A cure for blindness

The first time I read the GDPR properly, something leapt out at me. For years, the received wisdom about the subject access and other rights provided by the legislation was that they were ‘applicant blind’. You could ask the person for assistance in locating their data, but you could not ask them why they were asking. Even if you knew that the person wanted to wind you up, you had to ignore that. When I got to the GDPR articles about subject rights, it struck me that this was no longer the case.

The relevant text in the final version (Article 12.5) is as follows:

Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a)  charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b)  refuse to act on the request

Looking at the foundation, the basis on which the request has been made, opens the door to the applicant’s motive. An unfounded request is one for which there is no legitimate basis, a request which is unwarranted. You cannot come to a conclusion that a request is either ‘unfounded’ and ‘excessive’ in many cases without looking at the person, why they have asked and what they intend to do with the data. The word ‘manifestly’ places a high threshold – it must very obviously be the case that the request is unfounded, but nevertheless, the words are there, and they must be there to allow the controller to refuse in some circumstances. If I’m wrong, tell me what those words are there for.

Believing that GDPR allows controllers to refuse requests because of the motives of the applicant often gets me into disagreements with other DP professionals. Perhaps because the ‘applicant blind’ idea is so basic to some people’s understand of how Data Protection works, or because they disapprove of the idea, a lot of people disagree. Last year, a controversy started when anti-abortion campaigners in Dublin filmed pro-choice demonstrators, and someone on Twitter provided a template SAR request for pro-choice people to use. The idea was to (in one Tweeter’s words) ‘swamp’ the anti-abortion campaign with SAR requests, even to show up and get yourself filmed solely so that you could make a SAR. More recently, pro-Remain campaigners, angry that they are receiving entirely legal election literature from the Brexit Party, suggested making SARs to the party to find out where their data had been sourced from. Virtually every time I pointed out that the data would have come from the electoral register, rendering the SAR pointless, they said they would do it anyway to annoy the Brexit Party and waste their time.

I support the idea of abortion without any hesitation, and I commend those who campaign in favour of the right to abortion. I am also what you might call a Hard Remainer – I wish we weren’t leaving the EU, and when we do, I would support a campaign to go back in on a Full Schengen, Join the Euro platform, partly because I think these things are good on balance, and partly because it would annoy people who voted Leave. Nevertheless, I think the anti-abortion campaign were perfectly within their rights to refuse SARs where they could identify a person’s Twitter comments saying that they intended to do a SAR to waste their time, and if the Brexit Party do the same now, I believe that this would be justified. I think GDPR allows for refusals of requests that are made for reasons other than concerns about personal data.

And if you don’t agree with me, you don’t agree with the Information Commissioner either.

For years, the failed FOI campaigner Alan Dransfield has been sending angry emails and complaints to various people at the Information Commissioner’s Office, usually late at night. I know this because as well as copying in various journalists, news organisations, and politicians, he also includes me. It’s hard to know what Dransfield hopes to achieve with these screeds, which blend an aggressive misreading of how the law works, defamatory accusations against ICO staff and RANDOM words in CAPITALS. Usually these emails come out of nowhere, but his most recent missive was in response to an email from the Information Commissioner, refusing to answer a subject access request he had made to them.

If you ever wanted an extreme case to test the limits of what is acceptable, it’s Dransfield. The ICO’s refusal says that since April 2016, Dransfield has sent them over 120 requests for information under the Data Protection Act 2018 (DPA 2018), the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations 2004 (EIR). In addition, the email contains this remarkable statement:

since May 2018 we have received in excess of 290 items of correspondence from you. Many of these communications have included unsubstantiated accusations of the ICO’s complicity in various crimes and have targeted members of ICO staff with the intention of causing distress

The ICO refusal points out that having previously refused his FOI and EIR requests as vexatious, they are now no longer even acknowledging them because they are about matters which have been dealt with (something which FOI plainly allows). They then go on to say this:

Your requests for information under Article 15 of the GDPR appear to be similarly motivated. We consider that these requests are not made to legitimately establish what information we hold and how we are handling your personal data, but part of a campaign to challenge the decisions that have already been concluded within due process

As well as copying me into his legally illiterate complaints, Dransfield sometimes emails me direct to call me a dickhead or spew out misogynistic and homophobic abuse, but it’s clear that ICO staff have it much worse than me. He’s a toxic character who thrives on causing discomfort and outrage. You might say that if ‘unfounded’ works on him, it’s only because he’s such an extreme case. But Dransfield is not alone. There are other vexatious, unpleasant people whose SARs will be made in the same vein of perpetuating a complaint or a campaign. Most importantly, look at the basis of the ICO’s refusal: we’re saying no because we don’t think you’re making this request for the right reasons. The ICO believes that an unfounded request is one made for the ‘wrong’ reasons.

