The Court of Appeal in England and Wales has recently given judgments in two cases relating to the rights and limitations attaching to data subject access rights ('DSARs'). This is a vexed issue for data controllers who receive large volumes of widely formulated DSARs, and who struggle to understand the boundaries attaching to the rights of access and the associated exceptions. The cases bring some useful clarity, particularly in relation to the 'disproportionate effort' exemption and the relevance, or otherwise, of the data subject's motive in making the request.
Dawson-Damer v Taylor Wessing
This case, an appeal of a High Court decision, considered three issues which regularly arise in the context of contentious DSARs.
- Privilege: The application of legal privilege to certain documentation held by a UK law firm (Taylor Wessing) in relation to an international family trust.
- Disproportionate effort: It also considered the application of the 'disproportionate effort' exemption in the UK Data Protection Acts 1998 (which is almost identical to the wording in the Irish Data Protection Acts 1988 and 2003).
- Data subject's motive: Finally, the case dealt with the relevance of the data subject's motive in making the request.
Given the precedent value of the case, the UK Information Commissioner intervened and provided oral and written submissions.
On the first issue, the Court of Appeal concluded that the legal professional privilege exception relieves the data controller from complying with a DSAR, only to the extent that the relevant privilege exists under UK law. As the UK DPA does not contain an exception for documents not disclosable to a beneficiary of a trust under trust law principles, such documents remained potentially in scope for DSAR purposes. This aspect of the case is of narrow precedent value, given the uniqueness of the facts.
The Court's determination of the second issue, the 'disproportionate effort' exemption, is of greater precedent value.
The Information Commissioner had argued that the fact that the process of finding personal data would be costly or time-consuming should not be a reason for not complying with a DSAR, and that the 'disproportionate effort' exemption applies only to the process of the supply of data. This distinction also arises under section 4 of the Irish DPAs, and the Office of the Data Protection Commissioner has in the past tended to adopt a similar view to that expressed by the Information Commissioner.
The Court disagreed with the Information Commissioner; it did not consider that the challenges that may be taken into account in determining whether the supply of information in permanent form would be disproportionate for a data controller should be limited to those which arise in the process of producing a copy of a document. Instead, in determining disproportionate effort, a data controller could take into account the difficulties which occur in the process of complying with the request. The Court said "this is consistent with EU law, which would apply proportionality to all stages of the process of compliance".
Taylor Wessing could not ignore the DSAR entirely simply because there was a large volume of documents in scope and/or because many of them would be subject to the legal privilege exception. On the contrary, the Court determined that the firm must produce evidence to show what it has done to identify the material and to work out a plan of action. As it had failed to do this, and so had not discharged the onus on it, the disproportionate effort exemption was not yet available.
In relation to the final issue — the data subject's motive — the Court noted that Recital (10) to the Data Protection Directive (95/46/EC) makes it clear that the rights given by the Directive are to protect fundamental rights conferred by EU law. Nothing in the UK DPA or the Directive limits the purpose for which a data subject may request his data, or provides data controllers with the option of not providing data based solely on the requester's purpose. Whilst the position might be different if the DSAR was an abuse of the Court's process, this was not the case here.
From an Irish perspective, this aspect of the case is unsurprising. Its reasoning follows a similar line to that adopted by Hedigan J in Dublin Bus v Data Protection Commissioner. In that case, the High Court concluded that the existence of proceedings between a data requester and the data controller did not preclude the data requester from making a DSAR, nor did it justify the data controller in refusing the request.
Cheyne Gardens RTM Company Ltd & Ors
This case also considered the 'disproportionate effort' exemption in response to a DSAR. In considering the proportionality of a search in response to a DSAR, the Court of Appeal stated that:
- "[B]oth the Directive and the DPA have, as an underlying assumption, that personal data can be sufficiently retrieved and made ready for disclosure to the data subject at the touch of a few buttons. Experience shows that this assumption is fundamentally unsound";
- "while the principle of proportionality cannot justify a blanket refusal to comply with a SAR, it does limit the scope of the efforts that a data controller must take in response. That was also the conclusion of this court in Dawson-Damer"; and
- "the result of such a search does not necessarily mean that every item of personal data relating to an individual will be retrieved as a result of such a search. There may be things lurking beneath another stone which have not been turned over. Accordingly, the mere fact that a further and more extensive search reveals further personal data relating to that individual does not entail the proposition that the first search was inadequate."
Whilst the Court clarified that it is not necessarily a response to a DSAR to say that the data subject already knows the information, the above points do support the view that data controllers are not intended to go to the ends of the earth to find every morsel of personal data relevant to a DSAR.
As in Dawson-Damer, the Court also confirmed that the motive of the data subject was irrelevant.
Although each of the rulings made by the UK Court of Appeal has persuasive value, they do not have direct authority in the Irish Courts. At one end of the scale, it is clear that a data controller must take reasonable action in order to properly rely on the 'disproportionate effort' exemption, while at the other end, the courts will likely take a reasonable approach in assessing whether a DSAR requires 'disproportionate effort' on the part of a data controller. What is also clear beyond doubt is that data controllers cannot refuse a DSAR on the basis that most of the documentation in question is likely exempt from disclosure or because the motives of the requester are not centred on privacy concerns.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.