In the 2020 UK case of Lees v
The Court's reasoning
Although some of the DSARs were made when the Data Protection Act 1998 was still in force, given the similarity between that legislation and the DPA 2018 in respect of DSARs, the Court's reasoning is likely to be applicable to applications under the GDPR. As a reminder, the GDPR now forms part of
After recognising that its discretion was not "general and untrammelled", the Court noted that there would be good reasons for declining to exercise its discretion in favour of
- the issue of numerous and repetitive DSARs deemed to be abusive;
- the real purpose of the DSARs being to obtain documents rather than personal data;
-
there being a collateral purpose that lay behind the requests, which was for
Mr Lees to obtain assistance in preventing Lloyds bringing claims for possession of various properties againstMr Lees ; -
the fact that the data sought would be of no benefit to
Mr Lees , as he had no defence in law to such claims; and - the fact that those claims had been the subject of final determinations in the County Court from which all available avenues of appeal had been exhausted.
For those faced with responding to DSARs in similar circumstances, this decision will be welcome, as it indicates the more robust approach that courts may take where they believe DSARs are being deployed by claimants in a tactical way, for example, to obtain early or wider disclosure than that permitted under the Civil Procedure Rules. Such 'nuisance' DSARs are often very time-consuming and costly for organisations.
ICO's guidance
So how does the Lees decision sit with the
In the past, the ICO has taken the position that DSARs should be 'motive blind', i.e. that those responding to DSARs cannot decline to do so on the basis that the individual making the request has some ulterior motive, such as early disclosure. However, in its revised DSAR guidance published on
Under Article 12(5)(b) of the
- the request explicitly states, in the request itself or in other communications, that he/ she intends to cause disruption;
- the request makes unsubstantiated accusations against the organisation or specific employees which are clearly prompted by malice;
- the individual is targeting a particular employee against whom they have some personal grudge; or
- the individual systematically sends different requests to the organisation as part of a campaign, for example, once a week, with the intention of causing disruption.
The only other ground for refusing to comply with a DSAR is that it is 'manifestly excessive' (under Article 12(5) (b) of the
- the nature of the requested information;
- the context of the request, and the relationship between the organisation and the individual;
- whether a refusal to provide the information or even acknowledge whether it is held would cause substantive damage to the individual;
- the organisation's available resources;
- whether the request largely repeats previous requests and whether a reasonable interval has not elapsed (taking into account the nature of the data, including whether they are particularly sensitive, and how often they are altered); and
- whether the request overlaps with other requests (noting that if it relates to a completely separate set of information, it is unlikely to be excessive).
The Guidance makes clear that a request is not necessarily excessive just because the individual requests a large volume of information. The Guidance also highlights some general considerations organisations should take into account when deciding whether a request is manifestly unfounded or excessive, namely:
- considering each request individually and not having a blanket policy;
- not presuming that a request is manifestly unfounded or excessive just because an individual has previously submitted a manifestly unfounded or excessive request; and
- ensuring that there are strong justifications for considering a request to be manifestly unfound ed or excessive, which can be clearly demonstrated to the individual and the ICO.
In particular, the ICO points out that the inclusion of the word 'manifestly' means there must be an obvious or clear quality to the request's unfoundedness or excessiveness.
Where Lees sits with the ICO's guidance
The courts and the ICO seem now to be somewhat more aligned on how they will treat complaints about responding to DSARs. Their current position seems to offer greater hope and help to organisations facing 'nuisance' DSARs. However, the criteria for not responding seem to be fairly strict, especially in the ICO's case. Unfortunately, in addition to serving as a helpful roadmap for organisations, the Guidance could also be used by individuals who wish to make 'nuisance' requests as a checklist for what not to include in DSARs in an attempt to ensure that they are not viewed as manifestly unfounded or excessive.
Although there is greater alignment between the approach of the courts and the ICO, organisations should also be aware of the differences in approach when considering whether to respond to DSARs. The grounds for not responding identified in the Lees case clearly go beyond the grounds identified by the ICO. Specifically, the Court had taken into account the 'bigger picture': that the data sought would have been of no benefit to
Some organisations may feel uncomfortable following the Court's more 'muscular' approach, given the lack of clarity as to whether the Court's remarks take precedence over the Guidance. However, more seasoned practitioners will know that this sort of tussle between the courts and the regulator is not new. For instance, in the case of Durant v
Following the Article 29
Given the current uncertainty about taking into account the 'bigger picture' considerations identified in Lees when deciding whether to respond to a DSAR, we can only hope for another Edem to provide clarity on this issue.
Originally published by
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Ms
EC2M 1QS
Tel: 212479 6000
Fax: 212479 6275
E-mail: aorzehoski@cooley.com
URL: www.cooley.com
© Mondaq Ltd, 2021 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source