June 01, 2020 Court of First Instance - Judgments
Claim No. CFI 051/2018 and CFI 085/2018
THE DUBAI INTERNATIONAL FINANCIAL CENTRE COURTS
IN THE COURT OF FIRST INSTANCE
BEFORE JUSTICE SIR RICHARD FIELD
IN THE MATTER OF AN APPEAL UNDER ARTICLE 37(1) OF DIFC LAW No. 1 of 2007 (THE DATA PROTECTION LAW) AND JUDICIAL REVIEW UNDER PART 42 OF THE COURT RULES
BETWEEN
THE DUBAI FINANCIAL SERVICES AUTHORITY
Appellant
and
THE COMMISSIONER OF DATA PROTECTION
Respondent
ANNA WATERHOUSE
Interested Party
JUDGMENT
Introduction
1. There are before the Court two sets of related proceedings. First, there is an appeal by the Dubai Financial Services Authority (the “DFSA”) under Article 37 (1) of the Data Protection Law (Law No. 1 of 2007) (the “DPL”) from the decision of the Commissioner of Data Protection (the “Commissioner”) dated 20 June 2018 that the DFSA contravened Article 17 of the DPL by refusing to comply with a Subject Access Request (the “SAR”) served on it by the Interested Party (“Ms Waterhouse”). Second, there is an application by the DFSA for judicial review of the direction the Director made in Ms Waterhouse’s case as to the steps he ordered the DFSA to take in response to Ms Waterhouse’s SAR.
The relevant background
2. The DFSA is established by Article 7 of the Regulatory Law and by Article 8 (3) thereof has as one of its major functions the prevention, detection and restraint through appropriate means including the imposition of sanctions of conduct that causes or may cause damage to the reputation of the DIFC or financial services industry in the DIFC. Under Articles 78 and 90 it has respectively the power to conduct investigations and impose sanctions and make directions.
3. Ms Waterhouse was Head of Legal & Compliance Middle East and North Africa for Deutsche Bank AG (“DB”) from 1 October 2007 to 5 March 2014. She was authorised by the DFSA to perform the Licensed Functions of Compliance Officer, Money Laundering Reporting Officer and Senior Manager. DB was a DFSA Authorised Firm.
4. In 2012 the DFSA began an investigation into DB and certain individuals connected to it. In February 2014, this investigation was expanded to include suspected breaches dating back to 2011 of DFSA administered legislation and certain DB employees, including Ms Waterhouse.
5. In October 2014, the DFSA’s enforcement arm produced a report setting out its investigatory findings so far and pursuant to a Decision Notice dated 29 March 2015 the DFSA took action against DB for contraventions of DFSA administered legislation and breaches of DFSA Rules.
6. On or about 29 April 2015, Ms Waterhouse was given a copy of the report setting out the findings of the investigation together with a copy of the materials referenced in the report. These materials comprised six lever arch files of documents ordered chronologically covering relevant events from 2011 to 2013 and copies of transcripts of all interviews undertaken by the DFSA referred to in the report. The chronological documents in the six files were compiled from a much larger number of documents that were gathered during the investigation. In total, there were approximately 300 lever arch files of documents and information produced to the DFSA during the course of the investigation.
7. On 10 January 2016, the DFSA’s Decision Making Committee (the “DMC”) served on Ms Waterhouse a notice setting out the decision it proposed to make in her case including its proposed findings of fact and sanction. Ms Waterhouse was also given a copy of the materials that the DMC had considered. Pursuant to her right to do so, over the ensuing 15 months Ms Waterhouse made a series of representations designed to persuade the DMC not to issue a final decision to take enforcement action against her. In addition, at the request of Ms Waterhouse’s counsel, DFSA Enforcement provided further information up to the point at which it was felt that the information being sought was beyond the scope of the DFSA’s investigation.
8. On 22 June 2017, the DMC served on Ms Waterhouse a Decision Notice stating that for the breaches of DFSA administered legislation identified in paragraph 10 below it was going to impose a financial penalty of US$100,000 and to restrain her from performing any functions in connection with the provision of financial services in or from the DIFC. The Decision Notice referred to the materials the DMC had considered copies of which had already been disclosed to Ms Waterhouse.
9. The background to the DFSA’s Decision Notice was that DB and its employees within the Private Wealth Management (“PWM”) team serving the Middle East and Africa had breached regulatory requirements in providing the regulated financial services of Advising on Financial Products and Credit and Arranging Credit or Deals in Investments in a way which was undisclosed to the DFSA and which did not comply with the requirements set out in the DFSA Rulebook. Around 40% - 50% of the PWM employees’ emails had involved Advising and/or Arranging and the failure to comply with the DFSA Rulebook extended to approximately 583 PWM clients over the period 1 January 2011 to 30 June 2013.
10. The DFSA’s case against Ms Waterhouse was that she gave false or misleading information to the DFSA on several occasions, with knowledge that it was false or misleading or with recklessness as to whether or not that was the case and she had failed over a substantial period to correct false or misleading information provided by herself or others, and in consequence she had: (i) failed to act with integrity, contrary to GEN Rule 4.4.1, Principle 1, Integrity; (ii) failed to exercise due care and skill, contrary to GEN Rule 4.4.2, Principle 2; (iii) failed to deal with the DFSA in an open and co-operative way and failed to disclose appropriate information, contrary to GEN Rule 4.4.4, Principle 4, Relations with the DFSA; and (iv) had contravened Article 66 of the Regulatory Law which prohibits provision of information which is false, misleading or deceptive to the DFSA.
11. On 23 July 2017, Ms Waterhouse referred the DFSA Decision Notice to the Financial Markets Tribunal (the “FMT”), a body established under the DIFC Regulatory Law that hears and determines references to review decisions of the DFSA. When conducting such references, the FMT conducts a de novo full merits review of the DFSA decision and can take into account any relevant new evidence that comes to light after the DFSA's original decision. In the ensuing FMT proceedings, Ms Waterhouse denied the factual allegations made against her and advanced the defence that the DFSA investigation was an abuse of process.
12. The FMT’s decision was issued on 12 August 2019. It dismissed the abuse of process defence and found that Ms Waterhouse had failed to be frank and candid with the regulator about serious regulatory issues and was therefore in breach of GEN Rules 4.4.1, 4.4.2 and 4.4.4 as alleged by the DFSA. There was no finding of dishonesty against Ms Waterhouse, rather one of recklessness. Publication of the decision was restrained by an order of this Court until 12 December 2019 which came after the hearing of the instant proceedings. A number of the details that are given in this paragraph and paragraphs 9 to 11 above are derived from the FMT’s decision.
13. By a letter dated 2 August 2017, Ms Waterhouse served the SAR under Article 17 DPL on the DFSA. Article 17 confers on a “Data Subject” the right, inter alia, to obtain from a “Data Controller” upon request: (a) confirmation whether or not “Personal Data” relating to him or her is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the “Recipients” or categories of Recipients to whom the Personal Data are disclosed; (b) communication in an intelligible form of the Personal Data undergoing Processing and of any available information as to its source; and (c) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of the Law.
14. It is common ground that Ms Waterhouse was a Data Subject and the DFSA was a Data Controller.
15. In her letter of 2 August 2017, Ms Waterhouse requested in respect of the period 1 October 2011 to the “present date”:
(a) Emails, reports, notes of meetings, letters or other documents that referred to her by name in the content of subject heading which: (i) passed between employees of the DFSA (internal communications); or (ii) passed between the DFSA and any third parties (whether sent or received); or (iii) passed between the DFSA and witnesses interviewed by the DFSA in the course of their investigation into her concerning her role at Deutsche Bank.
(b) Emails, reports, notes of meetings, letters or other documents from which she can be readily identified, but which did not expressly refer to her by name in respect of each category of data set out at (i) – (iii) above.
She also stated that any deleted items should be restored and provided to her and requested that once personal data within the scope of the request had been identified she be provided with a hard or electronic copy of the information constituting personal data and (1) a description of the data; (2) an explanation of the purpose for which the data was processed; (3) identification of the source or sources of the data; and (4) identification of to whom the data had been sent or may be disclosed.
16. By letter dated 10 August 2017, the DFSA declined to provide the personal data sought by Ms Waterhouse citing Article 39 (2) DPL which disapplies Articles 11-13 and 17 if the application of those Articles would be likely to prejudice the proper discharge by the entities therein mentioned, including the DFSA, of their powers and functions under any laws they administer. In declining to provide the personal data sought by Ms Waterhouse the DFSA stated that her request for disclosure of information directly concerned the exercise by the DFSA of its powers in relation to her conduct during her former role as Compliance Officer, Money Laundering Reporting Officer and Senior Manager of Deutsche Bank in the DIFC. Accordingly, if the DFSA was to provide the information requested this would prejudice the proper discharge of its regulatory powers and functions.
17. Due to a problem with the email address DFSAdataprotection@dfsa.ae, Ms Waterhouse only received the DFSA’s letter of 10 August 2017 on 24 September 2017.
18. On 14 November 2017, Ms Waterhouse lodged a complaint with the Commissioner citing the rejection of the SAR by the DFSA. As stated in paragraph 1 above, the Commissioner’s decision that the DFSA had contravened Article 17 DPL by refusing to comply with Ms Waterhouse’s SAR was issued on 20 June 2018.
19. It is common ground that the DFSA’s appeal to this Court against the Commissioner’s decision is in the nature of a de novo hearing. It is therefore unnecessary to rehearse the Commissioner’s reasons for his decision beyond the summary that follows below.
20. At the time the Commissioner’s decision was issued on 20 June 2018, the FMT proceedings were well under way, there having by then been a CMC on 8 January 2018 and three days of hearings in the period 28 – 30 April 2018. The Commissioner held that the DFSA had failed to establish it would suffer real and substantial prejudice within Article 39(2) if it had to comply with the SAR. The prejudice relied on – diversion of time away from enforcement duties; the potential for creating the impression that the DFSA could be tied up with duties under the DPL and discouraging third parties to give full and frank disclosure – did not amount to real or actual prejudice because: (a) no details of prejudice were provided when the DFSA responded to the SAR; (b) the appearance was given that the DFSA prioritised its duties under the Regulatory Law over those it had under the DPL; and (c) discouragement of full and frank disclosure was not a problem because confidential information from third parties could be redacted. The DFSA had wrongly assumed that for the public good it should not be bogged down with the tedious details of dealing with SARs when it was trying to protect the public from wrongdoers. The specific interest inherent in Article 17 to serve a SAR outweighed the public interest relied on by the DFSA. With regard to the issue of proportionality that arose from the words “without excessive delay or expense” in Article 17, the cost, time and effort for the DFSA to disseminate the data requested was not a sufficient reason to do no search at all. Proportionality was only relevant to how far the search should go to provide relevant information.
If there were any possibility (as was the case here) that the DFSA came to enforcement decisions during the DMC process based on misleading, partial or inaccurate data that may not have been brought to light by disclosure in the DMC or FMT proceedings, the requirement to respond properly to the SAR overrides the time, cost and effort that may be required on the part of the DFSA. This is because Ms Waterhouse faced serious lifelong and professional consequences as a consequence of negative enforcement findings against her. The DFSA should have designed its systems to search and produce information requested by data subjects. Further and in any event, the DFSA not having raised the question of proportionality when it responded to the SAR, it could not raise this issue now retrospectively.
21. The Commissioner directed that the DFSA did not have to disclose information disclosed in the DMC and FMT proceedings or deleted emails or search the physical hard drives of the devices of employees or deal with potential future disclosure to recipients or categories of recipients.
22. In regard to the DFSA’s contention that the information it held in Lever Arch Files did not constitute “Personal Data” because it was not held in a “Relevant Filing System,” the Commissioner held that if the DFSA wished to persist with this contention it should do so when responding to the SAR and in this regard should have regard to the ICO Guidance on what constitutes a relevant filing system and Recital 26 of the European Directive 95/46.
23. On 4 July 2018, the DFSA applied to the Commissioner under Article 33 (6) of the DPL, requesting him to review the direction he made in his decision and to review the 300 odd lever arch files of documents assembled during the DFSA’s investigation which included DB and certain individuals including Ms Waterhouse to form a view whether they constituted a “relevant filing system”.
