Kennedy in the Supreme Court: News Flash

At the close of the first day’s oral argument in Kennedy v The Charity Commission, the Supreme Court indicated that it would be dismissing the first ground of appeal, i.e. on the domestic construction of section 32(2) of FOIA. Reasons for this decision will be given at a later date, but the effect will be that the construction preferred by the Court of Appeal in the first Kennedy appeal ([2011] EWCA Civ 367; [2011] 2 Info LR 152) will stand and that information falling within the scope of section 32(2) does not cease to be absolutely exempt upon the conclusion of the inquiry or arbitration.

The hearing continues on the application, or otherwise, of Article 10 ECHR.

Kennedy reaches the Supreme Court

The most eagerly awaited Information Law hearing of 2013 starts today.  The Supreme Court will be considering the appeal against the decision of the Court of Appeal in Kennedy v Charity Commission and others [2012] EWCA Civ 317.  The case raises the issue of whether Article 10 of the European Convention on Human Rights confers a right of access to information held by public authorities.  It also requires the Court to construe section 32(2) of the Freedom of Information Act 2000 (an absolute exemption applicable to information held for the purpose of an inquiry).  The Supreme Court is being asked to reconsider aspects of its judgment in BBC v Sugar (No 2) and as a result the appeal has been listed before a panel of seven Justices.

For details of the extensive 11KBW involvement in the hearing, see here.

 

Timothy Pitt-Payne QC

Two new Upper Tribunal decisions: commercial confidentiality, ministerial communications

The Upper Tribunal has issued two decisions on information rights matters this week. Both are by Upper Tribunal Judge David Williams, and both include substantive treatments of some of the issues that arise most commonly in information rights litigation.

Natural Resources Wales and SI Green (UK) Ltd v Information Commissioner and Friends of the Earth Swansea [2013] UKUT 0473 (AAC) saw the Upper Tribunal overturn a First-Tier decision on commercial confidentiality under the Environmental Information Regulations 2004, concerning the operation of a landfill site near Swansea. I was not involved in the First-Tier Tribunal proceedings, but blogged on the decision here. The Upper Tribunal’s decision is here. It found that, contrary to the approach of the First-Tier Tribunal, regulation 12(5)(e) EIR (confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest) is not the same as section 41(1) of FOIA (actionable breach of confidence).

In Judge Williams’ second judgment published this week, he upheld the First-Tier Tribunal’s decision in Cabinet Office v IC and Gavin Aitchison (EA/2011/0263). Anya blogged on the First-Tier Tribunal decision here. In essence, it concerned the takeover of Rowntree by Nestle in 1988 and what, if anything, ministers in the Thatcher government had said to each other about it. Questions also arose about the relevance of the reduction of the ‘Twenty-Year Rule’ for historical records to a ‘Ten-Year Rule’. The relevant exemptions were sections 35(1)(a) and (b) (formulation or development of government policy; Ministerial communications). The Tribunal found the public interest to favour disclosure (and, as regards one part of the request, confirming or denying whether any information was held relating to Cabinet discussions on the topic). The Upper Tribunal agreed. See here: Cab Off Aitchison GIA 4281 2012-00, and also the coverage by the requester (a journalist at the York newspaper The Press) here.

Given my involvement in both cases, I don’t offer any analysis on Panopticon today. Instead, I offer them as weekend reading for enthusiasts. You’re welcome.

Robin Hopkins

Facebook fan pages: data protection buck stops with Facebook, not page owners

In Re Facebook, VG, Nos. 8 A 37/12, 8 A 14/12, 8 A 218/11, 10/9/13 the Schleswig-Holstein Administrative Court has allowed Facebook’s appeals against rulings of the regional data protection authority (the ULD), Thilo Weichert.

The case involved a number of companies’ use of Facebook fan pages. The ULD’s view was that Facebook breached German privacy law, including through its use of cookies, facial recognition and other data processing. He considered that, by using Facebook fan pages, the companies were facilitating Facebook’s violations by processing users’ personal data on those pages. He ordered them to shut down the fan pages or face fines of up to €50,000.

The appellant companies argued that they could not be held responsible for data protection violations (if any) allegedly committed by Facebook, as they had no control over how that data on the pages was processed and used by the social networking site. The Administrative Court agreed.

The case raises interesting questions about where the buck stops in terms of data processing – both in terms of who controls the processing, and in terms of where they are based. Facebook is based in Ireland, without a substantive operational presence in Germany. Earlier this year, the Administrative Court found – again against the Schleswig-Holstein ULD’s ruling – that Facebook’s ‘real names’ policy (i.e. a ban on pseudonymised profiles) was a matter for Irish rather than German law.

The ULD is unlikely to be impressed by the latest judgment, given that he is reported as having said in 2011 that:

“We see a much bigger privacy issue behind the Facebook case: the main business model of Google, Apple, Amazon and others is based on privacy law infringements. This is the reason why Facebook and all the other global internet players are so reluctant in complying with privacy law: they would lose their main profit resource.”

For more on this story, see links here and here.

Robin Hopkins

Data protection reform in the EU

In 1913, Parliament was debating the Welsh Church Disestablishment Bill.  F. E. Smith described it as “a Bill which has shocked the conscience of every Christian community in Europe”.  This prompted a stinging rebuke from G.K. Chesterton:  was it remotely plausible that, say, Breton fishermen, or Russian peasants, had the slightest interest in any of this?

