Key Facts
- •Claimant Chowdhury brought a claim under the Data Protection Act 1998 and 2018 against MI5, MI6, and GCHQ for access to her personal data.
- •Chowdhury received 'neither confirm nor deny' (NCND) responses to her Subject Access Requests (SARs).
- •Defendants applied to strike out the claim or grant summary judgment.
- •The hearing was initially requested to be held in private but was ultimately held in public.
- •The claim had a complex procedural history, involving multiple applications and court transfers.
- •The defendants relied on national security exemption certificates under sections 28 of the 1998 Act and 110 of the 2018 Act.
- •Chowdhury argued that the exemptions did not apply and that she was entitled to access her data.
Legal Principles
Right of access to personal data under Data Protection Act 1998 and 2018
Data Protection Act 1998, s. 7; Data Protection Act 2018, s. 94
National security exemption to data protection rights
Data Protection Act 1998, ss. 27, 28; Data Protection Act 2018, ss. 110, 111
Conclusive evidence of exemption certificates
Data Protection Act 1998, s. 28(2); Data Protection Act 2018, s. 111(1)
Jurisdiction of the High Court in data protection claims
Data Protection Act 1998, s. 15(1); Data Protection Act 2018, s. 94(13)
Summary judgment under CPR 24.2
Civil Procedure Rules, Part 24.2
Outcomes
Summary judgment granted for the defendants; claim dismissed.
The court found the claimant's arguments lacked merit, and the national security exemptions, as evidenced by the certificates, applied to the requested data. The claimant had no realistic prospect of success.