A paradox of choice
When a data subject makes a data subject access request pursuant to Article 15 UK GDPR, not only are they entitled to a copy of their personal data, unless an exemption applies, but also to be told a range of information about how their personal data has been and is being processed. One item of information to which they are entitled, in accordance with Article 15(1)(c) UK GDPR, is to be informed of “the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations”. “Recipient” is defined at Article 4(9) UK GDPR as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not”. In this regard, the Information Commissioner’s Office’s guidance merely states that “In their response, the organisation should also include:… who they are sharing your information with…”
This provision may give the impression that data controllers have discretion in determining whether to inform data subjects of the specific identities of recipients of personal data or merely to inform them of the categories of recipient: the difference between stating, for example, “we shared your personal information with our professional advisers” and “we shared your personal information with our professional advisers, Handley Gill Limited”. Indeed, neither the Recitals nor the Articles of the UK GDPR provide any explicit guidance as to the circumstances in which specific recipients should be identified.
In relation to the interpretation of the same provision of the EU GDPR, in January 2023 the First Chamber of the CJEU gave a preliminary ruling in the case of C-154/21 RW v Österreichische Post AG ('the Austrian Post case') that “Article 15(1)(c) of the GDPR must be interpreted as meaning that the data subject’s right of access to personal data concerning him or her, provided for by that provision, entails, where those data have been or will be disclosed to recipients, an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question”.
Since that decision post-dated Brexit, however, by virtue of s.6(1) European Union (Withdrawal) Act 2018, the ruling is not binding on courts and tribunals although, as provided for by s.6(2) of that Act, they may have regard to decisions in so far as they are relevant.
The interpretation of the equivalent provision of the UK GDPR has recently been determined by the High Court in Harrison v (1) Cameron & (2) Alasdair Cameron Limited [2024] EWHC 1377 (KB), in which the Court decided to follow the CJEU’s approach and determined that “the interpretation given by the CJEU in the Austrian Post case to article 15(1)(c) of the GDPR is correct and should be applied in determining the meaning of article 15(1)(c) of the UK GDPR”, and that this was not limited to external recipients of the personal data but included internal recipients, such as employees of the data controller, subject to any applicable exceptions, such as where a request is “manifestly unfounded or excessive” in accordance with Article 12(5) UK GDPR, or exemptions.
Schedule 2 Part 3 paragraph 16 Data Protection Act 2018 provides an exemption from the obligation to comply with Article 15(1)-(3) UK GDPR where compliance “would involve disclosing information relating to another individual who can be identified from the information” unless that individual has either given their consent or it is reasonable to disclose the information without consent. In the Harrison case, the judge concluded that, on account of the requester’s own conduct and that of his legal representatives toward the data controller and potential recipients of the requester’s personal data, the data controller had been entitled to conclude that it would not be reasonable to disclose the identities of individual recipients of the personal data in the absence of consent.
Data controllers need to ensure that their internal guidance and practices in relation to the disclosure of the recipients of personal data are updated to reflect this judgment, with disclosure of the specific identities of recipients being the default position unless an exception or exemption can be established.
For further information on handling data subject access requests, you can read our previous blog post on the subject, ‘Dominate that DSAR’, and download our Helping Hand Data Subject Access Request (DSAR) Compliance Checklist.
Should you require support in establishing internal processes and procedures for handling data subject rights requests, including data subject access requests (DSARs), or in handling one or more specific requests, our specialist data protection consultants are on hand to help you so please don’t hesitate to contact us.