“Do they, fasting, trembling bleeding

Wait the news from this our city?

Groaning, ‘That’s the Second Reading!’

Hissing ‘There is still Committee!’

If the voice of Cecil falters,

If McKenna’s point has pith,

Do they tremble for their altars?

Do they, Smith?”

A hundred years later, the European Parliament is debating data protection reform.  To suggest that every citizen of the Union is hanging on the words of Jan-Philipp Albrecht or Viviane Reding would invite Chestertonian derision.  But there must be a number of businesses that are trembling (if not perhaps fasting or bleeding, as yet) at talk of fines of up to 100 million Euros (or 5% of global turnover, whichever is the greater) for breach of the new requirements.  And the level of interest among ordinary citizens, at any rate in some countries in the EU, should not be underestimated.

The above reflections are prompted by the news that the LIBE Committee of the European Parliament has adopted an agreed position on the proposed new Regulation and Directive.  This gives a mandate for the rapporteurs – MEPs Jan-Philipp Albrecht and Dimitrios Droutsas – to negotiate with the EU Council on Parliament’s behalf.

The full text of the proposed version of the legislation approved by the LIBE Committee has not been made public.  However, this press release from the Commission indicates that there are some important differences between the Commission’s original proposal in January 2012 and the text being put forward by the LIBE Committee.  Notably, the Committee is proposing maximum sanctions of 100 million euros or up to 5% of annual worldwide turnover, as compared with 1 million euros or up to 2% of annual worldwide turnover in the Commission’s original proposal.

The Committee also wishes to strengthen the territorial scope of the reforms.  The Commission’s original proposal was that in specified circumstances the Regulation should apply to the processing of personal data of data subjects residing in the Union, by a controller not established in the Union.  The Committee is proposing that the Regulation should apply to the processing by a controller or processor not established in the Union.

The Commission’s proposal was that this extra-territorial reach of the Regulation should apply where the processing activities were related to the offering of goods and services to data subjects in the Union, or to the monitoring of their behaviour.  The Committee is proposing that the Regulation should apply to the offering of goods or services to data subjects in the Union irrespective of whether a payment of the data subject is required.  So, on the Committee’s text, a social networking site established outside the EU would be caught if it offered membership to individuals in the Union, even if membership was free.   The Committee also proposes that the Regulation should apply to the monitoring of such subjects (not just to the monitoring of their behaviour).

The Committee’s text also would prohibit disclosure outside the EU of personal data processed in the EU, where such disclosure was ordered by a non-EU court or tribunal, unless the transfer was authorised in advance by the relevant EU national data protection authority.  So, it would appear, if a US court ordered disclosure of personal data about UK citizens, then a US company that complied with that order without the prior authorisation of the ICO would be in breach of the Regulation and could be fined.

Media and online comment (see e.g. here and here) has suggested that the European Parliament’s current approach – strengthening the protection for data subjects, in particular in relation to international transfers – is partly a reaction to the revelations by Edward Snowden about the disclosure of personal information to the NSA.

The next step will be for the Council to decide on its position.  There will be a Council discussion between heads of state and government on 24th – 25th October, relating to the digital single market, followed by a meeting of Justice Ministers on data protection reform on 4th – 5th December.  There will then be a “trilogue” between Parliament, the Council, and the Commission.  The President of the European Commission has called for a final text to be agreed before the European Parliamentary elections in May 2014 – though it seems likely that there will be a further 2 years or so before the new legislation comes into effect.

Timothy Pitt-Payne

 

Fingerprints requirement for passport does not infringe data protection rights

Mr Schwarz applied to his regional authority, the city of Bochum, for a passport. He was required to submit a photograph and fingerprints. He did not like the fingerprint part. He considered it unduly invasive. He refused. So Bochum refused to give him a passport. He asked the court to order it to give him one. The court referred to the Court of Justice of the European Union questions about whether the requirement to submit fingerprints in addition to photographs complied with the Data Protection Directive 95/46/EC.

Last week, the Fourth Chamber of the CJEU gave its judgment: the requirement is data protection-compliant.

The requirement had a legal basis, namely Article 1(2) of Council Regulation 2252/2004, which set down minimum security standards for identity-confirmation purposes in passports.

This pursued a legitimate aim, namely preventing illegal entry into the EU.

Moreover, while the requirements entailed the processing of personal data and an interference with privacy rights, the ‘minimum security standards’ rules continued to “respect the essence” of the individual’s right to privacy.

The fingerprint requirement was proportionate because while the underlying technology is not 100% successful in fraud-detection terms, it works well enough. The only real alternative as an identity-verifier is an iris scan, which is no less intrusive and is technologically less robust. The taking of fingerprints is not very intrusive or intimate – it is comparable to having a photograph taken for official purposes, which people don’t tend to complain about when it comes to passports.

Importantly, the underlying Regulation provided that the fingerprints could only be used for identity-verification purposes and that there would be no central database of fingerprints (instead, each set is stored only in the passport).

This is all common-sense stuff in terms of data protection compliance. Data controllers take heart!

Robin Hopkins