Assuming this is correct (and obviously this is a rare case where I think the ICO has got it right), the next question is how far this goes. For years, the UK courts argued that using SARs to pursue litigation was an abuse of process – is that use of a SAR unfounded? I think that weaponised political SARs are unfounded, and even if you disagree, I don’t think you can tell me that it’s impossible. The net result of Dransfield’s adventures in FOI was establishing a principle that has been used to refuse many requests as vexatious – exactly the opposite of what he wanted. His campaign against the Commissioner may, ironically, have the same effect in GDPR.

The ICO rejects SARs they believe have been made for the wrong reasons. If they do this for themselves, there have to be circumstances where they will agree when other controllers do this. Pandora’s Box has been opened. Controllers who are dealing with vexatious applicants or orchestrated campaigns should think very seriously about whether denying a person their subject access right is an acceptable thing to do, but they should do so in the knowledge that the UK’s Data Protection regulator has already done it.



  1. alan dransfield says:

    In essence you have confirmed that a SAR should not be refused under any motives . You have failed to confirm that the FOIA and GDPR 2018 are completely different animal and they cannot be used as a Protean strategy. The laws are different simple as. Personally, I don’t give a fat rats ass what you think of me, I still think you are a wanker and a Information Commissioner wannabee. You have been bleating about the bad things I have said about you but you started the abuse if my memory serves me correctly and my invitation for a quite chat still stands open.

    No way on gods earth could the ICO refuse my SAR dated 21st Aril and no way on Gods earth could they rely upon FOIA Laws . BTW, I still think you are a fucking Dickhead, live with it . Put up or shut up you fucking faggot.

    On Sun, May 19, 2019 at 10:18 AM 2040 information law blog wrote:

    > Tim Turner posted: “The first time I read the GDPR properly, something > leapt out at me. For years, the received wisdom about the subject access > and other rights provided by the legislation was that they were ‘applicant > blind’. You could ask the person for assistance in locat” >

    • If you didn’t care what I think, you wouldn’t be so upset, Alan. Your failing memory defeats you once again, as you have been sending me abusive, homophobic, misogynistic and defamatory comments for years. The hilarious thing is, you’re going to help controllers to refuse as many SARs as you previously helped public authorities to refuse FOIs. It’s like you have a reverse Midas touch – everything you touch turns to shit.

      • alan Dransfield says:

        If you think I have broken the laws I suggest you contact the Old Bill and I amazed you have given me the right to reply because you normally block my response. You are missing the point you fucking wanker, the two laws do not run together it is not a fucking woolworth pick and mix. The ICO claim I have submitted 120 DATA requests which is bollocks. I have submitted ONE SAR only which come after zero and before #2 .

      • I block your responses because you often make defamatory comments about third parties. I’m not going to risk getting sued for your lies. As long as you just keep abusing me, you’re showing anyone who reads this blog what kind of a man you are, and that suits me just fine. You’ve made fundamental errors in both comments here, and I think it helps others to see how little you understand the issues. It explains why you end up helping organisations instead of individuals.

  2. Tim is it necessary to attack Mr Dransfield in order to put up your own considerations of Elizabeth Denham’s dictates etc ?

    • I don’t believe that Denham was involved in the decision, so I think your comment is erroneous. I think it is both relevant and necessary to talk about Dransfield’s unacceptable and abusive conduct. I don’t accept that I have attacked him, and if that’s you see it, perhaps you could comment on whether it was necessary for him to call me a fucking faggot in the comment above?

  3. Sarah Mumford says:

    For, as you say, a very small number, it is worth having the ICO’s wording to hand as a precedent. I agree about ‘applicant blind’ too: often if one approaches a requester to ask if there is any thing, or time frame, they are particularly interested in, they will often say so. If they do I always say they can come back for Everything but can’t remember a time when they did.

  4. Mark Brincat says:

    In my opinion these words “Manifestly unfounded or excessive” are just vague and nebulous terms until case law gives them shape and meaning. Fundamentally there will be 2 types of Controllers with regards to interpretation of these terms. The one that is cautious and is only prepared to apply it to cases where it is plainly applicable (ie repeat requests) or the other brand of Controller who is prepared to take a punt and adopt a generous interpretation of these terms in the hope that they can get away with it (albeit in theory they need to justify it)

    Ultimately the ICO does not know definitively the applicabity of these terms otherwise they would have provided guidance. Which leaves me to believe that either they are as much in the dark as we are or they lack conviction in their stance.

    I agree that these terms have been included by the legislators for a reason (or at least I hope so and were not left in in error!) but we can only speculate about the extent of their application. However I find it hard to imagine, taking into account that the fundamental principle of GDPR was the protection of individuals rights and freedoms, that the intention was to give Controllers the latitide to dilute the right of access by simply challenging the motivation behind it. That would be a slippery slope!

%d bloggers like this: