On 7 June 2024, the High Court passed down a potentially significant judgment in the data protection case of Harrison (H) v Cameron & Another (C). The three key points from this judgment are that: 

1. In principle, Data Subjects are entitled to be informed of the identities of the recipients of their personal data (not just the categories of recipient);
2. The subject access regime has a “specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides”; and
3. A director of a company, when acting as such, will not be a “controller” themselves in their personal capacity.

Background 

The case originated when, H, who had hired a landscape gardening company led by C for work on his property, demanded that the company leave his premises due to disagreements. Following this, C secretly recorded two phone conversations with H without his consent. These recordings were widely circulated among C’s employees, family, and friends. Allegedly, this dissemination of private conversations harmed H’s business. In an attempt to seek more information, H issued Data Subject Access Requests (DSARs) to find out who received the recordings, but C refused to disclose this information. 

There are two conclusions the Judge came to in this case which provide context for the ensuing findings. 

1. The Judge decided that H’s behaviour was seriously and persistently menacing, and he had resorted to threats of violence to intimidate C into complying with his demands; and 
2. H’s solicitors had written hostile letters to a number of third parties suspected of having received the recordings. The Judge referred to letters sent by Mr Harrison’s solicitors to over twenty employees of the company as intimidating and unwarranted in circumstances where the company accepted it was a controller of the data. 

Judgment

We have summarised below each of the key areas that the Judge concluded on: 

• C argued that the processing of the data was for domestic purpose and therefore it fell outside the provisions of UK GDPR and the Data Protection Act 2018. The Judge ruled that this could not be the case as it related to the breakdown of a business relationship between H and the company.
• The Judge ruled that the company was the controller of H’s data. C was not a controller of that data as he was acting in his capacity as a director of the company when making and sharing the recordings. This followed existing case law, establishing a director of a company is not a separate controller of the data that they process in that capacity. 
• It has been debated whether Article 15 of UK GDPR requires the controller to specifically disclose the actual identities of the recipients of the data rather than just categories of recipients. The Judge established that specific identities should, in most cases, be shared. In reaching this decision, the Judge followed the earlier ruling given by the Court of Justice of the European Union in the Austrian Post case. This further demonstrated that indications from EU data protection law will continue to be considered by the UK judiciary following Brexit.
• In relation to the above, employees can be recipients and may need to be specifically identified. The Judge rejected an argument raised by the company that employees cannot fall within this requirement if they only dealt with the data as part of their duties as employees.
• Finally, the requirement to identify the recipients of the data is subject to Article 15(4) of the UK GDPR and Schedule 2 paragraph 16 of the Data Protection Act 2018. These provisions mean that the rights of the data subject must be balanced against the rights of third parties. These provisions were relied upon by the company when refusing to disclose the identities of the recipients of H’s data. This was due to genuine concerns of the company regarding the two points identified by the court above on the welfare of those recipients given the threats H had made against C and the subsequent aggressive correspondence H’s solicitors had sent. Therefore, the refusal to disclose the identities of the recipients of the two recordings was reasonable and not a breach of Article 15 UK GDPR.

Key considerations

The most important point to emphasise from this decision is that a Data Subject is entitled to know with whom their data has been shared (specific individuals or organisations and not just categories), but that this has to be balanced with the impact of disclosure on the rights and freedoms of those recipients.

This judgment also suggests that DSARs may not always be effective in a pre-litigation context to obtain information in advance of or alongside a claim, particularly where information about third parties may be disclosed who can then be targeted in subsequent litigation. When assessing the rights of a data subject against the rights of a third party, organisations can and should consider the motive of the DSAR and should respond carefully. 

If you would like any further information or have queries on the content of this article, please contact David Varney or a member of our Technology team.

This article was written by Abbie McGregor.