The EU’s General Data Protection Regulation (“GDPR”) contains the much-publicised right of subject access, which gives an individual the right to access a copy of all the personal data a controller holds in relation to him or her.
Under the GDPR, anything that can identify a living individual is personal data. Obvious examples include names, dates of birth, and addresses. Less obvious examples include photographs, identification numbers, or statements of opinion or fact about a person.
The GDPR also has extra-territorial scope, which means that it applies to organisations and businesses outside the borders of the EU if they meet certain criteria. Organisations based outside the EU could therefore find themselves on the receiving end of a subject access request (“SAR”) from an employee, customer or any other individual whose data they process.
Unsurprisingly, SARs are often used aggressively in disputes (most commonly between employers and employees, but they arise in other situations too).
Article 14 of the GDPR includes certain exceptions to the right of subject access, one of which is “where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law”. This exception is intended to provide for legal professional privilege.
Unfortunately, the position in relation to privilege and SARs is not straightforward. The GDPR crosses borders. SARs cross borders. But privilege does not necessarily cross borders. The UK and US both have the concept of legal professional privilege; but they are not exactly the same. By contrast, Germany’s equivalent “professional secrecy” protections are much more narrow in scope. Similarly, in the US and UK, advice from in-house counsel is generally privileged; but in many European jurisdictions, privilege applies only to advice from external lawyers.
To complicate the position further, the GDPR has extra-territorial scope, so a business in the US may receive a SAR. But, problematically, the privilege exception in the GDPR only applies to obligations of professional secrecy “regulated by Union or Member State law”. So, arguably, a US controller in scope of the GDPR cannot rely on the privilege exception when faced with a subject access request from an EU data subject. It seems unlikely that this was the intention of the European Commission when drafting the legislation.
European data protection authorities are yet to issue any guidance on this topic and it has not been the subject of any court decisions. But businesses, particularly those that operate across borders, should be prepared to handle a SAR within a tight timescale (the GDPR requires that controllers comply with them within 30 days in most cases, and the penalties for failing to comply could be severe) and should be cognizant of the risk posed by cross-border privilege issues in their planning.
Steps to take include:
- Identify where SARs are most likely to come from. Do you have employees or customers in the EU? Be aware that certain business activities are more likely to give rise to SARs: redundancy exercises, for example.
- Have a procedure in place for responding to and dealing with SARs. Have a SAR policy available and ensure all staff know who to contact if they receive one.
- Never assume your communications are privileged: think carefully about what you commit to writing.
- If you believe there is a genuine claim to privilege, assert it. But document your reasons for claiming privilege, and be prepared for it to be challenged.
- Consider engaging external counsel at an early stage if you receive a cross-border subject access request.
- Think very hard before relying on in-house counsel in jurisdictions where the advice of in-house counsel does not attract privilege. Consider engaging external counsel in those jurisdictions.
- Remember – you can handle a SAR tactically. The GDPR does not require you to hand over files or documents; it only requires you to provide the individual with their personal data. For example, it is possible (and advisable) to extract the sentences that form an individual’s personal data from a document and put them into a schedule, so that the individual simply receives a schedule of statements relating to them. It may take more time or cost more money to handle a SAR in this way, but it may save time and money down the line.