The recent case of Green v. Group Ltd and others  EWHC 954 (Ch) dealing with Cambridge Analytica’s insolvency has clarified the approach that administrators should take when subject access requests are made to the companies over which they are appointed.
A failed administration…
In the aftermath of the notorious data analytics activities of Cambridge Analytica, companies in this group suffered serious financial damage. Administration proceedings were initiated but the administrators were not able to profitably realise the group’s business. Unbeknown to the administrators, the Information Commissioner’s Office (ICO) had also seized the companies’ laptops and servers, which meant the business could not continue to trade. The failed attempts to market the business led the administrators to place the companies into compulsory liquidation and request that they be appointed as liquidators.
A creditor’s complaint…
A contingent creditor objected to the appointment of the administrators as subsequent liquidators. Among various objections, the creditor complained that the administrators had breached duties arising under data protection laws. He sought an Enforcement Notice under the Data Protection Act 1998 against two group companies to request that they comply with a subject access request to provide details of his personal data potentially held by the companies.
The creditor also wrote to the administrators requesting copies of the materials and notes of the oral submissions made at the administration hearing. The administrators allowed the creditor’s disclosure application, having rejected it initially, and eventually provided the requested documents.
A few data protection questions…
In its assessment of the creditor’s objections, the High Court first referred to previous case law, which had established that a liquidator is not regarded as a controller in respect of personal data processed by the company. As a general rule, a liquidator acts as a company’s agent and, unless the liquidator takes decisions about the processing of the data as a principal rather than an agent, the liquidator cannot be considered a controller.
Here, the administrators decided not to search for the creditor’s data through records of 700 terabytes which had been seized by the ICO. The court agreed that this was a decision that the administrators were suited to make. As agents of the company, the scope of their statutory duty was limited and the interests of one creditor had to be balanced against the interests of the general body of creditors.
The court also said that administrators have no general duty to investigate data breaches by the company relating to third parties (such as data subjects). Their duty only extends to investigating breaches of the duty owed by the directors to the company or its creditors.
The court also accepted the administrators’ “commercial judgment in an uncertain legal context” not to appeal the Enforcement Notice as the cost of compliance would have been disproportionate. This was because administrators have the right to prioritise recovering assets before addressing claims and distribution issues. There was criticism, though, that the administrators had failed to “appreciate the legal niceties of a novel situation in a developing area of the law”.
This decision is a welcome judicial clarification that administrators (as well as liquidators) are not controllers. What is more, it confirmed that data protection investigations are not for administrators or liquidators to solve – these should remain in the realm of external regulators and be carried out at the public expense. While this is bad news for data subjects seeking information from insolvent companies, liquidation and administration proceedings should only be used for what they are, not as a “free-floating public enquiry into possible unlawful activity implicit in the business model of the insolvent company”.