Candy Crush (-es Holyoake)

Readers of this blog will recall an important DPA judgment, particularly on the legal professional privilege exemption, which came out in January 2017 called Holyoake v Candy & CPC [2017] EWHC 52 (QB) (see the blogpost here). That case has, however, involved various pieces of satellite litigation including a 193 page judgment of Nugee J handed down just before Christmas in Holyoake & Hotblack v Candy & Candy & others [2017] EWHC 3397 (Ch).For some reason the parties to the extensive Chancery proceedings appear to have seen as most important the multi-million pound claims for misrepresentation, duress, unlawful means conspiracy, interference with economic interests, undue influence, breach of consumer credit legislation, breach of the rule against penalty clauses and the exotically named extortion under colour of due process. For very detailed and lengthy reasons which it is unnecessary to set out here, Nugee J rejected all of Mr Holyoake’s various claims. The judge made numerous adverse findings in respect Mr Holyoake’s performance as a witness, although it is fair to say that the Candy brothers did not escape without some measure of criticism either. (I should declare that I acted for Candy and CPC in the earlier DPA proceedings; although all of the Panopticon editors were on one side or the other.)

Unaccountably, neither the parties nor Nugee J appear to have regarded the existence of a DPA claim in the Chancery trial as the most significant issue to be determined. This was not the same issue as in the DPA proceedings, which concerned the responses to a subject access request, although there was an element of overlap. Two DPA breaches were alleged. First, it was said that the instruction of a private investigator to see if Mr Holyoake had any criminal convictions was a breach of section 4(4). This had been discussed to some extent in the earlier proceedings and Nugee J made it clear that he was not going to go behind the conclusions drawn in that case, with which he agreed, that there was no evidence of unlawful attempts to access the PNC (given that the investigator only purported to be able to say that there were no unspent convictions) and that, in any event, he did not consider that Mr Holyoake could have been distressed to discover that his opponents had discovered only that he appeared to have no convictions.

Of more interest is the second DPA breach alleged. It was argued (although not apparently the subject of much oral discussion) that in briefly discussing with Investec that Mr Holyoake had obtained a loan, CPC had breached section 4(4). It is fairly clear from the judgment that Nugee J found most of the DPA terms unfamiliar and that he had not (for understandable reasons) had a lot of assistance at trial in working his way through them. Unusually, Nugee J was not at all happy that the facts fell within the definition of data (see the discussion at [455]), but eventually concluded that CPC must have stored an electronic record of the loan somewhere, even if he hadn’t seen it (at [456]). But, asked Nugee J, was CPC processing that personal data when Mr Candy told Investec, given that Mr Candy knew the fact of the loan perfectly well and had no need at all to consult the electronic records? It is worth setting out the conclusion at [458]:

I have come to the conclusion that he did not. What in my judgment he disclosed was the information in his head, not the information in CPC’s records, and the fact that the same information could in fact be found in CPC’s records does not mean that what he was disclosing was that information. I should say that I can see arguments to the contrary and in the absence of any submissions, I am far from confident that I have reached the right conclusion; but I have to decide the point, and it seems to me that the purpose of the Act is to regulate what a data controller does with information stored in a relevant record, and it does not seem consonant with that for the Act also to regulate what a person does with information in his own head that has not been derived from the records.

The judge went on to hold that Mr Candy was also a data controller (unusual), that any disclosure was justified by condition 6(2) of Schedule 2, that there was no prejudice to the data subject anyway, and that Mr Holyoake’s evidence was that he had been happy about the involvement of Investec and suffered no distress requiring compensation.

So tucked away at para 458 of the judgment is an interesting nugget for DP lawyers. If you don’t need to consult the recorded data to disclose something, are you relevantly processing? It is a novel question and one which is likely to require further careful thought. Those interested may also want to look at the Irish decision in Shatter v Data Protection Commissioner & Wallace (Meenan J, 9 November 2017) that a Minister who had been told something orally by a police officer but not retained or otherwise recorded by him was not a data controller (with thanks to TJ McIntyre for the reference). The point is likely to be taken again.

Christopher Knight