In Rudd v Bridle [2019] EWHC 893 (QB), Warby J tried a number of issues arising out of a data subject access request (“DSAR”) under s.7 of the Data Protection Act 1998 (“the DPA 1998”). He held that information provided to the Claimant was inadequate, rejected the Defendant’s entitlement to rely on three claimed exemptions and ordered him to provide the Claimant with further information.
Background
The Claimant, Dr Rudd, is a consultant physician who specialises in respiratory medicine and is one of the country’s leading experts on asbestos-related cancers such as mesothelioma. The First Defendant, John Bridle, has spent his career working in the asbestos industry and runs a website called Asbestos Watchdog, which promotes the industry’s interests. The Second Defendant, J & S Bridle Limited, was a company controlled by Mr Bridle and his son.
Mr Bridle had made a complaint to the General Medical Council alleging that Dr Rudd had falsified the risks to health associated with chrysotile or white asbestos in his expert reports to the courts. The GMC rejected the complaint as not meeting the standard for investigation, which decision was upheld on review following a challenge by Mr Bridle. Mr Bridle also made unfounded allegations to MPs and communicated with unnamed allies in the asbestos industry about ways to discredit Dr Rudd.
Dr Rudd sought further information to find out more about Mr Bridle’s activities and which individuals or companies were behind the complaint. Mr Bridle contended that his company J&S Bridle Limited was the data controller, not himself personally and sought to rely on the journalism, regulatory activity and legal professional privilege exemptions.
Dr Rudd made a DSAR and issued a notice under section 10 DPA 1998. This, on any view, somewhat spiralled. Mr Bridle contended that his company J&S Bridle Limited was the data controller. A second SAR and notice were issued against the company. The Defendants contended that almost all of the data requested was exempt on grounds of legal professional privilege (para 10 of Sch 7), the journalism exemption (section 32) or the regulatory proceedings exemption (section 31).
Judgment
The Issues
There was, as Warby J, noted a dispute about the issues in dispute ([56] to [57]). The Judge decided that the main issues were as follows ([59])
- “Data Controller Issues”: Who was the data controller – Bridle personally or the Company?
- “DSAR issues”:
- “Exemption Issues”: Could the data controller rely on the three exemptions claimed – Journalism, LPP, Regulatory Exemption?
- “Adequacy issues”: Was the existing information provided sufficient under s.7 DPA 1998?
- “Unwarranted Processing Issue”: whether Dr Rudd had established a basis for an order under s.10 DPA 1998.
- “Remedies Issue”: Whether the court should make orders under (a) s.7(9); (b) s.10 or (c) 13 of the DPA 1998.
The Judge found that issue (3) and issues (4)(b) and (c) were not ready for trial as these had not been properly pleaded by Dr Rudd ([60]). These claims were dismissed.
Evidence
Warby J found that Dr Rudd was an honest and straightforward witness ([64]). In contrast, he found that Mr Bridle’s evidence was not reliable ([68]). He found that the complaint to the GMC meant that for motives of personal greed, and in order to enable individuals to claim undeserved compensation, Dr Rudd had been party to a massive fraud on the Court and on innocent businesses by deceiving the Court on a number of occasions.
In addition, he found that Mr Bridle was not frank with the Court about the role in which he made the GMC Complaint, and had sought to dress up what he did as something done solely and exclusively on behalf of the Company when he knew that he did not have that in mind at the material time.
Data Controller Issue
The final issue was also a very fact-specific one as to whether or not Mr Bridle was a/the data controller, rather than the company. Warby J referred to the guidance of the Article 29 Working Party in Opinion 1/2010 ([142]) that the question is who exercises practical control over the data. The question is: why is the processing taking place, who initiated it?
Mr Bridle was the only person who fitted these criteria. He claimed that Asbestos Watchdog was an alter ego of the Company however the Judge held that it was a “personal project” of Mr Bridle.
Warby J said that the fact that Mr Bridle used his company email address and sometimes signed as director did not undermine the conclusion that he was the data controller. These were instances of him borrowing company facilities to further his aims. The personal data was being held, used or disclosed under the control of Mr Bridle who was not acting in the capacity as director ([153])
DSAR Exemption Issue
As to s.32 journalism exemption, Warby J referred to his previous holding in NT1 that the concept of journalism is not so broad to cover every activity conveying information or opinions. Data processed for more than one purpose are not exempt. The statutory test must be met, and that involves a subjective and an objective element: at [77].
Mr Bridle’s evidence did not address all of the statutory tests. It is not sufficient simply to say that a solicitor has reviewed the data and applied the exemption (especially where the inference is that the only source of the solicitor’s views was an unreliable witness): at [78]-[82].
