As courts continue to hand down judgments on DSAR responses, each decision brings further clarity on data controllers’ obligations, and the shape of future responses is becoming clearer.
What happened?
Mr Harrison, a private individual whose business is property investment, had hired a landscape gardening company, Alasdair Cameron Ltd (ACL), of which Mr Cameron was a director, to carry out work at one of his properties.
A disagreement occurred concerning the work and Mr Harrison demanded that ACL stop work on his property. There followed an exchange of telephone calls between Mr Harrison and Mr Cameron, some of which (unbeknown to Mr Harrison) were recorded by Mr Cameron.
During two of those telephone calls, Mr Harrison threatened violence towards Mr Cameron and his family.
Mr Cameron then shared those recordings with several friends and family members. A total of fifteen people were in receipt of the recordings.
Mr Cameron said:
“I shared the Recordings almost immediately with a small number of family and friends because I wished them to know that I had been threatened in case [Mr Harrison] made good on any of his threats of violence. I also wanted their advice and assistance about what I should do in this difficult situation. I did this for purely personal reasons and in a personal capacity as a father and husband, as well as for myself and my own personal safety. My concern was for my and my family’s safety.”
The recordings also ended up in the hands of some of Mr Harrison’s competitors in the property investment industry. At the time, Mr Harrison’s business was attempting to purchase the leasehold and freehold of a shopping centre and he believed that he had suffered financial loss in excess of £10 million as a result of someone circulating the recordings “with the express and singular purpose of damaging me in relation to that deal”.
In order to get to the bottom of who had shared the recordings, Mr Harrison submitted DSARs under Article 15 of the UK GDPR to various entities including – but not limited to – ACL, Mr Cameron and various ACL employees.
Mr Cameron provided copies of the recordings in response to the DSAR but would not disclose the identities of the individuals with whom he had shared them. Instead, he just gave him the categories into which the recipients fell.
The Information Commissioner’s Office defines categories of recipients of personal data as “anyone you share personal data with, e.g. suppliers, credit reference agencies, government departments.”
Mr Cameron said that he was not a data controller, so he was not required to respond to the DSAR that was made to him personally.
Mr Harrison then took the matter to court, seeking an order that would compel both Mr Cameron and ACL to comply with their respective DSARs.
Issues for the Court
The court had to decide three main issues:
- Was Mr Cameron a data controller?
- Was Mr Harrison entitled to know the identities of the recipients of his personal data?
- How should the ‘protection of third party rights’ exemption be applied to the recipients of personal data?
The first issue was whether Mr Cameron was a data controller.
The term “controller” is defined in article 4(7) of the UK GDPR as follows:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
Mr Cameron claimed that he distributed the recordings to his friends and family “in the course of a purely personal or household activity” and that the UK GDPR therefore did not apply.
Mrs Justice Steyn did not agree; she said that as the recordings related to the breakdown of the business relationship between Mr Harrison and ACL, the UK GDPR did indeed apply as those recordings directly related to Mr Cameron’s business dealings with Mr Harrison. The Judge stated:
“In my judgment, when Mr Cameron recorded the calls, that act of processing was plainly done by him in his capacity as a director of ACL. Mr Cameron was telephoning Mr Harrison about his decision, as a client of ACL, to terminate their contract…he did so, at least in part, for business reasons and, in any event, it was a business call recorded by him as director of ACL.”
That being said, whilst the Judge had determined that the processing was within scope of the UK GDPR, she also confirmed that Mr Cameron was acting in his capacity as a director of ACL when he recorded the calls and shared the recordings. Therefore, he was not personally held to be a data controller and did not have any legal obligation to respond to Mr Harrison’s DSAR.
The Judge did comment that this decision was determined on the basis that Mr Cameron was not acting as a ‘rogue director’ outside the scope of his directorship; the inference being that a rogue director could well be held to be a data controller. Directors must therefore always ensure that they act in furtherance of the best interests of their company and within the authority conveyed upon them by their role.
