DSARs: Are The Courts Flexing Their Muscles (Again)? – Privacy – United States – Mondaq News Alerts



To print this article, all you need is to be registered or login on Mondaq.com.

In the 2020 UK case of Lees v Lloyds Bank plc EWHC 2249
(Ch) (24th August 2020), the High Court dismissed a claim against
Lloyds Bank for alleged failures to provide adequate responses to
Mr Lees’ data subject access requests (‘DSARs’) in
breach of the Data Protec tion Act 2018 (‘DPA 2018’) and
the GDPR. Having decided that Lloyds Bank had adequately responded
to the DSARs, the High Court discussed its discretion to refuse an
order compelling compliance where a claimant demonstrates that a
defendant has not responded to a DSAR in accordance with the
relevant legislation. Although this section of the Court’s
judgment was ‘obiter dicta’, and therefore persuasive
rather than binding on other courts, it is helpful in understanding
the likely approach UK courts will take when faced with such
applications.

The Court’s reasoning

Although some of the DSARs were made when the Data Protection
Act 1998 was still in force, given the similarity between that
legislation and the DPA 2018 in respect of DSARs, the Court’s
reasoning is likely to be applicable to applications under the
GDPR. As a reminder, the GDPR now forms part of UK law by virtue of
section 3 of the European Union (Withdrawal) Act 2018, as amended
(including by the Data Protection, Privacy and Electronic
Communications (Amendments etc.) (EU Exit) Regulations 2019
(‘UK GDPR’) and the DPA 2018.

After recognising that its discretion was not “general and
untrammelled”, the Court noted that there would be good
reasons for declining to exercise its discretion in favour of Mr
Lees in light of the following:

  • the issue of numerous and repetitive DSARs deemed to be
    abusive;

  • the real purpose of the DSARs being to obtain documents rather
    than personal data;

  • there being a collateral purpose that lay behind the requests,
    which was for Mr Lees to obtain assistance in preventing Lloyds
    bringing claims for possession of various properties against Mr
    Lees;

  • the fact that the data sought would be of no benefit to Mr
    Lees, as he had no defence in law to such claims; and

  • the fact that those claims had been the subject of final
    determinations in the County Court from which all available avenues
    of appeal had been exhausted.

For those faced with responding to DSARs in similar
circumstances, this decision will be welcome, as it indicates the
more robust approach that courts may take where they believe DSARs
are being deployed by claimants in a tactical way, for example, to
obtain early or wider disclosure than that permitted under the
Civil Procedure Rules. Such ‘nuisance’ DSARs are often very
time-consuming and costly for organisations.

ICO’s guidance

So how does the Lees decision sit with the Information
Commissioner’s Office (‘ICO’) guidance on responding to
DSARs?

In the past, the ICO has taken the position that DSARs should be
‘motive blind’, i.e. that those responding to DSARs cannot
decline to do so on the basis that the individual making the
request has some ulterior motive, such as early disclosure.
However, in its revised DSAR guidance published on 21st October
2020 (‘the Guidance’, copy at www.pdpjournals.com/docs/888115) the ICO
appeared to change its position.

Under Article 12(5)(b) of the UK GDPR, one of the only two
grounds for refusing to comply with a DSAR is that the request is
‘manifestly unfounded’. The Guidance states that a request
may be manifestly unfounded if an individual clearly has no
intention to exercise his/ her right of access, and gives as an
example of this a situation where an individual makes a request,
but then offers to withdraw it in return for some form of benefit
from the organisation to which he/she is making the request. The
specific example provided in the Guidance involves an individual
making a DSAR to an online retail company and stating in their
request that he/she will withdraw it if the company credits the
individual’s online account with a specified sum of money. The
Guidance states that a request may also be manifestly unfounded if
it is malicious in intent, and being used to harass an organisation
with no real purpose other than to cause disruption. The Guidance
gives the following examples of where this might apply:

  • the request explicitly states, in the request itself or in
    other communications, that he/ she intends to cause
    disruption;

  • the request makes unsubstantiated accusations against the
    organisation or specific employees which are clearly prompted by
    malice;

  • the individual is targeting a particular employee against whom
    they have some personal grudge; or

  • the individual systematically sends different requests to the
    organisation as part of a campaign, for example, once a week, with
    the intention of causing disruption.

The only other ground for refusing to comply with a DSAR is that
it is ‘manifestly excessive’ (under Article 12(5) (b) of
the UK GDPR). Again, the Guidance pro vides some helpful direction
to determine whether a request is manifestly excessive. In
particular, an organisation will need to consider whether the
request is clearly or obviously unreasonable, based on whether it
is proportionate when balanced with the burden or costs involved in
dealing with it. The Guidance states that this consideration will
mean taking into account all the circumstances of the request,
including:

  • the nature of the requested information;

  • the context of the request, and the relationship between the
    organisation and the individual;

  • whether a refusal to provide the information or even
    acknowledge whether it is held would cause substantive damage to
    the individual;

  • the organisation’s available resources;

  • whether the request largely repeats previous requests and
    whether a reasonable interval has not elapsed (taking into account
    the nature of the data, including whether they are particularly
    sensitive, and how often they are altered); and

  • whether the request overlaps with other requests (noting that
    if it relates to a completely separate set of information, it is
    unlikely to be excessive).