24. On 8 October 2018, the Commissioner issued his decision on the DFSA’s review application declining to conduct the requested review. In the Commissioner’s opinion, the grounds for review were more suited for an appeal or judicial review proceedings and he noted the grounds for review advanced by the DFSA “had also been largely replicated in [the DFSA’s] Grounds of Appeal.”
The legal framework
25. The DPL was closely modelled on the UK Data Protection Act 1998 (the “DPA”) which was enacted to give effect to the European Directive 95/46 (“the European Directive”). The definitions of particular terms are set out in Schedule 1 of the DPL. The DPA was amended by ss. 69 – 72 and Schedule 6 of the UK Freedom of Information Act 2000, these provisions coming into force on 1 January 2015.
26. The DPA was replaced by the UK Data Protection Act 2018 which gave effect to the European General Data Protection Regulation.
27. The provisions contained in the DPL that are of particular relevance to these proceedings are:
(a) Article 8 (obligation on data controllers to process personal data “in accordance with the Data Subject’s Rights”);
(b) Article 17 (right of data subject to request access to personal data held by a data controller);
(c) Articles 22 and 26 (the establishment of the office of Data Commissioner and the Commissioner’s powers, functions and objectives);
(d) Article 33(1) (power of the Commissioner to issue a direction to a data controller who has contravened the DPL by refusing to comply with a SAR in breach of Article 17);
(e) Article 34 (right of a data subject to complain to the Controller of a contravention of the DPL);
(f) Article 37 (right of a data controller who is found to contravene the DPL or a direction of the Commissioner to appeal to the DIFC Court);
(g) Article 39(2) (disapplication of Articles 11, 12, 13, 14 and 17 to the DFSA and other DIFC bodies).
28. It is necessary to set out Articles 17 and 39 (1) and (2) verbatim.
Article 17
Right to Access to and Rectification, Erasure or Blocking of Personal Data
A Data Subject has the right to obtain from the Data Controller upon request, at reasonable intervals and without excessive delay or expense:
(a) confirmation in writing as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the Recipients or categories of Recipients to whom the Personal Data are disclosed;
(b) communication to him in an intelligible form of the Personal Data undergoing Processing and of any available information as to its source; and
(c) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of the Law.
Article 39
General Exemptions
(1) The DIFCA Board of Directors may make Regulations exempting Data Controllers from compliance with this Law or any parts of this Law.
(2) Without limiting the generality of Article 39(1), Articles 11,12,13,14 and 17 and 18 shall not apply to the DFSA, DIFCA and the Registrar if the application of these Articles would be likely to prejudice the proper discharge by those entities of their powers and functions under any laws administered by the DFSA, DIFCA and the Registrar, including any delegated powers and functions insofar as such powers and functions are designed for protecting members of the public against:
(a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other banking and financial activities and services, including insurance and reinsurance services, financial markets and financial and monetary brokerage services; or
(b) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services.
29. The sections in the unamended DPA that are of particular relevance are section 7 (1), (2), (8) and (9) and section 8 (2):
7(1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled—
(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
(b) if that is the case, to be given by the data controller a description of—
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed,
(c) to have communicated to him in an intelligible form—
(i) the information constituting any personal data of which that individual is the data subject, and
(ii) any information available to the data controller as to the source of those data, and
(d) …
(2) A data controller is not obliged to supply any information under subsection (1) unless he has received—
(a) a request in writing, and
(b) except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.
(3) – (7) …
(8) Subject to subsection (4), a data controller shall comply with a request under the foregoing provisions of this section promptly and in any event before the end of the prescribed period beginning with the relevant day.
(9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.
8 (2) The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless—
(a) the supply of such a copy is not possible or would involve disproportionate effort, or
(b) the data subject agrees otherwise;
and where any of the information referred to in section 7(1)(c)(i) is expressed in terms which are not intelligible without explanation the copy must be accompanied by an explanation of those terms.
The relevant authorities
30. It was common ground that decisions of the courts of England and Wales on comparable provisions in the DPA to those in the DPL were of persuasive assistance in these proceedings but not binding authority. The following are the principal authorities relied on by the parties.
R (On the Application of Alan Lord) v The Secretary of State for the Home Department [2003] EWHC 2073 (Admin).
31. Here, a Category A prisoner (being the claimant) applied to the English High Court under section 7(9) of the DPA for an order that the Home Secretary be directed to provide him with copies of six Category A reports addressing the question whether he should be moved to a lower category of prisoner. The application was made in response to the Home Secretary having refused the claimant’s request under s.7(1) of the DPA to be supplied with these documents.
32. To the extent relevant to these proceedings, the wording of s. 7(1) of the DPA and the wording of Article 17 of the DPL are in substantially similar terms.
33. The key question to be decided on the s.7 (9) application was whether s. 7(1) was exempted from application under s. 29(1) of the DPA which provided in material part:
Personal data processed for any of the following purposes –
(a) the prevention or detection of crime;
(b) the apprehension or prosecution of offenders, or
(c) …
are exempt from … section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
34. In paragraph 83 of the judgment, Munby J (the judge) referred to the following passage at [96] in the judgment of Lord Phillips MR in Campbell v MGN Ltd [2002] EWCA Civ 1373 where the Court of Appeal of England and Wales (“EWCA”) held that, where a data controller is responsible for the publication of hard copies that reproduce data that has previously been processed by means of equipment operating automatically, the publication forms part of the processing and fell within the scope of the DPA.
In interpreting the Act it is appropriate to look to the Directive for assistance. The Act should, if possible, be interpreted in a manner that is consistent with the Directive. Furthermore, because the Act has, in large measure, adopted the wording of the Directive, it is not appropriate to look for the precision in the use of language that is usually to be expected from the parliamentary draftsman. A purposive approach to making sense of the provisions is called for.
35. The judge held in [94] that the words “in any case” in s. 29(1) DPA are to be read as meaning “in any particular case” so that it was for the data controller to show that one of the statutory objectives is likely to be prejudiced in the particular case. (These words do not appear in s. 39(2) DPL.)
36. Turning to the phrase “is likely to be” in s. 29(1) DPA, the judge held at [100] that “likely” connotes a degree of probability where there is a very significant and weighty chance of prejudice to the identified public interests. The degree of risk must be such that there "may very well" be prejudice to those interests, even if the risk falls short of being more probable than not.
37. In [122], the judge made it clear that s. 29 (1) DPA requires that the issue of whether disclosure is likely to prejudice the prevention of crime has to be determined in relation to the particular and individual case in which disclosure is being sought, but he went on to say that this does not mean that one can simply ignore the consequential effect that disclosure in the particular case may have on others.
38. Fairly characterised, the Home Secretary’s case was that the policy of non-disclosure of Category A reports is necessary in every case because anything less would be likely to prejudice the detection and prevention of crime [106]. The Home Secretary had not sought to make good his case by reference to anything peculiar to or specifically referable to the claimant: his claim was based on the asserted need, in order not to prejudice the legitimate section 29(1) DPA objectives, to impose a general policy confining disclosure in effect to what is contained in “gists” prepared in accordance with ex p Duggan [1994] 3 All ER 277 and ex p McAvoy [1998] 1WLR 790. For the reasons submitted by counsel for the claimant, the case advanced on behalf of the Home Secretary that disclosure of Category A reports risked: (i) attacks on the prison staff who produced the reports; (ii) a lack of frankness in reports; and (iii) prejudice to the efficacy of the Category A review system, was unsustainable [125]. Those reasons were as follows.
39. Category A prisoners were not a homogenous group and it was only in respect of one sub–class of the category that disclosure might impact adversely on the detection or prevention of crime: those Category A prisoners whose dangerousness was liable to manifest itself in attacks on, threats to or intimidation of staff. As to this, a targeted form of non–disclosure would properly protect report writers from the risks presented by the sub–class who do pose a threat and equally protect the integrity of the Category A review system. The procedure for parole reviews provided for full disclosure as the general rule, subject to specific, targeted non-disclosure and the same approach should be adopted in the case of Category A reviews. In particular cases, information could be withheld such as information relating to security, surveillance and monitory techniques and prisoners would know that such information would not be disclosed.
40. The judge emphasised that he was not saying every Category A prisoner would in every case be entitled to see the full contents of his Category A reports. There would be cases in which the Secretary of State would be able to rely upon section 29 (1) as justifying less than complete disclosure. All the judge was saying was that the Home Secretary’s present policy of blanket non–disclosure could not be justified under section 29 (1) DPA. What section 29 (1) DPA required was a more selective and targeted approach to non–disclosure, based on the circumstances of the particular case [126].
41. The judge then considered the effect of s. 7(4)(a) and (b) and s. 7(5) DPA. Under these provisions (they have no counterpart in the DPL), unless it was “reasonable in all the circumstances” for the Home Secretary to comply with the claimant’s request without the consent of the prison officers and other persons who had made Category A reports, his obligation was to communicate so much of the information sought as can be communicated without disclosing the identity of the other individuals concerned, whether by the omission of names or other identifying particulars or otherwise.
42. In the judge’s view there had to be a balancing of the interests of prisoners that concerned their liberty and the privacy interests of individuals who could be identified from the information sought under s. 7(1) (including the expectation that such individuals might have of confidentiality) and the balance could be held by a system of targeted disclosure [147-148].
Durant v Financial Services Authority [2003] EWCA Civ 1746
43. The data subject in this case (the claimant) sought disclosure from the FSA which at his request had investigated his complaint against Barclays Bank in the FSA’s supervisory role. The claimant had sued Barclays and lost and sought disclosure of information in the belief that it would help re-open his claims against Barclays. The FSA closed its investigation without informing the claimant of the outcome, as it was entitled to do. In response to the claimant’s s. 7(1) DPA request, the FSA disclosed copies of documents held in computerised form but it refused to disclose information held on manual files on the ground that it was neither “personal” nor “data” in the sense of forming part of a “relevant filing system”. This information consisted of the claimant’s letters of complaint to the FSA and the investigation of that complaint. The claimant applied to a District Judge under s.7(9) DPA whose refusal to order the disclosure sought was appealed to a County Court Judge whose dismissal of the appeal was appealed to the EWCA.
44. The lead judgment of the EWCA was given by Auld LJ who said in [26] that the intention of the Directive is to enable an individual to obtain his personal data, that is, information about himself, from a data controller’s filing system.
45. At [27]-[31], Auld LJ said:
[27] In conformity with the 1981 Convention and the Directive, the purpose of section 7, in entitling an individual to have access to information in the form of his "personal data" is to enable him to check whether the data controller's processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides, for example in sections 10 to 14, to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is [it] to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties. As a matter of practicality and given the focus of the Act on ready accessibility of the information - whether from a computerised or comparably sophisticated non-computerised system - it is likely in most cases that only information that names or directly refers to him will qualify…
[28] It follows from what I have said that not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree … In short, [personal data] is information that affects his privacy, whether in his personal or family life, business or professional capacity …
[29] This narrow meaning of personal data derives, not only from its provenance and form of reproduction in section 1(1), but also from the way in which it is applied in section 7. That section, picking up the definition of "data subject" in section 1(1), sets out the basic entitlement of an individual to access to personal data "of which …[he] is the data subject"…
[30] Looking at the facts of this case, I do not consider that the information of which Mr. Durant seeks further disclosure - whether about his complaint to the FSA about the conduct of Barclays Bank or about the FSA's own conduct in investigating that complaint – is "personal data" within the meaning of the Act. Just because the FSA's investigation of the matter emanated from a complaint by him does not, it seems to me, render information obtained or generated by that investigation, without more, his personal data. For the same reason, either on the issue as to whether a document contains "personal data" or as to whether it is part of a "relevant filing system", the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act…
[31] In short, Mr. Durant does not get to first base in his claim against the FSA because most of the further information he sought, whether in computerised form or in manual files, is not his "personal data" within the definition in section 1(1). It is information about his complaints and the objects of them, Barclays Bank and the FSA respectively. His claim is a misguided attempt to use the machinery of the Act as a proxy for third party discovery with a view to litigation or further investigation, an exercise, moreover, seemingly unrestricted by considerations of relevance…
Zaw Lin and Wai Phyo v Commissioner of Police for the Metropolis [2015] EWHC 2484 (QB)
46. In this case the claimants were Burmese nationals living in Thailand who were charged with the murder of two British tourists in Thailand and faced the possibility of being sentenced to death. With the agreement of the Thai authorities, a Metropolitan police officer, DCI Lyons, went to Thailand and prepared a report on the investigation by the Royal Thai Police (“RTP”) into the murders. The Commissioner of the RTP sought and obtained express agreement from DCI Lyons that his observations and deployment as set out in his report would only be shared with the families of the victims of the murder. The claimants’ subject access requests under s. 7(1) DPA to the Metropolitan Police Commissioner (“MPS”) to be provided with DCI Lyons’ report were refused and they now applied to the High Court under s. 7(9) DPA for an order that the MPS provide them with the report. The MPS contended that the personal data contained in the report had been processed for the purpose of the prevention or detection of crime and/or the apprehension or prosecution of offenders and was exempt from s. 7(1) DPA by reason of s. 29(1) DPA on the ground that disclosure would be likely to prejudice those matters.
