Opinion
High Court clarifies scope of data subject’s right to know specific recipients of their personal data
Background
The case involved the claimant (a homeowner) contracting the defendant (a director of a gardening company) for property landscaping works. The defendant covertly recorded verbal threats made to them by the claimant and then shared the recordings with their employees, friends, and family members. After becoming aware of the recordings, the claimant made data subject access requests both to the defendant and the defendant’s company, requesting the specific identities of the individuals who had received the recordings. The defendant refused this request on the basis that they had processed the claimant’s personal data in a purely personal and household context, and therefore outside the scope of UK GDPR.
Key findings
The Court confirmed that:
- directors, when acting in their capacity as a director and processing data in the course of their duties for their company, are not controllers – the company is the relevant controller;
- data subjects have the right in principle to know the identities of the recipients of their personal data. It is the choice of the data subject to request either the specific identities or just the categories of recipients of their personal data;
- however, controllers can withhold this information where the request is manifestly excessive, or disclosure would be outweighed by the interests and rights of the recipients (i.e. on the basis of the “rights of others exemption” under Schedule 2 of the Data Protection Act 2018); and
- controllers have a wide margin of discretion to decide what is reasonable, including what factors are relevant in the balancing exercise. For example, in this case, the Court considered it was reasonable for the defendant to take into account their desire to protect their family and colleagues from hostile litigation beyond the exercise of rights under UK GDPR.
Significance
The judgment removes the controller’s discretion to decide, on the data subject’s behalf, whether to provide the specific identities or only the categories of recipients, and will have practical implications when responding to data subject access requests.
The High Court notably referred to, and agreed with, the CJEU Austrian Post decision (C-154/21), which considered comparable questions under Article 15 EU GDPR. The CJEU decision is not binding on UK courts (as a post-Brexit judgment), though the judge could have regard to it as far as it was relevant. The alignment indicates the continued relevance of EU case law to the interpretation of UK GDPR (absent significant legislative divergence).
The case also confirms that the motive of a data subject access request can in certain instances be a relevant factor for refusing a request and reiterates the specific and limited purpose of the subject access regime.