UK Data Protection Act

Under the UK Data Protection Act 1998 (“DPA“), data subjects have rights to obtain copies of their personal information through a data subject access request (“DSAR“). Data subjects frequently use DSARs to obtain information in the context of non-data protection disputes with data controllers. There has been much controversy over this practice, particularly as the £10 maximum fee the data controller may charge dwarfs the cost of complying with the request.

On 16 February 2017. In Dawson-Damer v. Taylor Wessing LLP, [2017] EWCA Civ 74, the English Court of Appeal ordered a law firm, Taylor Wessing LLP (“TW“), to comply with the Appellants’ DSARs. The Court’s order unanimously overturned the first instance decision that held that a data controller could refuse to respond to a DSAR on the basis that it would be costly or time consuming to do so, or because the data subject has made the DSAR in furtherance of litigation.

In this post we cover the key issues considered by the Court of Appeal, namely:

  • the extent of the DPA’s legal professional privilege exemption;
  • what amounts to “disproportionate effort” under the DPA; and
  • whether the court can use its discretion not to compel compliance with a DSAR made in furtherance of litigation.