47. Green J (the judge) decided that the pursuit of an investigation for the purpose of family liaison was within the scope of s. 29 (at [87]) but held that s.29 and Article 13 of the European Directive required a balancing exercise to be performed between the individual’s right of access under s. 7(1) DPA and the data processor’s right to refuse disclosure under s. 29(1) DPA [78]. The argument to the contrary advanced by counsel for the MPS was not sustainable:
80. … If it were correct then it would in effect reduce to nought the relevant individual's right to privacy or any other right including the even more fundamental right to life. The argument is inconsistent with (inter alia): (a) the Directive and the plain reference to the fundamental rights of the individual concerned; (b) the raison d'être of the DPA 1998 as a protector of an individual's fundamental rights; (c) the view taken by the Court of Justice that derogations from the individual's fundamental rights had to be construed narrowly and in this regard see by way of illustration Case C-473/12 IPI v Englebert et ors [2014] 2 CMLR 9 at paragraph [39] where the Court emphasised that derogations from the fundamental right to privacy "... must apply only insofar as is strictly necessary" (this being the traditional language of the Court of Justice when it is referring to a proportionality exercise); (d) the judgment of Mr Justice Munby in Lord at paragraph [99]: see below at paragraph [84] and with his explanation that because of the importance of the policy of protecting individual rights the burden of proof lay on the State to justify derogation to a high standard of proof; and (e) the judgment of Lord Sumption in Catt at paragraph [8].
48. The judge endorsed Munby J’s observation in Lord that the consequential effect that disclosure in a particular case may have on others can be taken into account when determining whether disclosure is likely to prejudice the prevention or detection of crime. He referred to this as the “chilling effect” of disclosure.
104. Chilling effect: I turn now to the argument based upon the chilling effect of disclosure. I accept that this is, in law, a valid consideration for the MPS to take into account and raise. This is so even though the purpose does not relate to the proceedings in issue but to other future and unidentified proceedings.
105. An issue arising in Lord (ibid) was whether data could be withheld from disclosure on the basis of wider public interest considerations which went beyond the case in issue. The Judge held that it was for the data controller to show that the statutory objective was likely to be prejudiced in the case in which the issue arose (paragraph [94]). But importantly he held further (at paragraph [122]), in an observation of direct significance to the present case, that the focus of attention was not just on the facts of the instant case but could also take account of the impact on other cases:
"122. Moreover, I can accept that, although section 29(1) requires that the issue of whether disclosure is likely to prejudice the prevention or detection of crime has to be determined in relation to the particular and individual case in which disclosure is being sought, this does not mean that one can simply ignore the consequential effect that disclosure in the particular case may have in others."
106. In my judgment this observation must be correct. Nothing in the Directive provides support for a conclusion that the exemption can only be invoked if the data controller can establish that disclosure would be prejudicial in the narrow confines of the instant case. The rationale behind non-disclosure must go wider. Article 13 of the Directive is concerned with the generic activities of prevention, investigation, detection and prosecution of criminal offences and Article 3 refers even more broadly to "areas of criminal law". Disclosure which is prejudicial to these tasks should, under the Directive, be capable of being immune from disclosure. If the disclosure would not prejudice the instant case but would set a precedent which would cause prejudice more broadly, for instance by discouraging cooperation in the future with third parties, then that is also a matter which, in my judgment, falls within the legitimate scope of the protection as a purpose which can in principle be invoked to justify a refusal in the instant case.
49. In [115] the judge said that the case ultimately turned upon the intrinsic relevance of the personal data to the defence in the criminal proceedings when set against the interests of the MPS in non-disclosure. He had read the report but was not at liberty to disclose its contents. He had reviewed each item of personal data in the report and focussed upon the possible value the data in question could have for the accused in the trial. His conclusion was that there was nothing in the personal data which could be of any real value to the claimants and in consequence the claimants’ application did not succeed.
Dawson-Damer and others v Taylor Wessing LLP and others [2017] EWCA Civ 74; [2017] 1 WLR 3255
50. In this case the claimants, beneficiaries under Bahamian trusts, made data subject access requests of the defendant solicitors who acted for the sole trustee of one of the settlements seeking personal data relating to themselves that was in the defendant’s possession. The solicitors refused the request on the basis that much of the personal data was exempt from disclosure on the ground it was subject to legal professional privilege under paragraph 10 of Schedule 7 to the DPA. The claimants then applied to the High Court under s. 7(9) DPA for an order that the defendant provide the personal data requested but this application was refused on the grounds, inter alia, that: (i) the information sought was covered by legal professional privilege; (ii) to supply the claimants with permanent copies of the information would involve a disproportionate effort for the purposes of s. 8(2) DPA; (iii) the subject access requests had been made for the improper purpose of obtaining information to be used in proceedings in the Bahamas.
51. It is the Court of Appeal’s decision on the issues of “proportionate effort” and the relevance (if any) of the purpose of the subject access request that is of relevance to the instant proceedings.
52. The lead judgment was given by Arden LJ who held on the issue of “proportionate effort” that:
(a) … it falls to the data controller to show that the supply of a copy of the information in permanent form would involve disproportionate effort [75].
(b) … [P]roportionality means that in appropriate circumstances there will be bounds to a search: the very words of section 8(2) assert that possibility. However, it is clear from the recitals to the Directive that there are substantial public policy reasons for giving people control over data maintained about them through the system of rights and remedies contained in the Directive, which must mean that where and so far as possible, SARs should be enforced. Moreover, most data controllers can be expected to know of their obligations to comply with SARs and to have designed their systems accordingly to enable them to make most searches for SAR purposes [79].
(c) The defendant had not made good its “disproportionate effort” claim. It must produce evidence to show what it had done to identify the material and to work out a plan of action [83]-[84].
53. Arden LJ styled the issue of the relevance (if any) of the purpose of the subject access request as “the no other purpose rule” issue. She accepted the claimants’ contention that what was said in [27] in Durant does not establish a principle that there is no duty under s. 7 DPA to comply with a SAR if the purpose of the request is otherwise than to check the data requested to see if it infringes the data subject’s privacy and if so to take the steps provided for in the DPA. Paragraph [27] in Durant was not to be taken out of context. What was being said in that paragraph was that a person could not claim that data was personal data because it would assist him in obtaining discovery in litigation or complaints against third parties [111]. Recital (10) of the European Directive made it clear that the rights given by the Directive are to protect fundamental rights conferred by EU law. The Court had been shown nothing in the DPA or the Directive which limits the purpose for which a data subject may request his data or provide data controllers with the option of not providing data based solely on the requester’s purpose [107].
Ittihadieh v 5 – 11 Cheyne Gardens RTM Co Ltd et al; Deer v University of Oxford [2017] EWCA Civ 121
54. The judgments in these two appeals are relevant in respect of: (i) the underlying purpose of the right of access to personal data; (ii) the obligation to communicate in intelligible form “the information constituting any personal data of which the individual is the data subject” in s. 7(1)(c) DPA (cf Art 17 DPL); (iii) the issues of reasonableness and proportionality so far as concerns a data controller’s duty to provide information in response to a subject access request; and (iv) the discretion conferred on the court by s. 7(9) DPA (cf Arts 33(1) and 39(2) DPL) and the balance to be struck between the prima facie right of the data subject to have access to his personal data on the one hand and the interests of the data controller on the other.
55. In the first appeal, the appellant (Mr Ittihadieh) had an interest in three flats in a residential building in London. The management of certain parts of the building was in the hands of a right-to-manage company (“the RTM Co”) which was established by a number of non-corporate owners of other flats in the building who became members of RTM Co and were in dispute with the appellant. At a later date, the appellant became a member of RTM Co but his attempts to get representation on RTM Co were blocked. In the belief that residents in the building had been swapping and retaining personal information about him and there was a specific file on him, the appellant served a wide-ranging subject access request on the directors of RTM Co seeking a copy of all personal data which may be held in handwritten notes, meeting and other attendance notes, letters, e-mails, SMS text messages and word-processed documents. In response, the company said through its solicitors that the request was a “fishing expedition” and an abuse of process that would involve the company in wholly unnecessary costs. Later, the company served about 400 documents some of which were redacted. Dissatisfied with this disclosure, the appellant applied under s. 7(9) DPA for an order that the requested information be supplied. The judge who heard that application held that the subject access request had been directed to the company only: the directors and secretary were not data controllers. As to the disclosure made by the company, no attempt had been made to show that the 400 pages of disclosed documents failed to provide the information to which the appellant was entitled and it would be disproportionate to make an order.
56. In the second appeal, the appellant had brought a sex discrimination claim against Oxford University which was compromised. Subsequently she brought five fresh claims against the university alleging that she had been victimised because she had advanced the settled claim and the subsequent claims. She served two subject access requests on the university. In the first she sought a very wide range of documents aimed at obtaining information about a refusal to provide her with a reference. To begin with the university refused the request on the ground that improper use was being made of the DPA and the appellant served a second subject access request. Subsequently, in response to an order by a judge, the university reviewed over 500,000 emails and other documents at a cost of £116,116. Following a review of this material about 300 documents were disclosed. The appellant’s claim to the court came back before a different judge who held that none of the withheld material constituted the appellant’s personal data and even if there had been any errors of taxonomy in his analysis, in the exercise of his discretion he would not require the university to take any further steps in compliance as this would serve no useful purpose.
57. The lead judgment was given by Lewison LJ. In paragraphs [82] – [89] he observed that the underlying purpose of the right of access to personal data is for the data subject to check its accuracy to see that they are being processed lawfully. However, a data controller is not entitled to refuse to comply with a request if it is made for a collateral purpose such as to obtain documents for the purposes of litigation:
“[T]he mere fact that a person has collateral purposes will not invalidate a SAR, or relieve the data controller from his obligations in relation to it, if that person also wishes to achieve one or more of the purposes the Directive …” [86].
58. In paragraph [93] Lewison LJ dealt with how a data controller must respond to a SAR.
The obligation under section 7(1)(c) includes an obligation to communicate in intelligible form "the information constituting any personal data of which the individual is the data subject". This goes further than section 7(1)(b) which requires a description of the personal data. It is an obligation to supply the information itself. Even so, it is not an obligation to supply documents: Dunn v Durham CC [2012] EWCA Civ 1654, [2013] 2 All ER 213 at [16]. It is of critical importance to distinguish between the two. Although it may be more convenient and cheaper in some cases for a data controller to supply copy documents, there is no legal obligation to do so. It is very easy, however, to slip from dealing with personal data into dealing with electronically generated or stored documents in which personal data are recorded. It seems from many of the reported cases (as well as these two appeals) that individuals who make SARs are, in truth, looking for copy documents. They are in my judgment aiming at the wrong target. This ties in with the definition of "personal data"...
