The first time I read the GDPR properly, something leapt out at me. For years, the received wisdom about the subject access and other rights provided by the legislation was that they were ‘applicant blind’. You could ask the person for assistance in locating their data, but you could not ask them why they were asking. Even if you knew that the person wanted to wind you up, you had to ignore that. When I got to the GDPR articles about subject rights, it struck me that this was no longer the case.
The relevant text in the final version (Article 12.5) is as follows:
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request
Looking at the foundation, the basis on which the request has been made, opens the door to the applicant’s motive. An unfounded request is one for which there is no legitimate basis, a request which is unwarranted. You cannot come to a conclusion that a request is either ‘unfounded’ and ‘excessive’ in many cases without looking at the person, why they have asked and what they intend to do with the data. The word ‘manifestly’ places a high threshold – it must very obviously be the case that the request is unfounded, but nevertheless, the words are there, and they must be there to allow the controller to refuse in some circumstances. If I’m wrong, tell me what those words are there for.
Believing that GDPR allows controllers to refuse requests because of the motives of the applicant often gets me into disagreements with other DP professionals. Perhaps because the ‘applicant blind’ idea is so basic to some people’s understand of how Data Protection works, or because they disapprove of the idea, a lot of people disagree. Last year, a controversy started when anti-abortion campaigners in Dublin filmed pro-choice demonstrators, and someone on Twitter provided a template SAR request for pro-choice people to use. The idea was to (in one Tweeter’s words) ‘swamp’ the anti-abortion campaign with SAR requests, even to show up and get yourself filmed solely so that you could make a SAR. More recently, pro-Remain campaigners, angry that they are receiving entirely legal election literature from the Brexit Party, suggested making SARs to the party to find out where their data had been sourced from. Virtually every time I pointed out that the data would have come from the electoral register, rendering the SAR pointless, they said they would do it anyway to annoy the Brexit Party and waste their time.
I support the idea of abortion without any hesitation, and I commend those who campaign in favour of the right to abortion. I am also what you might call a Hard Remainer – I wish we weren’t leaving the EU, and when we do, I would support a campaign to go back in on a Full Schengen, Join the Euro platform, partly because I think these things are good on balance, and partly because it would annoy people who voted Leave. Nevertheless, I think the anti-abortion campaign were perfectly within their rights to refuse SARs where they could identify a person’s Twitter comments saying that they intended to do a SAR to waste their time, and if the Brexit Party do the same now, I believe that this would be justified. I think GDPR allows for refusals of requests that are made for reasons other than concerns about personal data.
And if you don’t agree with me, you don’t agree with the Information Commissioner either.
For years, the failed FOI campaigner Alan Dransfield has been sending angry emails and complaints to various people at the Information Commissioner’s Office, usually late at night. I know this because as well as copying in various journalists, news organisations, and politicians, he also includes me. It’s hard to know what Dransfield hopes to achieve with these screeds, which blend an aggressive misreading of how the law works, defamatory accusations against ICO staff and RANDOM words in CAPITALS. Usually these emails come out of nowhere, but his most recent missive was in response to an email from the Information Commissioner, refusing to answer a subject access request he had made to them.
If you ever wanted an extreme case to test the limits of what is acceptable, it’s Dransfield. The ICO’s refusal says that since April 2016, Dransfield has sent them over 120 requests for information under the Data Protection Act 2018 (DPA 2018), the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations 2004 (EIR). In addition, the email contains this remarkable statement:
since May 2018 we have received in excess of 290 items of correspondence from you. Many of these communications have included unsubstantiated accusations of the ICO’s complicity in various crimes and have targeted members of ICO staff with the intention of causing distress
The ICO refusal points out that having previously refused his FOI and EIR requests as vexatious, they are now no longer even acknowledging them because they are about matters which have been dealt with (something which FOI plainly allows). They then go on to say this:
Your requests for information under Article 15 of the GDPR appear to be similarly motivated. We consider that these requests are not made to legitimately establish what information we hold and how we are handling your personal data, but part of a campaign to challenge the decisions that have already been concluded within due process
As well as copying me into his legally illiterate complaints, Dransfield sometimes emails me direct to call me a dickhead or spew out misogynistic and homophobic abuse, but it’s clear that ICO staff have it much worse than me. He’s a toxic character who thrives on causing discomfort and outrage. You might say that if ‘unfounded’ works on him, it’s only because he’s such an extreme case. But Dransfield is not alone. There are other vexatious, unpleasant people whose SARs will be made in the same vein of perpetuating a complaint or a campaign. Most importantly, look at the basis of the ICO’s refusal: we’re saying no because we don’t think you’re making this request for the right reasons. The ICO believes that an unfounded request is one made for the ‘wrong’ reasons.
Assuming this is correct (and obviously this is a rare case where I think the ICO has got it right), the next question is how far this goes. For years, the UK courts argued that using SARs to pursue litigation was an abuse of process – is that use of a SAR unfounded? I think that weaponised political SARs are unfounded, and even if you disagree, I don’t think you can tell me that it’s impossible. The net result of Dransfield’s adventures in FOI was establishing a principle that has been used to refuse many requests as vexatious – exactly the opposite of what he wanted. His campaign against the Commissioner may, ironically, have the same effect in GDPR.
The ICO rejects SARs they believe have been made for the wrong reasons. If they do this for themselves, there have to be circumstances where they will agree when other controllers do this. Pandora’s Box has been opened. Controllers who are dealing with vexatious applicants or orchestrated campaigns should think very seriously about whether denying a person their subject access right is an acceptable thing to do, but they should do so in the knowledge that the UK’s Data Protection regulator has already done it.