whether to protect or disclose the identities of friends, colleagues and family members”. The fact that “hostile litigation”, against the third parties to whom the recordings were disclosed, was being contemplated was a relevant factor to take into account when balancing their interests with Mr H’s access rights, under paragraph 16 of Schedule 2. The judge agreed with the court in the case of X v The Transcription Agency that the subject access regime, “has a specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her ‘personal data’ unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides…[and so] it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation going beyond the exercise of rights under the UK GDPR and the DPA 2018.”
The long-debated question, under the UK GDPR and the prior law, of whether a requester’s motive is relevant when responding to a subject access request rears its head again. The judge’s analysis in Harrison v Cameron is compelling, and so it certainly appears that – at the very least when it comes to the balancing test implied by paragraph 16 of Schedule 2 to the DPA 2018 – the motive is capable of being taken into account.