59. On the subject of proportionality, Lewison LJ said this in paragraphs [95] – [100] and [103].
Although neither article 12 of the Directive nor section 7 of the DPA contain any express obligation on the data controller to search for personal data in response to a SAR, it is common ground that such an obligation must necessarily be implied. In Dawson-Damer at [71] to [79] this court concluded that the obligation to search derived from section 8(2); but since section 8 applies only for the purpose of compliance with section 7(1)(c)(i), if section 7 does not apply, section 8 cannot either. I cannot help thinking, however, that both the Directive and the DPA have, as an underlying assumption, the assumption that personal data can be sufficiently retrieved and made ready for disclosure to the data subject at the touch of a few buttons. Experience shows that this assumption is fundamentally unsound. [95]
There are nevertheless indications in the Directive that the EU legislature did not intend to impose excessive burdens on data controllers. First, there is the description in the recitals of the kinds of systems to which the Directive applies:
"(15) Whereas the processing of such data is covered by this Directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question
(27) … whereas, nonetheless, as regards manual processing, this Directive covers only filing systems, not unstructured files; whereas, in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data…" [96]
Second, in considering the scope of a member state to lay down time limits for the retention of personal data, the court in Rotterdam v Rijkeboer applied the principle of proportionality: see [60] to [66]. Likewise in Lindqvist the court applied the principle of proportionality to a conflict between privacy on the one hand and freedom of expression on the other. In (Case C-582/14) Breyer v Bundesrepublik Deutschland at [46] in considering whether an individual was likely to be capable of being identified from particular data, the court held that this meant capable without disproportionate effort [97].
Third, as Mr Milford correctly pointed out, the principle of proportionality is a general principle of EU law: (Joined Cases C-27/00 and C-122/00) R (Omega Air Ltd) v Secretary of State for the Environment Transport and the Regions [2002] ECR I-2569 at [62]; and the court treated it as such in Lindqvist. [98]
Fourth, in Ezsias v Welsh Ministers at [93] Judge Hickinbottom held that on receipt of a SAR, a data controller must take reasonable and proportionate steps to identify and disclose the data he is bound to disclose. In my judgment he was right. He also considered at [94] that some context for deciding whether a search is reasonable and proportionate was given by the amount of the fee payable (£10 in most cases) and by a public authority's ability to refuse to comply with a SAR where the costs of doing so would exceed £600. However, the fee of £10 payable in the general run of cases is in my view derisory; and I think that it would be very dangerous to give it any significant weight in deciding whether a search has been reasonable and proportionate. [99]
As mentioned, section 8(2) of the DPA entitles a data controller not to supply a copy of the information in permanent form if to do so would involve disproportionate effort. However, there is no express provision of the DPA which relieves a data controller from the obligation to supply the information required by section 7(1) on the ground that it would be disproportionate to do so. In my judgment, while the principle of proportionality cannot justify a blanket refusal to comply with a SAR, it does limit the scope of the efforts that a data controller must take in response. That was also the conclusion of this court in Dawson-Damer at [76] and [77]. [100]
There is one further point to be made under this head. Because the implied obligation to search is limited to a reasonable and proportionate search (or as Mr Milford put it, it is not an obligation to leave no stone unturned), the result of such a search does not necessarily mean that every item of personal data relating to an individual will be retrieved as a result of such a search. There may be things lurking beneath another stone which has not been turned over. Accordingly the mere fact that a further and more extensive search reveals further personal data relating to that individual does not entail the proposition that the first search was inadequate. [103]
60. Lewison LJ said that the discretion conferred on the court by s. 7(9) DPA was not untrammelled. A discretion conferred on a court by legislation was conferred for a purpose, and in exercising such a discretion the court must act in furtherance of that purpose. The starting point when exercising the discretion conferred by s. 7(9) was that the controller had failed to comply with his obligations under s. 7 [105]. However, that said, in exercising the discretion the court must have regard to the general principle of proportionality which runs through EU law [107]. A balance had to be struck between the rights and interests in question [108]. Amongst the relevant factors that the court may take into account were: is there a more appropriate route to obtaining the requested information; the nature and gravity of the breach; the absence of a legitimate reason for the SAR, even though a collateral purpose of assisting in litigation is not an absolute bar; the application is an abuse of rights e.g. where litigation is pursued merely to impose a burden on the data controller; the application is procedurally abusive, e.g. where it has failed before; and the personal data are of no real value to the data subject.
61. In the Ittihadieh appeal, the judge’s exercise of discretion had been firmly based on proportionality and the judge reached a conclusion which he was entitled to reach [128].
62. In the Deer appeal, the judge had been entitled to: (i) take the view that further disclosure would serve no useful purpose; (ii) take account of the appellant’s relentless pursuit of disclosure not only of personal data but also documents; and (iii) take account of the lack of proportionality in the appellant’s subject access requests.
The parties’ respective cases in the appeal
The DFSA’s case on the appeal
63. The DFSA pleads eight grounds of appeal in its Particulars of Claim which were served before it had been established that the appeal against the Commissioner’s finding that the DFSA had contravened the DPL was by way of a de novo hearing. Unsurprisingly, the argument advanced by Mr Pitt-Payne QC for the DFSA was rather more broadly expressed than the pleaded grounds of appeal. The argument proceeded under the following headings.
The Article 39 exemption (Ground 3)
64. It was submitted that compliance with the SAR would be likely to prejudice the proper discharge of the DFSA’s powers and functions by severely impacting on: (a) the DFSA’s role in the on-going proceedings brought by Ms Waterhouse in the FMT challenging the DFSA’s Decision Notice during which the DFSA had to gather further information; and (b) the DFSA’s wider functions as a Regulator including future investigations. In respect of both (a) and (b), compliance with the SAR would involve the DFSA in having to divert very significant financial and human resources from performance of its regulatory functions; and in respect of (b) alone, there would be the “chilling effect” noted in Zaw Lin at [106] of deterring third parties from sharing confidential information with the DFSA and also the subjects of future investigations could be encouraged to serve SARs with the intention of distracting the DFSA and tying up time and money.
65. The DFSA’s assessment of the quantity of paper records presented during the hearing before the Commissioner was that there were about 280 lever arch files of hardcopy documents that represented evidence gathered during the course of the enforcement investigations. These lever arch files were not ordered by reference to the individuals who were the subject of the investigation and contained a mix of different types of documents. More than 100 of the lever arch files contained documentary evidence in support of the findings contained in the report relating to an independent investigation that was commissioned by Ms Waterhouse’s previous employer in 2014 covering events from the start of 2011. Some of the lever arch files could be excluded as not containing personal data about Ms Waterhouse but in respect of others of the files there was no way to make this determination without individual examination thereof.
66. So far as concerns electronic records, the DFSA put before the Commissioner a report compiled by Mr Matthew Hammond, Senior Manager in the DFSA’s Enforcement Division. Mr Hammond’s conservative estimate of the total DFSA data estate across physical and virtualised servers was between 70 and 80 TB. In addition, there were approximately 140 laptop computers of approximately 40 TB. A review of the whole estate would require the retention of a third-party contractor at an estimated cost of between US$500,000 and US$800,000. Mr Hammond had reviewed the following sources of the electronic data with a view to estimating the person hours needed to review the data to comply with the SAR: Regulatory Information System; centralised email server; virtual personal devices; physical hard drives; mobile devices; and SharePoint.
67. The Court has before it a witness statement from Mr Patrick Meaney, the DFSA’s Head of Enforcement dated 13 December 2018. In this statement, Mr Meaney refers to Mr Hammond’s report and brings the Court up to date stating that, since the proceedings before the Commissioner, the DFSA had received a price estimate for the work required to comply with the SAR from Deloitte Professional Services (DIFC) Ltd in the sum of US$300,000 plus AED 15,700 which represents more than double the annual budget for the Legal, Consultancy and other Professional Fees and approximately 9% of the Enforcement Division’s entire annual budget.
68. In the course of the Commissioner’s investigation into Ms Waterhouse’s complaint against the DFSA, the Commissioner sought from Ankura Consulting Group LLC (“Ankura”) a detailed preliminary estimate of the costs it would charge to provide technology services to assess electronic records and lever arch files in the DFSA’s possession for personal data relating to Ms Waterhouse. The Commissioner’s request was for an estimate to be used to answer the DFSA’s arguments relating to the disproportionate cost to respond properly to the SAR. Ankura’s estimated total costs for the engagement were US$ 90,000 – US$ 102,500, assuming a 3 - 6 month duration if the work could be done remotely and US$ 120,000 – US$ 153,000 if the work had to be done on site. These estimates were based on a different approach from that adopted by Deloitte in that data would be culled at source by taking into account likely storage sites and individuals involved and the first estimate assumed that onsite data would be provided on site with remote forensic support. In addition, between US$ 10,000 and US$ 12,500 per month would be charged under both scenarios for mobile server costs.
69. The Ankura estimates are criticised by Mr Lake in his third witness statement where he says that Ankura has incorrectly assumed that there were defined data collection processes and data collection points in a very structured controlled environment and that the relevant information in hard copy files will be already stored in electronic format in one of the searchable databases. Mr Lake also points out that data cullable at source is limited to email data searchable by the DFSA’s IT administrator and searches of this data would not include attachments.
70. Mr Meaney also expresses the view that parties asked to provide information to the DFSA in the course of an investigation, even if they could be compelled to produce it under the Regulatory Law, would be much less willing to co-operate if they knew the subject of the investigation could discover who had provided the information by serving a SAR when otherwise the information would remain confidential pursuant to Article 38 (1) of the Regulatory Law.
71. The DFSA submits that the interest of Ms Waterhouse in the provision of the information she seeks that is to be balanced against the interest of the DFSA in not having to comply with the SAR is the extent to which Ms Waterhouse’s case in the FMT proceedings could be assisted if the SAR were enforced. And given the disclosure that has been made by the DFSA in respect of the DMC proceedings, the Decision Notice and the FMT proceedings, both on the DFSA’s initiative and in response to disclosure applications made by Ms Waterhouse, the weight of her interest is very small as was recognised in paragraph 5 of Ms Waterhouse’s submissions to the Commissioner dated 7 March 2018:
It is correct to point out that any documents disclosed by the DFSA following this complaint that are relevant to her regulatory challenge before the FMT should then be included in the bundle of documents before the Tribunal. However since the DFSA has now given disclosure within those proceedings it is anticipated that there may not be many further documents to include in any event.
72. Evidence relating to the disclosure provided to Ms Waterhouse during the proceedings referred to in paragraph (71) above is provided by Mr James Lake, the Associate Director in the Legal Department of the DFSA, in his first witness statement dated 13 December 2018. In this statement Mr Lake deposes to the matters related in paragraphs (6) and (7) and in paragraphs 106 – 107 to the documents that had been provided to Ms Waterhouse following the Decision Notice as follows:
(a) on 29 April 2015, a complete set of the materials referenced in the report setting out the findings of the DFSA’s investigation as at October 2014 and copies of transcripts of all interviews undertaken by the DFSA in connection with this matter referred to in the report;
(b) on 10 January 2016, a copy of the relevant materials taken into consideration by the DMC when it made the decision to give Ms Waterhouse a Preliminary Notice (setting out the proposed action and giving her an opportunity to make representations on that proposed action);
(c) copies of further documents during the course of Ms Waterhouse’s representations to the DMC (for example on 23 March, 28 April, 22 June, 23 June, 30 June, 4 August, 11 August and 21 August 2016); and
(d) on 18 December 2017 the DFSA provided Ms Waterhouse with further documents which were relevant to the FMT proceedings and referred to in the DFSA’s response to Ms Waterhouse’s Statement of Case in those FMT proceedings.
73. In paragraphs 96 and 97 of his first witness statement, Mr Lake states that in a letter dated 23 December 2017 Ms Waterhouse requested disclosure and listed a number of categories of documents which she wanted disclosed. These were: (i) documents passing between the DFSA and DB relevant and concerning the investigation by the DFSA into DB or Ms Waterhouse or Chetan Palmar (“CP”); (ii) documents passing between the DFSA and DB relevant and material to the proceedings concerning the settlement of the investigation into or proceeding against DB or CP or any others; (iii) documents passing between the DFSA and Freshfields and the DFSA and DB about the internal investigation by DB and Freshfields into Ms Waterhouse’s alleged actions which are relevant and material to the proceedings and/or any part of the Kansas Report and/or the DFSA’s Investigation Report and supporting documents; (iv) all documents held by the DFSA relating to the subject matter of the Kansas Report (some of the documents are mentioned in the Report but had not been disclosed so far); (v) internal documents held by the DFSA about Ms Waterhouse relating to the investigation by the DFSA against me including all correspondence between the DFSA Enforcement and the DMC members or advisors and between members of the DMC Steering Committee, the DMC and DFSA Enforcement; (vi) documents passing between the DFSA and DB and internal documents held by the DFSA which concerned possible regulatory action to be taken against Ms Waterhouse; (vii) documents passing between the DFSA and Clifford Chance about alleged events and the Skilled Persons Report relevant to the investigation by the DFSA into DB or CP or Ms Waterhouse; and (viii) documents passing between the DFSA and DB concerning the disclosure of the settlement agreement between DB and Ms Waterhouse to the DFSA.
