Out-Law Analysis | 09 Mar 2020 | 12:28 pm | 6 min. read
There is an inevitable tension between the instinctive desire of insolvency practitioners to realise assets for the benefit of creditors and the privacy rights that attach to data.
This tension is evident in two cases ruled on in England and Wales. The rulings offer some initial insight into how insolvency practitioners should respond to requests from individuals when seeking to exercise their rights under data protection law.
The more recent of the two cases, from 2019, involved several companies within the Cambridge Analytica group.
The Cambridge Analytica offices had been raided by the ICO in March 2018 and the regulator had seized several servers and other evidence as part of investigations under the UK's Data Protection Act 1998 (DPA 98), which applied at the time. Subsequently the main trading company in the group, SCL Elections Limited, was issued with an enforcement notice by the ICO in relation to its handling of a data subject access request (DSAR) submitted by US professor David Carroll.
By the time the enforcement notice was issued insolvency practitioners Vincent Green and Mark Newman had been appointed joint administrators of the Cambridge Analytica companies. They "did nothing to comply" with the enforcement notice after taking the view that they were not 'data controllers' in this case under the DPA 98, and considering that the company had no staff and that its servers "were in the custody and control of the ICO itself".
The High Court considered whether the conduct of the insolvency practitioners in their handling of the DSAR was appropriate. The court also referred to the extent to which an insolvency practitioner must assess "data breaches" generally when first appointed.
The High Court ruled that an administrator is not automatically the controller of personal data for data protection purposes provided they do not take decisions as principal on behalf of the entity. That finding affirmed the view expressed by the court in a 2014 case that involved a company called Southern Pacific Personal Loans.
In the Green case, the High Court also stated that the administrators’ decisions to take no steps to cause the company in administration to comply with an ICO enforcement notice and to consent to criminal proceedings being brought against it for non-compliance were not necessarily wrong in this instance. It considered that the administrators had acted on legal advice that they had no direct responsibility under the ICO’s notice following the ruling in the Southern Pacific Personal Loans case and there was no evidence to suggest that compliance with the notice would have been less burdensome than non-compliance. The administrators, the court said, were entitled to make that commercial judgment.
The High Court also stated that it was for professor Carroll to pursue his "data rights" and not for the administrators or the company in administration to do so. If professor Carroll did elect to pursue such rights against the company in administration, the two questions the joint administrators had to ask were:
With regard to the second question, the relevant "interests" were professor Carroll’s interests as a creditor and not in any other capacity.
The High Court decided that, in the circumstances, the administrators were entitled to decide that it was not in the interests of the creditors as a whole to embark upon a search for professor Carroll’s data and, in doing so, they could properly take the view that to treat professor Carroll in the same way as the other "data claimants" would not cause unfair harm to his interests as a creditor. The court came to that view after considering whether that decision fell within the range of decisions that could be properly made by competent administrators.
The earlier decision in the Southern Pacific Personal Loans case considered the extent to which it is necessary to deal with DSARs where creditor funds will be depleted by the costs of compliance.
The case involved the fallout of a lending business from the Lehman Brothers group which was subject to large numbers of PPI claims. The court heard how the company, since entering liquidation, had been receiving approximately 88 DSARs per month for the apparent purpose of enabling claims management companies to determine whether or not the individuals had a viable PPI claim. The cost of dealing with the DSARs was estimated at averaging more than £40,000 per month.
The High Court ruled that the liquidators were not data controllers in respect of data processed by the company prior to its liquidation, although the ICO had been pushing for the insolvency practitioner to be seen as a joint controller with automatic personal liability.
The insolvency practitioner, seeking to protect the creditors’ position, applied to the court for declaratory relief which would have the effect of enabling the personal data records to be deleted and further DSARs to be refused. However, perhaps in conflict with the Green case, this aspect was declined by the High Court, which stated the appropriate course was to retain sufficient data to enable the company to respond to data requests made before the disposal of the data and to enable the liquidators to deal with any claims that might be made in the liquidation; the liquidators could only dispose of all personal data in respect of which the company was the data controller, so long as the disposal was in a manner which complied with the DPA 98.
It has become significantly more commonplace for individuals, most notably former employees and creditors, to submit DSARs to insolvency practitioners.
DSARs involve searching for and disclosing copies of the personal data held or controlled by an organisation about an individual requester, along with further explanatory information, including why the organisation is holding such personal data, to whom their information is disclosed and the applicable retention locations and periods. It can often seem absurd for an insolvency practitioner, whose primary duty is to act in the best interests of the general body of creditors, to comply with a DSAR given the potentially significant costs of compliance and the negligible benefit to the body of creditors.
However, the starting point is that the insolvent entity is required to comply with a DSAR unless it can rely on one or more of the limited exemptions provided for under UK law to justify not complying with any part of the request. For example, it will not be required to disclose documentation subject to legal professional privilege or confidential references that have been given in respect of employees. Perhaps surprisingly, there are no general exemptions for 'commercial' or 'confidential business' information in the UK.
An insolvency practitioner can decline a DSAR if it becomes "manifestly unfounded, excessive or repetitive in character" or if it would be disproportionate to comply with the request. However, this is a significant hurdle to overcome and the ICO generally expects extensive efforts to be undertaken.
The Green case was helpful, to an extent, and insolvency practitioners and their advisors might look to reference it when building risk-based arguments to decline DSARs.
Each case will need to be considered on its facts. Insolvency practitioners should not ignore DSARs, whether they were made pre- or post-appointment, as the ICO is likely to take a hard line with any such approach as the Southern Pacific Personal Loans case illustrates.
It is clear that courts will not be content for DSARs simply to be left to lapse or for the data to be deleted immediately.
In the event an insolvency practitioner takes the decision to comply with a DSAR made to a company in administration, the costs of compliance should constitute an expense of the company’s administration or liquidation. It is generally not possible to pass those costs onto the requestor, other than in exceptional circumstances.
The position on DSARs in the Southern Pacific Personal Loans case is perhaps less insolvency practitioner-friendly than the position of the court in the Green case. Neither ruling serves to prevent the ICO from taking enforcement action.
The regulator has a wide array of enforcement tools, including enforcement orders requiring certain steps to be taken. Deleting personal data inappropriately following a DSAR is also potentially a criminal offence. It would certainly be helpful to have a decision from the Court of Appeal or further ICO or industry specific guidance on the pursuit of "data rights" against an insolvent company.
There are of course wider data protection compliance requirements, costs and challenges in addition to responding to DSARs, for example putting in place the correct contractual terms when sharing data or reporting a data security breach.
There also remains uncertainty as to what actions might turn an insolvency practitioner into a controller for GDPR purposes, beyond where they play the role of agent, and what action the ICO would actually take and against whom. In practice, the insolvency practitioner will often work closely with the business to realise the relevant assets including data, so guidance in this regard is also needed.
Rif Kapadi and James Hillman are experts in data protection and insolvency law at Pinsent Masons, the law firm behind Out-Law.