Subject Access Requests: Guidance on Crime and Legal Privilege Exemptions

April 26, 2016

The recent High Court decision in Gurieva v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB) gives some practical guidance to data controllers on the approach they need to adopt if they wish to rely on the crime and legal privilege exemptions to compliance with Subject Access Requests (SARs) made under the Data Protection Act 1998.

Ms Gurieva and her husband applied to the High Court for an order requiring the private investigation firm Community Safety Development (UK) Ltd (CSD) to comply with their SAR. CSD had been instructed by a Mr Gorbachev in relation to claims he was making against the couple, among them a private criminal prosecution in Cyprus, in relation to a Russian company of which they were the beneficial owners.

CSD resisted the application by asserting that the crime (s 29(1)) and/or legal privilege (sch 7, para 10) exemptions under the Data Protection Act 1998 applied to the personal data it held and, as such, it did not have to comply with the SAR. However, if wrong about that, CSD argued that the court should use its discretion not to require compliance on the basis that the couple were using the SAR to obtain an illegitimate procedural advantage for the criminal action in Cyprus and/or that the burden on it of complying was disproportionately heavy.

The court rejected these arguments and allowed the application.

It held that, in order to rely on the crime or privilege exemptions under the Act, a data controller must carry out sufficient analysis of the personal data to be able to identify which data is not exempt and to provide convincing and detailed reasoning as to why the other data does fall within the relevant exemptions. In other words, just because some of the data may appear to fall within one of the exemptions, a data controller cannot rely on a blanket exemption in respect of all of it. 

In Gurieva, as it was not likely that all the personal data identified would attract either exemption, and CSD had made no attempt to undertake a detailed analysis to differentiate between the data, their arguments in this regard failed.

The court then went on to assess whether it should exercise its discretion to allow the application and said that the general principle is that it ‘will ordinarily be exercised in favour of a claimant who has made a valid SAR, in the absence of a good reason not to’.

CSD argued that the disproportionate burden of the SAR was just such a reason and suggested that the task of determining whether the personal data was privileged should more properly be carried out in the context of the criminal proceedings in Cyprus. This argument was dismissed on the grounds that:

  1. the personal data in question had already been identified and was limited to a relatively small cache of 1,500 documents -as such, the court did not accept that the task of determining whether privilege applied to the data was a prolonged or complex one;
  2. it was uncertain whether there would be a disclosure exercise in Cyprus and there was no reason to assume that it would be more appropriate to determine the issue of privilege in those proceedings; and
  3. as there was no suggestion that the law of privilege in Cyprus differed to English law, it may even save the parties time and money for the issue of privilege to have been determined in the context of the instant SAR.

The court noted that these factors distinguished Gurieva from the case of Dawson-Damer v Taylor Wessing [2015] EWHC 2366 (Ch), in which the court did not order compliance with an SAR on proportionality grounds in the context of on-going litigation in the Bahamas.

The Dawson-Damer case gave some succour to data controllers who wished to avoid complying with SARs when litigation was afoot elsewhere. Indeed, it was relied on heavily by CSD’s counsel in Gurieva, in particular to argue that the couple’s SAR was an abuse of process and/or made for an improper purpose. However, these arguments were again rejected.

The court said that there was no abuse of process (for example, attempting to get early disclosure or disclosure of documents not otherwise obtainable in litigation) because ‘such purposes could and would be thwarted by properly reasoned reliance on the privilege and crime exemptions’. Therefore, this issue would not be relevant when considering the issue of the court’s discretion.

Furthermore, the court noted that the SAR regime is often described as ‘purpose blind’ and a court should not ‘enquire into or permit investigation of the purpose for which a SAR has been made’. It was satisfied that there was no evidence of an improper purpose in this case; the intimidating letters sent to the couple by CSD in relation to the Russian company gave them reasonable grounds to believe that CSD held inaccurate personal data about them.

However, the court did make the general comment that it had ‘difficulty with the notion that the use of an SAR for the purpose of obtaining early access to information that might otherwise be obtained via disclosure in pending or contemplated litigation is inherently improper’. Just such a tactic is increasingly popular with claimants and their representatives – Gurieva appears to show judicial opinion swaying more in their favour than respondent data controllers may have argued in light of Dawson-Damer.

James Murray is an employment solicitor with an interest in data protection issues at Kingsley Napley LLP: JMurray@kingsleynapley.co.uk – 020 7566 2936