The DFSA agreed to review certain of the categories of documents requested but not all of them. The DFSA did not consider it appropriate to review and disclose documents falling within all of the categories requested by Ms Waterhouse as it did not consider all of them relevant or material to any issue in the FMT proceedings.
74. In paragraphs 108 – 114, Mr Lake states as follows. The DFSA responded to Ms Waterhouse’s documentary request in a letter dated 3 January 2018. This letter contained a detailed analysis of the request and set out the categories of documents which the DFSA was prepared to review to ensure that anything relevant and material to the reference to the FMT had in fact been disclosed and it gave detailed reasons in terms of lack of relevance or prior provision for the refusal to disclose the documents in the other categories sought. Given the DFSA’s offer to undertake the review offered in the 8 January 2018 letter, Ms Waterhouse’s counsel did not make any application for disclosure at the CMC on 8 January 2018 and nor did the FMT make any further order for disclosure.
75. The DFSA completed the disclosure review and the further disclosure was provided to Ms Waterhouse on 22 February 2018. Additionally, as related above, the DFSA provided further disclosure of documents in the FMT proceedings on 8 March 2018, 22 March 2018, 23 March 2018, 2 April 2018 and at other times leading up to and during the FMT hearing from 28 to 30 April 2018.
Proportionality and Article 17 (Ground 5)
76. Citing paragraphs [95] – [103] of Lewison LJ’s judgment in Ittihadieh (see paragraph 59 above), the DFSA submits that proportionality is central to the DPA not only because of the wording of s. 8(2) thereof but also because of the European law context and given that the DPL was modelled on the DPA, a similar approach should be applied to the DPL. It follows that, irrespective of Article 39(2), a data controller is not obliged to comply with a SAR if to do so would be disproportionate and this is the situation in the instant case.
77. The DFSA further submits that, as was held in Ittihadieh [107]-[108]8 and Dawson-Damer [76]-[77]9, the question of proportionality is essentially a consideration as to what would constitute a fair balance between the interests of the data controller and the data subject. Applying this approach, for the reasons submitted on the question of proportionality in respect of Article 39(2) (see paragraphs 71 – 75 above) it would be disproportionate to require the DFSA to comply with the SAR.
Nature of the Request: documents, not information (Ground 1)
78. The DFSA submits that the SAR is in any event misconceived because it seeks the disclosure of documents whereas under Article 17 DPL (cf s. 7(1)(a) – (c) DPA), a data subject has the right only to obtain his or her personal data in intelligible form. In support of this submission, the DFSA cited Ittihadieh at [92] – [93].
The obligation under section 7 (1) (b) is not an obligation to supply personal data: it is an obligation to provide a description of the personal data. The description might, for example, say that the data controller has processed the data subject's name and address, date of birth, wage record, educational qualifications and so on [92].
The obligation under section 7(1)(c) includes an obligation to communicate in intelligible form "the information constituting any personal data of which the individual is the data subject". This goes further than section 7(1)(b) which requires a description of the personal data. It is an obligation to supply the information itself. Even so, it is not an obligation to supply documents: Dunn v Durham CC [2012] EWCA Civ 1654 [2013] 2 All ER 213 at [16]. It is of critical importance to distinguish between the two. Although it may be more convenient and cheaper in some cases for a data controller to supply copy documents, there is no legal obligation to do so. It is very easy, however, to slip from dealing with personal data into dealing with electronically generated or stored documents in which personal data are recorded. It seems from many of the reported cases (as well as these two appeals) that individuals who make SARs are, in truth, looking for copy documents. They are in my judgment aiming at the wrong target. This ties in with the definition of "personal data". Accepting as I do that a person's name is his personal data, it does not follow that every piece of information in a document in which his name appears is his personal information. In such a case it would, in my judgment, be enough for the data controller to inform the data subject that, for instance, his name is consistently recorded as "Charles Pooter" and his address as "the Laurels, Brickfield Terrace, Holloway" in a specified number of documents between particular dates. There would be no obligation to disclose the documents themselves. This is, I think, borne out by article 12 of the Directive which requires the data controller to inform the data subject of the "categories of data concerned."[93]
79. The DFSA argued that it was plain from the following wording of the SAR that what was being requested were documents.
“The scope of my request
Although the DFSA will hold and will have processed a wide range of personal data about me, this request is limited to the following data:
1. Emails, reports, notes of meetings, letters or other documents that referred to her by my name in the content of subject heading which (i) passed between employees of the DFSA (internal communications) or (ii) passed between the DFSA and any third parties (whether sent or received) or (iii) passed between the DFSA and witnesses interviewed by the DFSA in the course of their investigation into her concerning her role at Deutsche Bank.
2. Emails, reports, notes of meetings, letters or other documents from which she can be readily identified, but which did not expressly refer to her by name in respect of each category of data set out at (i) – (iii) above.
3. In order that the search should be proportionate, I am prepared to agree that the search is limited to emails, reports, notes of meetings, letters, or the documents falling under paragraph 1 or 2 above from 1st October 2011 onwards.
I am not seeking to see any documents that would be covered by legal privilege.”
80. The DFSA also relied on the following statements (with italicised emphasis supplied) in letters sent by Ms Waterhouse to the FMT in the course of requesting the FMT to delay making a decision until the proceedings now before the Court had been concluded.
(a) Letter dated 2nd October 2018:
“I do not ask the FMT to adjourn the hearing listed from 29 October, so long as the FMT does not conclude the present proceedings until the outcome of the challenge in the CDP’s decision is known, since to do so would risk a decision being taken in the absence of important documents”.
(b) Letter dated 11th October 2018:
“On 20 June 2018 the CDP upheld my complaint against the DFSA and ordered it to provide documents to me.”
“The DFSA remains, therefore, in breach of its obligations to provide documents to me”.
“It is for that reason that the provision of documents pursuant to the CDP’s decision is essential in order for me to have a fair hearing.”
(c) Letter dated 23rd October 2018:
“I invite the tribunal to conclude that the absence of these documents reinforces the need for me to have access to the information which is the subject of the CDP’s decision.”
(d) “The position remains of course, that if there are further documents of which I am not aware I cannot make submissions on them. That reinforces the need for the data protection issue to be resolved before the conclusion of the appeal.”
Preconditions for making a complaint (Ground 4)
81. The DFSA submits that the Commissioner did not become seised of Ms Waterhouse’s complaint concerning the DFSA’s refusal to provide the requested personal data because Ms Waterhouse did not believe on reasonable grounds that she had been adversely affected by a contravention of the Law as regards her Article 17 rights as required by Article 34 (1) DPL. That provision reads:
A Data Subject who believes on reasonable grounds that he has been adversely affected by a contravention of the Law in respect of the Processing of his Personal Data and as regards the exercise of his rights under Articles 17 and 18 may lodge a complaint with the Commissioner of Data Protection.
82. The DFSA contends that Ms Waterhouse was not adversely affected by its refusal to comply with the SAR because her purpose was to obtain documents helpful to her in the FMT proceedings and she could equally achieve this purpose through making an application for disclosure of relevant documents in those proceedings. It follows that Ms Waterhouse cannot have believed on reasonable grounds that she was adversely affected by the DFSA rejection of the SAR.
83. In the proceedings before the Commissioner, in addition to contending that she had been adversely affected by the DFSA’s refusal to comply with the SAR because her right to be provided with her personal data had been wrongly denied by the DFSA, Ms Waterhouse cited the following examples of personal data having been inaccurately and/or misleadingly processed by the DFSA:
(a) Some but not all of the relevant data about a grievance she had initiated against her line manager whilst employed by a former employer had been processed by the DFSA.
(b) Part of the data concerning this grievance was misleading and gave an inaccurate explanation of the circumstances leading to the grievance.
(c) The DFSA had processed partial and inaccurate data about Ms Waterhouse’s pay when employed by a former employer which was a financial institution.
(d) The DFSA had processed partial and inaccurate data about the terms of a confidential settlement Miss Waterhouse had reached with her former employer.
(e) The DFSA had processed Ms Waterhouse’s medical records and disclosed them to a third party without the requisite consent.
84. Ms Waterhouse also contended that following the refusal by the DFSA to comply with the SAR she had spent considerable time and incurred expenditure pursuing her complaint about the refusal.
85. The DFSA’s response to (1) and (2) above is that Ms Waterhouse raised the issue of DB disciplinary proceedings against her and her grievance against DB in the course of her representations to the DMC. To understand these claims the DFSA requested and were provided with information and copies of relevant documents by DB. In the course of the FMT proceedings, Ms Waterhouse again raised the allegations she made against her former line manager and following a CMC (partly held in private) the FMT ordered that the DFSA may disclose information about Ms Waterhouse’s allegations to DB and the line manager to enable the DFSA to investigate the allegations and to respond thereto in the FMT proceedings. Early in January 2018, the DFSA asked DB to provide copies of all documents relating to the grievance filed by Ms Waterhouse and just over a week later DB provided documents and information regarding Ms Waterhouse’s grievance. DB then provided further information and relevant documents on 25 January 2018. Prior to receiving this information, in January 2018, the DFSA had only limited information regarding Ms Waterhouse’s grievance against DB and the former line manager. In the light of this explanatory background, Ms Waterhouse’s assertion that the DFSA had “processed some but by no means all” of the relevant data about her grievance is not understood and is rejected.
86. As to (3) above, the DFSA was provided with details of Ms Waterhouse’s salary in the period 2011-2014 by DB in October 2014 in response to a notice under Article 80 of the Regulatory Law. That information was held only within the DFSA Enforcement Division and it was not used or relied on for the purposes of the ongoing investigation. Accordingly, in the submission of the DFSA, Ms Waterhouse’s claim that this information was partial and inaccurate makes no sense and is denied.
87. As to (4), the DFSA accepts that it disclosed the existence of the settlement agreement between Ms Waterhouse and DB to the FMT. The DFSA also informed the FMT that Ms Waterhouse had received a very significant payment from DB in compensation for loss of employment. This disclosure was initially in the context of her application for the FMT to waive the filing fee for her reference to the FMT. DFSA Enforcement required DB to provide details of the settlement for the purposes of responding to representations made by Ms Waterhouse to the DMC. The settlement agreement was also referred to in correspondence during the FMT proceedings. Save aforesaid, the DFSA avers that it has not disclosed the settlement agreement to any other parties including internally to the DMC or to the FMT and it submits that there is no basis for Ms Waterhouse’s allegation that it partially and inaccurately processed this information.
88. As to (5), the DFSA maintains that it only obtained Ms Waterhouse’s medical records in December 2017 after her subsequent complaint to the Commissioner. In her Statement of Case Ms Waterhouse referred to a medical report she had obtained which she claimed was relevant to the FMT proceedings. The medical report was first seen on 17 December 2017 when Ms Waterhouse provided it to the DFSA with various other documents including some of her previous medical records which were referred to in the report. The report focused on a particular factual event in email correspondence involving Ms Waterhouse dated 30 October 2011. These were matters in dispute in the FMT proceedings.
89. When she provided the DFSA with a copy of the report, Ms Waterhouse stated that it contained confidential medical information and she did not give her consent for the report to be disclosed to any third parties. The extent to which Ms Waterhouse was able to rely on the report and the DFSA’s ability to respond to the issues it raised was considered by the FMT at the CMC on 8 January 2018. Prior to that, the DFSA and Ms Waterhouse exchanged correspondence on the issues to be discussed at the CMC. In a letter to the DFSA dated 23 December 2017, copied to the FMT, Ms Waterhouse stated that “it will assist case preparation if you inform me before the CMC if you intend to instruct your own expert to give evidence.” Subsequently, by letter dated 3 January 2018, the DFSA informed Ms Waterhouse that if the FMT were to grant permission for her to rely on the medical evidence she had disclosed, the DFSA intended to ask that an expert attend the FMT hearing for cross-examination and that the DFSA be given permission to produce its own expert evidence. Ms Waterhouse was therefore informed before the CMC that if the FMT granted permission for her to rely on the report, the DFSA intended to produce its own expert evidence. The DFSA proceeded to instruct a medical expert who was provided with a copy of Ms Waterhouse’s medical report and supporting documents. The expert subsequently provided the DFSA with a written assessment and opinion on Ms Waterhouse’s medical report which was shared with Ms Waterhouse on 8 March 2018. Ms Waterhouse then asked the DFSA to explain how it had obtained her consent to her confidential medical information including her medical records being provided to a third-party. It was Ms Waterhouse’s view that having explicitly withheld her consent to her medical records being disclosed to a third-party, the DFSA ought not to have provided the report to the expert.
