Subject Access Requests: High Court looks at the meaning of recipients

A judgment handed down recently by the High Court looks at the “purely personal” exception under the UK GDPR, whether article 15(1)(c) entitles data subjects to know the identity of recipients, and the application of paragraph 16 of Schedule 2 of the DPA (the “rights of others” exception). The facts of the case are fairly colourful (the hearing was covered by the Times, the Telegraph and the Daily Mail), but from a data protection perspective the more interesting point is the Court's consideration of whether the words “the recipients or categories of recipient to whom the personal data have been or will be disclosed” in article 15(1)(c) entitle a data subject to know the identity of individual recipients of their data. Readers may recall that the CJEU looked at this question last year in RW v Osterreichische Post AG (C-154/21) . It concluded that data subjects had a right to be told the specific recipients of their data unless it was impossible to identify them, or the request was manifestly unfound or excessive. The High Court agreed with the CJEU's interpretation and considered it should be applied in determining the meaning of article 15(1)(c) of the UK GDPR. 

The High Court also had to consider whether “recipient” in this context only referred to external recipients, or  included employees of the  controller. This question was also considered by the CJEU last year, in J.M. vs. Apulaistietosuojavaltuutettu, Pankki S (Case C-579/21).  In that case a customer wanted to know which specific bank employees had accessed their data. The CJEU held that “the employees of the controller cannot be regarded as being ‘recipients’, within the meaning of Article 15(1)(c) of the GDPR, …, when they process personal data under the authority of that controller and in accordance with its instructions”. The High Court came to the opposite conclusion, although without referencing the CJEU's decision on the point: “Recipients clearly include those, such as the employees of ACL to whom the Recordings were disclosed, who are not third parties, and who process personal data under the direct authority of the controller.”   

This conclusion did not impact the overall outcome of the case. Providing the identity of the recipients would involve disclosing personal data about them, which brought the “rights of others” exception into play. The Court decided that it was not unreasonable for the controller in this case to decide to withhold this information given the “sustained and menacing behaviour” of the claimant data subject. This was a fairly exceptional set of facts, but the confirmation that the controller has a “wide margin of discretion”  when applying the “rights of others” exception is helpful for controllers. It seems unlikely that this judgment will be appealed given the facts of the case, but there are aspects of the Court's reasoning which may well be challenged in the future, particularly around its interpretation of “recipients or categories of recipients”.