Bad Phorm?

The European Commission has announced that it is mounting a legal challenge in respect of the use of targeted online advertising in the UK. The challenge follows complaints which were made to the Commission in response to BT’s act of testing the technology on BT broadband users without their consent. The technology, which is the brainchild of a company called Phorm, enables internet service providers (ISPs) to profile what sites internet users visit so as to enable advertising companies more astutely to target their adverts on individual users. The Commission has taken the view that the UK has breached EU data protection laws by permitting the deployment of the technology in the absence of user consent. The Information Commissioner’s Office has previously stated that the use of the technology would be permissible if operated on the basis that users have opted in to the system. The Commission’s challenge raises real questions as to the legality of Google’s recently launched behavioural targeting system. See further my post on this system below.

DPA/FOIA overlap

The overlap between FOIA and the DPA gives rise to a number of difficult problems.

In a paper just posted on 11KBW’s website (and originally delivered to a JUSTICE/Sweet & Maxwell conference in December 2008) I discuss some of these issues.  In particular, I deal with the practical problems that arise when an individual makes a request for information to a public authority and some (but not all) of the information constitutes his own personal data.  Because the request falls under both the DPA and FOIA, the Information Commissioner will need to deal with any complaint under two different legal regimes; if the requester subsequently appeals, the Information Tribunal will not have jurisdiction to deal with all the issues raised by the request.  The article suggests that the present position is unsatisfactory and discusses options for reform.

Google’s Streetview – ICO Responds

The launch of Google’s Streetview service in March 2009 sparked considerable debate within the British media. Privacy campaigners criticised the intrusive nature of the service, which enables internet users to access 360-degree views of people, homes, cars and streets in 25 of Britain’s cities. It would appear that the Information Commissioner has now had his say on the matter. According to an article published in yesterday’s Observer newspaper, the Information Commissioner rejected a complaint brought by Privacy International which challenged the legality of the service. Notably, the Observer reports that the Commissioner dismissed the suggestion put forward by Privacy International that consent should have been sought from individuals whose image was captured in the pictures shown by Streetview. He apparently compared the Streetview service with images of individuals broadcast during televised football matches, where similarly consent would not be sought.

Of course, Streetview is not the only part of Google’s operations which has given rise to privacy concerns. Not least, in recent weeks concerns have been raised about another Google innovation, which enables advertisers to target adverts on individual Google users by relying on site-visit profiles developed by Google. The so-called behavioural targeting system enables Google to build up a profile of the internet sites visited by a particular user when using the Google search engine. The profile is then used as a basis for indicating what advertising the user may be interested in. Concerns expressed about the new system have included that individuals are not asked whether they wish to receive targeted advertising and, further, that the right to opt out of the system is not adequately advertised to users.

Guardian article on Streetview:

https://www.guardian.co.uk/technology/2009/apr/12/google-street-view-privacy

Channel 4 report on Behavioural Targeting System:

https://www.channel4.com/news/articles/science_technology/how+google+adverts+got+personal/3076122

A problem shared is a breach of the DPA?

It’s a good time for a conference about information sharing. The data sharing provisions in the Coroners and Justice Bill have been withdrawn, in the face of widespread criticism – including from the Bar Council (for more background, see our previous posts here and here). The question whether anything will be done to implement last year’s Thomas/Walport review remains an open one.

Against this background, Northumbria University’s conference on 17th April is topical.  Speakers include Richard Thomas (coming to the end of his term as Information Commissioner), Marcus Turle from Field Fisher Waterhouse, and Steve Eccleston from Sheffield City Council.  I shall be delivering a paper about breach of confidence and its significance for information sharing (I will post it on the 11KBW website after the conference).

Recent ICO decisions on Freedom of Information

In Decision Notice FS50139215, issued this week, the Commissioner has ordered the Met Police to disclose particular CCTV footage showing the movements of the perpetrators of the terrorist attacks on London on 7 July 2005.

The Met had argued that the footage was exempt from disclosure under sections 30(1)(a) (information held for the purposes of an investigation) and 38(1)(a) (health and safety) of FOIA.

The Commissioner accepted that the exemption in section 30(1)(a)(i) and (ii) of FOIA was engaged. However, he rejected arguments that such disclosure would render meaningful police investigation impossible and that, pending any trial, the CCTV footage should only be disclosed to the CPS, the Courts or other bodies involved in the investigative process.