The DFSA explained in a letter to Ms Waterhouse dated 23 March 2018 that having informed Ms Waterhouse that it would be instructing an expert and Ms Waterhouse having consented to this, the DFSA had understood that she did not object to her medical report being provided to the expert. The DFSA apologised if they had misunderstood her intentions.
90. Prior to becoming aware that the DFSA had provided the medical report and medical records to the medical expert, Ms Waterhouse had no basis on which to believe that the DFSA had somehow been processing her personal data relating to her medical information against her wishes. The DFSA’s instruction of a medical expert had been necessary for the purposes of the ongoing FMT proceedings and disclosure of confidential information by the DFSA is permissible under Article 38(3) of the Regulatory Law and had been impliedly consented to by Ms Waterhouse when she was told and consented to the instruction of a medical expert by the DFSA.
The DFSA’s paper records (Ground 6)
91. In the course of the proceedings conducted by the Commissioner, the DFSA contended for the first time that the 280 odd lever arch files containing hard copy documents it had compiled during the investigations into DB and Ms Waterhouse did not constitute a “Relevant Filing System” for the purposes of the definition of “Data” in the DPL and therefore cannot constitute “personal data” and hence cannot come within the scope of the SAR.
92. “Data” is defined in the DPL as:
Any information which: (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should be processed by means of such equipment; or (c) is recorded as part of a Relevant Filing System or with the intention that it should form part of a Relevant Filing System.
“Relevant Filing System” is defined as:
Any set of information relating to an identifiable natural person to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
94. As recorded in paragraph (22) above, the Commissioner declined to decide whether the lever arch files were a Relevant Filing System but instead directed that when the DFSA came to comply with the SAR in compliance with the Commissioner’s direction that it should do so, the DFSA could contend that the lever arch files were beyond the scope of the SAR and the issue whether this was so could then be decided.
95. The DFSA submits that, pursuant to Article 33(2) DPL which provides that when issuing a direction, the Commissioner “shall carry out, as a minimum, due process by means of undertaking all the reasonable and necessary inspections and investigations to be adequately satisfied to establish the Data Controller’s contravention …”, the Commissioner should have inspected the lever arch files and found that they were not a Relevant Filing System. Accordingly, even if (which is denied), the DFSA was obliged to comply with the SAR to the extent that Ms Waterhouse’s personal data was electronically stored, the Commissioner should have held that the lever arch files were beyond the scope of the SAR.
The Commissioner’s case on appeal
96. To begin with I shall deal with the Commissioner’s contentions of an over-arching nature and I shall then summarise his specific submissions in response to the DFSA’s case.
97. Mr Russell QC for the Commissioner argued that if the SAR was a valid request (which it was), then the DFSA was obliged, as a minimum, to scrutinise the personal data of Ms Waterhouse that it held and to inform her, as a minimum, what personal data of hers it held that could be provided without prejudicing it in the discharge of its powers and functions under any law it administered. The DFSA had failed to undertake any such scrutiny and thus, as of 10 August 2017, when it rejected the SAR, the DFSA was in contravention of the DPL and that breach had continued ever since. Anything that the Commissioner or the DFSA did subsequently was accordingly nothing to the point.
98. This submission prompted the Court to observe that it would have serious reservations about ordering the DFSA to comply with the SAR in its entirety if it was of the view that certain of the data requested ought to be withheld on grounds of confidentiality or to avoid the risk of the flow of information from third parties drying up if such parties knew that their identity might be revealed through compliance with a SAR. Mr Russell then took instructions from the Commissioner and informed the Court that the Commissioner accepted that the direction given in his decision does not preclude the DFSA from raising, in respect of any particular item or category held by it in relation to Ms Waterhouse, any objection to its provision which is based on Article 39(2) or that any material which it holds is not personal data.
99. Citing p. 46 of the SAR Code of Practice issued by the UK Information Commissioner’s Office (“ICO”), Mr Russell noted that even if a data controller does not have to supply information in a permanent form in response to a SAR, the data subject still has the right to be given a description of the recipients of the data and it appeared that the DFSA had declined to inform Ms Waterhouse of the persons or categories of persons to whom her personal data had been disclosed and no reason had been advanced why this prima facie breach of the DPL was excused by Article 39 (2). In particular, the DFSA had provided no evidence whether it had considered this aspect of the SAR which, since it required merely a review of the DFSA’s outgoing communications, would have been much less extensive than a search of the DFSA’s whole data base. On this ground alone, the finding of the Commissioner could be supported.
100. The Commissioner further contended that the burden was on the DFSA to identify the basis upon which its refusal to provide requested information was lawful (see Dawson-Damer at [73]) and where the effort involved in compliance with a SAR is relied on as an aspect of proportionality, a mere assertion that it is too difficult to search through voluminous papers is not sufficient (see Dawson-Damer at [74]).
The Article 39 exemption (Ground 3)
101. Mr Russell submitted that, unlike Article 39(1) DPL, Article 39(2) DPL does not confer a general exemption on the DFSA from the provisions of Article 17 DPL. Instead, Article 39(2) is expressly limited in scope and thus there must be many cases where the DFSA could respond positively to a SAR where doing so would have no effect whatsoever on the performance of its statutory duties.
102. Mr Russell next argued that the Article 39 (2) DPL “likely to prejudice” test must be satisfied by reference to the “specific request” and the boundary of the exemption conferred by that provision does not extend to information in the possession of the DFSA which could be disclosed without risk of prejudice to its statutory duties. Thus, the “likely to prejudice test” must be applied to the specific pieces of information held by the data controller which means that the data controller will have had to scrutinise all the information that might contain personal data relating to the data subject before he can lawfully resist a SAR under Article 39(2). In support of this contention, Mr Russell relied on the following parts of the Subject Access Code of Practice version 1.2 (“V 1.2”) and the original version (“OV”) issued by the Office of the UK Information Commissioner (ICO): (a) information systems should facilitate dealing with SARs (V 1.2, p 21); (b) a data controller should be prepared to make extensive efforts to find and retrieve the requested information (V 1.2, p 28); (c) the DPA does not permit you to exclude information from a response to a SAR merely because it is difficult to access (OV, p 22); (d) rely on the disproportionate effort exception only in the most exceptional of cases and respond in a cooperative way (OV, p 37); (e) s. 31 of the DPA (exemption) does not operate as a blanket exception (V 1.2, p 4) of [the Code of Practice] as to how data controllers should respond to a SAR.
103. It was further submitted that specific evidence is required to support the DFSA’s contention that the performance of the DFSA’s powers and functions would be prejudiced by compliance with the SAR. No such specific evidence had been adduced by the DFSA which has simply relied on a generalised assertion that its powers and functions would be prejudiced if it had to comply with the SAR. For this reason alone, this ground of appeal fails. In addition, citing page 22 of the original version of the ICO’s SAR Code of Practice, Mr Russell contended that in any event, cost per se cannot be a defence since it is simply a cost of compliance with the law as a data controller.
104. It was contended that instead of proceeding on the basis that it was necessary to search throughout the whole of the information it held in respect of Ms Waterhouse in order to comply with the SAR, the DFSA, after consulting with Ms Waterhouse, should have adopted a targeted disclosure approach of the sort canvassed in Lord which could have eliminated certain categories of information from disclosure, for instance disclosure which would have involved revealing the source of information received in confidence.
105. Mr Russell styled the DFSA’s argument that it would be very severely hampered in carrying out its regulatory functions in respect of its investigation of Ms Waterhouse as “the sky will fall in” argument. In responding to this part of the DFSA’s case, the Commissioner relied on an affidavit sworn by Ms Lori Baker who, in her capacity as Director of Data Protection, has assisted the Commissioner in respect of the proceedings presently before the Court. In her 2nd affidavit, Ms Baker deposes to a conference call attended by individuals representing the UK Financial Conduct Authority (FCA) led by Mr Choyce which was attended, inter alios, by the Commissioner, Mr Russell and herself. Ms Baker says that Mr Choyce stated during the conference that the FCA handles SARs in the manner required of any data controller. The ICO guidance in relation to SARs is not controversial and is not challenged by the FCA, and the FCA applies it accordingly. The cost of handling SARs is part of the requirements to comply with the DPA. In responding to SARs the FCA has to assess the requirements clearly in light of any exemptions, the data subject’s interests and the public interest, and respond appropriately, regardless of the cost. The FCA has only applied exemptions in very rare and limited circumstances as prescribed by the DPA. The FCA and the ICO cooperate to ensure appropriate application of the DPA. Any necessary tests for exemptions are applied on a case-by-case basis; the FCA does not rely on any sort of blanket application of exemptions afforded to it by the DPA. The FCA applies the “prejudice test” as applied by the UK Data Commissioner in his Decision Notices. There is nothing on the record that an order by the ICO has been opposed or challenged by the FCA. There have been no appeals of an ICO decision. The FCA and the ICO are well aligned regarding policy in this area of the law. 
The FCA estimates that prior to the introduction of the European General Data Protection Regulation (the “GDPR”) there were approximately 120 SARs per year made to it. After the GDPR there have been approximately 80 per year.
106. Responding to the DFSA’s submission based on the cost of implementing the SAR, Mr Russell maintained that what lay behind this contention was the DFSA’s failure to have the systems in place necessary to comply as data controller with the requirements set out in Article 8 DPL and its duty to comply with SARs under Article 17 DPL. Mr Russell also pointed out that among the estimates of the costs of implementing the SAR that were before the Court there was only one which included the instructions in respect of the work to be done, and that was the Ankura estimate obtained by the Commissioner.
Proportionality and Article 17 (Ground 5)
107. It was argued by Mr Russell that there is no warrant for subordinating the clear right conferred on a data subject by Article 17 DPL to considerations of proportionality. In his submission, the reliance by the DFSA on the words “without excessive delay or expense” in the opening sentence of Article 17 as one of the two bases for its proportionality contention was misconceived. He submitted that those words simply give effect to sections 7(2) and 7(8) of the DPA and when the UK cases refer to proportionality, they are referring to section 8(2)(a) of the DPA which has no counterpart in the DPL.
Nature of Request: documents, not information (Ground 1)
108. In support of the Commissioner’s contention that the SAR was in respect of personal data and not documents, Mr Russell laid emphasis on: (a) the words “personal data” in the second sentence of the SAR letter; (b) the words “personal data” and “the following data” in the opening words of the section of the letter entitled “The scope of my request;” (c) the words “personal data” in the opening sentence under the heading “Information to Supply”; (d) the word “data” in each of the four categories listed in the heading “Information to Supply;” and (e) the words “the data” in the concluding sentence of the letter.
Preconditions for making a complaint (Ground 4)
109. Mr Russell submitted that the Commissioner’s Decision that the DFSA was in contravention of the DPL resulted from a request from Ms Waterhouse that he undertake an inspection and investigation under Article 33 of the DPL and that provision is not subject to the precondition that the applicant believes on reasonable grounds that he or she has been adversely affected by a contravention of the DPL as regards his or her rights under Article 17, as is the case in respect of a complaint lodged under Article 34 DPL. This submission was founded on the wording of Ms Waterhouse’s letter to the Commissioner dated 14 November 2017 which reads in relevant part:
I do not accept that the refusal with my request falls within the exemption set out in Article 32 (b) ….
I therefore wish to lodge a complaint with you under Article 34 and also to request you to carry out an appropriate inspection and investigation under Article 33 to determine whether the Data Controller of the DFSA contravened the Law … If your investigation concludes there has been a contravention I further request you to issue a direction requiring the Data Controller to comply with my Data Subject Access Request …
110. Mr Russell argued that a complaint made under Article 34 is intended by that provision to be dealt with by mediation whereas an appropriate inspection and investigation by the Controller pursuant to Article 33 is a free standing course of action which does not have to be undertaken as part of the process of mediation.
The DFSA’s paper records (Ground 6)
111. The Commissioner submits that this ground concerns the process of the Commissioner’s decision making. These processes occurred after the contravention of the DPL started on 10 August 2017 and are irrelevant in the context of the appeal: the DFSA was either entitled to refuse to comply with the SAR or it was not. Further, since the DFSA admitted in its response dated 10 August 2017 to the SAR that it holds personal data relating to Ms Waterhouse, the “lever arch file” issue is not determinative of whether the DFSA contravened the DPL.
Ms Waterhouse’s submissions in the appeal
112. Ms Waterhouse said that in the course of the proceedings leading to the Decision Notice issued by the DMC the question of the effect of the non-disclosure by the DFSA of particular pieces of information on her ability to achieve a fair outcome was raised a number of times.
113. Next, Ms Waterhouse responded to Mr Lake’s statement in paragraph 16 of his 6th witness statement that the DFSA had been concerned that one of Ms Waterhouse’s primary purposes in issuing the SAR was to frustrate the FMT proceedings. Ms Waterhouse told the Court that the SAR had two purposes: (1) to rectify any data concerning herself that was not fully accurate; and (2) to assist in her challenge before the FMT. It had never been her intention in issuing the SAR to frustrate the due process of the FMT and there was no evidence that that had been her intention. Ms Waterhouse also expressed the view that it was to be inferred from Mr Lake’s paragraph 16 that the DFSA did not consider the SAR on its merits when it was received.
114. Ms Waterhouse next reminded the Court that the FMT had not acceded to her application to postpone reaching and issuing a final decision until the present proceedings before the Court had been determined. In denying the application, the FMT had said that if any document emerged as a result of the SAR that materially undermined the FMT’s decision there was the possibility of a reconsideration of the result. The SAR had therefore not delayed the outcome of the FMT proceedings and so, even if one of the purposes of the SAR had been to delay those proceedings (which was not the case), that purpose had failed.
115. Ms Waterhouse then sought to contextualise a statement made by Mr Pitt-Payne, Counsel for the DFSA, regarding the position adopted by one of Ms Waterhouse’s counsel in the FMT interlocutory proceedings, when it was said that whilst documents produced by the DFSA under the DPL would have to be added to the bundle, since the DFSA had now given disclosure within the FMT proceedings, it was anticipated that there may not be many further documents to include in any event. Ms Waterhouse said that the anticipation of her then counsel was that disclosure in the FMT proceedings was beginning to roll.
116. In answer to a question from the Court, Ms Waterhouse said that she had made various applications for disclosure by email, including communications within the DFSA, which she could provide given time to retrieve them. She told the Court that following a CMC in the FMT proceedings, certain documents had been provided by the DFSA but on scrutinising them, it could be seen that some of these documents were not complete and/or referred to other documents that had not been disclosed. These “referred to” documents had not been disclosed which meant that she was quite comfortable in saying she believed that further relevant documents had not been disclosed.
117. Ms Waterhouse accepted that following communications with Mr Lake, some further documents were disclosed and she believed that an application for further disclosure had been made to the FMT. She had not attended the April 2018 FMT hearing in Dubai because she was unwell and the transcript reveals that her counsel raised issues about non-disclosure and he put certain questions about these issues to Mr Bock in cross-examination. Documents had emerged at the hearing itself and her counsel complained that they ought to have been produced at an earlier stage.
118. Ms Waterhouse then submitted that there would not be significant cost involved in the DFSA reviewing the materials in the 280 lever arch files the DFSA had spoken of. She went on to say that it had emerged from the cross-examination of Mr Adrian Bock in the FMT proceedings that the overall investigation including herself was commenced in 2012, whereas she had only been notified that she was being investigated in February 2014.
119. Ms Waterhouse also was at pains to point out that delay in her receiving the DFSA’s response to the SAR had an adverse practical impact on her because she was having to get on with the FMT proceedings at the same time. She added that when she received a response from the DFSA it came not from the DFSA's data protection officer but from DFSA Enforcement and she was surprised that no witness statement from the DFSA data protection officer had been served in these proceedings.
120. At the conclusion of the hearing the Court gave Ms Waterhouse leave to serve copies of documents evidencing applications for the disclosure of documents in the FMT proceedings and the DFSA’s and the FMT’s responses thereto within 16 days, and the DFSA was given leave to provide copies of transcripts of the FMT proceedings that covered questions of disclosure and to serve a response to Ms Waterhouse’s documents within 10 days after receipt of Ms Waterhouse’s documents.
Discussion and decision
121. The issue in the appeal is whether the Commissioner’s finding that the DFSA contravened the DPL in refusing to produce any of the personal data Ms Waterhouse sought in the SAR should stand or be set aside.
122. In consequence of the appeal being a de novo proceeding, the DFSA do not have to challenge any particular aspects of the Commissioner’s reasoning other than his conclusion that the DFSA contravened the DPL; and neither side is restricted to the contentions or the evidence it presented in the proceedings heard by the Commissioner. Evidence as to events occurring after the date of the Commissioner’s decision (20 June 2018) must be relevant to the state of affairs existing at that date, although I regard it as legitimate and appropriate to have regard to evidence of subsequent events when stepping back to look at matters in the round when coming to a final view on the issue of proportionality.
The Article 39 exemption (Ground 3)
123. The broad categories of information arising out of the investigation into Ms Waterhouse and the DMC and FMT proceedings that were identified by the DFSA at the hearing as being relevant to this ground of appeal were: (1) Information sought from third parties and/or information received by the DFSA from third parties. (2) Information contained in documents that reveal the internal thinking of the DFSA as the investigation proceeded and the DMC and FMT regulatory proceedings were continuing. (3) Information that is “neither here nor there” i.e. not sensitive or confidential.
124. It is for the DFSA to establish that it is entitled to be exempted from providing the information sought by Ms Waterhouse in accordance with the terms of Article 39 (2) (see Lord at [94]). In my judgment, this means that the DFSA must satisfy the Court that if Article 17 were to apply to the SAR the disclosure of each of the above categories would very well prejudice the proper discharge of the DFSA’s powers and functions under the Regulatory Law, without necessarily reaching the threshold of “more probable or not” (see Lord at [97]).
125. These categories of information are held in part electronically and in part in 280 lever arch files that are not ordered by reference to individuals who were the subject of the investigation involving Ms Waterhouse. Some only of these files could be excluded as not containing Ms Waterhouse’s personal data but all the others would have to be scrutinised to see if they contained information within the terms of the SAR. I reject Mr Russell’s submission that all the DFSA had to do to make available one significant part of the information required by the SAR, was to look at its outgoing correspondence to see which items referred to Ms Waterhouse and what of her personal data they included. As well as looking at the outgoing correspondence, the DFSA would have had to look at its incoming and internal correspondence because that might include material that indicated that personal data had been disclosed otherwise than in writing, for example in oral meetings or over the telephone.
126. As noted above, the DFSA submits that the scrutiny of the information it holds as a result of its investigation into Ms Waterhouse and the regulatory proceedings against her that would be necessary to comply with the SAR would involve the very heavy use of manpower and financial resources which would seriously impede the efficient discharge of its powers and functions both generally and in respect of its continuing involvement in the FMT proceedings initiated by Ms Waterhouse. As already noted above, the different estimates of the costs for outside firms to scrutinise the information held by the DFSA relating to Ms Waterhouse are: US$500,000 – US$800,000 (Mr Hammond’s estimate); US$300,000 + AED 15,700 (Deloitte); and Ankura’s estimate: US$90,000 – US$102,500 (on-site), US$120,000 – US$153,000 (off-site).
127. The DFSA further argues that if it had to provide the information required by Ms Waterhouse this would get into the public domain and others whom the DFSA investigates would issue SARs in attempts to distract and frustrate the investigations in which they were involved.
128. In addition to the general contentions related in paragraphs (126) and (127) above, the DFSA submits that: (a) the disclosure of information in category (1) would involve revealing the sources of the information in question and this would impede the gathering of information from third parties in the course of investigations as deposed to by Mr Meaney in his witness statement; and (b) the information within category (2) is highly confidential and its disclosure would inhibit those involved in investigations from expressing and recording views as an investigation progresses which would be very detrimental to the investigation process.
129. In my judgment, it would be likely that if the information within categories (1) and (2) were disclosed pursuant to the SAR, the proper discharge of the DFSA’s powers and functions under the Regulatory Law would be prejudiced for the reasons contended for by the DFSA. The disclosure would have the “chilling effect” referred to by Haddon-Cave J in Zaw Lin [104] – [106].
130. However, for two reasons, I do not find that the powers and functions of the DFSA would be likely prejudiced if the information within category (3) were disclosed pursuant to the SAR. Firstly, I am not satisfied that it is likely that disclosure of this category of information would likely lead to others who are being investigated by the DFSA to use SARs for the collateral purpose of harassing and distracting the DFSA. Secondly, I do not think it likely that if the DFSA had to carry out the necessary scrutiny of all its information relating to Ms Waterhouse in order to determine which information is within which category, the DFSA’s powers and functions under the Regulatory Law would be prejudiced. In my view, the use of DFSA personnel to carry out the necessary scrutiny could be avoided by engaging an outside agency to conduct the necessary scrutiny and, doing the best I can, having reviewed the costs estimates put before the Court, I find that the money required would likely be of the order of US$250,000. Would having to find this sum likely prejudice the DFSA in the discharge of its functions? In my judgment, it would not. In the first instance, the money would be met from the DFSA’s budget and to the extent necessary it would be met by additional funds provided by the Dubai Government. It is unthinkable in my opinion that the Government of Dubai would not provide the necessary additional funds when to refuse to do so would leave the DFSA, a vital DIFC body, in plain breach of the DPL.
131. For these reasons, this ground of appeal succeeds only to the extent of the information contained in categories (1) and (2) which is an insufficient outcome for the setting aside of the Commissioner’s finding that the DFSA was in contravention of the DPL.
Proportionality and Article 17 (Ground 5)
132. In my judgment, a data subject’s right to access to his or her personal data under Article 17 DPL is subject to the doctrine of proportionality. This is so for two reasons. First, proportionality is expressly incorporated into Article 17 DPL by the words “at reasonable intervals and without excessive delay or expense” in the opening sentence. I reject Mr Russell’s submission that these words are there simply to give effect to sections 7(2) and 7(8) of the DPA. As Mr Pitt-Payne submitted, the reference to “expense” cannot be a reference to a cost to the data subject because, unlike the DPA, the DPL makes no provision that allows a data controller to charge a data subject.
133. Secondly, I agree with Lewison LJ’s view in Ittihadieh that the implied obligation to search for personal data in response to a SAR is limited to a reasonable and proportionate search for the first three reasons he gives for reaching this conclusion, namely: (i) the indications in recitals (15) and (27) of the European Directive that the EU legislature did not intend to impose excessive burdens on data controllers; (ii) the application of the principle of proportionality by the ECJ in Rotterdam v Rijkeboer [Case C-553/07] as to the time limits for the retention of data; (iii) the fact that proportionality is a general principle of European law, see Omega Air Ltd v Secretary of State for the Environment [2002] ECR I-2569. I accept Mr Pitt-Payne’s contention that in modelling the DPL on the DPA, which in turn was the product of the European Directive, it was intended that the DPL should march in step not only with UK law but also with EU law. As Mr Pitt-Payne pointed out, the first DIFC Data Protection Law enacted in 2004 contains in Schedule 2 a list of pronouncements that were taken into account in the Law’s drafting and included in this list is the European Directive.
