As individuals become more aware of their rights under data protection law, data subject access requests (DSARs) are an increasingly frequent concern for organisations both large and small. DSARs remain the single most common cause of regulatory complaints for organisations – the latest annual report from the Irish Data Protection Commission shows that 27% of all complaints received during 2020 related to DSARs.
DSARs: latest trends
The rights around DSARs are set out in the GDPR and Recital 63 makes it clear that it is the intention that “a data subject should have the right of access to personal data… in order to be aware of, and verify, the lawfulness of the processing”. Nevertheless, we are seeing many organisations subject to DSARs from individuals who are simply not interested in the processing itself and want the data for some other reason.
Every financial services organisation will have been subject to a DSAR in order to obtain information as a precursor to a claim against them for mis-selling a service or breaching an agreement in some way. Many businesses which welcome members of the public onto their premises will be familiar with the DSAR as the first salvo from a customer aiming to tee up a legal claim (often a request for CCTV in the context of a claim for injuries allegedly sustained on the premises).
Indeed, we are now frequently seeing the rights around DSARs being used by individuals for pre-action disclosure of material that the usual legal route would not allow, whether under the rules of disclosure in the criminal or the civil jurisdiction.
Organisations in that position can be faced with two prospects: provide the material under the DSAR and risk encouraging a legal claim, or refuse and risk a complaint to the data protection regulator.
Recent case law in Ireland
A 2020 judgment from the Irish High Court in Dudgeon v Supermacs appeared to signify a success for business owners in dealing with these requests. In this case, the Court held that the controller was not under an obligation to disclose personal data, in the form of CCTV footage of an incident, to a person identifiable from the footage and who wished to claim damages arising from the incident.
However, a closer look suggests that the Supermacs judgment may be more limited than appears at first glance, and business owners must still have regard to their statutory obligations under the GDPR and (in Ireland) the Data Protection Act 2018 (IDPA).
It is vital for businesses and their in-house legal advisers to understand exactly when they must hand over personal data and when they can avail themselves of a restriction.
Dealing with the DSAR
The starting point for understanding whether a controller is obliged to hand over personal data will be section 60(3)(a)(iv) of the IDPA. This allows for restrictions on the right of access:
“where the restrictions are necessary and proportionate…
in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure”.
This exception can be useful, but relying on it to argue that the general right of access underpinning the DSAR regime does not apply is not guaranteed to succeed.
Section 60(3)(a)(iv) has not yet been tested by the Irish Courts; however, a High Court decision under the previous legislation is instructive. The 2012 case of Dublin Bus v Data Protection Commissioner concerned a DSAR for CCTV footage relating to a slip and fall. The Irish High Court held that:
“the existence of proceedings between a data requester and the data controller does not preclude the data requester making an access request under the act nor justifies the data controller in refusing the request”.
While this case was decided under the previous legislation, it is difficult to foresee why the same rationale would not still apply under the 2018 legislation.
Dudgeon v Supermacs
This case concerned a customer who claimed she suffered injury when she sat on a defective chair in Supermacs which broke, causing her to fall to the ground. The High Court refused the plaintiff’s application to compel discovery of the CCTV footage on the basis that the plaintiff’s “only purpose” in seeking discovery of the CCTV was to enable her to “see in advance of giving her evidence in chief and in advance of undergoing cross examination, whether her assertion as set out in the indorsement of claim that she fell to the ground is correct”. Therefore the discovery material “goes exclusively to the issue of the plaintiff’s credit”. The High Court also noted a helpful passage from a prior Supreme Court judgment which stated that discovery:
“is to aid a party in the progress of litigation: it is not designed to identify grounds capable of establishing a cause of action, i.e. it cannot be used to enable a person to plead the cause of action or a defence which he is not otherwise in a position to plead…”
However, there are two important provisos which may limit the scope of the Supermacs judgment:
- Supermacs did not dispute the fact that the plaintiff sat on a defective chair which broke (and it seems Supermacs’ Defence was to be based on issues of causation and quantum). This was clearly influential in the Court’s reasoning (and it is less certain whether the Court would have come to the same conclusion if Supermacs had not already admitted some of the fundamental facts of the case).
- This judgment concerned the discovery process and did not address the wider data access right issue. While the judgment may tend to support an argument that a data controller should not be compelled to hand over CCTV footage where the data subject is using it solely to formulate a claim, this would still have to be balanced against the data subject’s rights which are well established by statute.
Position in the Courts of England and Wales
The Courts of England and Wales take broadly the same position. There is a clear lineage of cases that set out that a collateral purpose of a requestor submitting a DSAR to obtain material to assist in litigation does not provide the controller with an absolute exemption to the DSAR obligations, but is a relevant factor in the exercise of the court’s discretion.
In January 2021, the High Court of England and Wales dismissed a claim against a bank for allegedly failing to provide an adequate response to a DSAR. The circumstances in that case were, amongst other things, that the requestor wanted to obtain documents to help with a claim against the bank, rather than obtain personal data or consider the data processing being undertaken.
Approach of the Irish Data Protection Commission
Commenting on the Supermacs judgment, the Data Protection Commission stated that:
“an individual’s right under data protection laws such as the GDPR to request access to their personal data does not depend on whether they are engaged in a court case… In summary, Mr Justice Barr’s decision in this case is focussed on the law concerning discovery and is not in reference to or related to data protection rights… For that reason, unless a restriction under the GDPR or relevant data protection legislation can be relied upon, a data controller is still required to fulfil access requests in relation to CCTV footage.”
This reasoning is difficult to dispute, and businesses would need to establish solid grounds to be able to rely on the Supermacs case or s. 60(3)(a)(iv) to resist handing over the CCTV. The important qualification in the legislation is that the restriction must be “necessary and proportionate”, and the requirement to demonstrate this will typically translate into evidencing detriment to the data controller which cannot be overcome on a balancing test (e.g. that disclosure of the data would unfairly prejudice the controller’s case or its legal strategy). The Data Protection Commission is increasingly requesting documentary evidence demonstrating such an analysis has taken place, and organisations resisting disclosure of CCTV footage pursuant to a DSAR would be well-advised to ensure they have a process in place to do so.
 Dudgeon v Supermacs Ireland Ltd  IEHC 600
 Bus Atha Cliath / Dublin Bus v Data Protection Commissioner  IEHC 339