EU APPROVES FINANCIAL DATA TRANSFERS TO US FOR COUNTER-TERRORISM PURPOSES

July 28th, 2010 by Anya Proops QC

On 13 July 2010, the Council of Europe promulgated a decision whereby it approved an agreement between the EU and the US for the transfer of financial messaging data from the EU to the US, specifically for the purposes of the US’s Terrorist Finance Tracking Programme. The decision has now been published in the Official Journal for the EU. See further the Council decision dated 28 June 2010 confirming the signing of the agreement, which you can find here.

 

TOWARDS A TRUE SINGLE MARKET OF DATA PROTECTION

July 16th, 2010 by James Goudie QC

Viviane Reding Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship, made a speech entitled “Towards a true Single Market of data protection” at a Meeting in Brussels, on July 14, 2010.  In her speech she said that we need a comprehensive and coherent approach so that the fundamental right to data protection is fully respected within the EU and beyond. She put forward five proposals.

 First, individuals’ rights should be strengthened by ensuring that they enjoy a high level of protection and maintain control over their data. Individuals need to be well and clearly informed, in a transparent way, by data controllers – be it services providers, search engines or others – about how and by whom their data are collected and processed. They need to know what their rights are if they want to access, rectify or delete their data. And they should be able to actually exercise these rights without excessive constraints.

Secondly, the internal market requires not only that personal data can flow freely from one Member State to another, but also that the fundamental rights of individuals are safeguarded. Provided that all data protection guarantees are in place and properly applied, personal data should freely circulate within the EU and, where necessary and appropriate, be transferred to third countries. This requires a level playing field for all economic operators in different Member States. This is currently not the case: indeed, one of the main concerns expressed by businesses in recent consultations is the lack of harmonisation and the divergences of national measures and practices implementing the 1995 Directive.  Further harmonisation and approximation of data protection rules at EU level is needed.

Thirdly, the current rules on data protection in the area of police cooperation and judicial cooperation in criminal matters should be revised.  Derogations to general data protection principles should be limited. They should not go beyond what is necessary and proportionate in order to pursue objectives of general interest, such as the fight against terrorism and organised crime, or the need to protect the rights and freedoms of others.

Fourthly, personal data must be adequately protected when transferred and processed outside the EU. To that end, the current procedures for international data transfers, including in the areas of police cooperation and judicial cooperation in criminal matters, will be improved, strengthened and streamlined.

Fifthly, EU monitoring of the implementation and enforcement by Member States of the existing rules to guarantee that individuals’ rights are actually respected will be a priority; the role of data protection authorities should be strengthened; and data protection authorities should be provided with the necessary powers and resources to be able to properly exercise their tasks both at national level and when cooperating with each other.

James Goudie QC

 

RECENT TRIBUNAL RULINGS – RISKS FOR APPELLANTS

July 15th, 2010 by Anya Proops QC

The Tribunal has recently issued a ruling highlighting the dangers for a public authority if it submits an inadequately reasoned notice of appeal. In Westminster City Council v IC (EA/2010/0096), the Council had submitted a notice of appeal against the Commissioner’s decision notice within the 28 day time limit allowed for under rule 22 of the Tribunal Procedure (First Tier Tribunal) (General Regulatory Chamber) Rules 2009 (“the Rules”). However, the notice of appeal merely asserted that the Commissioner had erred in deciding that the EIR 2004 rather than the FOIA applied to the disputed information. The notice did not contain any grounds for this assertion. Thereafter, the Tribunal ordered the Council to provide grounds for its appeal. The Council was given a week to provide the relevant grounds. The Council missed that deadline. Moreover, it did so in circumstances where it had not notified the Tribunal that it needed an extension of time for lodging the grounds. The Council invited the Tribunal to overlook the three day delay in submitting the grounds. It alleged that the delay was due to staffing difficulties; the need to take legal advice; a failure to understand the tribunal procedures and a failure properly to record the date set by the Tribunal for submission of the grounds. The Tribunal refused to accept these arguments. It held that the Council was a large authority with a specialised in-house FOIA department; that an alleged lack of resources was not a valid excuse and that advice should have been sought at an earlier stage. Accordingly, the Tribunal refused to accept the grounds. There are two lessons to be derived from this ruling. First, an appellant which fails adequately to particularise its case in its notice of appeal or otherwise to follow up the notice promptly with fully reasoned grounds may well end up losing the right of appeal altogether. Second, where there are concerns that a tribunal deadline may be missed, the affected party should always consider notifying the tribunal of that fact and seeking an extension of time.

