The High Court recently considered the novel issue of whether it should order a person to disclose documents which they do not hold but can obtain by exercising their access rights under the Data Protection Directive (EU Directive 95/46/EC). The Court concluded that a party may be directed to disclose all documents requested in discovery that are reasonably available to them by means of a data subject access request.
In Susquehanna International Group Limited v Needham, the plaintiff (SIG) claimed that the defendant was in breach of the express terms of his contract of employment. SIG alleged that the defendant: (1) was in breach of a covenant not to induce employees of SIG to leave for employment elsewhere; and (2) breached his obligation to preserve confidential information, trading strategies, and commercial know-how belonging to SIG.
The defendant, a trader in financial instruments, was one of a number of employees who left their employment with SIG in 2016. He subsequently took up employment with Citadel, a firm in the same business as SIG. Prior to taking up employment with Citadel, the defendant interacted with a recruitment company, Execuzon.
SIG's Discovery Request
Discovery is a procedure for disclosing information, usually by furnishing documents, so that both parties to litigation may know the case that they have to answer. SIG sought discovery a category of documents relating to interactions between the defendant and Citadel or Execuzon. The category included any documents held by Citadel and/or Execuzon that could be obtained by the defendant "on foot of data protection requests".
SIG argued that personal data held by a third party were within the "possession, power or procurement" of the defendant as explained by the Supreme Court in Thema International Fund plc v HSBC Institutional Trust Services (Ireland) Ltd. In that case, Mr Justice Clarke described the test as follows:
"A party either has documents in its possession or has the legal entitlement to require possession. In those circumstances the document must be discovered. In all other circumstances, the document does not have to be discovered."
SIG argued that the defendant had a right as a matter of European law, under the Data Protection Directive, to obtain data relevant to him from the relevant data controller. Therefore, SIG submitted, it was within the defendant's power to produce that personal data in response to a discovery request.
Objections to Data Protection in Aid of Discovery
The defendant objected to being required to make data access requests, arguing that:
- it was wrong in principle to compel use of data protection processes to achieve a collateral purpose more properly realised by an order for third party discovery (an argument made by reference to the UK case of Durant v Financial Services Authority which refused to allow data subject access requests as a proxy for discovery);
- the objective of data protection law and of the Directive was to protect the right to privacy, to enable the correction of any inaccuracy in the personal data held, and to ensure that inaccurate records were not kept; and
- Mr Justice Barrett had previously found, in Glaxo Group v Rowex, that discovery should not be used to compel "inappropriate disclosures of personal data".
The Court restated that the test for discovery remains "whether the documents are relevant and necessary and the request is proportionate and not unduly repressive." In the circumstances, it found that compelling data access requests would not be disproportionate or oppressive for the defendant.
While finding that the information in question here was not of the personal or highly confidential nature contemplated in Glaxo Group v Rowex, the Court also noted that Glaxo Group did not prohibit the ordering of data access requests in aid of discovery. The Court was satisfied that the present request was not an attempt to use data protection law for a collateral purpose in the sense discussed in Durant v Financial Services Authority.
Ultimately, the Court directed the defendant to disclose all documents requested in discovery that were reasonably available to him by means of a data subject access request. The defendant was also directed to take reasonable steps to procure the documents.
While data subject access requests are often used to seek documents from the opposing party prior discovery, this case gives rise to novel questions and concerns.
For those embroiled in litigation, the decision has the potential to expand significantly the so-called "universe" of documents which must be identified, retrieved, and reviewed when making discovery. Litigators will wonder whether parties might also be compelled to submit access requests under the Freedom of Information Act, expanding that universe still further. There will be concern too that further delays in the discovery process may arise where data controllers refuse access and data subjects have to challenge that refusal, either voluntarily or at the direction of the Courts.
Ms Justice Baker did agree that this approach to discovery must not be used as a tool of oppression. Exactly what "reasonable steps" must be taken, and how far one must go in challenging a refusal of access by a data controller, remains an open question.