Providing the identity of third-party recipients of personal data to a data subject – helpful guidance from the High Court

13 June 2024. Published by Alex Vakil, Partner

The High Court has handed down a helpful judgment for data controllers responding to data subject access requests which analyses the circumstances in which it may be appropriate for a data controller to withhold the identities of third parties who have been provided with a data subject's personal data.

Case Summary

The case related to a dispute arising out of a landscape gardening contract, in respect of which the claimant, Mr Harrison, sought to terminate the agreement. There were several related calls between the claimant and the first defendant, Mr Cameron (a director and largest shareholder of the second defendant).

The first defendant recorded two of those calls, subsequently providing the recordings to employees of the second defendant and (directly and indirectly) several "friends and family" (15 people in total).

In response to a DSAR submitted by the claimant, the second defendant provided copies of the recordings but refused to provide the identities of the individuals to whom the first defendant had sent the recordings. The claimant sought an order that the defendants comply with his DSAR.

The central question was whether one or both of the defendants were required, in response to the DSAR, to disclose to him the names of those 15 people to whom the recordings (or transcripts) were disseminated, and whether the Court should order them to do so.

Issues for the Court

The Court had to determine the following issues:

  1. Whether the processing of personal data by the first defendant was in the course of a purely personal or household activity?
  2. And if not, whether the first defendant was a data controller in his personal capacity?
  3. Whether the claimant as the data subject was entitled to the identities of recipients of the recordings?
  4. And if so, whether the data controller was not entitled to provide the identities (a) in order not to adversely affect the recipients' rights and freedoms pursuant to Article 15(4) UK GDPR and/or (b) by relying on the exemption under Schedule 2, paragraph 16 of the DPA 2018.

1) Processing in the course of a purely personal or household activity?

Article 2 of the UK GDPR provides that the Regulation does not apply to "the processing of personal data by an individual in the course of purely personal or household activity."

The parties agreed that the dissemination of the recordings by the second defendant and the dissemination of the recordings to the second defendant's employees could not fall within the exemption.

As to whether the first defendant could rely on the exemption in respect of the dissemination to "friends and family", the Court held that the first defendant's processing was done in his capacity as a director of the company, and that when he disseminated the recordings, he was not acting in the course of a "purely personal or household activity."

The judge made the point that Article 2(2)(a) should not be construed so narrowly that it intrudes on the right to private life of an individual who may chat with family and friends about their day at work, but found in this case that the sharing of recorded personal data was not analogous to a "general chat between friends".

2) Whether the first defendant was a data controller?

Whilst it was uncontentious that the second defendant was a data controller, the Court also had to determine whether the first defendant was a controller as defined by Article 4(7) UK GDPR.

In re Southern Pacific Personal Loans Ltd, the Court held that directors of a company are not controllers of personal data, as they are agents for the company, and as such, do not make any determination, either alone or jointly or in common with their company. This was also cited with approval in Ittihadieh v Cheyne Gardens in the Court of Appeal.

The Court held that the first defendant was not a controller, as he was acting in his capacity as a director of the second defendant when he recorded and shared the recordings. The Court did however note that a "rogue employee or director" who acts in an unauthorised fashion may become a controller, but this was not applicable in this case.

3) Whether the data subject was entitled to be provided with the identities of recipients of the recordings?

Article 15 UK GDPR provides that the data subject, in addition to the right to obtain copies of personal data, is entitled to "the recipients or categories of recipients to whom the personal data has been or will be disclosed", save that the right to obtain a copy of personal data shall not adversely affect the rights and freedoms of others.

The First Chamber of the CJEU gave a preliminary ruling on the interpretation of Article 15(1)(c) in RW v Österreichische Post AG (the "Austrian Post case"). Although the case did not bind the Court (post-dating the UK's exit from the EU), the Court considered it in the context of s.6(2) EU (Withdrawal) Act 2018.

The Austrian Post case held that there was an obligation on the data controller to provide the data subject with the actual identity of recipients unless (1) it was impossible to identify those recipients or (2) the request was manifestly unfounded or excessive.

The Court held that the interpretation given by the CJEU in the Austrian Post case to Article 15(1)(c) is correct and should be applied in determining the meaning of the equivalent provision in the UK GDPR, noting that due to the very limited numbers of individuals, this was not a case in which it would be impossible to disclose the specific identities.

4) Whether the second defendant could rely on the "rights of others" exemption?

The question then became whether the second defendant could rely on the exemptions contained in Article 15(4) UK GDPR and/or paragraph 16, Schedule 2 to the DPA 2018.

In circumstances where the recipients had not given their consent to the disclosure of their names, the question for the controller was whether it was reasonable to disclose their identities to the claimant without their consent. As the controller decided that it was not reasonable to disclose their identities, the question for the Court became whether it was reasonable in all the circumstances for the controller to refuse the request.

The second defendant's case was that it had objected to providing the claimant with the recipients' identities where it would put them at significant risk of being the object of intimidating, harassing and hostile correspondence and litigation.

On that basis, the Court concluded that it would not be reasonable to disclose the identities of the recipients to the claimant, and that this fell within the controller's margin of discretion, thus finding that the controller complied with Article 15 in its response.

Outcome

The case against the first defendant was dismissed as he was not a controller, and the claim against the second defendant was dismissed on the grounds that the "rights of others exemption" applied to the withheld personal data.

Key takeaway points

This case is significant for data controllers as the English court has endorsed the Austrian Post case regarding the provision to a data subject of the identities of third parties who are in receipt of the data subject's personal data.

Whereas data controllers may have previously been content to provide a data subject with high-level categories of recipients, this may be insufficient unless the data controller is able to demonstrate that it is impossible to disclose the identity of a recipient, or that the request is manifestly unfounded.

In order to avoid providing a data subject with specific identities of recipients, the controller must therefore demonstrate that it was reasonable in all the circumstances for the controller to refuse the request in accordance with the exemption in paragraph 16, Schedule 2 to the DPA 2018. This will be a fact-specific exercise.

Data controllers should ensure that their internal processes for responding to DSARs set out the appropriate steps to be taken when it comes to providing a data subject with information as to the identity of recipients of their personal data. Any decision to withhold such information should be carefully considered and documented should the process ever be challenged before the ICO or in the English courts.

The judgment also serves as a useful reminder of the importance of having accurate data mapping so that a data controller is quickly able to identify with whom a data subject's data has been shared.

Mark Harrison v Alasdair Cameron & Alasdair Cameron Limited [2024] EWHC 1377 (KB)
