Subject access requests, threats of violence, exemptions and the like

The High Court (Steyn J) has today handed down judgment in Harrison v Cameron and ACL [2024] EWHC 1377 (KB), a case full of notable legal points and rather colourful facts. On phone calls with one of the defendants, the claimant had repeatedly made threats of violence, without realising that the calls were being recorded. Via subject access requests under Article 15 of the UK GDPR, he sought the identities of individuals to whom the content of the recordings had been disclosed. The defendants refused, relying inter alia on the ‘personal data of others’ exemption (see DB v General Medical Council, etc), in light of the claimant’s conduct. In dismissing the claimant’s claim for the identities of the recipients, Steyn J’s judgment addresses not only that exemption, but a range of important data protection issues including the ‘personal/household’ exemption, the definition of ‘data controller’, the right to request specific identities of recipients and the application of post-Brexit CJEU case law (Austrian Post). I acted for the defendants, instructed by Charles Fussell & Co LLP, so for now I’ll just post this.