Court issues helpful guidance in dealing with customer's repetitive Data Subject Access Requests

Background

Both prior to the issue of possession proceedings, and following the issue of possession proceedings, the customer made multiple Data Subject Access Requests (DSARs) to the Bank to which the Bank responded on a number of occasions.  However, the customer was not satisfied by the Bank’s responses.

The customer’s Part 8 claim

The customer subsequently issued a Part 8 claim against the Bank in the High Court in which among other things he sought the Court’s assistance in relation to the Bank’s alleged failure to provide data contrary to the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (EU) 2016/679 (GDPR).

The decision

The Judge, Chief Master Marsh, found that the Bank had responded to each of the Customer’s DSARs and that, in each case, its answer was an adequate response to the DSAR submitted by the Customer.  The Customer had been seeking to uncover evidence that would assist him in the possession proceedings. 

The Chief Master made it clear (obiter) that the Court has a discretion whether or not to make an order in circumstances where there is a failure to provide a proper response to a DSAR, but in this instance, the Court’s view was that the Bank had responded appropriately to the Customer’s DSARs.  Further, the Court considered that even if the Bank had not responded adequately to the DSARs, there would have been good reasons for declining to exercise the Court’s discretion to make an order that the Bank should respond to the DSARs. These reasons included:

• there had been numerous and repetitive DSARs which were abusive;
• the real purpose of the DSARs was to obtain documents rather than personal data;
• there had been a collateral purpose behind the requests, i.e. to obtain assistance in preventing the Bank from bringing possession claims; and
• the data sought would have been of no benefit to the Customer.

Key points

It is not uncommon for lenders to receive numerous and repetitive DSARs from Customers, particularly from those Customers with whom they may be involved in litigation.

It can be time consuming and resource intensive for lenders to comply with such requests, especially if the Customer challenges the adequacy of the response(s) they receive from the lender and makes further DSARs. 

The decision in this case will likely be welcome to lenders who are receiving numerous and repetitive DSARs from a Customer, particularly where there is a collateral purpose behind the requests such as to obtain documents to be used in litigation between the lender and the Customer.

There is some potential divergence between the position the Court has taken and guidance issued by the UK’s data protection regulator. The Information Commissioner’s Office (ICO) takes the view that DSARs are “purpose agnostic” and that organisations cannot refuse to respond to DSARs where they are made for a collateral purpose. Whilst the GDPR makes allowances for data controllers to refuse to respond to DSARs that are “manifestly unfounded or excessive”, current ICO guidance suggests that the bar to demonstrate this is high.

It is not currently clear whether the obiter comments of the Court would prevail over the ICO’s guidance. Lenders should therefore be aware that, whilst the judgment may assist them in front of the courts, the regulator may have different expectations as to when DSARs made for a collateral purpose must be responded to.

By Sanjeev Ahuja and Emma Erskine-Fox

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.