In a separate development, the Tribunal recently decided in Thackeray v IC (EA/2010/0088) that an appellant would not be allowed to proceed with his appeal in view of his refusal to provide the Tribunal with a postal address. Mr Thackeray had provided an email address in his notice of appeal but refused to provide a postal address, allegedly because he was concerned that he would face harassment if the address was disclosed. Mr Thackeray argued that provision of an email address was sufficient in order to meet the requirements of rule 22(a) and (c) of the Rules. The Tribunal decided that the notice of appeal would be invalid in the absence of the provision of a postal address. The Tribunal took the view that a postal address was a pre-requisite not least in view of: (a) the fact that parties may want, for reasons of security, to deliver documents directly rather than by email; and (b) a postal address would be required to protect the position of the other parties in the event that costs were awarded against the appellant. Unfortunately, neither of these rulings can at present be found on the Tribunal website.

 

NEW ICO CODE OF PRACTICE FOR PROCESSING OF PERSONAL DATA ONLINE

July 15th, 2010 by Robin Hopkins

The Information Commissioner has published a new Code of Practice explaining how the DPA applies in an online world, and offering ‘good practice’ advice for the collection and use of personal data through the internet.

The Code covers (among other things) application and payment forms, social networking sites, cookies and other personally-targeted marketing. It considers the difficulties of ‘non-obvious identifiers’ (such as IP addresses linked to devices rather than to individuals), cross-border data transfers by multinational or non-domestic organisations, and the practice of outsourcing the storage of databases to other web-based companies.

With the aid of examples from such contexts, the Code turns established principles into specific recommendations for internet businesses, including: avoid collecting personal data too early in the relationship or transaction with the user; only collect personal as far as is necessary; provide a clear explanation of how users’ personal data will be processed; ensure that employees only have access to customers’ personal data where necessary, and that this access withdrawn as soon as their employment ends.

Certain suggestions will be particularly welcomed by privacy campaigners: alert users to the security risks associated with ‘autocomplete’ forms; give users a simple option of declining to have their personal data stored and of disabling cookies or other trackers of their online behaviour, and make it easy for them to contact the data controller about how their personal data is being used.

 

STRENGTHENED POWERS FOR THE COMMISSIONER?

July 15th, 2010 by James Goudie QC

 

The European Commission has requested the UK to strengthen the powers of its data protection authority so that it complies with the EU’s Data Protection Directive. The Commission request takes the form of a reasoned opinion – the second stage under EU infringement procedures. The UK has two months to inform the Commission of measures taken to ensure full compliance with the Directive.

 

In the Commission’s view data rules in the UK are curtailed in several ways that leave the standard of protection lower than required.  The Commission is concerned about limitations upon the Information Commissioner’s powers, in particular that he cannot monitor whether third countries’ data protection is adequate, assessments which should come before international transfers of personal information, and he can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks. Also the Commission is concerned that Courts in the UK can refuse the right to have personal data rectified or erased, and that the right to compensation for moral damage when personal information is used inappropriately is also restricted.

James Goudie QC

 

PREPARATION OF WITNESS STATEMENTS – SOME DOs AND DONTs

July 12th, 2010 by Anya Proops QC

In a paper which I delivered at the 11KBW Information Law seminar in May 2010, I identified a number of tips designed to assist parties in preparing for hearings before the information tribunal – the paper can be found here. Very recently, the tribunal has handed down a decision which highlights the dangers to a public authority if it fails to ensure that any witness statements generated for the purposes of the tribunal hearing are sufficiently full and illuminating: Metropolitan Police Service v IC (EA/2010/0006).

The MPS case involved a request made to the MPS for disclosure of information as to how much money Croydon Police had spent on paying informants in the preceding three years. The MPS refused disclosure of the requested information relying on a range of exemptions, including s. 30 (criminal investigations) and s. 31 (law enforcement). The Commissioner upheld the applicant’s complaint against the refusal notice. In the course of the appeal to the tribunal, the MPS produced witness statements in support of its case on appeal. However, as it happened, the significant evidence given by these witnesses was only obtained through the process of cross-examination. The tribunal voiced serious concerns about the fact that the MPS had not included such evidence in its witness statements (which had been exchanged some time before the hearing) but had, instead, effectively ambushed the Commissioner by giving such evidence orally at the hearing. The tribunal noted that this was not the first time the MPS had adopted such a course in proceedings before the tribunal and that ‘there may be cost consequences for the MPS in future cases’ (see paragraphs 16-17). What this judgment highlights is the importance of generating witness statements which contain, so far as possible, the core evidential points upon which the authority wishes to rely in advancing its case. If parts of the evidence are highly sensitive, this does not justify withholding the evidence. Instead, it merely means that the authority should structure the witness statements so that any sensitive, confidential elements are dealt with in the closed statements (which are then considered in closed session.

The tribunal went on to hold that the disputed information was in fact exempt from disclosure under s 24 (the national security exemption – as to which see my earlier post below). The point to be noted here is that the case may never have come before the tribunal had the MPS: (a) identified that s. 24 was in issue at a much earlier stage; and (b) been full and frank with the Commissioner as to the reasons why the information was exempt under s. 24. 11KBW’s Ben Hooper was instructed on behalf of the Commissioner.