UK GDPR: High Court delivers judgment on the ‘right of access’ and the ‘household exemption’

When Alasdair Cameron, the owner of a gardening company Alasdair Cameron Limited (ACL), took a job with property investor Mark Harrison, he probably didn’t expect to end up at the High Court of England and Wales (EWHC) explaining why he shared recordings of two threatening phone calls with his client.

Harrison claimed Cameron was obliged under the UK General Data Protection Regulation (GDPR) to reveal who received a copy of the recordings. Cameron refused, claiming that to do so would adversely affect the rights of his friends and family. 

The High Court’s judgment sheds new light on the UK GDPR’s “right of access”, the “purely personal or household” exemption, and the continued influence of the Court of Justice of the European Union (CJEU) and other EU bodies. 

Background to the case

When Cameron finished work on Harrison’s Surrey estate and asked him to settle the remainder of his £650,000 invoice, Harrison responded with a series of threatening and offensive remarks over the course of two phone calls. 

Cameron recorded the calls and shared them with 12 people, including friends, family, and employees. Some of those people further shared the recordings with others. 

Harrison submitted two data subject access requests (DSARs): One to Alasdair Cameron himself, and the other to his company, ACL. 

Among other things, Harrison demanded to know who received copies of the recordings under Article 15 (1) (c) of the UK GDPR, which entitles the data subject to know the “recipients or categories of recipients” of their personal data. 

Cameron refused to comply with this part of the request, and the case reached the High Court. 

Purely personal or household activity?

The court considered whether Cameron was exempt from the UK GDPR when he shared the recordings with his friends and family. Article 2 of the UK GDPR says that the law does not apply to “purely personal or household activity.” 

To answer this question, the court looked at several EU cases that continue to apply in the UK because they were decided before Brexit: 

• Lindqvist v Sweden (Case C-101/01) 
• Ryneš v Úrad pro ochranu osobních údaju (Case C-212/13) 
• Jehovah’s Witnesses (Case C-25/17) 

These cases were all cited in a UK Court of Appeal judgment, Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd (2017). 

Based on these four precedents, the court decided that Cameron was not covered by the UK GDPR’s “household exemption” because the processing was not “purely” personal – it was partly related to Cameron’s work. 

Was Cameron a controller?

Given that the “household exemption” did not apply, the court had to decide whether Cameron (the natural person) was a controller of Harrison’s personal data – or whether the only relevant controller was Cameron’s company, ACL. 

The court considered two UK cases, Ittihadieh (again) and In re Southern Pacific Personal Loans Ltd (2014). The judge also looked at European Data Protection Board (EDPB) guidance on the controllers and processors to aid her interpretation of the law. 

The court found that Cameron was not a controller because, as an individual, he had not determined the purposes and means of processing – his company, ACL, had done so. 

Recipients or categories of recipients? 

Harrison said Cameron had damaged his reputation by sharing the call recordings, and demanded to know the identities of the people with whom Cameron had shared them. 

Article 15 (1) (c) of the UK GDPR states that data subjects are entitled to request the “recipients or categories of recipients” of their personal data. So which is it – the recipients or the categories or recipients? Does the data subject get to decide, or the controller? 

To answer this question, the court considered a CJEU judgment, Austria Post (C-154/21), in which the CJEU determined that data subjects were entitled to know the specific recipients of their personal data in almost all circumstances. 

Austria Post was decided after Brexit completion day, so it is not binding on UK courts. However, UK judges may “have regard to” such cases when considering matters of EU law. 

The judge agreed with the CJEU in Austria Post and decided that, on principle, Cameron was required to tell Harrison the identities of the people who received the call recordings.

Other people’s rights and freedoms

Given the nature of his exchanges with Harrison, Cameron was understandably reluctant to reveal the names of friends and family members with whom he had shared the phone records. 

Cameron relied on Article 15 (4) of the UK GDPR, which says that controllers must take account of the “rights and freedoms” of other people when responding to a subject access request. 

Citing a recent High Court case, X v Transcription Agency (2023), the judge found that Cameron was justified in not revealing the names of the people with whom he had shared the recordings. 

Therefore, despite the information being in scope of the UK GDPR’s right of access, Cameron was right not to reveal it to Harrison. 

The UK courts hear relatively few data protection cases, and Harrison v Cameron deals with some of the UK GDPR’s most fundamental rules and principles. The High Court’s application of CJEU cases shows how the EU can continue influencing judicial interpretation of retained EU law following Brexit.