Data Subject Access Requests – Harrison v Cameron and ACL judgment

On 7 June 2024, a significant data protection judgment was handed down in the High Court case of Harrison v Cameron and ACL. The case highlights three key issues for organisations to take into account when handling data subject access requests:

  1. individual directors may be under an obligation to respond to a DSAR, as well as their company;
  2. requesters may in principle be entitled to be informed of the specific identities of the recipients of their personal data; and
  3. the "rights of others" exemption can take into account the motive of the requester and the wellbeing and safety of other parties.

Background

Mr Harrison, a private individual working in the property investment sector, hired Mr Cameron's gardening company, Alasdair Cameron Limited ("ACL"), to carry out landscaping and gardening services on one of his properties. Mr Harrison and Mr Cameron fell into dispute over the engagement and exchanged several phone calls. Some of these calls were, unbeknownst to Mr Harrison, recorded by Mr Cameron (the "Recordings"). In the Recordings, Mr Harrison made threats of violence towards Mr Cameron and his family. Mr Cameron subsequently shared the Recordings with several friends and family members.

Following the discovery that the Recordings had been distributed beyond this initial group to some of Mr Harrison's competitors in the property investment industry, Mr Harrison made subject access requests ("DSARs") under Article 15 of the UK GDPR to ACL, Mr Cameron and various ACL employees. In the DSARs, Mr Harrison requested, among other information, the identities of the recipients to whom his personal data had been disclosed. However, ACL refused to provide the identities of individual recipients, and instead merely disclosed the categories that the recipients fell into. Mr Cameron also argued that he was not personally a controller, so he was not required to respond to the DSAR.

Judgment

Was Mr Cameron a controller?

The first issue considered by the High Court was whether Mr Cameron was a controller. The court was satisfied that ACL was a controller in this scenario, but it needed to determine whether Mr Cameron could be one too. If he was, then he would have been under an obligation to respond to the DSAR.

The High Court found that Mr Cameron was not a controller but was instead acting in his capacity as a director of ACL. The court followed the judgment in In re Southern Pacific Personal Loans Ltd, which found that, as directors only make decisions as to how data should be processed as agents for the company, they themselves are not controllers; only the company is. The decision was also based on an analysis of the facts: the High Court suggested that in some circumstances a "rogue" director acting in an "unauthorised fashion" could be a controller. In this situation, however, as Mr Cameron had called Mr Harrison and made the Recordings in relation to the business relationship between ACL and Mr Harrison, he was clearly acting in his capacity as director of ACL.

Is the data subject entitled to be informed of the specific identities of recipients?

The next issue considered by the High Court was whether Mr Harrison was entitled under the UK GDPR to be informed of the specific identities of the individual recipients, or just the categories of recipients, of the Recordings. Another aspect of this issue was whether it is the data subject or the controller who makes the choice as to whether to disclose the specific identities, or merely the categories, of recipients.

The High Court cited the case of RW v Österreichische Post AG ("Austrian Post") in its decision. This was a decision of the Court of Justice of the European Union ("CJEU") on the same provisions in the GDPR, decided on 12 January 2023. In the Austrian Post case, a citizen had made a DSAR to the Austrian Post Office, requesting the identity of the recipients to whom his personal data had been disclosed. Although this post-Brexit case is not binding in the UK, it was considered as it is highly relevant here.

The CJEU in the Austrian Post case had held that if the data subject requests information on individual recipients, the data subject is entitled, in principle, to that information. Therefore, the choice to receive information on individual recipients or categories of recipients lies with the data subject. However, controllers are not obliged to disclose the identity of recipients where:

  • it is impossible to identify those recipients; or
  • the request is manifestly unfounded or excessive.

If this is the case, the controller may instead identify only the categories of recipient in question.

The High Court agreed and followed the CJEU's judgment in Austrian Post, finding that in this case, it would not be impossible, manifestly unfounded, or excessive for ACL to disclose the recipients' identities, and so Mr Harrison was in principle entitled to know the identities of the recipients, as he had requested this in his DSAR.

"Rights of others" exemption

The final issue considered was whether the "rights of others" exemption applied. Under this exemption, controllers, in deciding whether or not to disclose personal data of a third party in a DSAR, must assess whether the data subject's right of access outweighs the risk to the rights and freedoms of others.

ACL argued that it could rely on the exemption because, given Mr Harrison's threatening behaviour over the phone and the ensuing letters sent to at least 23 employees of ACL, it would not be reasonable to disclose the identities of the recipients, as doing so "would put them at a significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation".

The High Court agreed, deciding that ACL did not need to disclose the identities of recipients to Mr Harrison on the basis of the "rights of others" exemption. The High Court stated that:

"it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation going beyond the exercise of rights under the UK GDPR and the [Data Protection Act] 2018".

Key takeaways

The High Court's decision has several key implications for organisations dealing with DSARs:

  1. The judgment underlines the existing law that in certain circumstances directors or staff members may be acting as a controller separately to their company, particularly where they are acting in pursuit of their own interests or against instructions. This means they may be required to respond to a DSAR made to them individually (although that was not the case here). Organisations should ensure that their policies, procedures and training mitigate this risk and minimise the potential burden it could cause.
  2. The High Court provided much-needed clarity that controllers are in principle required to disclose the specific identities of recipients where requested in a DSAR, unless this is impossible, manifestly unfounded or excessive. This could be a very complex exercise in different circumstances. Organisations should take proactive steps to assess whether their systems will allow them to track and disclose individual data recipients where appropriate and, if an exemption is unavailable, be prepared to explain why they cannot fulfil this obligation.
  3. The High Court's judgment also indicates that the requester's motives and their likely actions following receipt of data under a DSAR may be factors that organisations can take into account when assessing whether the data subject's right of access outweighs the rights of third parties.

Authors

Katie Hewson
Eva Lu
Arabella Walker