We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
11 April 2017
The Court of Appeal has clarified the circumstances in which a party to litigation can use a subject access request under Section 7 of the Data Protection Act 1998 (which implements the EU Data Protection Directive (1995)) to obtain information which may be useful in litigation. This judgment provides clarification on issues relating to the legal professional privilege exception, the concept of disproportionate effort and the relevance of the data subject's motive in making the request.
The appellants in the case were members of the Dawson-Damer family who were beneficiaries of various Bahamian trusts. Respondent Taylor Wessing (TW) was a law firm which acted for the trustee of a number of these Bahamian trusts. One of the trusts, the Glenfinnan Settlement, had been set up for the benefit of Ms Dawson-Damer.
In 2006 and 2009 the trustee removed $402 million from the Glenfinnan Settlement and allocated it to new trustees (to hold on new discretionary trusts for the benefit of the other discretionary trustees). The appellants challenged the validity of these appointments in February 2014 and in August 2014 made a subject access request under the Data Protection Act to TW seeking personal data relating to themselves which was held by TW as solicitors of the trust.
TW claimed that the documents were privileged and that consequently it was not obliged to provide them to the appellants. The appellants contested this, stating that a trustee cannot rely on privilege against a beneficiary (except for litigation privilege between the two parties). On January 19 2015 the appellants sought an order from the court requiring TW to comply with the subject access request.
On March 20 2015 Dawson-Damer commenced proceedings in the Bahamas against the sole trustee of the Glenfinnan Settlement. In those proceedings she challenged the validity of the appointments made in 2006 and 2009. Those proceedings are ongoing.
The questions to be answered by the Court of Appeal were as follows:
Extent of privilege exception
The Court of Appeal overturned the decision of the first-instance court and concluded that the privilege exception applies only to documents which carry legal professional privilege for the purposes of English law (the narrow view). In deciding between whether the narrow or wide approach was appropriate, the relevant question was the interpretation of the phrase 'legal proceedings' in Paragraph 10 of Schedule 7 to the Data Protection Act.
'Legal proceedings' are not limited expressly to the United Kingdom, but in the Court of Appeal's view, this was Parliament's intention. First, Parliament is presumed not to legislate outside the United Kingdom. This is reinforced by the fact that in creating the privilege exception, Parliament was exercising the member state option under Article 13(1)(g) of the underlying directive, which permitted measures to safeguard "the rights and freedoms of others" recognised by the relevant member state under its own law. The reference in Paragraph 10 to privilege which may be recognised in legal proceedings must refer to proceedings within the United Kingdom, as that is the only form of privilege which the domestic rules of the United Kingdom recognise. Anything wider would require express provision.
There was a further question in respect of whether the privilege exception applies to documents which, although not subject to legal professional privilege, are subject to a right of non-disclosure, such as the trustee's right of non-disclosure under Bahamian law. TW argued that a purposive interpretation should be given to the words 'legal professional privilege' to avoid circumventing Bahamian law. However, the Court of Appeal did not accept that the privilege exception in the Data Protection Act could be interpreted so broadly without express provision.
The court concluded that the privilege exception exempts the data controller from complying with a subject access request only to the extent that legal professional privilege attaches to such documents according to the law of any part of the United Kingdom.
Section 8(2) of the Data Protection Act allows a data controller not to provide copies of information constituting personal information if "the supply of such a copy… would involve disproportionate effort". It falls to the data controller to prove that the supply of a copy of the information is either impossible or would require disproportionate effort.
The court noted that the word 'supply' means that what is weighed up in the proportionality exercise is the end object of the search, namely the potential benefit that the supply of the information might bring to the data subject, as against the means by which that information had been obtained. It will be a question of evaluation in each particular case whether disproportionate effort will be involved in the finding and supplying of the information as against the benefits that it might bring to the data subject.
The court further noted that the directive clearly states a number of substantial public policy reasons as to why subject access requests should be enforced as far as possible. Data controllers should also be expected to know their obligations to comply with subject access requests and to have designed their systems to enable them to make most searches for subject access request purposes.
The court concluded that the first-instance court had been influenced by its erroneous decision that the applicable law was that of the wide view. The Court of Appeal held that when the narrower view of the privilege exception was applied, it was plain that further compliance with the request would not involve disproportionate effort by TW. To take advantage of this exception, TW would need to produce evidence to show what it had done to identify material and work out an action plan. TW had done neither in order to discharge its burden of proving the efforts made to undertake a search for the data requested.
Section 7(9) discretion
In respect of the question as to whether the court should exercise its discretion under Section 7(9) of the Data Protection Act to make an order against the data controller to comply with the subject access request, the Court of Appeal held that there was nothing in the act or the directive which prohibited a request from being granted where there was an ulterior purpose behind the request (eg, as in this case, using the disclosure in proceedings in the Bahamas). The court concluded that it would be strange if verification of data were always the sole aim of a subject access request and the inference of a 'no other purpose' rule would have undesirable consequences.
In Durant v Financial Services Authority ( FSR 573) the judge had held that the right to obtain information under Section 7 of the Data Protection Act is not "to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties". However, the court held that Durant had been concerned with the definition of personal data, rather than the purpose of using that data (ie, a person could not claim that something was personal data because it would assist him or her in obtaining discovery or in litigation or complaints against third parties). Durant had nevertheless acknowledged that the discretion under Section 7(9) of the Data Protection Act is "general and untrammelled".
In deciding whether to exercise its discretion, the court must have regard to fulfilling the purposes of the Data Protection Act which confer rights on the data subject. The court was not exercising any jurisdiction in relation to the administration of the trust, which was a matter of Bahamian law. The fact that disclosure could not be obtained from the trustees under the governing law of the trusts was irrelevant. The court concluded that the discretion should be exercised and granted the order enforcing compliance with the subject access request.
The Court of Appeal's ruling is a positive judgment for data subjects, and in particular prospective claimants in the United Kingdom and abroad, in that they have been given the green light to use the Data Protection Act to obtain documents for use in litigation. At the same time, the court's finding that the test for 'disproportionate effort' applies to both the process of compliance with the request as well as the ultimate supply of the documents makes the process of compliance more onerous for a data controller. However, it is not unlimited. By way of example, in Holyoake v Candy ( EWHC 52), after this decision, it was held that a review of over 17,000 was more than sufficient to discharge the burden on the data controller to conduct searches.
Permission to appeal to the Supreme Court has been granted in this case, which should provide further clarification on the issue.
For further information on this topic please contact Sarah Shaul or Davina Given at RPC by telephone (+44 20 3060 6000) or email (firstname.lastname@example.org or email@example.com). The RPC website can be accessed at www.rpc.co.uk.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.