Data protection law has received a new public prominence in recent months, with the media focusing in particular on global internet companies, such as Facebook or Google. At the same time, the practical implications of data protection law in a range of contexts have continued to be quietly and incrementally developed in the courts. One recent example is the High Court decision in Guriev v Community Safety Development (UK) Ltd, which offers particularly salutary lessons for those who make use of private investigators.
Background
The proceedings were brought by the main beneficial owners of a Russian company, OJSC PhosAgro. In early 2015, they received correspondence from the defendant (CSD), an English firm of private investigators, notifying them of an investigation into the ownership of PhosAgro and the circumstances of its listing on the London Stock Exchange.
The motivation behind this investigation was essentially a claim that some of the shares in PhosAgro were, or ought to have been, held on trust for the benefit of a Mr Alexander Gorbachev. Various requests for information relating to PhosAgro were made by CSD to both claimants in March 2015, mentioning the possibility of civil and criminal liability for serious breaches of prospectus rules.
Mr Justice Warby determined that a reasonable reader could conclude that these questions were “aimed rather to intimidate” than to elicit answers (this is itself a notable cautionary point for those making use of private investigators). In May or June 2015 (even this question was contested), a private criminal prosecution was commenced in the Cypriot courts by Mr Gorbachev against the claimants and various other parties, relating to the ownership of PhosAgro. Mr Justice Warby concluded that the claimants at this time had “a proper interest in determining what personal data CSD held relating to them and assessing its accuracy”.
On 15 June 2015, the claimants submitted a Subject Access Request (SAR) to CSD requesting various information, including a copy of all the claimants’ personal data held by the defendant. CSD refused to provide any such information on various grounds, and the claimants commenced proceedings in the English courts on 16 October 2015, seeking an order to require the defendant to comply with the request.
High Court decision
The judgment focused on the question of whether one of two exemptions might apply, and whether the court should exercise its discretion to compel compliance. The first exemption, set out in section 29(1) of the Data Protection Act 1998 (DPA) and referred to as the “crime exemption”, excludes personal data processed for “the prevention or detection of crime” or “the apprehension or prosecution of offenders”, to the extent to which providing access to that data would be likely to prejudice these matters.
Mr Justice Warby concluded that, on this point, it had not been established by CSD that all the information it held was for these purposes, nor that the disclosure of any information it held would prejudice any criminal investigation or trial. Any claim for this exemption could not be made on a general basis, but had to be a “proper evidence-based evaluation”. Importantly, the court noted that no such exception applies in relation to existing or anticipated civil proceedings.
The second exemption, referred to as the “privilege exemption”, is provided under Paragraph 10 of Schedule 7 to the DPA, which exempts data subject to legal professional privilege. The court noted that the burden of establishing that such privilege exists falls on the party seeking to rely on it. This would require specific evidence of the purpose for which particular information had been obtained. Once again, a claim for this exception could not be made on a general basis, but would require a reasoned and evidenced analysis as to why particular documents or parts of documents were privileged.
The final argument made by CSD was that the court should exercise its discretion, under section 7(9) of the DPA, to refuse to order compliance with the claimants’ SAR on the basis that it imposed a disproportionate burden on CSD and that the information was being sought for an improper purpose.
The court held that it would not be unduly onerous on CSD to comply with the order, noting that if legal proceedings were anticipated, the task of determining whether documents were privileged would in any case have to be carried out in connection with any such proceedings.
The court also held that the purpose for which an SAR has been submitted is not generally a matter into which the courts should enquire, and that there was no “abuse of process” in obtaining early access to information that might later be disclosable in litigation. The claimants were successful and CSD was ordered to comply with their SAR.
Comment
This case illustrates the growing importance of data protection law across a range of different contexts, which is only likely to increase following the European Union’s recent adoption of the long-anticipated General Data Protection Regulation (GDPR). The GDPR will come into effect in May 2018 and aims to provide greater and more uniform protection for the personal data of European citizens.
In the meantime, the Guriev decision is an important reminder that data protection is not just an issue for large internet companies, but potentially for any individual or company that directly or indirectly collects personal information, including those who rely on private investigators.
Robert Weekes of Blackstone Chambers acted for the successful claimants in this matter.