Repetitive Data Subject Access Requests: a recent ruling

Lees v Lloyds Bank plc [2020] EWHC 2249 (Ch).

The claimant in this case alleged that their bank had failed to respond fully to a data subject access request, but the High Court held that the bank had responded adequately to the data subject access requests (and so did not make an order against the bank). The court also made a clear comment on the excessive data subject access requests made by the claimant.

The High Court reiterated that a court has discretion to refuse to grant an order to comply with a data subject access request. Here, the court said that it was clear that the access requests were so numerous and repetitive as to be abusive.

Additionally, the real purpose of the request was held not to be to obtain access to personal data held, but to indirectly gain access to documents. In this case, the claimant had a collateral purpose, namely to use a data subject access request as a means of gaining access to documents in order to litigate against the bank – using a data subject access request as a means for extending its usual rights under the disclosure process in litigation.

This ruling is interesting because it restates the court’s discretion in making orders for a data subject access request, and it acknowledges the burden that data subject access requests place on many client-facing businesses. The court has also chosen to use the case to make a statement as to the disingenuous motive behind data subject access requests and the abusive nature of repetitive requests.

Under the Data Protection Act 2018, no charge may be made for an access request by a business or data controller. However, if the controller can show that requests from a data subject are manifestly unfounded and excessive, the controller can either charge for responding to the request or refuse to act on it (article 12(5) GDPR). This case may support businesses in refusing (or at least charging for) repeat data access requests that it believes to be “nuisance” requests.