Court of Appeal rules on subject access request in favour of data subjects

Laura Monro

Back in November 2015 we reported that the High Court decision in Dawson-Damer v Taylor Wessing brought cautious optimism for data controllers when the judge refused to make an order for compliance with three subject access requests (see https://idatalaw.com/2015/11/24/high-court-decision-brings-cautious-optimism-for-data-controllers/). However, the Court of Appeal ([2017] EWCA Civ 74) has taken a different approach, overturning the High Court decision and ordering Taylor Wessing, the data controller, to comply with the subject access requests.

In its decision the Court of Appeal focused on the following three key issues:

The extent of the legal professional privilege exception

One of the family members was involved in litigation in the Bahamas with Taylor Wessing’s client, the Bahamian trustee of the family’s trust fund. Taylor Wessing did not comply with the subject access requests, claiming to be entitled to the exemption for legal professional privilege. The High Court decided that every document which the trustee would be entitled to withhold from disclosure in the ongoing Bahamian litigation fell within the legal professional privilege exemption under English law.

However, the Court of Appeal took a narrower view, finding that the legal professional privilege exemption:

  1. applies only to documents which are protected by legal professional privilege under English law, and does not extend to systems of law outside the UK; and
  2. does not extend to documents which are the subject of non-disclosure rules, in this case the applicable rules being the trustee’s right of non-disclosure.

Whether any further search would involve “disproportionate effort”

The Data Protection Act 1998 (section 8(2)) provides that a data controller must supply the data subject with a copy of the information requested under a subject access request unless the supply of such information “is not possible or would involve disproportionate effort”.

Although the High Court concluded that it was not reasonable or proportionate for Taylor Wessing to carry out searches to determine if any particular document was covered by privilege, the Court of Appeal disagreed.

The Court of Appeal stated that Taylor Wessing must produce evidence to show what it has done to identify the material and must work out a plan of action. It found that further compliance with the subject access requests would not involve disproportionate effort by Taylor Wessing, and that disproportionate effort must involve more than an assertion that it is too difficult to search through voluminous papers.

Whether the judge was entitled to refuse to exercise his discretion in favour of the data subjects because their motive was to use the information in legal proceedings against the trustee

The Court of Appeal held that the High Court judge was wrong not to enforce the subject access requests despite the motive of the data subjects.

Neither the Data Protection Act nor the ICO’s subject access code of practice provides that data subjects have to inform the data controller of their reason for making the subject access request, or what they intend to do with the information requested. There is no “no other purpose” rule which would allow a data controller to refuse to respond to a subject access request if the data subject proposes to use the information obtained for a purpose other than verifying or correcting the personal data held about them.

It follows that the intention of the data subject to use the personal data for the purpose of litigation proceedings cannot be used by a data controller to avoid complying with a subject access request.

The decision of the Court of Appeal finds in favour of the data subjects and serves as a warning to data controllers that significant effort may be needed in responding to subject access requests. Data controllers should also bear in mind that once the GDPR applies from 25 May 2018 there will be less time to comply with subject access requests: the GDPR requires that information must be provided without undue delay and at the latest within one month of receipt (extendable by a further two months only where requests are complex or numerous), rather than the current 40 days. It is prudent for data controllers to be reviewing their policies and procedures now to ensure that they will be able to comply with the GDPR once it applies.

Laura Monro is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at lmonro@foxwilliams.com

ICO publishes blog on the EU-US Privacy Shield

Laura Monro

Following the EU-US Privacy Shield becoming operational on 1 August 2016 (the European Commission adopted its adequacy decision on 12 July 2016), the ICO has published a blog summarising the “what, why, and how” of transferring data from the UK to the USA.

Whilst it remains the case that:

  1. the eighth data protection principle requires organisations that wish to transfer personal data outside of the EEA to ensure an adequate level of protection for data subjects; and
  2. the European Commission has not deemed the USA as providing such adequate level of protection,

transfers to the USA are “adequate” if the organisation receiving the personal data is certified under the EU-US Privacy Shield.

The ICO makes it clear that any organisation still relying on the predecessor to the EU-US Privacy Shield, the Safe Harbor scheme, to transfer personal data from the UK to the USA needs to review its position. Continuing to rely on the Safe Harbor scheme on its own will mean that an organisation is acting in breach of the Data Protection Act.

As a first step, the ICO recommends that any organisation looking to transfer data to the USA should ensure that the receiving organisation is certified under the EU-US Privacy Shield – if the receiving organisation is not certified you will need to rely on other ways to legally transfer the personal data to the USA.

At the present time, these include the model contractual clauses and binding corporate rules. However, the ICO is aware that such methods, whilst currently valid, are not free from uncertainty. This is not least because the Irish data protection regulator has brought proceedings seeking a referral to the Court of Justice of the EU on whether the model contractual clauses provide an adequate level of protection for international data transfers.

The ICO intends to issue guidance for organisations on international data transfers early in the Autumn – watch this space.

Laura Monro is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at lmonro@foxwilliams.com

Telegraph Media Group fined £30,000 by ICO

Laura Monro

As 2015 draws to a close, the Information Commissioner’s Office has fined the Telegraph Media Group Ltd £30,000 for a serious breach of the UK Privacy and Electronic Communications Regulations (“PECR”). The PECR set out specific rules in respect of electronic communications. In particular, the PECR prohibit the sending of unsolicited marketing and advertising by electronic means without the individual’s consent to such marketing and advertising.

On the day of the general election earlier this year, the Telegraph Media Group sent out its daily editorial e-bulletin which included a letter from the editor of the Telegraph newspaper urging its readers to vote Conservative. Whilst subscribers to the Telegraph Media Group had signed up, and hence consented to receiving, the editorial e-bulletin, the ICO found that by promoting a particular election campaign the nature of the e-bulletin had changed from an editorial communication to a ‘marketing communication’.

In order to amount to valid consent to receiving a particular electronic communication under the PECR, consent must be knowingly given, clear, and specific. In the circumstances, the Telegraph Media Group did not have the specific consent of the readers to send such a marketing communication and the communication was sent in breach of the PECR. The ICO Head of Enforcement considered that the Telegraph had been negligent in sending the letter from the editor as part of the e-bulletin and explained that “people signed up to The Telegraph’s email service so they could catch up on the news or find out about subjects they were interested in. They did not expect to be told who they should be voting for.”

The ICO has the power to impose a monetary penalty on a data controller of up to £500,000 in respect of such a breach. However, the relatively low amount of £30,000 was determined by the fact that only 17 complaints were received, and that the email in question was a late addition to the usual mailing. The ICO acknowledged that there was pressure to distribute it quickly and little time to properly consider whether it should be included in the mailing.

This case serves as a reminder of the scope of the PECR and the enforcement action open to the ICO for those who ignore the rules.

High Court decision brings cautious optimism for data controllers

Laura Monro

A recent decision of the High Court has highlighted the difference in approach taken by the Court and the ICO in respect of compliance with subject access requests.

The Data Protection Act 1998 gives individuals the right to request that data controllers provide them with a copy of any personal data held about them, subject to certain exemptions. The intended purpose of a subject access request is to enable the individual to verify the personal data held about them and the lawfulness of the processing of that data.

In Dawson-Damer v Taylor Wessing subject access requests were made by three family members to law firm Taylor Wessing, the data controller. One of the family members was involved in litigation in the Bahamas with Taylor Wessing’s client, the Bahamian trustee of the family’s trust fund. Taylor Wessing did not comply with the subject access requests, claiming to be entitled to the exemption for legal professional privilege. As a result, the family members applied to the court for an order for compliance with the subject access requests.

The judge refused the application holding that, amongst other points:

(i) whilst there was no direct evidence of the motives in making the subject access requests, in the judge’s view, the real purpose of the subject access requests was to obtain information that may assist in connection with the litigation in the Bahamas. Such purpose was not a proper purpose for submitting a subject access request. This follows the decision of the County Court in 2012 in Elliott v Lloyds TSB Bank Plc & Anor which decided that if it could be shown that “but for” the litigation the subject access request would not have been made, such request would be an abuse of process.

However, in contrast, the ICO’s subject access code of practice provides that data subjects do not have to inform the data controller of their reason for making the subject access request, nor of what they intend to do with the information requested.

(ii) It was not reasonable or proportionate on the facts of the case for Taylor Wessing to carry out the necessary search to determine if any particular document was covered by legal professional privilege. In the circumstances, whether or not a document was protected by privilege depended on Bahamian law. As such, deciding whether a document was protected by privilege would be time consuming (and hence costly) and require consideration from skilled lawyers.

This reasoning is in contrast to the ICO’s view that a data controller need only supply such data as is found after a reasonable and proportionate search. The ICO’s guidance suggests that data controllers cannot refuse to deal with a subject access request simply because it will be an onerous task and time consuming to do so.

Employers as data controllers which have received subject access requests will be aware that such a request will be an administrative burden on the business. The decision in Dawson-Damer v Taylor Wessing is therefore likely to be welcomed by data controllers. However, the decision is at odds with the ICO’s guidance which suggests that data controllers should be prepared to make extensive efforts to find and retrieve the requested information, and even if a data controller can show that supplying a copy of information in permanent form would involve disproportionate effort, the data controller must still comply with the request in some other way.

It remains to be seen whether the ICO will revise its guidance in light of the court decisions. However, the ICO is unlikely to do so in the near future given that the judge acknowledged that the Court of Appeal might take a different view to that decided in Dawson-Damer v Taylor Wessing and granted permission to appeal. In the meantime, employers should take a cautious approach in following the decision of the High Court.

Please contact Laura Lumby for further information.

The way the cookies crumble

Laura Monro

This article was originally written for and featured in Childrenswear Buyer Online.

An informal review of the websites of various businesses referred to in the August edition of Childrenswear Buyer found that only half of these businesses have policies relating to the use of cookies on their websites. Even fewer have registered with the Information Commissioner’s Office (“ICO”) as a data controller of personal information.

Why do these issues matter?

The use of cookies is regulated in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the Regulations), which are designed to protect the privacy of internet users. The ICO is responsible for enforcing compliance with the Regulations and has the power to take action where necessary. This includes:

  1. committing a business to a particular course of action in order to improve its compliance with the Regulations;
  2. compelling a business to take action to bring about compliance with the Regulations; and
  3. although unlikely, fining a business up to £500,000.

But the non-legal consequences of not complying with the Regulations should be of equal concern to businesses.

So what are cookies? Cookies are small files downloaded onto a device such as a computer, tablet or mobile phone when the user accesses certain websites. Cookies store information about the user’s internet activity, including their user preferences, and are sent back to the website on later visits. The Regulations apply to all information stored or accessed by cookies, whether or not it is personal data. However, where cookies collect personal data such as the user’s name, postal address or email address, businesses need to ensure that they also comply with the additional requirements of the UK Data Protection Act. In addition, any business collecting personal data through its website should have an online privacy policy setting out the business’ practice in relation to the collection, storage and use of that personal data.

The Regulations require that users are told about the cookies placed by a website and given the choice as to which of their online activities are monitored in this way. A cookie may only be used if users have given their consent having been provided with clear and comprehensive information about the purpose of that cookie. Consent must involve some form of communication where the user knowingly indicates their acceptance; obtaining consent that relies on a user’s ignorance about what they are agreeing to is unlikely to comply with the Regulations.

Between April and June 2014, the ICO received 38 concerns reported about cookies. The ICO has stated that it is taking a practical and proportionate approach in enforcing the Regulations where organisations are making the effort to comply. However, its current focus is on ensuring compliance with the Regulations by websites that are doing nothing to raise awareness of cookies, or to obtain the user’s consent to the use of various cookies. The ICO will look unfavourably on a business with a casual approach to data protection and the privacy of its customers, particularly at a time of heightened interest following, for example, the trial of Rebekah Brooks and Andy Coulson.

What do you need to do to comply? As a first step, if you have an online presence you should undertake a “cookie audit” to assess the cookies used on your website, and the purposes of each cookie. Once identified, you will be able.
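The “cookie audit” described above starts with an inventory of what a site actually sets. The following Python script is an added example, not code from the original article or from Fox Williams; it parses Set-Cookie headers captured from HTTP responses and records, for each cookie, who set it, whether it is first- or third-party relative to the audited site, whether it persists beyond the browser session, and which security attributes it carries. The site host `www.example-retailer.co.uk`, the tracker host `tracker.example-ads.net` and the sample headers are all constructed for illustration. The first-party test is deliberately simplified and should be backed by the public suffix list in a real audit.

```python
"""Cookie audit helper (added example): inventory the cookies a site sets.

Reads Set-Cookie headers captured from HTTP responses and classifies each
cookie by issuer, lifetime and security attributes. This is the raw material
for the purpose-by-purpose assessment that the Regulations call for; the
purpose itself still has to be established from the site's own records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed first-party host for the audit; replace with the site under review.
SITE_HOST = "www.example-retailer.co.uk"

# Constructed sample: (issuing host, Set-Cookie headers that host returned).
# Not captured from any real site.
SAMPLE_RESPONSES: List[Tuple[str, List[str]]] = [
    ("www.example-retailer.co.uk", [
        "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
        "basket=3-items; Path=/; Max-Age=2592000; Domain=.example-retailer.co.uk",
    ]),
    ("tracker.example-ads.net", [
        "uid=xyz789; Domain=.example-ads.net; Path=/; "
        "Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure; SameSite=None",
    ]),
]


@dataclass
class CookieRecord:
    name: str
    set_by: str               # host whose response carried the header
    domain: str               # Domain attribute, or the issuing host if absent
    path: str
    persistent: bool          # True if Expires or Max-Age is present
    secure: bool
    httponly: bool
    samesite: Optional[str]
    first_party: bool         # cookie domain matches the audited site


def _is_first_party(cookie_domain: str, site_host: str) -> bool:
    """Simplified check: the cookie domain is the site host or a parent of it.
    A production audit should consult the public suffix list so that, say,
    a Domain=co.uk cookie is not treated as first party."""
    return site_host == cookie_domain or site_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, issuing_host: str, site_host: str) -> CookieRecord:
    """Parse one Set-Cookie header value into an audit record."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes map to ""
    domain = attrs.get("domain", issuing_host).lstrip(".").lower()
    return CookieRecord(
        name=name.strip(),
        set_by=issuing_host,
        domain=domain,
        path=attrs.get("path", "/"),
        persistent="expires" in attrs or "max-age" in attrs,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite"),
        first_party=_is_first_party(domain, site_host.lower()),
    )


def audit(responses: List[Tuple[str, List[str]]], site_host: str) -> List[CookieRecord]:
    """Build the inventory for every Set-Cookie header in the captured responses."""
    return [parse_set_cookie(h, host, site_host)
            for host, headers in responses for h in headers]


def summarise(records: List[CookieRecord]) -> Dict[str, int]:
    """Counts that drive the next step of the audit: every third-party or
    persistent cookie needs a stated purpose and a consent mechanism, and
    cookies lacking Secure/HttpOnly are a separate hardening item."""
    return {
        "total": len(records),
        "first_party": sum(r.first_party for r in records),
        "third_party": sum(not r.first_party for r in records),
        "persistent": sum(r.persistent for r in records),
        "session_only": sum(not r.persistent for r in records),
        "not_secure": sum(not r.secure for r in records),
        "not_httponly": sum(not r.httponly for r in records),
    }


if __name__ == "__main__":
    inventory = audit(SAMPLE_RESPONSES, SITE_HOST)
    for rec in inventory:
        party = "first-party" if rec.first_party else "THIRD-PARTY"
        life = "persistent" if rec.persistent else "session"
        print(f"{rec.name:<10} {rec.domain:<26} {party:<12} {life:<10} "
              f"secure={rec.secure} httponly={rec.httponly} samesite={rec.samesite}")
    print(summarise(inventory))
```

Feed the script the Set-Cookie headers exported from a browser's developer tools or a proxy capture of a full page load, including the responses from any embedded third-party scripts, since those are the cookies most often missing from a site's cookie policy.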