Mark Harrison v Alasdair Cameron & Anor

This is a first-instance claim under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 seeking disclosure in response to subject access requests under article 15 UK GDPR. The court decided three principal legal questions: (a) whether the First Defendant's dissemination to family and friends fell within the purely personal or household activity exception in article 2(2)(a) UK GDPR; (b) whether the First Defendant was personally a data controller within the meaning of article 4(7); and (c) whether the Second Defendant, as controller, was obliged under article 15(1)(c) to disclose the actual identities of third-party recipients or could withhold them under article 15(4) read with Schedule 2 paragraph 16 DPA 2018.

• The court held the purely personal/household exception did not apply to dissemination of recordings which were made in the context of a business relationship and which were held and disseminated from a company device.
• The court held the First Defendant was not a controller: his acts in recording and sharing were carried out in his capacity as director of the company and the company (ACL) was the controller, applying In re Southern Pacific Personal Loans Ltd and Ittihadieh.
• The court held that article 15(1)(c) requires, in principle, disclosure of the actual identities of recipients (following the reasoning in RW v Österreichische Post AG), but that ACL lawfully withheld the recipients’ identities because disclosure would unreasonably prejudice the rights and freedoms of those third parties and paragraph 16 Schedule 2 DPA 2018 therefore applied.

Background and nature of the claim. The Claimant sought an order that the Defendants comply with subject access requests under article 15 UK GDPR to disclose who had been sent recordings and transcripts of two telephone calls made on 7 May 2022 between the Claimant and the First Defendant. The recordings arose out of a business dispute between the parties under a landscaping contract; the Claimant alleged the recordings had been shared and caused reputational and commercial harm. The Claimant did not pursue a claim for damages or for an article 18 restriction order.

Parties and facts. The Claimant is a private individual and chief executive of a property investment company; the First Defendant is a landscape gardener and director and majority shareholder of the Second Defendant, ACL. The First Defendant recorded two calls without the Claimant's knowledge, then shared the recordings/transcripts with family, friends and certain ACL employees. Copies were later seen in the property industry. The Claimant issued SARs to the First Defendant and to ACL seeking the recipients' identities and other processing information.

Procedural posture and issues for decision.

• Whether the First Defendant's processing in relation to family and friends fell within the "purely personal or household activity" exception (article 2(2)(a) UK GDPR).
• If not, whether the First Defendant was personally a data controller (article 4(7)).
• Assuming processing within the regime (and in relation to ACL): (i) whether article 15(1)(c) entitles the Claimant to the identities of the recipients; (ii) whether disclosure may be refused under article 15(4) and/or Schedule 2 paragraph 16 DPA 2018.

Court's reasoning and findings. The court found (i) the exception for purely personal or household activity did not apply because the recordings were made during business calls about the contractual relationship, and the recordings were held and disseminated from a company device; the activity was not "purely" personal. (ii) Applying authority (In re Southern Pacific; Ittihadieh), the individual director was not a controller for processing done in his capacity as company director; ACL was the controller and the claim against the First Defendant was dismissed. (iii) On article 15(1)(c) the court followed the reasoning of the Court of Justice in RW v Österreichische Post AG and held that, in principle, a data subject is entitled to the actual identities of recipients unless identification is impossible or the request is manifestly unfounded or excessive; ACL could not be required to provide only generic categories where actual identities were readily available. (iv) However, ACL lawfully relied on article 15(4) and Schedule 2 paragraph 16 DPA 2018 (the "rights of others" exemption). The controller has a wide margin of discretion in assessing reasonableness; ACL reasonably concluded disclosure without consent would expose family, friends and employees to harassment and intrusive, hostile legal approaches given the Claimant's conduct and prior correspondence. The court concluded the exemption applied and dismissed the claim against ACL.

The claim is dismissed. The First Defendant was not a data controller because he acted in his capacity as director of ACL when recording and sharing the calls; accordingly the claim against him is dismissed. ACL, as controller, was not required to disclose the actual identities of the recipients because, although article 15(1)(c) ordinarily entitles the data subject to the identities of recipients, ACL reasonably relied on article 15(4) read with Schedule 2 paragraph 16 DPA 2018 to withhold those names in order to protect the rights and freedoms of third parties.