SARs and Legal Professional Privilege

It’s fair to say that the Supreme Court’s Brexit judgment has taken some attention from other legal developments of the day, but Holyoake v (1) Candy (2) CPC Group Limited [2017] EWHC 52 is another significant judgment on the scope of the subject access right under s.7 DPA, and not just because it involves all 4 of Panopticon’s editors.

In the context of underlying multi-million pound proceedings in the Chancery Division between the parties, who are high-end property developers, Mr Holyoake made SARs against Mr Candy and CPC, which he asserted had been inadequately answered. Mr Holyoake claimed that the defendants had carried out inadequate searches, and that Mr Candy had invalidly relied on the LPP exemption.

The Court (Warby J) proceeded from the starting point that the data controller’s implied obligation is to carry out a search limited to what is “reasonable and proportionate”. Mr Holyoake, however, said that the search was not proportionate because (among other reasons) CPC’s searches were limited to corporate email accounts: it had not asked its directors to search their personal email accounts for relevant emails. Warby J rejected that contention. He accepted that a company director who had used a personal email account for corporate business might owe the company a duty to allow access to that account, if needed to comply with a SAR. But he said the company was not bound to ask the question unless there was some sufficient reason to do so; and did not have any general right of access to check the position. The evidence in the case did not support the existence of any such reason.

As to the LPP issue, Mr Holyoake argued that there was reason to believe Mr Candy’s claim to the exemption was unfounded, because (a) the LPP material related to surveillance/investigation of Mr Holyoake and his family by a security consultancy (USG), which was tainted by criminal conduct; and/or (b) those activities resulted in an unjustified interference with Mr Holyoake’s fundamental right to privacy. Mr Holyoake said that the Court should itself inspect the data to determine whether the claim to LPP was unfounded, pursuant to s.15(2) DPA.

Accordingly, Warby J had to determine the scope of the “iniquity” exception to reliance upon LPP as a basis for withholding material, and decide whether it applied. He found as follows:

  1. A speculative case that the documents in question might involve or evidence iniquity will not suffice to displace LPP, where it would otherwise apply. A “strong prima facie case” is needed.
  2. The instruction of private investigators did not necessarily involve a criminal breach of s.55 DPA, nor was it even inherently suspicious. So there was no reason here for supposing that LPP might be abrogated by criminality.
  3. The proposition that LPP could be abrogated where there had been breach of the fundamental right to privacy was a “novel but ingenious argument”; but it could not prevail. There was no prima facie case of wrongdoing, and no worthwhile evidence that USG did more than carry out investigation. Moreover, this argument sought a substantial expansion of the iniquity principle which would, on the face of it, significantly erode the right to LPP, which is itself an aspect of the rights protected by Article 8 ECHR.
  4. As to the claimant’s alternative argument that the Court should balance the respective Article 8 rights of the parties in this context, such a balancing exercise would appear to be inconsistent with House of Lords authority. Lord Taylor CJ had said in R v Derby Magistrates Court ex p B [1996] 1 AC 487 that “if a balancing exercise was ever required in the case of legal professional privilege, it was performed once and for all in the 16th century, and since then has applied across the board in every case, irrespective of the client’s individual merits.” If the law were to develop in this way, it would have to be done by another court on another occasion.
  5. It would not be appropriate for the Court itself to inspect LPP material under s.15(2) DPA. Such inspection should only be carried out as a last resort, where there was credible evidence that those claiming privilege had misunderstood their duty or were not to be trusted, or where there was no reasonably practicable alternative. These were not such circumstances.

This is a judgment that will give substantial comfort to data controllers, since it robustly limits the extent to which the Court will be willing to go behind data controllers’ assertions of compliance, and act on data subjects’ suspicions.

Anya Proops QC and Robin Hopkins were instructed on behalf of the claimant, and Timothy Pitt-Payne QC and Christopher Knight on behalf of the defendants.