UK Data Subject Access Requests Hang In The Balance
Due to Partygate and various other problems, perhaps it’s easy to forget that for a long time Boris Johnson walked on water, politically speaking that is. Not too long ago, he achieved a landslide General Election victory promising to “get Brexit done”.
Taking a hatchet to retained EU law
While the Pandemic, Ukraine War and Cost of Living Crisis complicate an assessment of how good or bad Brexit will ultimately be for the UK, it’s clear that the government hasn’t completed the tearing up of EU law that was retained by the UK as a device to make it simpler to get Brexit done. As we get nearer to the next General Election, it’s likely that the Brexit card will be prominently replayed, to shore up the government’s core support, which will probably mean an acceleration of the pace of legal change over the coming months. This includes data protection.
Brexit and data protection reforms
As far as data protection law is concerned, the government is keen to get things done quickly. The GDPR has always been in the firing line and the government’s ambitions have become considerably clearer following the publication of its latest position paper earlier this month.
To recap for people who have not been following the story, in September 2021 the Department for Digital, Culture, Media and Sport (DCMS) published a consultation paper called Data: a new direction, which sets out the government’s aims for reform of the UK’s data protection laws. These laws are a direct hangover from the EU General Data Protection Regulation (GDPR), and they were always going to be in the government’s sights because of the GDPR’s totemic status as a piece of EU law. That status derives from the fact that between 2016 and 2018 the world, including the UK, went GDPR crazy, with awareness levels going through the roof. Arguably, for a period the GDPR was the most famous law in the world.
And six years after the referendum, there it remains, sitting on the UK statute books as an unwelcome reminder of the country’s one-time loss of sovereignty (if you happen to view EU membership in that way).
June update – trajectory becomes clearer
The government’s argument for data reforms is that they support its vision of a buccaneering post-Brexit global Britain, where the economy is freed to be ambitious, pro-growth and innovative (according to the writers of the consultation paper). On 23rd June, the first major update on the reforms was published, containing the government’s reply to the responses that the consultation received.
There’s a lot in this, ranging from proposals that seem to be change for change’s sake, to ones that will genuinely put the UK on a very different path to its former EU partners. The more impactful changes include those for the future of Data Subject Access Requests (DSARs, or SARs, for short) and for the function of the Information Commissioner’s Office (the regulator).
The DSAR regime – giving data protection teeth
The DSAR regime gives people rights to various information about the data that are held on them and processed by businesses, government, public authorities, and many other organisations such as hospitals, schools and churches. The DSAR regime is one of the foundational elements upon which data protection laws are built. It is a critical transparency mechanism that exists to remind everyone that the ability to use another person’s data is built mostly on a licence, not an irrevocable entitlement. It is intended to provide checks and balances against power grabs, unlawful behaviour and, ultimately, harm to individuals. A data protection system without a strong DSAR regime is a toothless tiger, not deserving of its name.
Carve-out for vexatious and excessive DSARs
In the September 2021 proposals the government trailed the idea of introducing charges and cost-based limits on DSARs, but they met with little support and have now been abandoned. However, another proposal has survived, which is that “vexatious or excessive” DSARs could be rejected. This would align the DSAR regime with a separate access regime contained in the Freedom of Information Act (which applies to information held by the public sector).
To put this in context, and to help gauge how far the introduction of a vexatious or excessive carve-out would move the UK away from the EU position, even the predecessor to the current GDPR-based data protection regime (which was based on a 1995 EU law) did not contain this carve-out. Thus, if it makes its way into law, the proposal will cause the UK to backpedal on more than 25 years of data protection progress.
Substantive impacts likely
But how substantive a change will the introduction of a vexatious or excessive carve-out be? This can be measured by the examples that the consultation paper and the latest update provide. The kinds of circumstances that might apply include:
- Where the use of personal data does not appear to be the sole or primary reason for making an access request.
- Where the access request might be used to circumvent the rules on disclosure and inspection of documents that apply in civil litigation.
- Where the access request is made by an employee who leaves on bad terms, to disrupt their former employer.
- Where the access request is made by a claims management company.
These situations are just examples, but they come down to one thing: people making trouble, if you want to view it like that. These situations are the most contentious ones in which DSARs are made and they represent the bulk of the access requests that most organisations receive.
DSARs neutered and impotent?
The vexatious or excessive carve-out would therefore have the potential to neuter the DSAR regime, eroding it to a state of almost total impotence.
Part of the reason is that once the carve-out is introduced, organisations receiving DSARs will want to make the most of it. Of course they will, and they will stretch the boundaries as far as they can, so that within hardly any time at all the carve-out will be regularly applied in situations that are neither vexatious nor excessive. That is how things are when a contentious situation arises and there are legal carve-outs to take advantage of.
Looking for checks and balances
Of course, it might be said that there will be checks and balances on the overuse of the carve-out, to render this fear dismissible, exaggerated, and unfair.
Well, what are these checks and balances? There is a real access to justice problem in the UK. Litigation is expensive, complicated and time-consuming, and it’s not going to be an option for sorting out disputes in most cases. That will leave most individuals wholly reliant on the Information Commissioner, the UK regulator, coming to the rescue. But how likely is that?
Only time will tell, but it’s notable that the Information Commissioner is supportive of the government’s proposals. It’s also notable that enforcement action since the GDPR came into effect has all but dried up in the UK. This may not augur well.
At best, it seems that the future of DSARs in the UK hangs in the balance.