The High Court recently dismissed an appeal by Dublin Bus in relation to an enforcement order issued by the Data Protection Commissioner on the basis that the existence of legal proceedings between a data controller and a data subject does not preclude the data subject from submitting a data access request even if such request is being used as an alternative or supplement to discovery. The High Court upheld the enforcement notice issued by the Data Protection Commissioner requiring Dublin Bus to provide a copy of CCTV footage to the data subject.
The decision highlights the fact that data controllers must comply with data access requests notwithstanding that data subjects may be using such requests as a shortcut for accessing documentation in the context of ongoing legal proceedings. There is no statutory exemption available to data controllers to complying with a data access request where there are separate legal proceedings in play and the request is being used by the data subject to further such proceedings.
An individual has a right of access to personal data held about them by a data controller pursuant to section 4(1)(a) of the Data Protection Acts 1988 and 2003 (DPA). Having initiated personal injury proceedings against Dublin Bus, the data subject subsequently submitted a data subject access request to Dublin Bus seeking a copy of her personal data, including CCTV footage of the incident. This request was declined by Dublin Bus initially on the grounds that the information requested was privileged (legal privilege being one of the exemptions from compliance with data access requests under the DPA). The data subject complained to the Data Protection Commissioner and an enforcement notice was issued by the Commissioner requiring Dublin Bus to provide the CCTV footage.
Dublin Bus relied on English case-law to support the argument that there is an exception to the right of access where there are legal proceedings ongoing between the data subject and the data controller. Dublin Bus argued that the fact that the Commissioner had notice that proceedings had commenced between the parties required the Commissioner to advise the data subject that she should proceed by way of an order for discovery not a data access request. Dublin Bus submitted that the courts are the sole body with competence to order discovery of documents and that competence should not be usurped by the Data Protection Commissioner.
The High Court, in dismissing the appeal concluded that none of the specified exemptions applied to Dublin Bus in this case and if the drafters of the DPA intended that an individual’s data access rights could be limited in instances where litigation had commenced, this would have been expressly stated in the legislation. There is also nothing in the Data Protection Directive (95/46/EC) restricting the purpose for which a data access request may be made by a data subject.
Position in UK
The High Court noted that while under UK data protection legislation, there is a statutory discretion reserved to the UK courts as to whether to make an order directing compliance with a person’s access request, no such discretion exists under the Irish DPA. In distinguishing, in particular, the UK decision in Durant v Financial Services Authority1, the High Court stated that it had no discretion to take into account the data subject’s motive for her access request despite the fact that it was not contested that she sought access to her personal data solely as a means of furthering her litigation against Dublin Bus.
It is worth noting that the UK Information Commissioner (ICO) has also expressly rejected the notion that the commencement of legal proceedings precludes the right to bring an access request. However the ICO does acknowledge that in the UK, the courts have discretion over whether to enforce an order in relation an access request and the courts may be reluctant to do so where it is clear that the purpose of the request is to fuel separate legal proceedings and, in particular, where the rules of discovery would provide a more appropriate route to obtaining the information sought. The ICO states that it is also likely to take into account such matters when considering whether to exercise its enforcement powers in this context. The Data Protection Commissioner in Ireland has not yet expressed similar views and it remains to be seen whether there will be any significance placed by the Commissioner on the use of data access requests as an alternative to discovery in the future.