Does subject access have to be taxing?

Blockbuster High Court judgments about subject access requests are a rarity. The judgment of Mrs Justice Heather Williams in Ashley v The Commissioners for His Majesty’s Revenue and Customs [2025] EWHC 134 (KB) (27th January 2025) gives us considerable food for thought.  Overall, it is good news for those making subject access requests.  For controllers, it is a sobering illustration of how onerous their obligations can be.

Mr. Ashley is a well-known businessman and entrepreneur.  Between February 2014 and October 2016, HMRC undertook an enquiry into his 2011/12 tax return (“the Enquiry”).  The Enquiry was conducted by HMRC’s Wealthy and Mid-Size Business Compliance Unit (“the WMBC”).  In October 2016 HMRC issued a closure notice, with a finding that Mr. Ashley had sold certain properties at an overvalue, giving rise to a taxable benefit on which there was a substantial tax liability.  Following Mr. Ashley’s appeal, the closure notice was withdrawn on 21st October 2022.

On 13th September 2022 Mr. Ashley made a subject access request (SAR) to HMRC under UK GDPR Article 15.  He sought all information held in relation to him by HMRC since the commencement of the Enquiry.  Initially HMRC refused to provide any data at all in response.  Following the issue of proceedings regarding the SAR, HMRC provided four schedules of personal data processed by the WMBC, and a separate schedule of personal data processed by the Valuation Office Agency (“VOA”), an executive agency within HMRC.  Mr. Ashley continued to maintain that HMRC had not properly complied with his SAR.

His claim was heard in December 2024.  By the end of the hearing, the agreed issues for the Court to resolve were (in summary) as follows:

Issue 1 – whether the SAR was limited to personal data regarding the Enquiry as processed within the WMBC, or whether it also extended to data as processed by the VOA.

Issue 2 – the extent to which data relating to the Enquiry amounted to Mr. Ashley’s personal data.

Issue 3 – whether HMRC was obliged to search for Mr. Ashley’s personal data as processed by the VOA.

Issue 4(a) – this involved consideration of various matters, including what the parties referred to as the “First Tax Exemption”, i.e. the exemption in paragraph 2 of Schedule 2 to the Data Protection Act 2018 (“DPA 2018”).  This exemption relevantly provided that the GDPR provisions as to the right of subject access did not apply to personal data processed for the purpose of the assessment or collection of a tax or duty or similar imposition, to the extent that the application of the subject access provisions would be likely to prejudice that matter.

Issue 4(b) – whether HMRC was in breach of its obligation to provide Mr. Ashley’s personal data in a concise, transparent and intelligible manner.

Below, I summarise how the Court resolved each issue.

Issue 1 was about the scope and interpretation of the SAR.

The Court approached this as an objective question, requiring consideration of the terms of the SAR read in its context, but without applying exacting standards of precision.  HMRC was a data controller for the VOA, and the terms of the request were broad enough to encompass Mr. Ashley’s personal data in respect of the Enquiry that was processed by the VOA.  HMRC’s internal practice of treating the main part of HMRC and the VOA as separate entities for the purposes of subject access requests could make no difference to the proper interpretation of Mr. Ashley’s request.  In all the circumstances, the Court construed the SAR as extending to data processed by the VOA.

Issue 2 was about what information “related to” Mr. Ashley for the purposes of the definition of personal data in UK GDPR Article 4(1).

For Mr. Ashley, it was submitted that all documentation processed by HMRC as regards the Enquiry constituted his personal data.  The Enquiry had considered the valuation of 32 specific properties disposed of by Mr. Ashley.  It was contended on his behalf that all the data relating to these 32 properties, including material about comparable properties taken into account by HMRC during the Enquiry, constituted Mr. Ashley’s personal data.  It was said that all of this material was central to HMRC’s investigation and inextricably intertwined with Mr. Ashley’s personal tax liability.

HMRC argued for a more limited approach, arguing that not all the information relating to how HMRC arrived at its valuations of the 32 properties constituted Mr. Ashley’s personal data.

The Court considered the far-reaching proposition advanced for Mr. Ashley, that all the data processed by HMRC in the context of the Enquiry’s assessment of his tax liability amounted to Mr. Ashley’s personal data, because of the nature of that exercise and its potential effect on him.  The Court rejected this approach as being too broad.  The question was whether particular pieces of information held by HMRC related to Mr. Ashley, rather than whether the overall exercise that HMRC were embarked upon related to him:  see the decisions of the CJEU in Nowak v Data Protection Commissioner [2018] 1 WLR 3505 (“Nowak”) and FF v Österreichische Datenschutzbehörde [2023] 1 WLR 3674 (“FF”).

Following Nowak, the “relating to” requirement was satisfied where “the information, by reason of its content, purpose or effect, was linked to a particular person”.  In applying this test, the “content”, “purpose” and “effect” of the information were disjunctive ways in which it might be linked to an individual. However, in many instances these features were likely to overlap, and the position would be strengthened where a link existed in more than one of these senses.

The Court held that HMRC would need to reconsider the SAR, applying the above approach.

In relation to the 32 properties, the Court considered that the valuations of these were Mr. Ashley’s personal data.  The 32 properties were owned by Mr Ashley and HMRC’s valuations were directly relevant to its assessment of his potential liability to pay tax.  However, it did not follow that all the data generated by HMRC in arriving at those valuations was also his personal data.  For instance, it was difficult to see how details about comparable properties that Mr Ashley did not own and had no link to would be information relating to Mr Ashley. Similarly, it was difficult to see how information relating to HMRC’s processes would be information relating to him. On the other hand, data relating to the 32 properties themselves, used in HMRC’s assessment of their value, was likely to be Mr. Ashley’s personal data.

Issue 3 was about the extent of HMRC’s obligation to search.  The Court concluded that this obligation extended to data held by the VOA.  HMRC had not established that a requirement for it to search such data would be disproportionate.

Issue 4(a), in the light of the above findings, raised only one further point, namely whether HMRC was entitled to rely on the First Tax Exemption in relation to a certain (very limited) part of the personal data at issue.

The Court held that HMRC had not shown that the application of the subject access provisions would be likely to prejudice the assessment or collection of tax. “Likely” connoted a very significant and weighty chance of prejudice, to be established convincingly by evidence rather than assertion. The suggestion that the relevant data would provide an insight into HMRC’s position as to the settlement of future tax liabilities was, at best, merely speculative.

Issue 4(b) was about the requirement for personal data responsive to a SAR to be provided in a concise, transparent and intelligible form (see UK GDPR Article 12(1)).  The Court considered whether HMRC was required to provide anything more than a copy of the personal data, i.e. whether it was also required to provide contextual information. Relying on FF, the Court concluded that HMRC was obliged to provide contextual information where that was necessary for that personal data to be intelligible, in the sense of enabling the data subject to exercise their GDPR rights effectively.  Providing a documentary extract consisting of the Claimant’s name or his initials or other entirely decontextualised personal data was unlikely to suffice.

Overall, the decision is good news for those making subject access requests.  The approach taken to the meaning of personal data is a relatively wide one, though not as broad as Mr. Ashley had sought.  The requirement to provide contextual data is highly case-specific, but in future data controllers will find it hard to justify providing heavily redacted documents with only a few visible snippets of personal data.

Among Counsel, there was an 11KBW monopoly.  Anya Proops KC, leading Zac Sammour, acted for Mr. Ashley.  James Cornwell acted for HMRC.

The Gerrard litigation:  the death-knell for litigation surveillance?

The recent decision of the High Court (Richard Spearman QC, sitting as a Judge of the Queen’s Bench Division) in David Neil Gerrard and Elizabeth Ann Gerrard v Eurasian Natural Resources Corporation Limited and Diligence International LLC [2020] EWHC 3241 (QB), relates to one aspect of the complex litigation between Mr. Gerrard (currently a partner at Dechert LLP, a law firm) and ENRC (his former client).   The decision deals with various interlocutory applications in a claim that is itself ancillary to the main proceedings.  Nevertheless, even though it relates to a skirmish in a much more extensive battle, the decision is of considerable interest in its own right, in particular as to the use of covert surveillance in the context of litigation.

Mr. Gerrard was ENRC’s solicitor between December 2010 and March 2013, acting for ENRC in relation to a SFO investigation.  In 2017, ENRC brought proceedings against Mr. Gerrard in the Commercial Court alleging that Mr. Gerrard had acted negligently and in breach of fiduciary duty by seeking to extend the scope of the SFO’s investigation into ENRC, and by leaking information about ENRC to the media and the SFO.  In 2019, ENRC brought further proceedings in the Chancery Division against the Director of the SFO, for (among other matters) inducing Dechert LLP and/or Mr. Gerrard to breach their fiduciary duty to ENRC.