134. In Ittihadieh, Lewison LJ applied the doctrine of proportionality in the context of exercising the discretion conferred on a court by section 7 (9) DPA but what he had to say on proportionality is also applicable to this ground of appeal. I agree with his observation in [108] that a balance has to be struck between the prima facie right of the data subject to have access to his or her personal data on the one hand, and the interests of the data controller on the other. I also note that amongst the relevant factors in this balancing assessment that Lewison LJ identifies in [110] are: (1) whether there is a more appropriate route to obtaining the requested information, such as by disclosure in legal proceedings; and (2) the reason for having made the SAR. In regard to the second factor, Lewison LJ said:
While the absence of a stated reason does not in itself invalidate the SAR, the absence of a legitimate reason has a bearing on the exercise of the court's discretion (DB v The General Medical Council at [59]) even though a collateral purpose of assisting in litigation is not an absolute bar: Dawson-Damer at [112]. … Whether the real quest is for documents rather than personal data is also relevant ... Dawson-Damer at [77] confirms that the "potential benefit" to the data subject is relevant to the question whether a proportionate search has been carried out and, by parity of reasoning, the same must be true of the court's exercise of its discretion …
135. In Ittihadieh at [100], Lewison LJ, adopting the observations of Arden LJ in Dawson-Damer, expressed the view that proportionality cannot justify a blanket refusal to comply with a SAR. With respect, I do not accept this conclusion if it was intended to lay down a hard and fast rule regardless of the particular circumstances of the case. In my judgment, it is inherent in the concept of proportionality and the balancing exercise it involves that there may be exceptional cases where an outright refusal can be justified on proportionality grounds.
136. It is beyond argument that Ms Waterhouse’s principal and overriding purpose in issuing the SAR was and remains to obtain information contained in documents stored by the DFSA that assists her case in the FMT proceedings.
137. I agree with Lewison LJ’s observation in Ittihadieh at [82] that the underlying purpose of the right to personal data is for the data subject to check the accuracy of the data and to see that they are being processed lawfully. Despite this being the underlying purpose of the right, it has been held in England that the fact a data subject may have a purpose collateral to the purpose of checking his or her personal data for its accuracy does not necessarily mean that he or she loses the prima facie right to be provided with his or her personal data. Thus, if a data subject wants to check the accuracy of his personal data held by a data controller, it has been held that the fact that he or she also wishes to use the information to obtain documents relevant to litigation does not of itself mean that it would be disproportionate to enforce the data subject’s prima facie right conferred by Article 7 DPA. However, this does not mean, in my view, that the real, predominant purpose of the issuance of a SAR cannot be taken into account in appropriate circumstances when the question of proportionality is being considered generally, as it is in this case where the Court is concerned to weigh the practical impact on Ms Waterhouse of not having access to her personal data against the burden that would have to be borne by the DFSA if the SAR were enforced.
138. In seeking to achieve her principal and predominant purpose by issuing the SAR, Ms Waterhouse is seeking to oblige the DFSA to scrutinise essentially all of the information it has gathered in the period 1 October 2011 to 2 August 2017 that related to herself, when at the same time the DFSA was and had been under a duty in the lead up to the DMC Decision Notice to disclose all relevant documents whether in paper or electronic form that were relevant to the regulatory offences the DFSA alleged against her.
139. I am in no doubt that the task of scrutinising the information held by the DFSA to determine what of Ms Waterhouse’s personal data it had acquired in the period 1 October 2011 to 2 August 2017 would be an extremely onerous one in terms of manpower and particularly money. This is amply borne out by Mr Hammond’s report exhibited to Mr Meaney’s witness statement and, as I have already concluded, if the scrutiny were to be done by a private contractor the cost would likely be of the order of US$250,000, which on any view is a large sum of money. Even if a private contractor were engaged, there would still have to be the involvement of already busy DFSA officials in supervising the contractor’s work and making the ultimate decision as to what information falls within which category: (1), (2) or (3).
140. I turn to ask myself what would be the practical impact on Ms Waterhouse if the DFSA was relieved of the obligation of doing the work and spending the money to comply with the SAR. As I have already observed, at the same time as the DFSA was being requested to comply with the SAR it was under a duty to disclose all relevant documents whether in paper or electronic form that were relevant in the FMT proceedings. This duty of disclosure is an aspect of the overall implied duty that lay on the DFSA to conduct the investigation into Ms Waterhouse fairly. Unlike in prosecutions brought to trial in the UK where the practice is that a police officer or a team of officers is appointed with the sole task of ensuring that all proper disclosure is made to the defendant, the DFSA officials with overall responsibility for disclosure were always likely to be and in fact were the DFSA’s lead investigator, Mr Adrian Bock (who was cross-examined about disclosure in the course of giving evidence in the FMT proceedings and found to be an entirely straightforward and honest witness) and, in addition, a member of the DFSA’s legal team, who turned out to be Mr Lake.
141. It was also foreseeable as at 10 August 2017 and at all times during the proceedings before the Commissioner that, as happened, the DFSA would be represented by experienced and responsible counsel who would well appreciate the duty on the DFSA to disclose relevant documents and that Ms Waterhouse would have access to legal advice and representation at different times during the FMT proceedings. In addition, it was clearly foreseeable, again as turned out to be the case, that it would be open to Ms Waterhouse to apply to the FMT for orders for disclosure of specified classes or particular documents. Thus, whilst Ms Waterhouse represented herself for parts of the FMT proceedings, she was represented by counsel on a number of occasions who advised her on disclosure, mounted applications for disclosure and also made detailed submissions in support of Ms Waterhouse’s case.
142. In my judgment, given the matters referred to in paragraphs (140) and (141) above, it was well foreseeable at the time both when the DFSA rejected the SAR and when the Commissioner made his Decision that the chances that a piece of personal data helpful to Ms Waterhouse’s case would not be disclosed in the course of the FMT proceedings but would be disclosed if the SAR were given effect to were extremely remote.
143. This conclusion is in accord with the evidence as to how disclosure was in fact dealt with by the DFSA and the FMT in the period subsequent to 10 August 2017. As recorded in paragraphs (72) to (75) above, Mr Lake deposes in his first witness statement to the documents provided by the DFSA to Ms Waterhouse in the period 29 April 2015 to 20 April 2018. Since the hearing of these proceedings on 26 and 27 November 2019, Ms Waterhouse, with the consent of the Court, has served a number of documents that she submits evidence her attempts to obtain disclosure from the DFSA and the DFSA’s responses thereto in the period 10 March 2016 to 20 May 2019, a number of which consisted of refusals to make the requested disclosure. In response to these documents, the DFSA served a detailed submission supported by further documents setting out the extent to which it provided further documents to Ms Waterhouse and providing a justification for those occasions when it did not accede to Ms Waterhouse’s requests. The clear picture that emerges from all this material is that Ms Waterhouse made numbers of requests for documents some of which were met and several of which were justifiably declined on the ground that they went to peripheral matters and were simply not relevant. Ms Waterhouse also complained to the FMT about non-disclosure of documents and on occasion applied for disclosure orders.
144. In the course of the FMT proceedings on 2 October 2018, Ms Waterhouse requested the FMT not to conclude the present proceedings until the outcome of the cases now before the Court, “since to do so would risk a decision being taken in the absence of important documents”. The categories of documents Ms Waterhouse identified in support of her request which she claimed might have relevant data were: (1) details of her settlement with DB; (2) documents relating to the Deloitte report that had not been disclosed; (3) documents seen by Freshfields in their internal investigation for DB; (4) meetings including a suggested informal meeting between Mr Bock and a DB employee about the terms of Ms Waterhouse’s settlement with the bank; and (5) full details of the interaction between the DFSA and DB concerning the settlement reached between the DFSA and DB.
145. Responding to the application, the DFSA observed that there was no suggestion of missing documents relevant to the real issues in the October 2018 hearing or in closing submissions submitted to the FMT.
146. The FMT’s decision given on 15 May 2019 on Ms Waterhouse’s application was in the following terms:
The context of this issue is set out in the Decision. The DFSA has apparently been disclosing documents to Ms Waterhouse and her lawyers since 2016. There have been more than 12,000 pages of documents in this case disclosed either voluntarily or by order made by the Tribunal. It seems improbable that there are yet more relevant documents given the nature of the real issues. Further if there were any they could easily have been obtained by an order from the Tribunal.
Ms Waterhouse argues that if the outcome of the [Data Protection] litigation leads to disclosure of the data she seeks it may have an effect on this case also. As a matter of principle, it should not have that effect. The DFSA should have disclosed all material relevant to the issues in this case and confirms that it has.
The main issue in this case has been whether DB’s admitted regulatory breaches were or should have been known to Ms Waterhouse and, if so, why she did not disclose them to the DFSA. The particular categories identified by Ms Waterhouse do not as we see it assist her argument. First, they are of limited or no relevance. Secondly, despite that, the requests appear to have been answered by the DFSA. Thirdly even if the documents had been relevant and the DFSA had refused disclosure Ms Waterhouse would have obtained an order from us and does not need data protection law to obtain this.
In a situation where the DFSA insists that it has given full disclosure and when no remotely plausible case has been made that this claim is untrue, there is no reason to delay the conclusion of the case again and yet further and for an indefinite period. [Emphasis supplied]
If at the end of the Data Protection litigation the DFSA were required to disclose data which should have been disclosed in these proceedings that would be a serious matter and Ms Waterhouse would be free to apply to us for suitable relief.
147. In my judgment, when, in light of the process of disclosure to which the DFSA was subject under the supervision of the FMT, one weighs the real interest that Ms Waterhouse had in seeking to enforce her prima facie right under Article 17 against the very heavy burden that would have fallen on the DFSA if it had to comply with the SAR, it would be grossly disproportionate to order the DFSA to comply with the SAR. It follows that the DFSA succeeds on Ground 5 and that the Commissioner’s Decision should be set aside.
Nature of the Request: documents, not information (Ground 1)
148. I reject this ground of appeal. In my opinion, whether a request expressed to be a SAR made under Article 17 DPL is a request for personal data for the purposes of that Article depends on the wording of the request. Looking at Ms Waterhouse’s SAR, I conclude for the textual grounds advanced by the Commissioner that it is a request within the Article and not a request for documents which would be outwith the Article. The fact that Ms Waterhouse may have contemplated, or indeed desired, that her request would be met by the provision of copies of documents is neither here nor there.
Preconditions for making a complaint (Ground 4)
149. This ground of appeal I also reject.
150. I agree with Mr Russell’s submission that the proceedings before the Commissioner were proceedings sanctioned by Article 33 and not Article 34, notwithstanding that the Commissioner appears to have thought the opposite to be the case. It is true that in her letter to the Commissioner dated 14 November 2017 Ms Waterhouse asked both for an investigation under Article 33 and complained under Article 34, but I am satisfied that on its proper construction Article 34 contemplates a complaint that will be considered within mediation proceedings and this was not the nature of the action taken by the Commissioner who undoubtedly conducted an investigation.
151. Even if the proceedings conducted by the Commissioner included a consideration of a complaint under Article 34 and were therefore not exclusively an investigation under Article 33, I reject the DFSA’s argument that Ms Waterhouse was not adversely affected by the DFSA’s refusal to comply with the SAR because her purpose was to obtain documents. As I have held, Ms Waterhouse’s principal and predominant purpose in issuing the SAR was indeed to obtain documents but the means by which she hoped to achieve this was through the SAR and accordingly, when the DFSA refused to comply with the SAR, it cannot be gainsaid that she believed on reasonable grounds that she had been adversely affected by what she believed to be a contravention of the Law as regards the exercise of her Article 17 rights.
The DFSA’s paper records (Ground 6)
152. The Court was not asked to decide for itself whether the paper records were a relevant filing system. This is because this ground of appeal asserts that the Commissioner made an error of law in declining to decide for himself whether the paper records were or were not a relevant filing system and in consequence the entirety of his decision that the DFSA contravened the DPL is vitiated and must be set aside.
153. In my judgment, in light of the fact that: (i) the issue before the Commissioner was whether the DFSA’s refusal to comply with the SAR for the reasons given in its letter of 10 August 2017 constituted a breach of the DPL; and (ii) the DFSA only raised the relevant filing system issue when serving its clarificatory submissions, those submissions having been sought by the Commissioner for clarification of the DFSA’s case based on Article 39 (2) DPL, I do not think the Commissioner can be faulted for the approach he took. This ground of appeal is therefore rejected.
The DFSA’s judicial review case
154. The DFSA’s judicial review case is predicated on the dismissal of its appeal. Given my decision to allow the appeal it is not necessary to determine the judicial review application and I have decided not to extend this already very long judgment by doing so.
Conclusion
155. For the reasons given above, the DFSA’s appeal is allowed and the Commissioner’s Decision dated 20 June 2018 is set aside.
Issued by:
Nour Hineidi
Date of issue: 1 June 2020
At: 11am