Hot off the presses comes the first of the Court of Appeal’s
two forays into data protection law this term: Dawson-Damer v Tayor Wessing LLP [2017] EWCA Civ 74.
It is an important decision and one well worth reading, particularly while
waiting for round 2 (which has some overlaps) in Ittihadieh v 5-11 Cheyne Gardens / Deer v University of Oxford
(likely to be handed down in the next month or so).
Why is it worth reading? Well, there are three issues
discussed by Arden LJ in Dawson-Damer,
all of which are of very significant practical importance to those working in
the field (farmers being data subjects too): (1) the extent of the LPP
exemption in para 10 of sch 7 to the DPA; (2) the existence and extent of a
disproportionate effort limit on searches and (3) the approach to be taken to
the judicial discretion in s 7(9). On all three issues, the Court of Appeal
takes quite a different approach to that of HHJ Behrens QC at first instance: [2015] EWHC 2366
(Ch).
It is easiest simply to summarise what the Court of Appeal
has held and leave the comment for later.
The context of Dawson-Damer
is relatively simply stated. The data subjects are beneficiaries of certain
Bahamian trusts for which Taylor Wessing, as data controller, is the legal
representative of a trustee (or former trustee). The data subjects made subject
access requests under s 7 of the DPA to Taylor Wessing in the context of some
trust disputes in the Bahamas. Taylor Wessing declined to respond to those
requests, relying on legal professional privilege (LPP) as a general answer.
LPP
- ·
The exemption for LPP in para 10 of sch 7
applies only to a claim to LPP which would be recognised in legal proceedings
in the UK. It does not extend to privilege under any other system of law. Had
Parliament intended it to apply more widely, it would have said so and
introduced relevant controls (at [42] and [44]). - ·
The LPP exemption does not extend to documents
which are not the subject of LPP but which are the subject of rules of
non-disclosure (such as a trustee’s right of non-disclosure), whether those
rules are under English law or Bahamian law. No such exemption has been
provided in the DPA, and it is not inconsistent with the purposes of the
Directive and the DPA so to hold (at [46], [51], [53]-[54]). - ·
Taylor Wessing is a data controller, regardless
of whether it is an agent of the trustee. It must claim privilege in support of
its client but is otherwise in no special position (at [55]-[56]). (Briefly,
there has been some confusion by solicitors and, apparently, their regulators as
to whether or not they are controllers or processors. The judgment is
clear on this point.)
Proportionality
- ·
The issue of whether a disproportionate effort
involves more than an assertion that the search would be difficult is an issue
of the construction of s 8(2) of the DPA (which refers to disproportionate
effort in the supply of copies of personal data) (at [74]-[75]). - ·
Contrary to the ICO’s Subject Access Code of
Practice, disproportionate effort under s 8(2) is not restricted to supply of
copies, but includes difficulties which occur in the process of complying with
the request which might result in supply. The general principle of
proportionality in EU law applies at all stages (at [76]-[77]). - ·
The Directive emphasises the substantial public
policy reasons for giving data subjects control over the data processed about
them through a system of rights and remedies in the Directive, meaning that, so
far as possible, a subject access reques should be enforced (at [79]). - ·
It is plain almost beyond argument that on the
facts of the case, including in the light of the conclusions on LPP, that
further compliance would not involve disproportionate effort, and Taylor
Wessing must provide evidence to show what it has done to identify personal
data and the relevant plan of action, which it has not yet done, and as a
result of which no particular step can be identified as disproportionate (at
[82]-[84]).
Collateral
Purpose/Motive and the s 7(9) Discretion
- ·
Nothing in the Directive limits the purpose for
which a data subject may request his data, or provides data controllers with
the option of not providing data based solely on the requestor’s purpose (at
[107]). - ·
Nothing in the DPA has required the data subject
to show that he has no other purpose, and it would have undesirable secondary
consequences (at [108]). - ·
The position might be different if the
application under s 7(9) was an abuse of the court’s process (although finding
a mere collateral purpose would not normally be) (at [109]). - ·
The (in)famous perceived contrary
suggestions in Durant (at [27] per Auld LJ) have been misunderstood and taken
out of context. They emphasise only the limited nature of personal data, and do
not establish that a request was invalid if made for a collateral purpose (at
[111]-[112]). - ·
The s 7(9) discretion should not be exercised
because disclosure could not be obtained in the Bahamas under the governing law
of the trusts. The purpose of the DPA is to confer rights on data subjects and
not to administer a trust (at [113]). - ·
Because the discretion is general, it is better
not to seek to limit it in any particular way (at [105]).
There is much food for thought from the judgment of Arden
LJ, but it is undoubtedly the case that it is a data subject-friendly judgment.
Whether it opens the floodgates may need to be awaited, and the second Court of
Appeal judgment (Ittihadieh) may yet add further clarity or some confusion. We
are halfway through the story, but the first half has left a significant
highlights reel.
Christopher
Knight is a barrister at 11KBW. This article is an edited version of a
blogpost which appeared on the Panopticon blog: https://panopticonblog.com/