Coronavirus and Information Law

This week has brought unprecedented disruption to the legal system, and the whole economy.  The Panopticon team, and all of us at 11KBW, are working hard to ensure that we can continue to provide you with the level of service that you have come to expect.  Meanwhile, here are some initial responses to the Coronavirus pandemic from an information law perspective.

Of Tweeting and Transgender Rights

Over the years, Panopticon has discussed a number of cases about the powers of the police to record, retain, and disseminate information about individuals.  The judgment of Mr. Justice Julian Knowles in R (ota Harry Miller) v (1) The College of Policing, and (2) The Chief Constable of Humberside [2020] EWHC 225 (Admin) is a significant contribution to the law in this area.  In Panopticon terms the case is unusual, in that the issues are discussed by reference to the right to freedom of expression under Article 10 of the European Convention on Human Rights (“ECHR”), rather than by reference to Article 8 or data protection legislation.

An important part of the context for the case is the current political controversy regarding the status of transgender people, including proposals to reform the Gender Recognition Act 2004 so as to replace the current requirements for obtaining a Gender Recognition Certificate (GRC) with an approach that places greater emphasis on an individual’s self-identification of their gender.  Reforms along these lines were the subject of a Government consultation in 2018.  In this respect also, the case takes Panopticon into hitherto uncharted waters.

Data Breach, Group Actions, and the criminal insider: the Morrisons case

A spectre is haunting data controllers – the spectre of group liability for data breach.

In Vidal-Hall v Google [2015] EWCA Civ 311 the Court of Appeal held that damages claims under section 13 of the Data Protection Act 1998 (DPA) can be brought on the basis of distress alone, without monetary loss.  Since that decision there has been much speculation that a major data breach could lead to distress-based claims against the data controller by a large class of individuals.  Even if each individual claim was modest (in the hundreds or low thousands of pounds) the aggregate liability could be substantial.

Cases of this nature may give rise to important questions of public policy.  Often the data controller will themselves be the victim of malicious or criminal conduct, involving a hack by outsiders or a data leak by insiders. In such situations, should the data controller be required to compensate data subjects?  What if the very purpose of the hack or leak was to damage the data controller, so that by imposing civil liability on the controller the Courts would help further that purpose?

The recent decision of the High Court in Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 is the first significant case to grapple with these issues post Vidal-Hall.  The case involves a group claim brought by some 5,500 Morrisons’ employees in connection with the criminal misuse of a significant quantity of payroll data by a rogue employee.  In a lengthy judgment handed down on 1st December 2017, Langstaff J found that Morrisons were not directly liable to the claimants in respect of the criminal misuse of the data, whether under the DPA or at common law, but that they were nevertheless vicariously liable.  The trial dealt only with liability: quantum remains to be determined.

11KBW’s Anya Proops QC and Rupert Paines acted for Morrisons.

Safe Harbour and the European regulators

On 6th October 2015 the CJEU declared the Commission’s Safe Harbor Decision invalid, in Case C-362/14 Schrems.  Since then, data protection specialists have discussed little else; and Panopticon has hosted comments by Chris Knight, Anya Proops, and Robin Hopkins.

How have EU data protection regulators responded to the judgment?

The ICO’s immediate response came in a statement from Deputy Commissioner David Smith.  This struck a careful and measured tone, emphasising that the Safe Harbour is not the only basis on which transfers to the US can be made, and referring to the ICO’s earlier guidance on the range of ways in which overseas transfers can be made.

On 16th October the Article 29 Working Party issued a statement taking a rather more combative line.  Here are the main points.

  1. The question of massive and indiscriminate surveillance (i.e. in the US) was a key element of the CJEU’s analysis. The Court’s judgment required that any adequacy analysis implied a broad analysis of the third country domestic laws and international commitments.
  2. The Working Party urgently called on Member States and European institutions to open discussions with the US authorities to find suitable solutions. The current negotiations around a new Safe Harbour could be part of the solution.
  3. Meanwhile the Working Party would continue its analysis of how the CJEU judgment affected other transfer tools. During this period Standard Contractual Clauses and Binding Corporate Rules could still be used.  If by the end of January 2016 no appropriate solution with the US had been found, the EU regulators would take “appropriate actions”.
  4. Transfers still taking place based on the Safe Harbour decision were unlawful.

There are a couple of key messages here.  One is that it seems doubtful that the Article 29 Working Party would regard an adequacy assessment by a data controller as being a proper basis for transfer to the US:  see point 1.  A second is that there is a hint that even standard clauses and BCRs might not be regarded as a safe basis for transfer (see point 3): the answer will depend on the outcome of the Working Party’s further analysis of the implications of Schrems.