Amongst other things, the new EU General Data Protection Regulation (GDPR) – due to be implemented in May 2018 – aims to strengthen and reinforce the effectiveness of Subject Access Requests (SARs), currently provided for under section 7 of the Data Protection Act 1998 (DPA).
Under the GDPR, individuals will be able to make SARs free of charge. Requests must be complied with ‘without undue delay’ – and at any event within 1 month unless the request is particularly complex – rather than within 40 days, as currently specified under the DPA, and failure to comply with a request could attract a hefty fine of up to 4% of global turnover or €20 million, whichever is the greater.
This is significant in light of the recent willingness shown by the Court of Appeal in Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 to support the use of SARs not only to protect individual privacy – as originally intended by the legislation – but also where the purpose of the request is to allow an individual to gather information for the purposes of litigation.
The court also held that the exemption from SAR obligations available under the DPA for legally privileged information (Para. 10, Schedule 7 DPA) does not apply in relation to litigation outside the UK, and that there is no exemption under the DPA for documents which are subject to a right of non-disclosure under other legislation (in that case, under trust law principles).
If the range of available exemptions is narrow, how might organisations to whom a request is made be able to resist a SAR? In Dawson-Damer the court considered it possible to refuse a request which requires ‘disproportionate effort’ – provided that the data collector produces evidence to demonstrate its efforts: a simple assertion that it is too difficult to search through voluminous papers will not suffice.
The court went on to say that “what is weighed up in the proportionality exercise is the end object of the search, namely the potential benefit that the supply of the information might bring to the data subject, as against the means by which that information is obtained”. This raises the question of how, when the end object of the SAR is litigation, potential benefit to the data subject in those proceedings interacts with the proportionality assessment.
Concepts of reasonableness and proportionality familiar from litigation disclosure exercises may therefore be of importance in complying with SARs following the implementation of the GDPR, and as awareness of data protection rights rises among individuals. That said, under the GDPR a company can only refuse to comply with a SAR if the request is ‘manifestly unfounded or excessive’ – arguably a somewhat higher bar than the current ‘disproportionate effort’ test. How the courts and regulators interpret this new standard remains to be seen.