Key takeaway
In balancing the right of access against the right to privacy, the data controller should consider the potential risks to third parties from revealing their identity to a data subject. In this evaluation, a data controller may opt not to disclose the specific recipients of personal data but instead provide information regarding the categories of recipients.
Introduction
Responding to a subject access request is often a balancing act. The individual making the request has a right of access to their personal data, along with details of the recipients of their personal data [1]. However, third parties are also entitled to their privacy, and as such it may not be appropriate to provide a data subject with details of the specific recipients, instead opting to provide details of the categories of recipient.
This balancing act was analysed in Harrison v Cameron & ACL [2024] EWHC 1377 (KB).
The Court applied the approach adopted in the ECJ case of RW v Österreichische Post AG [2], in which the ECJ applied the AG's opinion that data subjects should be provided with the identity of the recipient of their data if the data subject requests this. The Court in this case went on to confirm that a margin of discretion applied to the data controller when deciding whether to provide details of the specific recipients or the categories of recipient. Due to the facts of the case, the data controller had complied with the request by providing only the categories.
Background
The Claimant, Mr Harrison, made demands and threats against the defendant, Mr Cameron, on two telephone calls between Mr Harrison and Mr Cameron. Without the Claimant's knowledge or consent, Mr Cameron had recorded these calls and then shared them with several family members, friends and colleagues at his business, ACL. The call recordings were also then shared with a potential business contact who decided not to engage the Claimant in a potentially lucrative contract, in part due to the Claimant's conduct on the recordings. The Claimant made numerous (20+) data subject access requests (SARs) to ACL and to its employees. ACL responded to the Claimant's request and confirmed the broad categories of recipients of the call recordings and the number of recipients in each category (such as five ACL colleagues).
The Claimant was dissatisfied with this response and made a SAR to Mr Cameron, seeking the identities of the individuals with whom he had shared the call recordings. Mr Cameron refused.
As a result, the Claimant brought claims against both Mr Cameron personally, for not responding to the SAR, and ACL, for not properly responding to the SAR and for not disclosing the individual recipients of the call recordings.
The Defendants rebutted the claims on the basis that:
- The GDPR does not apply where personal data is processed by an individual in the course of personal or household activity, so there was no legal requirement for Mr Cameron to respond to the Claimant's SAR,
- Mr Cameron was not a data controller for the purposes of the GDPR, so did not have to respond to the SAR, and
- The right to privacy of the individuals who received the recording allowed ACL to withhold their identities, as had been done when ACL responded to the SAR by confirming only the categories of recipient.
Judgment
The Court found in the Defendants' favour, agreeing that Mr Cameron did not need to respond to the Claimant's SAR and that ACL had properly responded.
The Court applied a two-step process to determine whether a data controller is required to provide the specific recipients or the categories of recipients.
- The starting position is that the data controller should provide the data subject with the actual identity of recipients, unless it is impossible to identify those recipients or the data controller demonstrates it would be manifestly unfounded or excessive to do so.
In this case, it was neither manifestly unfounded nor excessive and therefore (subject to step 2) the specific recipients should be provided.
- Consideration should then be given to balancing the competing interests of the data subject and third parties (without a starting presumption either way). The Court must balance the data subject's right of access with the third party's rights and freedoms (namely those in Article 15(4) of the GDPR, which are expanded on in paragraph 16 of Schedule 2 of the Data Protection Act 2018).
In these circumstances, it was not reasonable to disclose the identities of the recipients given there was no consent, or consent had been actively denied. Therefore, the decision to only disclose the categories of recipient was within the data controller's 'margin of discretion' in this matter. The Court took into consideration the 'menacing' behaviour of the Claimant and the risk he may go on to harass the third party recipients if their identities were disclosed. Consideration was also given to the purpose of seeking the further information, which was not seen to be in the spirit of understanding how his personal data was being processed, but for litigation. The data controller was able to decide in favour of the recipient's right to privacy in this matter over the data subject's right of access.
As such, it was suitable for ACL to have confirmed the number of recipients and the category of recipient (such as 'family').
Implications
This case follows the approach adopted by the ECJ in RW v Österreichische Post AG. However, this case provides welcome clarity, which was missing from the ECJ decision, as to whether providing the specific recipient or the category of recipients is subject to the balancing of third-party rights and freedoms vs. data subject rights.
An individual making a SAR is entitled to know who has received their data. But this must be balanced against the privacy rights of the recipients and the Court found that the conduct of the individual making the SAR should be taken into account. Therefore the individual's apparent intention and motive when making a SAR could be considered by the data controller.
Whilst in this case the Claimant had said he had no intention of 'threatening or harassing' any of the recipients of the call recordings, the Court agreed that it was reasonable for the Defendants to withhold the identities of the recipients. This was because the Claimant's solicitors, on the Claimant's instructions, had sent SAR letters to over 20 ACL employees which were 'intimidating and unwarranted' and threatened to issue legal proceedings if they did not respond. Consequently the Court agreed the rights of others exemption applied.
Conversely, this situation also places an onus on data controllers to evaluate whether third party data should be disclosed to a data subject. The starting position is that specific details should be provided unless it is impossible, manifestly unfounded, excessive or it is reasonable to protect the third parties. Adopting a lenient approach could expose data controllers to claims from third parties for the wrongful disclosure of their information. As such, careful attention must be paid to redacting or removing third party data from documents and determining how to present the categories of recipients.
WBD Clarity
WBD Clarity is a targeted solution for responding to SARs, allowing organisations to reduce the volume of personal data, streamline the review process and undertake SARs in a manner compliant with the ICO guidance. It is fully scalable, so can be used by your organisation as a platform to manage the document review process and where individual documents can be reviewed by a WBD privacy specialist as needed, or the entire SAR can be outsourced where there are complex elements or a high volume of documents.
To see the benefits of the platform or to discuss how WBD Clarity could help support your organisation, please contact us.
Sources and relevant articles
[1] Under Article 15 (1) (c) of the UK GDPR
[2] See our prior article on the application of this case here.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.