Discovery and Data Protection

November 30, 2017

In Susquehanna
International Group Limited v Needham [2017]
IEHC 706
, Ms. Justice Baker , sitting in the High Court of Ireland, was faced with a dispute about the extent of the discovery of documents which should be ordered by the court. It is a case in which the plaintiff seeks injunctive relief and damages for breach of contract arising from the alleged misuse of confidential documents obtained in the course of the defendant’s employment regarding the business, employees and business relationships of the plaintiff. Among other claims, it is suggested that the defendant acted so as to help another company to recruit staff from the plaintiff.

There were serious arguments about the width and depth of discovery that was appropriate, with the usual suggestion that the party seeking wider discovery was on a fishing expedition. What makes the case different from the mainstream is what the judge described as ‘the novel question of whether a court should order a person to make discovery of documents that he or she can obtain on foot of a data subject protection request’. One example of the sort of document sought was the notes of the new employer made at the time of the interview of the defendant – information that might often be sought by way of a subject access request but usually by a failed applicant and not for the benefit of the successful applicant’s past employer.

In resisting the call for discovery by making a subject access request, the defendant’s counsel cited Durant v Financial Services Authority [2003] EWCA Civ 1746, in which Auld LJ observed (at [31]) that the request for data made by Mr. Durant was:

‘a misguided attempt to use the machinery of the Act as a proxy for third party discovery with a view to litigation or further investigation, an exercise, moreover, seemingly unrestricted by consideration of relevance’.

It was argued that the purpose was more properly achieved by an order for discovery or non-party discovery. She argued that the power to order discovery is a judicial power and that the plaintiff was attempting to bypass the judicial process. More fundamentally, she argued that the objective of data protection law and the Data Protection Directive is to protect the right of an individual to privacy, to enable the individual to correct any inaccuracy in the personal data relevant to them held by others or to ensure that records of an inaccurate nature are not kept about that person (citing Recital 41).

Baker J ruled as follows:

44. I accept the argument of counsel for the defendant as to the purpose of the Data Protection Directive and the source of the right of a person to make a data request. I consider too that, there are likely to be circumstances where another remedy such as non-party discovery is more appropriate. This derives from the principle that discovery must not be permitted to be oppressive of a litigant and must be proportionate.

45. I am not satisfied that the request in the present case is oppressive or disproportionate. From the evidence and arguments before me, I am satisfied that the defendant has a unique right to seek certain classes of documents. While the request is couched in the language of contemporary data rights, the class of documents sought to be discovered is a type of document which is known and recognised in the common law. A person may be compelled to make discovery of documents which are in the possession of an agent of that person, for example a solicitor, a banker or a trustee, to take a few examples. While I accept that counsel for the defendant is correct regarding the purpose of the Data Protection Directive, and while the plaintiff could seek in the alternative to make an application for non-party discovery against Citadel or Execuzen, the test remains that which is long established in the authorities, namely whether the documents are relevant and necessary and the request is proportionate and not unduly oppressive.

49. The present request for discovery is not in my view an attempt to use data protection law for a collateral purpose. The judgment of the Court of Appeal for England and Wales in Durant v. Financial Services Authority is not on point, as it concerned whether the applicant was himself entitled to access to information, and the Court held that he was misguided, as the proper course of action was to seek discovery and not to make a data request.

50. It matters not therefore that data protection legislation deriving from the Directive has the primary purpose of protecting the right of privacy and accuracy regarding personal data held by others, if the effect of the legislation is to make available as of right certain information held by others relevant to that person.

51. There is no principled reason why information which is capable of being obtained by a data request cannot be the subject matter of a request for discovery. The law would suggest that a data access request ought not to replace discovery where discovery is the more relevant remedy, and the corollary may equally be the case, that discovery ought not to replace a data request. But the question at issue in the present case is whether the defendant can be compelled to obtain documents which are within his power by making a data request. I consider that he can.’

Baker J accepted, however, that the order for discovery must not be oppressive and that the subject access request might not yield all that was hoped for by the plaintiff. The defendant was ordered to take reasonable steps to obtain the documents by means of a subject access request.