On the face of it, the decision of the Court of Appeal in Dawson-Damer & Ors v Taylor Wessing LLP  EWCA Civ 4 concerned the narrow issue of the circumstances in which the court may decline to exercise its discretion to order that a person must comply with a request under the Data Protection Act 1998 (DPA).
The particular facts and context of the decision means that beneficiaries and trustees of trusts (including offshore trusts) and their advisers should, at the very least, take careful note of the decision. Is it right to suggest, however, that the decision represents a significant change in approach in relation to beneficiaries' rights to information held by trustees?
The appellants in Dawson-Damer were beneficiaries of certain offshore trusts established in the Bahamas. The defendant, Taylor Wessing LLP, is a well-known firm of solicitors which advised the trustee of the trusts.
Following an unsuccessful request for certain documents from the trustee, the appellants made a subject access request (SAR), under the DPA, to Taylor Wessing. Under the DPA, a data subject has a right to be informed where personal data (of which he or she is the data subject) is being processed by a data controller. The data subject is then entitled to certain further information and copies of the data. Taylor Wessing's initial response to the request was that the information requested was subject to legal professional privilege and therefore exempt from disclosure under the DPA.
The appellants applied for an order that Taylor Wessing had failed to comply with the SAR. In 2015, HHJ Behrens QC agreed with Taylor Wessing's position that (in summary) the legal professional privilege exemption relied on by the firm applied where the documents were not disclosable as between trustees and beneficiaries as a matter of Bahamian law. Further (amongst other findings), the fact that the appellants sought the information in connection with court proceedings then ongoing in the Bahamian courts against the trustee was not a 'proper purpose' for making a SAR.
The Court was asked to consider three issues central to the first instance decision:
- Could Taylor Wessing rely on the legal professional privilege exemption insofar as the documents/information were privileged as a matter of English law only, or also as a matter of Bahamian law?;
- If the privilege exception applied only to documents privileged under English law, would any further search involve a “disproportionate effort” (which would also excuse Taylor Wessing from carrying out that search) under the DPA; and
- Was the appellants' 'real motive' (i.e. their collateral purpose of obtaining information in support of proceedings in the Bahamas) for making the SAR a reason to refuse to exercise the court's discretion to order compliance with the SAR.
The Court of Appeal found, in relation to these issues:
- The legal professional privilege exemption applied only to documents that would be subject to legal professional privilege as a matter of English law. A data controller in the UK cannot therefore rely on more restrictive foreign rules regarding privilege to avoid complying with an SAR.
- Taylor Wessing, relying as it did first and foremost on the fact that it considered the information was covered by the legal professional privilege exemption, had failed to satisfy the court that complying with the SAR would involve disproportionate effort on its part.
- There was no limitation in the DPA on the purposes for which an SAR might be made and no rule that a data controller could refuse to comply on the grounds of the requester’s 'true motive'.
The implications of the decision appear wide-reaching in the context of long-established limitations on the ability of a beneficiary to compel the production of trust documents from a trustee as of right. Can they circumvent this by making an SAR against the trustee(s) in the UK, or their UK-based advisers?
The answer is 'possibly', but to what extent exactly will turn on nice questions as to what constitutes 'personal data', 'data' and then the extent to which the information is held in a way that is easily searchable. Practitioners will now be more likely to face such requests as a tactical step in hostile trust litigation. Outside of the trust and estates context, Dawson-Damer has certainly clarified the position that a motive of assisting with litigation shall not be a valid reason for a data controller to refuse to comply with an SAR.
It is important to note that, with the General Data Protection Regulation (GDPR) due to come into force next year, further changes in practice and approach are likely to be required, when holding information about data subjects (in any context…).