The request is straightforward enough – "Please send me all of my data". But that short message could trigger a painstaking search of your systems that requires reviewing and redacting hundreds of gigabytes' worth of emails, files and records, and involves several months of intensive labour and costs that run into the tens (or even hundreds) of thousands.
As we've discussed before, data subject access requests (DSARs) can be a waking nightmare for in-house privacy professionals and an absolute drain on company resources. Quite simply, responding to a DSAR can be complicated, expensive and take up considerable time and resources for management, legal, administration and IT. This is particularly true in the case of an employee DSAR, where a request is often used as a way to obtain information in (or merely aggravate) an employment dispute.
More often than not, organisations want to meet their obligations under the law and have implemented robust processes and procedures to handle DSARs, but they still struggle to understand the extent of their duty and what efforts they are expected to make under the law. In this blog piece, we revisit the right of access and look at the case law and principles behind it. It's a good time to do so as well, in light of the ICO issuing its draft right of access guidance (the Draft Access Guidance) for public consultation (now closed).
The right of access – a fundamental right
The right of access is one of the key rights under the GDPR but to understand it we need to put things in context. The rights to privacy and the protection of personal data are guaranteed as fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (the Charter), and the right of access itself is enshrined in Article 8(2) of the Charter. It makes sense that access is given priority since an individual needs the ongoing ability to check what data an organisation holds about them in order to understand how their rights may be affected and how to exercise their other data rights. However, it's important to remember that while access is a fundamental right, it isn't absolute and will always be subject to another principle of EU law – proportionality.
Proportionality – a pervasive principle
You won't find any reference to proportionality in Article 15 of the GDPR, and the GDPR doesn't explicitly say that the right of access only requires a "reasonable" or "proportionate" response or is otherwise limited where responding becomes burdensome or costly. However, as we shall see, proportionality will always play a significant role when thinking about individuals' rights under the GDPR.
Going back to its roots, the principle of proportionality stems from the Treaty of the European Union (the Maastricht Treaty). Article 5(4) of the Maastricht Treaty says that the content and form of EU action must not exceed what is necessary to achieve the objectives of the European Treaties. The Court of Justice of the European Union (CJEU) confirmed proportionality as a general principle of EU law in R (Omega Air Ltd) v Secretary of State for the Environment, Transport and the Regions (Joined Cases C-27/00 and C-122/00). Essentially, this means that EU laws and regulations must always be proportionate to the objectives sought and, by extension, any measures that seek to protect or limit individuals' rights should not exceed what is necessary and appropriate.
The CJEU has applied this principle in a number of cases involving data protection. In Breyer v Bundesrepublik Deutschland (Case C‑582/14), it referred to proportionality when considering whether dynamic IP addresses fall within the definition of personal data. In Digital Rights Ireland (Joined Cases C‑293/12 and C‑594/12), it held that the EU legislature exceeded the principle of proportionality when it adopted the Data Retention Directive, which required telephone communications service providers to retain traffic and location data for law enforcement purposes.
The CJEU has also considered proportionality as it applies to controllers' duties under data protection law. In Lindqvist (Case C-101/01), the CJEU acknowledged that a controller's obligations are "many and significant" and held that proportionality had to be taken into account when applying sanctions. And in Rotterdam v Rijkeboer (Case C‑553/07), it considered a controller's duty to store certain information (including the recipients or categories of recipients of an individual's data) in order to respond to a DSAR and held that this duty could represent an excessive and disproportionate burden. Ultimately, it determined that the obligation had to strike a fair balance between the rights of individuals and the burden placed on controllers.
Proportionality under UK law – stones left unturned
The UK courts have applied proportionality in a number of cases involving the right of access. In Ezsias v Welsh Ministers [2008] EWCA Civ 874, the High Court held that a controller has to take "reasonable and proportionate" steps to identify and disclose data upon receipt of a DSAR. This approach was affirmed by the Court of Appeal in the leading authority on this topic, Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors and Deer v University of Oxford [2017] EWCA Civ 121.
It's useful to take a closer look at the analysis in Ittihadieh. The Court had to consider the exemption under section 8(2)(a) of the previous Data Protection Act 1998 (the DPA 1998), which provided that a controller was not bound to supply a copy of personal data where doing so would be "impossible or involve disproportionate effort". Until that time, the exemption had been interpreted to apply only to the duty to supply a copy of the data but not the duty to search and retrieve the data. However, the Court found that this exemption ultimately derived from the principle of proportionality, which applies to all EU laws (and any national laws derived from or enacted under EU law), and therefore proportionality was relevant at any stage of the DSAR process. In reaching this conclusion, Lord Justice Lewison commented "the EU legislature did not intend to impose excessive burdens on data controllers" – or, in other words, the controller's duty was not to "leave no stone unturned". Following Ittihadieh, the ICO updated its Subject Access Code of Practice to clarify that a controller is not required to take steps that are "unreasonable or disproportionate to the importance of providing individuals with access to their data", and the approach was followed in subsequent cases.
So under the old law – the Data Protection Directive and the DPA 1998 – proportionality had an important role to play. The question is whether proportionality still has a role to play under the new law.