The Commissioner’s comments on the public interest in full disclosure of any material relating to the 7/7 bombings are of particular interest. He noted, for example, that whilst there had already been widespread media coverage in relation to the bombings, “full disclosure in order to avoid any suspicion of ‘spin’ or ‘cover up’ will continue to be in the public interest regardless of the volume of related information that has previously been disclosed”. On similar lines, he observed that in circumstances in which the 7/7 attacks had been the subject of conspiracy theories, the fact that “disclosure would presumably support the official account of the time line and basic facts of the attacks and reduce any perceived lack of transparency about how this account was formed, along with removing any suspicion of ‘spin’ or ‘cover up’” was a valid public interest factor in favour of disclosure.

The Commissioner rejected the Met’s claim that the exemption under section 38(1)(a) of FOIA (health and safety) was engaged at all, emphasising that the arguments advanced by the Met on this point had lacked detail in relation to the specific CCTV footage in question. He also concluded that, whilst not cited by the Met, the personal data exemption in section 40(2) of FOIA was engaged in respect of footage from which individuals other than the perpetrators of the attacks could be identified. The Met must redact this information, such as by pixellation, before the footage is disclosed.

In other Decision Notices issued this week, the Commissioner has held that:

  • Oxford, Cambridge and Manchester Universities and King’s College and University College, London must disclose information relating to primate research. A complainant had sought such information from a number of universities, including information as to the numbers and species of primates referred to in returns to the Home Office, and as to current research. The Commissioner held that the exemptions relied upon by the universities were not engaged (variously, sections 38 (health and safety), 40 (personal data) and 43 (commercial interests) of FOIA).

  • The Department of Health must disclose civil servants’ submissions to Ministers in relation to proposed variations to consultants’ contracts as part of its ‘modernising medical careers’ initiative. Whilst the exemption in section 35(1)(a) (policy) of FOIA was engaged, the public interest in maintaining the exemption did not outweigh that in disclosure (FS50151464).

  • In contrast, the FCO was entitled to refuse to confirm or deny whether it held particular information as to identification of a voice heard in the video showing the beheading of Ken Bigley in Iraq in 2004. The FCO successfully relied upon sections 23(5) (information supplied by or relating to the security services) and 24(2) (national security) of FOIA (FS50188323).

Reviewing the situation

Under FOIA, there is no statutory duty on public authorities to operate an internal review procedure relating to their handling of FOI requests. There is, however, an incentive for them to do so: if a review procedure is available but has not been exhausted, then the Commissioner can decline to entertain a complaint from the requester under FOIA section 50.

Section 45 of the Act enables the Secretary of State to issue a Code of Practice giving guidance to public authorities about how they should operate their functions under the Act.  The Commissioner can make a practice recommendation (under section 48) where a public authority’s practice appears not to comply with the Code.

The Code issued under section 45 in November 2004 states that authorities should operate a review procedure, with decisions being made within a reasonable time.  In February 2007 the Commissioner issued guidance that a reasonable time for completing an internal review is 20 working days from the date of the request; in a small number of cases it might be reasonable to take longer, but in no case should the time taken exceed 40 days.

Today the Information Commissioner’s Office (ICO) has issued a press release about a Practice Recommendation addressed to Greater Manchester Police (GMP) dated 31st March 2009. The Recommendation expresses concern both about the time taken by GMP to deal with internal reviews (over 150 working days in one case) and the apparent inaccuracy of some of the information provided to the ICO by GMP. The Commissioner recommends that GMP should take steps to ensure its future compliance with the time limits in the ICO’s February 2007 guidance. Paragraph 52 of the recommendation is significant, emphasising the ICO’s willingness to take formal action where there is continuing non-compliance with the Code.

Incidentally, although the Practice Recommendation refers to the ICO’s February 2007 guidance, new guidance about internal reviews (dealing with both FOIA and EIR) was issued on 16th February 2009.  A useful summary of recent guidance issued by the ICO is available here, courtesy of the FOI blog maintained by the Campaign for Freedom of Information.

I am grateful to Andrew Smith (currently a pupil at 11KBW) for drawing the Practice Recommendation to my attention and helping to draft this post.