KB 2023 004108 - [2025] EWHC 1824 (KB)

The defendant did not dispute that, for relevant purposes, it was a data controller, liable for the acts and omissions of Mr Stevens, and, in processing personal data, was subject to the duties provided by the UK GDPR. It further accepted that, in the compilation of JS1, it had processed the claimants’ personal data – including special category data (relating to the claimants’ health) - and had not sought their consent. The defendant disputed, however, that it thereby acted in breach of the UK GDPR. Specifically, it contended: (i) pursuant to article 6(1)(c) (by virtue of the defendant’s duties to the court) and (e) (furthering of the administration of justice in the public interest), the processing was reasonably necessary for the performance of a task carried out in the public interest, namely the administration of justice; further/alternatively (ii) pursuant to article 6(1)(f), the processing of the claimants’ personal data as part of JS1 was reasonably necessary for the purposes of the legitimate interests of the insurers and of the defendant (acting for the insurers) in defending the Ersan claims, which were not outweighed by any interests, rights or freedoms of the claimants, not least because (a) by bringing/threatening their claims, they should reasonably have expected that their personal data would be used by the defendant and put before the courts in open proceedings, and (b) they did not allege that they suffered any compensable damage or distress as a result of the processing of which they complained.

As for the current iteration of the claimants’ case, this had shifted ground: the focus was now on the question of the necessity of using the claimants’ names without pseudonymisation (not expressly pleaded or requested as part of the claim for declaratory relief). To the extent it was open to the claimants to now advance this case, it went nowhere: (i) the probative value of JS1 was to be tested in the County Court proceedings (the County Court and (on appeal) the High Court having accepted it was sufficiently reliable to be admissible); (ii) there was a clear evidential justification for each element of the data that went into JS1 (see JS2), which explained why it had been reasonably necessary to include the claimants’ names when creating JS1 and when providing this to Ersan and the court (further disclosure to individual claimants was by Ersan); (iii) the article 9(1) prohibition against special category data processing did not apply given JS1 was necessary for the establishment, exercise or defence of legal claims (see article 9(2)(f)); (iv) more generally, reasonable necessity did not mean “strictly” necessary, but allowed for a range of reasonable responses, and the data processing in JS1 met the proportionality test; (v) it could not be said that, in bringing legal claims against insurers, the claimants should not reasonably have expected the data they disclosed would not be probed and analysed in this way; (vi) there could be no objection to the data in JS1 being disclosed to the County Court and Ersan; (vii) had pseudonymisation been the claimants’ real objective, this could have been achieved without litigation - the defendant had agreed to this when the County Court proceedings resumed in March 2023, sending the pseudonymised spreadsheet to Ersan on 31 March 2023, before these proceedings commenced; (viii) more generally, given they were willing to put their personal data (including special category data) into open court in their (proposed) County Court claims and/or in the present proceedings, the claimants’ evidence as to their upset was properly to be described as confected.

The complaints regarding fairness and transparency added nothing: (i) the defendant was entitled to rely on the privacy notice on its website (no complaint was made in respect as to the content of that notice), but, in any event, the investigation of data provided in legal proceedings was to be expected; (ii) it would not have been proportionate for the defendant to contact each (potential) Ersan claimant with its privacy notice; (iii) there had been no valid request under article 17, which, in any event, did not apply to processing necessary for the establishment, exercise or defence of legal claims (article 17(3)(e)); (iv) more generally, articles 14 and 17, and corresponding provisions within article 5, were subject to the like exemption at paragraph 5(1)(c) of Schedule 2 to the Data Protection Act 2018; (v) there was generally no unfairness in putting arguments on a client’s instructions (see the unreported judgment of the Deputy Master in claim KB-2023-001056 Dowding v Laddie (23 October 2023)).

Otherwise, while accepting that the claimants’ claims strictly fell outside the rule in Henderson v Henderson, the defendant contended that these proceedings were an abuse, amounting to an attempt by Ersan to use the claimants’ UK GDPR rights: (i) to relitigate issues raised but not pursued in other proceedings; and/or (ii) to collaterally circumvent the outcome of those other proceedings, and/or (iii) to circumvent the Ersan undertaking. Had the three claimants been party to the proceedings before HHJ Backhouse, these claims would undoubtedly fall to be struck out on a Henderson v Henderson basis. This litigation was an attempt by Ersan to achieve the same end (the undermining of the defendant’s, and its insurer clients’, ability to rely on JS1) via a different claim between different parties. Even if not an immediate answer to the claims, this would be relevant to any remedy and/or costs.