This Week in Data/Cyber/Tech: A Significant English Court Judgment on the Scope of Data Subject Access Requests

Viewpoints
June 14, 2024

There's rarely a quiet week in data protection — and this one was no exception. 

Besides the publication of the election manifestos by the UK's main political parties, a good deal of my time has been spent speaking with clients about a judgment issued last Friday by the High Court that will have big implications for the information that organisations have to provide in response to data subject access requests made under the UK GDPR. (The judgment also discusses the important question of the extent to which the purpose/motive of a DSAR can be factored into a controller's response, which I will write about separately.)

*****

Harrison v Cameron clarifies that, where Article 15(1)(c) of the UK GDPR refers to the controller providing an individual with information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed”, the choice between the two is for the requester — i.e., not the controller — to make. Although this has been the position under the EU GDPR following an ECJ judgment in January 2023, it was arguable that controllers responding to DSARs submitted under the UK GDPR could:

  1. Decide whether to provide information about recipients in a specified or generalised way (and most organisations took the latter approach).
  2. Provide their privacy notice to meet this requirement (as Article 13(1)(e) of the UK GDPR requires the notice to contain information about “the recipients or categories of recipients” to which the controller discloses personal data).

Following the High Court’s decision, those arguments are generally no longer applicable. So if a requester asks you to provide the names of the parties with which you have shared their personal data, you will now have to do so — unless this would prove impossible or manifestly excessive. In some cases, individuals may only want to know about a limited number of specific third-party recipients of personal data. But requesters can ask you to provide the names of potentially dozens of recipients and, in general, you cannot refuse.

*****

If there's a silver lining for controllers, it is that although the choice is the requester's to make, most DSARs copy and paste the language of Article 15 of the UK GDPR — or, at any rate, don’t specify that the recipients must be named. But this will start to change, as individuals (and their lawyers) become familiar with last week’s judgment.

In the meantime, if the requester has not specified the option that they want, it is arguable that the controller can choose which information to disclose. Therefore, providing your privacy notice is likely to meet the requirements in Article 15(1)(c) of the UK GDPR. To be clear, this doesn’t lessen the obligation to provide the requester with copies of their personal data, but it will help in respect of the additional information to be provided in relation to the data.

*****

You will likely soon start to see the implications of this judgment in practice. If you have questions about it — or this area more generally — we would be happy to chat.

Subscribe to Ropes & Gray Viewpoints by topic here.