The strategic use of Subject Access Requests in the private wealth area is of particular interest. SARs are not new but GDPR has changed the game somewhat. Jonathan Neumann explains.
The General Data Protection Regulation (GDPR) celebrated its first birthday on 25 May 2019.
The EU-wide regulation governing the use of personal data by businesses, corporations and charities operating in the EU and threatening crippling fines of up to €20 million or 4 per cent of an organisation’s annual turnover (whichever is higher), the GDPR was widely feared before it came into force a year ago.
So has it lived up to its expectations? Although it was anticipated that the GDPR would be used to target tech giants such as Google and Facebook – and indeed complaints were filed against them on day one calling for some £7 billion of fines. But the only major enforcement action has been by the French data regulator, which imposed a £44 million penalty on Google for offering insufficient transparency to consumers and relying on unclear consent in the use of personal data for advertisement personalisation on its platforms.
Of the almost 150,000 queries and complaints lodged under the GDPR in the EU over the past year, only around £50 million in penalties have been levied – and most of that is from the Google fine.
That said, this first year is being regarded as a transitional period. The Irish data regulator has hinted that enforcement action against Facebook, Apple, Twitter and LinkedIn may be in the pipeline, while the UK’s data regulator, the Information Commissioner’s Office, has reportedly spent much of the year on cases that arose under the previous data protection laws before it shifts its focus to the GDPR.
The GDPR also has its critics, who point to the enormous expense of implementing it (thought to be up to £20 billion), the regulatory inconvenience it imposes (which has led some U.S. and Asian websites simply to exclude Europeans from access to avoid having to comply with the rules) and the burden it places on small businesses, charities and the European technology industry (some estimate a fall of around 20 per cent in funding for existing and new European tech companies and an 11 per cent drop in new jobs created by the sector). Indeed it has been argued that ironically the impact of the GDPR has been to strengthen large tech companies, whose share of the digital advertising market has increased over the past year.
As for ordinary individuals, other than being bombarded in the first few weeks with updated corporate privacy policies and charities asking for consent to receive their emails, and being unable to access some foreign websites, the effect of the GDPR has probably been quite limited.
One area of data protection law that can be particularly useful to HNWs, however, is subject access requests (SARs). SARs could be made prior to the implementation of the GDPR, albeit that the GDPR has introduced some changes to the procedure.
SARs are requests made by individuals to any business or organisation regarding any personal data of theirs that is being held and how it is being used. It can be made not only to tech companies and other commercial outfits but also, more interestingly, employers, media outlets and lawyers. There are bases for the recipients of these requests to decline them, but these exceptions are fairly narrow and – with some significant exceptions – largely untested in the courts.
One of those exceptions is the long-running Bahamian trust case of Dawson-Damer v Taylor Wessing. The beneficiaries of the trust served SARs on Taylor Wessing, the trustee’s English solicitors, to acquire information pertinent to the Bahamian case but which they could not access in the Bahamas.
The Court of Appeal concluded that Taylor Wessing’s legal professional privilege (LLP) argument only applied to data that would not be disclosable under English law, rather than data that was not disclosable under Bahamian law, thereby narrowing the scope of LLP in a ruling that shocked the industry.
More recently, the High Court (to which elements of the case were remitted) concluded that Bahamian law does not give the beneficiaries an automatic right to see the trustee’s legal advice, a ruling that came as some comfort to the offshore trust industry and their English solicitors.
At a time when transparency in financial affairs and ownership of assets is being imposed by governments across the world, SARs are an important tool for limiting what third parties know about you and how they use that information.