Beginning of the End of the "Fishing Expedition"? English High Court offers DSAR Guidance to UK Data Controllers
A recent decision of the English High Court provides authority for data controllers in the UK to push back on data subject access requests (DSARs) which are numerous and repetitive and have a collateral purpose. In this article, we examine the decision of the court and assess if we are likely to see a similar approach taken in Ireland.

 

Arguably one of the most onerous obligations on data controllers under the GDPR is the broad right of individuals, or "data subjects", to obtain a copy of their personal data from a data controller using a data subject access request (DSAR). Responding to DSARs can be time-consuming and expensive, and the GDPR requires that DSARs be dealt with "without undue delay". DSARs are frequently used by former employees or aggrieved customers as a means of information finding before litigation. The decision of the English High Court in Lees v Lloyds Bank plc [2020] EWHC 2249 (Ch) appears to recognise this increasing trend and provides authority for UK data controllers to refuse to respond to DSARs where there are justifiable reasons to do so.

Multiple DSARs submitted over two-year period

The data subject, Mr Lees, entered into buy-to-let mortgages for three properties with Lloyds Bank Plc (Lloyds). These properties subsequently became subject to orders for possession. Alongside litigation concerning the mortgages, Mr Lees submitted a number of DSARs to Lloyds between 2017 and 2019. Lloyds responded to each of the DSARs it received.

In the case before the English High Court, Mr Lees alleged, amongst other things, that Lloyds had failed to provide a copy of his personal data contrary to the GDPR and the pre-GDPR English data protection legislation. The court held that the pre-GDPR English data protection legislation was the applicable legislation given the dates the DSARs were submitted. The right of access to personal data contained in this legislation is similar to that under the GDPR. 

DSARs that have a "collateral purpose" 

The English High Court found that Lloyds provided Mr Lees with an answer to each of the DSARs. In each case, the court found the information provided by Lloyds was an adequate response to Mr Lees' quest to uncover evidence about the mortgages. 

The court noted that it has discretion to make an order compelling Lloyds, as data controller, to comply with the DSARs. Importantly, the court stated that, even if Lloyds had not complied with the DSARs, the court would not have granted such an order in light of:

  1. the issue of numerous and repetitive DSARs, which is abusive;
  2. the real purpose of the DSARs being to obtain documents rather than personal data;
  3. there being a collateral purpose that lay behind the requests which was to obtain assistance in preventing Lloyds bringing claims for possession;
  4. the data sought would be of no benefit to Mr Lees; and
  5. the claims for possession had been the subject of final determinations in the County Court from which all available avenues of appeal had been exhausted.

The court dismissed Mr Lees' claim noting that it was "without merit". 

Irish Position on DSARs 

Irish courts, like the UK courts, can issue an injunction to compel a data controller to comply with a DSAR where the data subject brings a data protection action under section 117 of the Data Protection Act 2018. In the recent case of Nowak v Data Protection Commission [2020] IECA 202, the Irish Court of Appeal found in favour of the data controller and ruled that data subjects were not entitled to access to personal data contained in internal documents generated for the sole reason of dealing with that data subject's DSAR. To provide such data would "overstretch" the concept of personal data. The decision in Nowak v Data Protection Commission indicates the willingness of Irish courts to strike a balance between the data subject's right of access and the extent of the DSAR obligation on data controllers. 

Whether we see a similar decision to Lees v Lloyds Bank Plc being made by Irish courts remains to be seen and will, undoubtedly, depend on the facts of an individual case. In Lees v Lloyds Bank Plc, Lloyds was subject to a number of DSARs, and other factual circumstances weighed heavily on the court's decision that "good reasons" existed for it to decline to order Lloyds to comply with the DSARs. We look forward with interest to see if Irish courts will adopt a similar position.

Please contact Kate Corcoran, John O'Connor or your usual William Fry contact for any questions about DSARs or any of the issues raised in this article.  

 

Contributed by Kate Corcoran