The second issue was whether Mr Harrison had an entitlement under Article 15 of the UK GDPR to be told which individuals had received the recordings from Mr Cameron on behalf of ACL.
In a Court of Justice of the European Union (CJEU) case referenced by the Judge, RW v Österreichische Post AG (the “Austrian Post” case), the CJEU said that the data controller was obliged to give the data subject the identity of the recipients except where it was not possible to identify the recipients or if the request was “manifestly unfounded or excessive”.
Although, post-Brexit, the Judge was not bound by the decision in a CJEU case, she acknowledged its interpretation of the (EU) GDPR and agreed that the same would apply to the equivalent UK GDPR requirement. She therefore adopted the stance set out by the CJEU in determining what that provision meant.
In considering the present case, the Judge confirmed that as there were only 15 individual recipients, it would not be manifestly unfounded or excessive to disclose their identities. Therefore, ACL should, in principle, provide that information to Mr Harrison.
The third and final consideration was the application of the exemption protecting the rights of third parties. Regarding the application of any exemption, including that for third party rights, the Judge confirmed the position to be that:
“The controller is the “primary decision-maker” in assessing whether it is reasonable or not. The controller has a “wide margin of discretion” under paragraph 16(2)(b), including as to the factors to treat as relevant to the balancing exercise (subject to paragraph 16(3)) and the weight to be given to each factor they treat as relevant.”
When Mr Cameron, acting on behalf of ACL, had refused to disclose the identities of the people to whom he had sent the recordings, he cited a genuine concern for the safety of those recipients if Mr Harrison found out who they were, given Mr Harrison’s previous threats of violence.
The court took his point, together with evidence about Mr Harrison’s behaviour, and ruled that Mr Cameron’s refusal to disclose the identities of the recipients was reasonable and did not breach Article 15 UK GDPR.
“I conclude that ACL’s assessment that it would not be reasonable to disclose the identities of any of the recipients to Mr Harrison fell well within its margin of discretion as the controller when responding to the ACL SAR. Accordingly, the rights of others exemption applies, and so ACL complied with Article 15 in their response to the ACL SAR.”
The Judge also observed that Mr Cameron had offered to disclose the names of some of the recipients provided that Mr Harrison agreed not to threaten, harass, or bring any claims against any of those recipients (other than under the UK GDPR). Mr Harrison had refused to give such an undertaking.
What can we learn from this case?
A director acting within the remit of their directorship is unlikely to be a data controller in their own right. However, it is possible that rogue directors who act beyond the authority conveyed upon them by the company could find themselves personally responsible for processing personal data.
In principle, a data subject is entitled to know with whom their data has been shared (specific individuals and not just categories). However, that right must be balanced against what might happen to those individuals’ rights and freedoms if that information is disclosed.
In this instance, the data controller rightly took into account what Mr Harrison was likely to do with that information and properly assessed that it had a duty to protect those third parties as protection of their rights in these circumstances would override the rights of Mr Harrison to access this particular information in relation to his personal data.
Therefore, if a controller receiving a DSAR assesses that the person making the DSAR might use that information against a third party in any way, this is likely to be sufficient reason to apply the protection of third party rights exemption under paragraph 16, Part 3 of Schedule 2 to the Data Protection Act 2018 and refuse to disclose those identities. When applying any exemption, the data controller should keep a record of the assessment undertaken and the reason for its use, so that it can demonstrate compliance should there be a later complaint or issue.
Steps that can be taken:
A controller’s internal process for responding to DSARs should set out the steps that will be taken when assessing whether to give a data subject the information on recipients of their personal data. Where recipients are companies and not individuals in their personal capacity, there is no requirement to undertake any assessment as a corporate identity is not afforded the same protection; therefore, the company name should be disclosed.
If a decision is taken to withhold information, careful consideration should be given to that decision, as well as keeping a detailed record of that assessment in case the controller is later required to justify that decision.
If your company is a data controller and has received a DSAR and you are reviewing the rights of the person making that request against those of a third party, you must consider the motives of the requester and how that information might be used. In case of any queries relating to this complex area of law, please do reach out for specialist legal advice.