GDPR – Nuclear Bomb in the Information Age or Toothless Dog?

If you have ever found yourself in a huff over external entities utilising your private information  whether it be with a company, a friend/partner, an employer or perhaps even an unknown third party, then it is likely that you will be familiar with your right to privacy and anonymity. But how do you find out who has your information?

How do I find out who holds my personal information?

For those who are unfamiliar, the UK General Data Protection Regulation 2016 (‘GDPR’), which came into force on 25 May 2018, grants data subjects the right to access their personal data. Before Brexit GDPR was designed to “harmonise” data privacy laws as well as providing greater protection and rights to individuals in the EU’S member countries. GDPR was also created to alter how businesses and other organisations can handle the information of those that interact with them. There’s the potential for large fines and reputational damage for those found in breach of the rules. By making a Data Subject Access Request (DSAR) you can request copies of any data held about you from any person who has handled, processed or controlled your personal information and such persons must respond to your written request within 30 days (except in certain exceptional circumstances).

It is worth noting here that DSARs and Freedom of Information Act requests (Known as FOIA Requests) are not the same thing and cannot be used in the same way as the end goals for each request are very different. In our next article we will look at how you can weaponise FOIA requests – stay tuned!

How much damage can I do with a DSAR?

Quite a lot of damage actually… DSARs are considered to be a fundamental legal and human right.

So, how does this help in the context of a legal dispute you may have? Well, increasingly in recent years claimants have been using the GDPR and DSARS as a ‘weapon’ against their opponents in disputes in order to fish for information that may be detrimental to their opponent and strengthen their case.

What information can I get with a DSAR?

One such way in which the GDPR can be weaponised to your advantage is by enabling you to obtain information to which you are not ordinarily entitled to see (or not yet entitled) as a litigant under the usual Court rules of disclosure. To illustrate how this works in practice we look to the case of Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74.

The appellants in this case were beneficiaries of offshore trusts in the Bahamas. The defendant was Taylor Wessing LLP, a solicitor’s firm who advised the trustee of the trusts. After the trustee refused to furnish the beneficiaries with certain documents that they had requested, the beneficiaries made a DSAR. Taylor Wessing’s initial response to this request was that this personal information was exempt from disclosure under the Data Protection Act 1998 (DPA 1998).

To cut a long story short, the beneficiaries sued Taylor Wessing for failing to comply with the DSAR. At first the Court sided with Taylor Wessing and decided that the documents were not disclosable between trustees and beneficiaries as a matter of Bahamian Law. It was also held that they were requesting the information in connection with court proceedings which was not a ‘proper purpose’ for making a DSAR.

The beneficiaries were not having this, so they appealed against this decision and they were successful. The Court of Appeal decided that there was no limitation as to the purposes for which a DSAR may be made and a data controller/processer/handler cannot refuse to comply with a DSAR for reasons related to the motive of the person making the request – hooray for claimants!

Therefore, this case demonstrates that DSARS have the potential to be used as a weapon in litigation and if it can be used for litigation it can be used for much more… This case also highlights a really important point –  that the motive behind a DSAR is not a valid reason for refusing to comply with the request.

This is just one of many ways in which you can weaponise the GDPR and we will be sharing much more about this in our upcoming articles in this series.

Is there anything else in particular you would like to know about weaponising the GDPR? Let us know via our social media pages or email us at info@hillarycooperlaw.co.uk .

Tags:

Add your Comment

Recent Posts

Recent Comments

No comments to show.

Archives

Categories

Search

Categories

Recent Posts

04 Jul 2024

20 May 2024

20 May 2024

Tags

businesses casamitjana case law climate change Commercial Lease Contract coronavirus Court COVID-19 covid19 Data Employee Employers Employment enforceability environment equality act ethical vegan finance Freeholder GDPR global environmental awareness HCL Landlord law league against cruel sports Leaseholder legal affects Legal Effects mandatory redundancy Pandemic philosophical belief Property Protection redeployment redundancy remote working Retail SMEs SSP Tenant tribunal vegan veganism work from home