The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Can a litigant use a subject access request as a means of obtaining quasi-discovery?
Answer: Yes. The UK’s Information Commissioner’s Office has taken the position that a company (or a lawyer) cannot refuse to honor a data subject’s access request simply because the “requester is contemplating or has already begun legal proceedings.” According to the ICO, “whether or not the applicant has a ‘collateral’ purpose (ie other than seeking to check or correct their personal data) for making the [subject access request] is not relevant.”
The net result is that if the access request does not adversely impact the rights or freedoms of a third party (e.g., request information that is subject to attorney client privilege, or that concerns a third party), a lawyer that controls such information may be required to produce it to a requestor that is attempting to obtain information that may be useful in litigation.