As to the “regulatory purposes” exemption in s.31 of the DPA 1998, the Judge inclined to the view that this exemption only applies to the regulatory body and cannot be claimed by a controller who has supplied information to it ([88]). But in any event, the exemption only applied to the extent to which provision of subject access would be likely to prejudice the proper discharge of the relevant functions. There was no evidence of this ([89]). Such prejudice could not be inferred from the fact that the GMC had not volunteered all the data to Dr Rudd. In any event there could be no prejudice where the GMC involvement had long since concluded ([90]).
As to the “privilege” exemption, Warby J refused to accept the evidence of Mr Bridle’s solicitors. He did not consider that the evidence bore out litigation privilege in circumstances where there was no evidence that the information was held for the dominant purpose of litigation ([97]).
DSAR Adequacy Issue
Under s.7 of the DPA 2018, a data subject whose personal data is being processed is entitled to a description of the personal data (s.7(b)(i)), the purposes for which they are processed (s.7(b)(ii)) and the recipients to whom they are or may be disclosed (s.7(b)(iii)).
As to the identification of recipients, Warby J held that Dr Rudd was entitled to a description of the recipients or classes of recipients, but not to know their names ([105)]. However, in some cases the identities of the persons concerned were also Dr Rudd’s personal data. Warby J approached this on the basis that people who had been anonymised who were alleged to have conspired with Dr Rudd in the alleged fraud were his personal data ([116]). Similarly, people with whom it was said he had helped to attack others, and people referred to as “victims of Rudd” were his personal data. This was on the basis that this information was biographically significant ([116]).
Under s.7(1)(c), the data subject is entitled to have communicated in intelligible form the information constituting the personal data (s.7(c)(i)) and any available information as to the source of those data (s.7(c)(ii)).
As to sources, Warby J held that under s.7(1)(c), the Claimant was entitled information about the sources of personal data and there was no need to show that this was Dr Rudd’s personal data. Here the entitlement was not to a description, but to the actual information i.e. the names ([120] to [124]).
Warby J rejected Mr Bridle’s blanket approach, refusing to identify any third party sources. He pointed out that the names of firms, companies and other legal entities could not be withheld. Further, there was no evidence that anyone had been asked for consent and he had no reason to doubt that disclosure would be reasonable.
As to intelligibility, Warby J rejected the submission that Dr Rudd was entitled to know the full contents of the documents so that personal data could be placed in context. He had no right to know the full contents of documents ([126] to [127]).
As to a description of the purposes of the processing, Warby J held the principle of proportionality must be kept in mind. The essence of the right is to know what the data controller is doing or intends to do with personal data relating to the data subject. There is no obligation to provide that information on a document-by-document basis ([130]).
Remedies
The only relevant remedy was an order under s.7(9) DPA 1998. In relation to the exercise of the discretion Warby J considered the various factors set out in the Ittihadieh case ([2018] QB 256 at [110]). He rejected the argument that he should not make an order but declined to order the full relief claimed by Dr Rudd and, in particular the disclosure of documents. He ordered disclosure of descriptions of recipients, of sources, of the purposes of processing and the dates of documents ([133]).
Comment
This is long and complex judgment which deals with a number of novel data protection issues. Although they concern DSARs under s.7 the same issues will arise in relation to requests made under Article 15 of the GDPR. Two areas of the discussion of the legal issues are of particular note.
First, there is detailed consideration of the nature of the information which a respondent to a DSAR is required to provide. This covers the “classes of recipients” (but not their identities) and the identities of the sources of the data. In relation to the latter, information should be provided as to the identity of companies or firms but not in relation to individuals unless they have consented or it is reasonable to do (see s.7(4) and, now DPA 2018, Sch 2, para 16). The case emphasises the well-established point that the right is obtain a “copy of the personal data”, not copies of the documents containing the data.
Second the judgment is the first to consider, in detail, how to determine whether an individual who is a company director is the data controller in a personal capacity or whether the data controller is the company. This is question of fact but the judgment contains a useful discussion of the factors to be taken into account.
Finally, the judgment emphasises the need fully to plead out a data protection case – setting out the precise relief being claimed and the grounds for this to include the nature of any distress being claimed. A number of claims were dismissed by the Judge although it appears that the limitation period has not expired and it is possible that Dr Rudd could bring a fresh action for damages.
This is an area of litigation which is increasing in importance and complexity. This judgment provides interesting and helpful guidance and should be read by all practitioners in the field.
Hugh Tomlinson QC is a member of the Matrix Chambers media and information practice group.
Leave a Reply