A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 23 March 2023
This recent decision of Courtney Timothy Riley v The Student Housing Company (ops) Limited saw the Scottish Courts being asked to interpret the exemptions to Articles 5(1)(a) and 5(1)(b) of the UK GDPR. The Pursuer (Claimant) alleged that there had been a breach of the Defender’s duty to process his personal data lawfully and fairly, and for specified and legitimate purposes. The Defender argued that the exemptions in Schedule 2 of the 2018 Act applied, as any disclosures it made were made in connection with legal proceedings and for the purpose of defending legal rights.
The facts of the case were rather unusual. The Pursuer had been an employee of the Defender. His contract of employment was terminated in December 2019. Another employee, Mr A, raised employment tribunal proceedings against the Defender. Mr A made a number of allegations of wrongdoing by the Defender, many of which concerned the Pursuer’s conduct towards him during the course of his employment, including the use of derogatory and discriminatory language.
Mr A’s case proceeding to an Employment Tribunal hearing and the decision of the Tribunal was reported in March 2022. Mr A’s claim was successful and he was awarded compensation. The Pursuer was named 162 times in the Tribunal’s decision. The decision was reported in the press, with the Pursuer being described as having made ‘vile jibes’ about Mr A.
The Pursuer claimed that the Defender processed his personal data while defending the employment tribunal proceedings. He claimed that the Defender should have told him about the employment tribunal proceedings; provided him with copies of the tribunal bundles; asked him to comment on the allegations that had been made against him; and invited him to provide a witness statement to be put to the employment tribunal. The Pursuer claimed that the Defender’s failure to take these steps constituted a breach of its duty to process his personal data fairly and transparently, in terms of Article 5(1)(a). The sum sued for was £75,000. He claimed for distress and anxiety under the 2018 Act, and also claimed that his employment prospects had been impacted.
The Pursuer argued that the Defender had breached its duties under the UK GDPR. He argued that the exemption would only take effect if the data controller could not otherwise comply with the listed provisions.
The Defender argued that it was not necessary for a data controller to demonstrate that it was impossible to comply with the provisions to rely on the exemption, otherwise the exemption would serve no purpose.
The Court’s decision
The matter proceeded to a diet of debate on the legal arguments, with the Defender inviting the Court to strike out the Pursuer’s claim before proof (trial). The core issue for the Court was the interpretation of Paragraph 5(3) of Schedule 2, which states that the listed GDPR provisions do not apply: “to the extent that the application of those provisions would prevent the controller from making the disclosure.”
The Court observed that “The rationale for the exemption contained in Paragraph 5(3) of Schedule 2 appears to be that a party’s duties as a data controller should not fetter its discretion to conduct litigation as it sees fit in pursuance of the vindication of its legal rights, or impinge on its right to a fair trial in terms of Article 6 of ECHR. It is because of the potential for tension to arise between these considerations that the exemption is necessary.”
The Court accepted the Defender’s submissions and dismissed the Pursuer’s claim. The purpose of the exemption is to ensure that a litigant’s duties as a data controller do not impinge on its right to a fair trial.
There are a number of interesting takeaways from this decision:
This is one of the few reported decisions of the Courts in Scotland on the interpretation of the UK GDPR. Had the case been decided in favour of the Pursuer, the consequences could have been significant and far reaching. This is a welcome decision for Data Controllers and gives some insight into the level of detail the Scottish Courts will expect to see in pleadings in such claims.
A link to the decision can be found here.
0141 223 8561
+44(0) 141 223 8568
Hans Allnutt, Astrid Hardy
Patrick Hill, Sonali Malhotra
Julian Miller, Clare Hughes-Williams
Patrick Hill, Camilla Elliot
Hans Allnutt, Camilla Elliot
Hans Allnutt, Stuart Hunt
Astrid Hardy, Hans Allnutt
Julian Miller, Tom Evans
Jade Kowalski, Astrid Hardy