Zaw Lin and Wai Phyo v Commissioner of Police for the Metropolis  EWHC 2484 (QB), a judgment of Green J handed down today, is an interesting – if somewhat fact-specific – contribution to the burgeoning body of case law on how subject access requests (SARs) made under the Data Protection Act 1998 (DPA) should be approached, both by data controllers and by courts.
The Claimants are on trial in Thailand for the murder in September 2014 of British tourists Hannah Witheridge and David Miller. They could face the death penalty if convicted.
Under the Police Act 1996, and following high-level discussions (including at Prime Ministerial level), it was agreed that the Metropolitan Police Service (MPS) would send an officer to observe and review – but not assist with – the Thai police investigation. The MPS compiled a detailed Report. They agreed to keep this confidential, except that it could be summarised verbally to the families of the victims so as to reassure about the state of the investigation and proceedings. The Report has never been provided to the families or the Thai authorities.
The Claimants made SARs, seeking disclosure of the MPS’ Report. Green J summarised their objectives as follows (para 29):
“The Claimants have endeavoured to clothe their arguments in the somewhat technical language of the DPA. It seems to me that the bottom line of these arguments, stripped bare of technical garb, can be put in two ways. First, the views of the MPS carry weight. Scotland Yard has an international reputation. If the Report is seen as favourable to the prosecution and contains material supportive of the RTP [Royal Thai Police] investigation (which is in effect how the Claimants say it has been presented in public by the families) then they should have the right to see the personal data so they can correct any misapprehensions. Secondly, that in any event they should be able to use any personal data which is favourable to their defence.”
The Claimants were entitled to request disclosure of at least some of the contents of the Report, though Green J estimated that only a small percentage of its contents constituted their personal data (para 25).
The MPS refused the SARs, relying on the exemption for crime and taxation under section 29 DPA.
In determining the claim under section 7(9) DPA, Green J considered arguments as to the applicability (or not) of Directive 95/46/EC (which contains exceptions for criminal matters: see Articles 3 and 13) and the European Convention on Human Rights. His view was that not much turned on these points here (para 49). At common law, the court’s scrutiny must always be fact- and context-specific. In a life-and-death context, anxious scrutiny would be applied to a data controller’s refusal. See para 69:
“… when construing the DPA 1998 (whether through common law or European eyes) decision makers and courts must have regard to all relevant fundamental rights that arise when balancing the interest of the State and those of the individual. There are no artificial limits to be placed on the exercise.”
Green J expressed his discomfort about the application of section 15(2) DPA, which allows the court – but not the data subject – to view the withheld information. This, together with the prospect of a closed session, raised concerns as to natural and open justice. Given the expedited nature of the case before him, it was not appropriate to appoint a special advocate, but that may need to be considered in future cases where the stakes are very high. Green J proceeded by asking questions and hearing submissions on an open basis in a sufficiently generic and abstract way.
In expressing those procedural misgivings, Green J has touched on an important aspect of DPA litigation which has received little attention to date.
He also took a narrower view of the breadth of his discretion under section 7(9) DPA than has often been assumed. At para 98, he said this of the ‘general and untrammelled’ nature of that judicial discretion:
“If Parliament had intended to confer such a broad residual discretion on the court then, in my view, it would have used far more specific language in section 7(9) than in fact it did. In any event I do not understand the observations in the authorities referred to above to suggest that if I find that the MPS has erred that I should simply make up and then apply whatever test I see fit. If I find an error on the part of the MPS such that I must form my own view then I should do in accordance with the principles set out in the DPA 1998 and taking account of the relevant background principles in the Directive and the Convention. My discretion is unfettered by the decision that has gone before, and which I find unlawful, but I cannot depart from Parliament’s intent.”
Such an approach to section 7(9) could make a material difference to litigation concerning SARs.
Green J then set out and determined the issues before him as follows:
Issue I: Who has the burden of proof of proving both the right to invoke the exemption? What is the standard of proof?
Following R (Lord) v Secretary of State of the Home Department  EWHC 2073 (Admin), the answer is that the data controller bears the burden. “The burden of proof is thus upon the MPS in this case to show its entitlement to refuse access and it must do this with significant and weighty grounds and evidence” (para 85).
Issue II: Was the personal data in the MPS report “processed” for purposes of (a) the prevention or detection of crime or (b) the apprehension or prosecution of offenders?
Green J’s answer was yes. Although the purposes behind the Report differed from the usual policing context, there should be no artificially narrow interpretation of the ‘prevention and detection of crime/apprehension or prosecution of offenders’.
Issue III: Would granting access be likely to prejudice any of those purposes?
This required a balancing exercise to be performed between the individual’s right to access and the interests being pursued by the data controller in refusing disclosure. This called for a “classic proportionality balancing exercise to be performed” (para 78).
Here, the starting point was the Claimant’s prima facie right to the personal data. This was bolstered by the life-and-death context of the present case.
The MPS’ refusal, however, pursued legitimate and weighty objectives. In assessing those objectives, it was relevant to consider what precedent would be set by disclosure: the “focus of attention was not just on the facts of the instant case but could also take account of the impact on other cases” (as per Lord).
On that basis, and in light of the evidence, the MPS’ ‘chilling effect’ argument was powerful. See para 107:
“… I accept their judgment and opinion as to the risks that release of the Report would give rise to and in particular, their position on: the considerable benefit to the public interest (in relation to crime enforcement and public security) generally in the MPS (and other relevant police authorities) being able to engage with foreign authorities; the high importance that is attached by foreign authorities to confidentiality; and the risk that not being able to give strong assurances as to confidentiality would pose to the ability of the MPS and others to enter into meaningful working relationship with such overseas authorities.”
It was also important to avoid any potential interference with a criminal trial in a foreign country.
The Claimants’ SARs were not made for any improper purposes, i.e. for purposes other than those which Directive 95/46/EC sought to further. In that respect, the present case was wholly unlike Durant.
The balancing exercise, however, favoured the MPS. Having considered each item of personal data, Green J said his “ultimate conclusion is that there is nothing in the personal data which would be of any real value to the Claimants” (para 125). He expressed his unease with both the procedure and the outcome. Permission to appeal was granted, though Panopticon understands that an appeal is not being pursued by the Claimants.
Anya Proops and Christopher Knight acted for the Defendant.
Robin Hopkins @hopkinsrobin