Londonderry calling: Are trustees free from Dawson-Damer under the GDPR?
Discussions of data protection reform in the House of Lords, however, give reason to believe that the Londonderry principle may return to protect trustees and keep these important decisions private.
GDPR versus the Data Protection Act 1998 (DPA 1998)
The General Data Protection Regulation (GDPR) has arrived and, since it is a regulation rather than a directive, it has been effective law in the UK since it came into force on 25 May 2018. The Data Protection Act 2018 (the DPA 2018) repeals and replaces the DPA 1998 and, while many of its provisions have not yet been enacted, those that have aim to fill in the gaps and extend parts of the GDPR. There are a number of key changes introduced by the GDPR compared to the DPA 1998, including tougher sanctions, stricter reporting requirements and alterations to the details of the subject access regime.
The subject access regime may be of most interest to the trust industry. Data subject access requests (DSARs) served under the subject access regime have been an issue for trustees in particular since the Court of Appeal’s February 2017 decision in Dawson-Damer. DSARs have often been used as a means of obtaining disclosure from trustees without resorting to litigation and circumventing the usual limitations on the disclosure of trust documents.
Recap of Dawson-Damer
It has long been established in trust law that trustees have, in certain circumstances, been entitled to refuse disclosure of trust information or documentation when requested by beneficiaries, under what is known as the Londonderry principle (Re Marquess of Londonderry’s Settlements ; Schmidt v Rosewood Trust Ltd ). Trustees have enjoyed the ability to administer trusts without beneficiaries having automatic access to records of discussions about the exercise of trustees’ discretionary powers.
However, the decision in Dawson-Damer was widely read as undermining the Londonderry principle. Mrs Dawson-Damer began proceedings in the Bahamas against the trustee of a trust of which she was a beneficiary. Mrs Dawson-Damer wanted access to information about her that was protected from disclosure in the Bahamian proceedings under Bahamian law. She then served a DSAR on the UK-based solicitors for the trustee, Taylor Wessing, seeking to obtain in England information she could not obtain in the Bahamas.
At first instance the High Court rejected Mrs Dawson-Damer’s case on the basis that, among other things, the information requested was of the kind protected by the Londonderry principle, which the Court decided fell within the legal professional privilege exemption in the DPA 1998 (LPP Exemption). However, on appeal, the LPP Exemption was interpreted more narrowly to include strictly only information that attracts privilege (properly so-called) under English law. The Court of Appeal overturned the decision and ordered Taylor Wessing’s compliance with the DSAR.
For further insight into the Dawson-Damer judgment, the possible effects on the trust industry and how trustees might adapt to the change in the landscape, see our article here.
Concerns for trustees
We understand that the Dawson-Damer litigation is still in progress and there may be further judgments which clarify the effect of the Court of Appeal’s judgment. However, in practical terms the decision suggested that, where a trustee has a record of the fact that one beneficiary might be more or less suitable to receive a distribution than another for a particular reason relating to that beneficiary, upon service of a valid DSAR, the trustee may be obliged to disclose this information. The subject access rights of individuals were thus considered superior to the rights of trustees to withhold sensitive trust information.
Many offshore centres, such as the Bahamas, Jersey and Guernsey, have enacted statutory protection for information held by trustees, but those protections are at risk of being undermined if DSARs can be made of UK professionals involved in advising the trustees.
Reform under DPA 2018
While the GDPR contains 173 paragraphs of recitals that provide contextual information to the regulation, the DPA 2018 does not. Instead, when interpreting English legislation, relevant background material can in certain circumstances be obtained from discussions of the statute in Parliament, following the decision in Pepper v Hart .
In this instance, debates in the House of Lords may assist in evaluating the impact of the new data protection regime on trust law. When the Data Protection Bill was announced in the Queen’s Speech on 21 June 2017, in preparation for the GDPR’s introduction across the EU, a window of opportunity opened for the UK trust industry to have its say at the bill’s first reading in the House of Lords.
With the support of the Trust Law Reform Committee, Lord Pannick argued for an amendment which would include exemptions for personal data processed by trustees that record a person’s deliberations about the manner of exercise of a power or discretion under the trust. Such a term would reflect, and effectively reinstate, the Londonderry principle.
However, in the first reading of the bill in the House of Lords on 13 November 2017, the Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport, Lord Ashton of Hyde, rejected the amendment. Lord Ashton explained that there was already adequate protection under the GDPR: article 15(4) in particular provides that information under a DSAR need not be disclosed where doing so would adversely affect the rights and freedoms of others.
This provision was revisited at the bill’s subsequent reading on 13 December 2017. Lord Pannick QC here asked for the Lords’ Spokesperson (Ministry of Justice), Lord Keen of Elie, to confirm that article 15(4) would apply to protect the Londonderry principle. Lord Keen stated that the Government considers that “the rights and freedoms of others” under article 15(4) includes those of both trustees and other beneficiaries: “Where disclosure under data protection law would reveal information about a trustee’s deliberations or reasons for their decisions that would otherwise be protected from disclosure under trust law, the Government’s view is that disclosure would adversely affect the rights and freedoms of trustees and beneficiaries in the trustees’ ability to make independent decisions in the best interests of the trust without fear of disagreement with beneficiaries”.
This statement does not indicate Parliamentary approval of the decision in Dawson-Damer. Here, the legislature has relied on a separate provision to protect trustee information, rather than by expressly extending the LPP Exemption. Although this exemption has been replicated in the DPA 2018, Parliament has rejected this square peg answer to a round hole question.
This is welcome news for trust professionals who had grown concerned that DSARs were being deployed to support or fish for grounds for litigation. While the application of the Government’s guidance will need to be supported by the facts of each case, this analysis of the Article 15(4) exception goes a long way to assuage the immediate issues created by the Dawson-Damer decision.
While this should give some comfort to data controllers in the UK who act for and advise trustees, there are still some areas of uncertainty.
One issue is that the Government’s stated position is not necessarily binding on the courts, who may interpret the relevant statutory provisions differently. Parliament has expressly stopped short of codifying the Londonderry principle, considering that to be a disproportionate step. Instead, according to Lord Keen, should the law be tested and found insufficient in protecting the Londonderry principle, section 16 of the DPA 2018 grants the Secretary of State power to make further exemptions – but there is a question mark about whether the Government would wish that power to be exercised to protect those working with offshore trustees.
Trustees and their advisers must therefore still deal with some material uncertainty, and the Government’s approach does not seem calculated to make litigation on these issues less likely. There are also other, more complex scenarios which may need to be clarified. For example: imagine a corporate trustee’s (T) shareholder (S) is served with a DSAR by a beneficiary (B) of the trust of which T is trustee. S holds personal data about B because S shares IT systems with T. Subject to other DPA 2018 exemptions not applying, is B entitled to receive their personal data from S? In particular, do the “rights and freedoms of others” include a person who is not the data controller who has received the DSAR?
All that having been said, the position under the GDPR appears to be an improvement for trustees and their advisers in the UK – although that conclusion is necessarily somewhat tentative. However, we remain cautiously optimistic that in the data protection context, the Londonderry principle is back.