Under the forthcoming General Data Protection Regulation, data subjects have a right to access their personal data held by a controller. Controllers under the GDPR will need to respond to data subjects who make a subject-access request. These rights currently exist under Data Protection Directive, Article 12, which requires controllers to confirm to a data subject if their personal data is being processed, the purposes of the processing, the categories of data being processed, and the recipients of that data, plus the logic on any automated processing decisions made on the basis of the personal data. Article 13 allows for certain restrictions on these rights under member state laws, including “for the protection of the data subject and of the rights and freedoms of others.” GDPR Article 15 enhances these requirements by requiring the responses be within a month, generally without charge, and with additional information, such as data retention periods.
This seems simple enough, except for the possible increase in administrative work for data controllers.
Litigation complicates this relatively simple requirement. Although differing widely across EU jurisdictions, there are typically rights of disclosure or discovery by parties involved in litigation. For example, in the U.K., there is standard disclosure for both litigating parties to each other, and additional disclosures can be ordered by the court. Ireland has litigant-requested court-ordered discovery, while continental EU courts, under civil law, have varying levels of litigant-requested and court-initiated and ordered discovery. Discovery/Disclosure requests can overlap with SARs. Restricting access to personal data under SARs is the legal professional privilege, which protects communications and documents created for litigation or legal advice given. LPP is a combination of litigation privilege and legal advice privilege.
LPP is an allowable restriction to SARs under Directive Article 13 (GDPR Article 23). The Irish Data Protection Commissioner advises that individuals do not have a right to access information relating to them, which is subject to LPP in court. The U.K. Information Commissioner’s Office states that personal data is exempt from the right of access if LPP can be claimed for it in legal proceedings. Problems can arise when parties use their access rights under EU privacy laws to attempt to circumvent LPP or other limitations on discovery/disclosure. Two recent cases in the U.K. and one from Ireland demonstrate this tension between the right of confidentiality for legal matters under LPP, discovery/disclosure litigation requests, and the right to access personal data via an SAR.
In the 2012 case of Dublin Bus v. Data Protection Commissioner, the High Court of Ireland considered whether there was a right under the Data Protection Act, as asserted by the plaintiff and supported by the DPC, to receive certain personal data to support their litigation claims. The plaintiff had fallen on a bus and, after commencing litigation, asked under an SAR for the CCTV video of their fall. The defendant refused, stating the video was protected by litigation privilege. The DPC then issued an enforcement notice on the defendant to provide the video. The defendant appealed that because the motive of the plaintiff was to use the video for litigation purposes, the DPC was exercising the role of court-ordered discovery. The court ruled that this was actually a request concerning privacy rights, there was no statutory exception for refusing an SAR because the data would be used in litigation, and it was not its role to fashion such a new exception.
In the 2017 case of Holyoake v. Candy, the High Court of England and Wales considered whether LPP can be used to hide a privacy violation or protect communications about responding to an SAR. The plaintiff’s SAR was originally rejected on the grounds that it would be used to support litigation, the data could be obtained through the disclosure process, and a significant amount of personal data would be subject to litigation privilege but, after being narrowed, was carried out by the defendants. The court noted that while litigation privilege “arises where a document has been brought into existence for the sole or dominant purpose of use for litigation … Litigation privilege may be … disapplied where it [is] designed to act as a cloak for crime or fraud.” The court ruled that a violation of privacy was not considered a crime or fraud that would result in the dis-applying of LPP to the SAR. It also ruled that the use of lawyers to conduct an SAR search allowed LPP to be used on communications about that search, even though non-lawyers could have conducted the search.
In the 2017 case of Dawson-Damer v. Taylor Wessing LLP, the Court of Appeals of England and Wales considered whether a litigation motive for an SAR under the Data Protection Act was a valid reason to reject it and also the jurisdictional scope of LPP under the DPA. The appellants had issued an SAR against the trustee of a foreign trust. The trustee, a law firm, resisted the SAR, stating that the personal data was covered by LPP, including the wider privilege of that foreign jurisdiction. The court of appeals ruled that SARs were not limited to simply verifying and correcting personal data and no other use, and so the motive for issuing an SAR was not relevant. The court also ruled that the LPP under the DPA was the privilege available under English — not foreign — law, as the DPD Article 13 restrictions allowed for national laws that applied only within their own jurisdictions.
The ICO’s 2014 Subject Access Code of Practice addressed the SAR/LPP/discovery issues: “It has been suggested that case law provides authority for organisations to refuse to comply with an SAR where the requester is contemplating or has already begun legal proceedings. The Information Commissioner does not accept this view, but he recognises that: the courts have discretion as to whether or not to order compliance with an SAR; and if a court believes that the disclosure of information in connection with legal proceedings should, more appropriately, be determined by … the courts’ rules on disclosure, it may refuse to order personal data to be disclosed … Nevertheless, simply because a court may choose not to order the disclosure of an individual’s personal data does not mean that, in the absence of a relevant exemption, the DPA does not require you to disclose it. It simply means that the individual may not be able to enlist the court’s support to enforce his or her right.”
To summarize, the GDPR will bring certain enhancements to the requirements for controllers in handling SARs. Litigation, including the role of discovery/disclosure and LPP can complicate the response to SARs. LPP can be a valid reason for controllers to decline to provide certain personal data requested by an SAR but LPP only applies to personal data in documents and communications relating to legal advice and litigation. In absence of LPP or other legal restrictions such a national security, data subjects have a right to their personal data requested under an SAR, even if intending to use it in court against the defendant controller. Controllers should become familiar with all the restrictions allowed by their national laws in replying to an SAR and the GDPR’s new SAR requirements.
photo credit: DesignRecipe European Union Flags 2 via photopin