Proportionality under the GDPR – hidden but not gone
The GDPR does not explicitly refer to proportionality in the context of access rights, and the Data Protection Act 2018 (DPA 2018) does not include any "disproportionate effort" exemption. Instead, Article 12(5) of the GDPR states that a controller may refuse to comply with a DSAR or charge a reasonable fee where the request is "manifestly unfounded or excessive". There has been a lot of debate about what these terms mean. When should a DSAR be considered "manifestly unfounded"? And at what point does it become "manifestly excessive"?
In its Draft Access Guidance, the ICO says that "excessive" requests include overlapping and repetitive requests but would not necessarily include requests that involve a large volume of data and prove burdensome. In terms of "unfounded" requests, the Draft Access Guidance says these include requests where the individual has no actual intention of exercising their right of access or is simply making the DSAR for malicious or disruptive purposes. Ultimately, this exemption relates to another doctrine of EU law – the "abuse of right" doctrine – under which the individual's motives can be taken into account by the courts when exercising their discretion. A prime example (and where this doctrine most commonly arises) is where an employee issues a DSAR to harass their former employer or to obtain documents or information rather than their personal data. So the motive or purpose of the DSAR can play a role in determining the controller's duty to respond.
However, even though these exemptions may be relevant in certain situations, it's important to remember that proportionality still applies as a general principle under the GDPR and will be relevant when considering a controller's duties. For starters, the GDPR is an EU regulation and is therefore subject to general principles of EU law – including proportionality. This is reflected in Recital 4 of the GDPR, which states that the right to the protection of personal data is not absolute and "must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".
Secondly, proportionality does make an appearance in some of the other rights under the GDPR. For example, Article 14(5) states that a controller's obligation to provide information to individuals about processing does not apply where doing so would be impossible or involve a disproportionate effort. Similarly, Article 19 states that a controller does not have to inform individuals about the rectification, erasure or restriction of their data where doing so proves impossible or involves disproportionate effort, and Article 34 includes the same exemption in the context of notifying individuals of personal data breaches.
In this sense, the GDPR does not represent a radical departure from the old law, and proportionality is clearly still alive and well. This should provide comfort to controllers who are facing difficult and burdensome DSARs.
Confidentiality and the rights of others
Apart from the huge drain that a DSAR can place on controllers, one of the other issues with the right of access is the potential conflict it creates with another fundamental principle under EU law, which is enshrined in the European Convention on Human Rights, the Charter and the e-Privacy Directive – that confidentiality of communications should be sacrosanct. This conflict arises naturally when a controller is required to employ a team of people (often using outside counsel or a third-party provider) to review thousands of emails and other messages which may include personal, confidential or highly sensitive information. In this sense, the importance of other individuals' privacy rights and the confidentiality of communications are momentarily sidelined in the interests of fulfilling a single DSAR.
Under the GDPR and DPA 2018, the rights of third parties must be protected and any third-party personal data should be redacted from a DSAR response. However, although this addresses the disclosure of third-party information to the requestor, it doesn't address the interference caused by the collection, reading and scrutinising of other individuals' messages and personal information. Again, where two rights are in conflict, proportionality should play a role in finding the right balance.
This issue hasn't been forgotten by the courts. In Dawson-Damer v Taylor Wessing [2019] EWHC 1258 (Ch), the High Court held that it would be disproportionate to require the controller (in this case, Taylor Wessing) to search backup systems and ex-employees' personal spaces, given the risk that the searches would disclose confidential or personal information about Taylor Wessing employees and other unrelated individuals. This is a clear acknowledgement that the controller's duty to respond to a DSAR should not bulldoze other important rights.
Final thoughts
As we have seen, access is a fundamental right under the GDPR and an increasingly difficult one to navigate. Unfortunately, the ICO's Draft Access Guidance provides fairly limited guidance on the extent of a controller's duty when responding to DSARs. It states that the GDPR places a high expectation on organisations to provide information and that "extensive efforts" should be made to find and retrieve information, but gives no illustrative practical guidance or examples for organisations to follow (which would ultimately be more helpful). It is hoped that the ICO – and indeed wider EU regulators – will give further consideration to this topic as the responses to the consultation are reviewed, and will provide:
- Further clarification on what, in practice, would be considered "manifestly unfounded or excessive". Would an employee DSAR, covering many years' worth of data and requiring searching other employees' mailboxes, be considered excessive under the GDPR? What if it was apparent that the employee was merely trying to obtain documents or information as leverage in a dispute and was not genuinely seeking access to their personal data – would a DSAR in this scenario be manifestly unfounded?
- Clearer guidance around the controller's duty to search archive and back-up systems and, in particular, whether that duty requires incurring potentially high costs for non-routine and exceptional access.
- Further explanation of when a controller can apply exemptions when assessing a large volume of data, and whether a "case by case" approach would include, for example, being able to rely on an exemption for an entire category of email correspondence that is clearly identified and defined, without the need to review each individual email.
- Guidance as to what constitutes the correct balancing act between third parties' right to communicate and express their opinions freely within emails and other correspondence and the right of an individual to have access to their personal data. In this respect, more clarity is needed on the interplay between confidentiality of communications obligations under the e-Privacy Directive and DSAR disclosure obligations under the GDPR.
- An acknowledgment that, even where a controller employs good data retention practices, in a world of 24/7 communication an individual may appear in vast amounts of first- and third-party correspondence, and a proportionate balance must be struck between the ease with which individuals can submit access requests (for free) and the considerable effort, cost and third-party privacy intrusions the controller must incur in order to fulfil a single DSAR.