Data Protection Report - Norton Rose Fulbright

Under the UK Data Protection Act 1998 (“DPA”), data subjects have rights to obtain copies of their personal information through a data subject access request (“DSAR”). Data subjects frequently use DSARs to obtain information in the context of non-data protection disputes with data controllers. There has been much controversy over this practice, particularly as the £10 maximum fee the data controller may charge is dwarfed by the cost of complying with the request.

On 16 February 2017, in Dawson-Damer v. Taylor Wessing LLP, [2017] EWCA Civ 74, the English Court of Appeal ordered a law firm, Taylor Wessing LLP (“TW”), to comply with the Appellants’ DSARs. The Court’s order unanimously overturned the first instance decision that held that a data controller could refuse to respond to a DSAR on the basis that it would be costly or time consuming to do so, or because the data subject has made the DSAR in furtherance of litigation.

In this post we cover the key issues considered by the Court of Appeal, namely:

  • the extent of the DPA’s legal professional privilege exemption;
  • what amounts to “disproportionate effort” under the DPA; and
  • whether the court can use its discretion not to compel compliance with a DSAR made in furtherance of litigation.

Background

TW were the English solicitors to Grampian Trust Company Limited (“Grampian”), a Bahamian sole trustee of a discretionary trust of which Ms Dawson-Damer was a beneficiary. Grampian made certain substantial appointments of funds from the trust which Ms Dawson-Damer and her children challenged as invalid. Ms Dawson-Damer submitted DSARs for copies of all personal data held on them by TW.

TW responded with a blanket claim of privilege based on the legal professional privilege exemption to the production of personal information under the DPA. TW also argued that, in circumstances where they had been Grampian’s lawyers for some thirty years, it was neither reasonable nor proportionate for them to carry out a full search to determine whether a particular document was covered by privilege.

The claimants subsequently brought proceedings in the Bahamas challenging the validity of Grampian’s appointments, and sought from the English court (i) declarations that TW had failed to comply with their DSARs; and (ii) orders requiring them to comply.

First Instance Decision

At first instance, the judge held that the legal professional privilege exemption covered all documents that Grampian would be entitled to withhold in the Bahamian proceedings. It was therefore not reasonable or proportionate to expect TW to carry out any search for personal data or to determine which documents were privileged as this was a matter of Bahamian law that would be time-consuming and costly to resolve. Furthermore, the judge refused to exercise his discretion to compel TW to respond, concluding that data subjects could not use DSARs as a tool to obtain documents to assist with litigation proceedings.

Court of Appeal Decision

The Court of Appeal reversed the approach taken at first instance on all three issues:

Extent of the Legal Professional Privilege Exemption

The Court of Appeal took a narrow approach to the legal professional privilege exemption in paragraph 10 of schedule 7 of the DPA, holding that it only applies to documents protected by legal professional privilege as a matter of English law in the context of legal proceedings in the UK. Furthermore, the exemption did not extend to documents that are subject to a right of non-disclosure (such as certain documents that are not disclosable to a beneficiary under trust law), but which are not also protected by legal professional privilege. This latter point does not come as a surprise as the DPA expressly states that DSAR rights apply notwithstanding any rule of law prohibiting disclosure other than where covered by an exemption.

Disproportionate Effort

The Court of Appeal then examined whether TW was justified in refusing to search for documents across 30 years of client files on the basis that it would involve disproportionate effort for the purposes of section 8(2) of the DPA. Here, the Court held that the first-instance decision erroneously determined the scope of documents protected by legal professional privilege. The Court of Appeal noted that, to date, TW had done no more than to review their files; they had produced no evidence to show what they had done to identify personal data or that it would involve disproportionate effort to take any further steps to do so. Thus, the mere assertion that it would be too difficult to search through voluminous papers was not enough to justify TW’s reliance on the section 8(2) exemption. Perhaps the only positive for data controllers in the case was a finding that the “disproportionate effort” test applies to the search as well as the mere supply of copies of the results (which widens the exemption beyond the UK Information Commissioner’s current guidance).

Purpose of a DSAR

Finally, the Court of Appeal considered whether a court can use its discretion under section 7(9) of the DPA not to compel compliance with a DSAR where the data subject’s real motive is to use the personal data to assist in litigation. Here, the Court of Appeal rejected the notion that the court’s discretion should be limited based on the underlying purpose of the DSAR. Because the DPA does not limit the purposes for which a DSAR may be made, the Court of Appeal concluded that it would be “odd” to conclude that the sole purpose of a DSAR must be to verify the accuracy of the data subject’s personal data. Such a “no other purpose” rule would have undesirable consequences, such as non-compliance by data controllers on the basis that the data subject had an ulterior motive for making the DSAR and satellite litigation to determine the purpose of the DSAR. Provided that a DSAR did not amount to an abuse of the court’s process (which the court noted the mere holding of a collateral purpose would not normally give rise to) or result in a conflict of interest, the court could not use the purpose of a DSAR as a reason to limit the exercise of its discretion to compel a data controller to respond under section 7(9) DPA.

Our Take

The Court of Appeal’s decision, influenced in large part by the intervention of the Information Commissioner, dashes hopes and signals “business as usual” to data controllers faced with DSARs in the UK. As the Information Commissioner submitted, “The cost of compliance is the price data controllers pay for processing data”. The decision confirms not only that the legal professional privilege exemption will be narrowly construed, but also that data controllers cannot avoid compliance by arguing that responding would be expensive or time-consuming. However, the ruling enables data controllers to argue that the “disproportionate effort” exemption applies to the search process. Thus, at least for now (as the GDPR does not expressly include a disproportionate effort exemption to DSARs), data controllers may have new grounds to argue against complying with requests for “all personal data held about the individual”, which cause the largest burden on data controllers.

In addition, the Court of Appeal has made clear that a data controller cannot refuse to comply with a DSAR based on a data subject’s alleged ‘real motive.’ As the GDPR will prohibit data controllers from charging a fee to respond to data subject requests, shorten response time frames from 40 to 30 days, and provide harsher penalties for non-compliance, the Dawson-Damer decision is an unwelcome wake-up call for UK (and possibly EU) data controllers, because the costs of complying with data subject access requests and the new data subject rights (data portability and right to be forgotten) will likely increase, particularly for those controllers holding large quantities of personal data about individuals. At a minimum, all EU data controllers should have a strategy for locating, searching for, and parsing data sets to comply with DSARs and the other new rights when the GDPR starts to apply in May 2018.
