Article 15 of the UK GDPR gives a Data Subjects, a right to receive all the information held about them by a Data Controller. In addition, they have a right to receive information on “the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.” Does the Data Controller have a choice whether to disclose the recipients or categories of recipient?
In a recent High Court case, Mark Harrison v Alasdair Cameron and Alasdair Cameron Limited (2024), Mrs Justice Steyn ruled that Data subjects are entitled to know the identities of the recipients of their personal data, not just the categories of recipients. Steyn J also clarified the nature and scope of the Subject Access Right (SAR).
Background
The case involved Mr. Cameron, a director of a gardening company, and Mr. Harrison, a wealthy homeowner involved in property investment. Mr. Cameron recorded threatening calls from Mr. Harrison during a dispute and shared these recordings with family members and others. These recordings eventually reached Mr. Harrison’s business peers, allegedly causing his company to lose a significant property acquisition.
Mr. Harrison submitted SARs to Mr. Cameron and his company, ACL, requesting details of who received his personal data. The requests were initially denied on several grounds:
- Mr. Cameron argued that he was processing the data in a purely personal context, which would be outside the scope of the UK GDPR.
- It was claimed that Mr. Cameron, as an individual, was not a Data Controller under the UK GDPR.
- ACL invoked an exemption, arguing that disclosing the identities of recipients would involve sharing information about other individuals without their consent.
Court’s Findings
- The court disagreed with Mr. Cameron’s assertion that the data processing was purely personal. It ruled that he acted as a director of ACL, meaning the processing was within a professional context and thus subject to the UK GDPR.
- Despite Mr. Cameron’s role in processing the data, the court ruled that he was not a Data Controller. Following legal precedents, the court said that a company director, acting in that capacity, is not a controller but the company itself is.
- Despite Mr. Harrison’s entitlement in principle to know the identities of recipients, the court decided against disclosing this information. Mr. Harrison had a history of making numerous SARs and exhibited intentions to pursue legal actions beyond data protection law. ACL argued that revealing the recipients would expose them to significant risks of harassment and legal threats from Mr. Harrison. The court agreed, highlighting that the potential for hostile litigation was a relevant factor in balancing interests. The motive behind a SAR can be considered, especially when there is a need to protect third parties from harm that extends beyond the scope of data protection rights.
The High Court’s judgment brings clarity to the SAR process, emphasising the Data Subject’s right to specific recipient information and reinforcing the limited purpose of SARs in protecting privacy rights. It also introduces a nuanced approach to balancing the rights of the requester against potential risks to third parties, particularly when the requester’s motives suggest potential misuse of the information.
Our upcoming Handling SARs course can help you deal with complex subject access requests. Places are limited so book early to avoid disappointment.
