The property investor, the gardener, his wife and her friends: Subject Access Requests just got interesting

The words “colourful” and “Subject Access Request” rarely, if ever, appear in the same sentence. However, the recent and very significant High Court case of Harrison v Cameron and ACL [2024] EWHC 1377 (KB), which dealt with a disputed Subject Access Request (“SAR”), has it all. The case captured an impressively diverse range of data protection issues and will almost certainly be seen as precedent here in the UK, so it has become a “must read” for anyone dealing with or advising on SARs.

Case Overview

The Judgement of Mrs Justice Steyn DBE included the following three key points, the first of which is the most prominent:

  1. Requesters are entitled, in principle, to be informed of the identities of Recipients with whom their personal data has been shared (not just the categories of Recipient).
  2. The Subject Access regime has a “specific and limited” purpose which is to enable a person to check whether a Controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides.
  3. Where a company director is processing personal data in the course of their duties on behalf of the company, for the purposes of UK GDPR the company is the “Controller” of that personal data, whereas the individual company director is not. It follows that where a company director is processing personal data on behalf of the company, that processing cannot be said to be for a purely personal or household activity and therefore outside the scope of UK GDPR (Article 2(2) of UK GDPR).

What was the case about?

Mr Harrison, a wealthy individual working in the property investment sector, employed Mr Cameron’s company, ACL, as landscape gardeners, but they fell out in spectacular fashion.

They spoke several times on the telephone, during which Mr Harrison threatened Mr Cameron and his family. Mr Cameron recorded two of those conversations without Mr Harrison’s knowledge. You can read the transcripts of the recorded calls here.

Mr Cameron subsequently shared the telephone recordings with certain friends, family and colleagues. The recordings then somehow found their way to a wider group of Recipients including Mr Harrison’s business peers and competitors in the property industry. Mr Harrison alleged that as a direct result of this dissemination, his business reputation was tarnished, and he lost out on a large business deal, causing him significant financial loss. Mr Harrison made a SAR to Mr Cameron/ACL to establish the identity of those with whom Mr Cameron had shared the recordings. Mr Cameron refused to cooperate.

The data protection legal issues

In court, Mr Cameron argued that when he made and shared the recordings he was acting in a personal, not business, capacity, and therefore UK GDPR, including the right of subject access, didn’t apply.

(Article 2 of the UK GDPR addresses the material scope of the Regulation. It provides that GDPR does not apply where personal data is being processed purely for personal or household activities.)

Mrs Justice Steyn rejected that argument and, following the decisions in Ittihadieh and In re Southern Pacific Loans, held that when Mr Cameron made the recordings of his telephone conversations with Mr Harrison, he did so in his capacity as a Director of ACL. Therefore, the processing of Mr Harrison’s personal data was clearly not purely for personal and household activities but fell squarely within scope of UK GDPR. Mr Cameron may not have been a Controller, but ACL most definitely was.

The most prominent question in the legal claim was whether Mr Cameron (or his company, ACL), in response to Mr Harrison’s SARs, was required to disclose to him the names of those 15 people with whom the telephone recordings (or transcripts) had been shared. Mrs Justice Steyn ruled that, in principle, the answer to that question was “yes”. Agreeing with the CJEU in RW v Österreichische Post AG (C-154/21) (‘Austrian Post’)*, she held that Article 15(1)(c) of GDPR must be interpreted as giving the Requester the choice whether to request information on the actual identity of those Recipients with whom their personal data has been shared or the mere categories of Recipients. If the Requester asks to know the actual identity of those Recipients, then the Controller is obliged to provide that information unless it is impossible to do so, or the Controller demonstrates that the request is manifestly unfounded or excessive within the meaning of Article 12(5) of GDPR.

*The Austrian Post case was post-Brexit and therefore non-binding upon Mrs Justice Steyn; however, she could have regard to it in so far as it was relevant to the issues in the case before her (Section 6(2) of the EU (Withdrawal) Act 2018).

Although Mrs Justice Steyn ruled that this was not a case where it would be impossible or manifestly excessive for ACL to disclose the specific identities of the 15 Recipients, she was, however, satisfied on the evidence that Mr Harrison’s aggressive and threatening behaviour justified Mr Cameron having reasonable concerns about how Mr Harrison would behave towards the Recipients if their identity was revealed. Accordingly, she agreed that the identity of the Recipients could properly be withheld from Mr Harrison under the third party personal data exemption. This exemption can be found in Paragraph 16 of Schedule 2 to the Data Protection Act 2018, and it comes into play where a requester’s personal data is co-mingled with information that identifies a third party. It provides that a Controller may refuse part or all of a subject access request where a third party has not consented to the disclosure of their personal data to the requester, and it is not reasonable in the circumstances to disclose their data to the requester without their consent. As lawyers and practitioners will know, when applying this exemption, Controllers are not mandated to seek a third party’s consent but instead must strike a balance between the competing interests of the requester and the third party.

Does this case change things?

When dealing with a SAR, there is a statutory duty, subject to the application of legal exemptions, to not only provide access to the requester’s personal data, but also “supplementary information” about how the Controller is using that personal data such as the purposes for which it is being processed and who it is being shared with (i.e. “Recipients or categories of Recipient to whom the personal data have been or will be disclosed”). Until now, many lawyers and practitioners have been operating on the basis that in order to comply with the duty to provide “supplementary information”, including information about Recipients under Article 15(1)(c), it is up to the Controller to decide whether to disclose categories of Recipients or information about individual Recipients. This case appears to shift that option from the Controller to the Requester.

“But this is only a High Court decision,” I hear you say, “will it be treated as precedent?” Although the outcome is not completely ideal in terms of its consequences for Controllers, it is likely to be seen as precedent here in the UK. Here’s why: (i) the legal analysis underpinning the Judgement is technically robust and doesn’t technically change Article 15(1)(c); (ii) the decision confirms a post-Brexit leading CJEU Judgement on a similar issue (the Austrian Post case); and (iii) Steyn J is a most highly regarded co-presiding Judge of the Media and Communications list of the High Court, i.e. in data protection world, her word goes!

What now?

If you are dealing with a SAR where the requester has not asked for the specific identity of Recipients, I think Controllers can, at least until ICO has provided guidance to the contrary, make their own choice about whether to disclose categories of Recipients or individual Recipients. However, where a requester has asked for the specific identity of Recipients, then a Controller must provide this information as part of the supplementary information unless doing this is impossible, involves disproportionate effort, or it can be shown that the request is manifestly unfounded, or a legal exemption applies.

Paula Williamson, Partner, Excello Law

Paula Williamson is a Data Protection and Privacy Lawyer at Excello Law. She is also a Director of Tenjin, a Data Protection consultancy and training provider. www.mytenjin.com
