Two recent decisions from Europe show the struggles which the Courts are facing when determining the scope of data subject access requests (DSARs) - one decision being potentially beneficial to controllers who are also in litigation with the data subject; the other of potential concern where a data subject wishes to know who has received their personal data. 

This article considers the decision on the identification of the recipients of personal data.

Although neither decision will directly apply to the interpretation of the UK GDPR (for jurisdictional reasons) these could be taken into account by the ICO and the UK Courts in the future.

Identifying specific recipients of personal data

When responding to a DSAR there are two elements to provide: (1) the personal data sought and (2) the processing information set out in Article 15(1) of the UK GDPR. One of the categories of information is "the recipients or categories of recipient to whom the personal data have been or will be disclosed…"

Typically, when responding to a DSAR data controllers place reliance on their data privacy notice which, amongst other matters, explains the categories of recipients to whom personal data has or may be disclosed. However, this notice is a generic document which is not specific to the processing of a particular data subject's personal data – it explains the categories of recipients to who personal data has or may be disclosed rather than specify the exact recipients for that individual.

Specific or generic?

In RW v Österreichische Post AG [1] the Austrian Postal Service relied on their generic privacy notices when responding to a DSAR. The data subject was however persistent in seeking to understand the specific recipients of their personal data. The advocate general was asked to opine on this matter and determined that when responding to a DSAR that where sought by the data subject they should be provided with the identity of the specific recipients to whom their personal data has been disclosed. The basis for this was that under Article 15(1)(c) of the GDPR the data subject (rather than the data controller) has the choice of being provided with either the specific recipients or categories of recipients. Further, this reading of the GDPR was in line with the spirit of the legislation.

The AG's opinion is however caveated:

  • Where it is materially impossible to provide information about specific recipients (ie. because they have not yet been identified) then this obligation could not apply since it would not be possible for the data controller to identify such recipients.
  • This must be considered in the light of the principles of fairness and proportionality. Therefore where the data controller demonstrates that the data subject’s requests are manifestly unfounded or excessive then it would not be required to provide the specific recipients.

This specific identification of recipients doesn't sit comfortably with the right of privacy of third parties when responding to a DSAR.

Whilst the AG's opinion sets out two caveats, it is untested whether data controllers should also be balancing the right of access against the right of privacy of third parties when requested to provide this information [2]. For example, should data controllers be disclosing the identity of recipients of emails which contain the data subject's personal data if doing so would harm the third party?

Our expectation is that data subjects would look to rely on this provision not for the purposes of verifying that their data has been processed correctly, but for grievances / litigation and seeking to find out who was involved. This opens up the risks to employees being approached by the data subject, but also to complaints from third parties that their data has been inappropriately processed by being passed to the data subject.

Risk mitigation?

WBD Clarity (our bespoke solution to DSARs) could be used to mitigate this risk. Applying secure redactions to the emails would remove who was a party and protect their privacy, but it would also be possible to automatically produce a list of the from, to and cc lines for these emails. This list would show the specific recipients of the personal data and thereby providing access but not revealing to which documents the recipients were connected. This disassociation of the individuals from the emails could be an appropriate balance of providing access to personal data whilst protecting third parties. 

Whilst at the moment this is only an opinion by the AG, even if agreed with by the ECJ would not be directly binding on the UK GDPR, and only applies where the data subject expressly asks for the specific recipients to be identified – it is a concerning development for data controllers who typically rely on the generic privacy notices and may be an additional burden and risk area when responding to DSARs.