The Guidance makes clear that a request is not necessarily
excessive just because the individual requests a large volume of
information. The Guidance also highlights some general
considerations organisations should take into account when deciding
whether a request is manifestly unfounded or excessive, namely:

  • considering each request individually and not having a blanket
    policy;

  • not presuming that a request is manifestly unfounded or
    excessive just because an individual has previously submitted a
    manifestly unfounded or excessive request; and

  • ensuring that there are strong justifications for considering a
    request to be manifestly unfound ed or excessive, which can be
    clearly demonstrated to the individual and the ICO.

In particular, the ICO points out that the inclusion of the word
‘manifestly’ means there must be an obvious or clear
quality to the request’s unfoundedness or excessiveness.

Where Lees sits with the ICO’s guidance

The courts and the ICO seem now to be somewhat more aligned on
how they will treat complaints about responding to DSARs. Their
current position seems to offer greater hope and help to
organisations facing ‘nuisance’ DSARs. However, the
criteria for not responding seem to be fairly strict, especially in
the ICO’s case. Unfortunately, in addition to serving as a
helpful roadmap for organisations, the Guidance could also be used
by individuals who wish to make ‘nuisance’ requests as a
checklist for what not to include in DSARs in an attempt to ensure
that they are not viewed as manifestly unfounded or excessive.

Although there is greater alignment between the approach of the
courts and the ICO, organisations should also be aware of the
differences in approach when considering whether to respond to
DSARs. The grounds for not responding identified in the
Lees case clearly go beyond the grounds identified by the
ICO. Specifically, the Court had taken into account the ‘bigger
picture’: that the data sought would have been of no benefit to
Mr Lees given he had no defence in law to the bank’s claims;
those claims had already been the subject of final determinations;
and available avenues of appeal been exhausted.

Some organisations may feel uncomfortable following the
Court’s more ‘muscular’ approach, given the lack of
clarity as to whether the Court’s remarks take precedence over
the Guidance. However, more seasoned practitioners will know that
this sort of tussle between the courts and the regulator is not
new. For instance, in the case of Durant v Financial Services
Authority
[2003] EWCA Civ 1746, the Court of Appeal appeared
to narrow what had to be disclosed in response to a DSAR asking for
everything in which the individual was named. The Court of Appeal
took the view that the recipient of the DSAR should only have to
disclose data which were either of biographical significance (which
would not include data which merely mention an individual’s
name without any personal connotations, such as a meeting request
email) or which focus on an individual (being information that
affects his/her privacy, whether in a personal or business
capacity).

Following the Article 29 Working Party’s (now the European
Data Protection Board) opinion on the concept of personal data,
which endorsed a broad interpretation of personal data in clear
contrast to the restrictive interpretation in Durant, the ICO
issued guidance advising that the principles in Durant should only
be applied where data are not ‘obviously about’ an
individual or clearly ‘linked to’ him/her. As with Lees,
this left organisations unclear about whether the view of the
courts or the ICO took precedence, until the Court of Appeal
helpfully revisited the issue in the case of Edem v Information
Commissioner and Financial Services Authority
[2014] EWCA Civ
92. The Court of Appeal accepted that personal data should be
interpreted in accordance with the ICO’s guidance, and that the
ruling in Durant should be confined to the limited
circumstances identified by the ICO in its guidance.

Given the current uncertainty about taking into account the
‘bigger picture’ considerations identified in Lees
when deciding whether to respond to a DSAR, we can only hope for
another Edem to provide clarity on this issue.

Originally published by Privacy & Data Protection
Journal
.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

Data Privacy Comparative Guide

Fieldfisher

Data Privacy Comparative Guide for the jurisdiction of European Union, check out our comparative guides section to compare across multiple countries

Monthly State Privacy Legislative Updates: January 2021

Akin Gump Strauss Hauer & Feld LLP

In the wake of the California voters’ approval of Proposition 24, or the California Privacy Rights Act of 2020 (CPRA), a ballot initiative that expanded data privacy obligations for businesses…

It Is Time For Federal Chief Privacy Officers

Cooley LLP

As the Biden administration organizes a new government, we have an opportunity to institutionalize privacy as a top priority across government. The mounting threats to privacy and…

2020 Privacy Law Year In Review

Winston & Strawn LLP

Amid the global pandemic, 2020 witnessed the debut of new privacy laws and an explosion of privacy and data security issues arising from the switch to remote work and use of communications…



READ SOURCE

READ  House Guard fined for unlawful marketing calls - Dorset Echo

LEAVE A REPLY

Please enter your comment!
Please enter your name here