Will the UK courts have their say on data protection?

With the UK’s forthcoming Data (Use and Access) Bill set to make significant changes to the UK’s data protection regime, the operation of the UK GDPR will change substantially in the coming year. Beyond the legislative agenda, the UK courts may also have their say on the thorny issues of data access and data sharing.


The judicial branch in the UK’s constitution tends to offer significant deference to the legislature. Even the UK’s Supreme Court cannot ‘strike down’ a law, as is common practice in the United States and other countries. However, through their interpretation of the law, UK courts can bring about shifts in the application of regulation that are just as radical.


In 2024, the UK Court of Appeal handed down a stunning judgement which has drastically expanded how far a business, and even an individual senior manager, can be held to account for failures of due diligence.


Now, a new case before the UK courts involving retail billionaire Mike Ashley has the potential to change the rules on how people can get access to their data. Ashley has launched a legal battle against HM Revenue & Customs (HMRC), accusing the tax authority of “egregious” data protection violations in a dispute linked to an £88 million property deal.


The case, currently being heard in London’s High Court, centres on Ashley’s claim that HMRC unlawfully withheld personal data gathered during its investigation into the 2012 sale of 32 properties. Ashley’s lawyers argued that HMRC officials had falsely alleged that Sports Direct, the retail giant he founded, overpaid for the properties, implying misconduct on his part.

Background of the dispute

In the contested transaction, Ashley sold the properties to special purpose vehicles owned by Sports Direct for £88 million. HMRC subsequently claimed the properties had been sold at an inflated value, accusing Ashley of understating his personal tax liability—covering income tax and national insurance contributions—by £13 million.


Ashley has demanded access to his personal records under data protection laws, which allow individuals to request such data through a Subject Access Request (SAR). His legal team argues that HMRC’s disclosures have been inadequate and its alleged breaches of the law warrant court intervention.

“Serious and damaging allegations”

Anya Proops KC, representing Ashley, described HMRC’s actions as “extremely serious” and potentially harmful to his reputation. She contended that the authority’s allegations suggested Ashley had acted against the interests of Sports Direct and its shareholders by orchestrating an overpayment.


Proops also criticised HMRC’s failure to comply fully with data access laws, calling its initial response to Ashley’s SAR in 2022 “a complete stone wall.” While HMRC has since disclosed some records, Ashley’s team maintains that the tax authority continues to breach its obligations.

HMRC defends its actions

HMRC’s lawyers acknowledged initial shortcomings in responding to Ashley’s SAR but argued that the authority had acted in good faith to address the issues. James Cornwell, representing HMRC, said the tax authority had made significant efforts to rectify its compliance and rejected claims of ongoing breaches. He also described some of Ashley’s demands for further disclosures as “manifestly excessive.”


Ashley’s legal team emphasised the cost and effort required to defend against HMRC’s initial £13 million tax demand, which was eventually dropped in 2022 following his appeal. Proops asserted that the withdrawal was due to procedural issues rather than a concession of error by HMRC.

What could the impact of the court case be?

Ashley is seeking a court order requiring HMRC to release additional personal data and cover his legal costs. The case highlights ongoing tensions between taxpayers and regulatory authorities over transparency and accountability in data handling and tax investigations.


If Ashley’s case succeeds, it could reinforce the principle that even government bodies like HMRC must rigorously comply with data protection laws, including their obligations under the UK GDPR. The case may set a legal precedent for how SARs must be handled, emphasising the need for full and timely responses. This could compel organisations across sectors to review their processes to avoid similar legal challenges.


A ruling in Ashley’s favour could encourage more individuals to exercise their right to access data during disputes with public authorities, ensuring greater transparency and fairness in investigations. Tax authorities might face more challenges to their investigative processes, particularly where allegations are based on incomplete or undisclosed information.


Public bodies like HMRC may need to enhance their data handling and governance practices to ensure compliance with SAR obligations and avoid reputational damage or financial penalties. Government agencies could face a higher risk of litigation from individuals alleging data protection breaches, leading to more cautious and transparent practices.


The case could also provide judicial guidance on what constitutes “manifestly excessive” requests under the UK GDPR, helping both data controllers and individuals understand the boundaries of SARs.


The reputational damage cited in Ashley’s case may highlight the need for organisations to consider how their actions, or failures to act, could harm individuals’ reputations. If the case reveals systemic issues in how public authorities handle data access requests, it could prompt the UK government to review and update regulations to close loopholes or clarify obligations. The Information Commissioner’s Office (ICO) might take a more proactive role in ensuring compliance, particularly for public bodies.


The High Court’s decision on the matter is awaited.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs, data controllers and data processors. Personal data breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them (unless the breach is unlikely to result in a risk to individuals), each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.



James

CEO, VinciWorks
