Since the CJEU gave judgment in Google Spain, there has been much discussion on the conference  circuit about whether the judgment rides rough shod over free speech rights. Certainly the lack of any procedural protections for the media within the right to be forgotten regime has been the subject of much heated debate. For those of you wishing to understand how Article 10 rights are likely to fare under the new General Data Protection Regulation, you would do well to start with this excellent article by Daphne Keller, Director for Intermediary Liability at Stanford Law’s Center for Internet and Society (and notably former Assistant General Counsel to Google).

As Daphne makes clear, the GDPR does not offer the media much by way of solace. Quite the contrary, what we see with the new Regulation is a continuing failure on the part of European legislators to accommodate free speech rights within the data protection regime in a structured and systematic manner. To a large extent this lack of protection for Article 10 rights is a product of the fact that historically data protection and the media have rarely crossed swords. Certainly within our own jurisdiction, it is only over the last 18 months or so that an awareness of the potentially very substantial areas of tension have begun to surface (see further not least the discussion of the Steinmetz case on this blog). However, the reality is that the European quest to place data privacy rights centre-stage, in the online world and beyond, now  poses serious challenges for the media. This is something which will hopefully start to register at least with those EU regulators who will in due course be charged with applying the GDPR.

Anya Proops

The commission set up by the Government to review FOIA, in the wake of the Evans judgment, has today issued a call for evidence, as part of a six week consultative exercise (see here). The questions posed in the call for evidence tend to reconfirm the overall impression that the commission is keen to explore ways in which FOIA can be recalibrated so as to be a more State-friendly enactment. The commission has made clear that it is particularly focussed on the following six questions:

‘Question 1: What protection should there be for information relating to the internal deliberations of public bodies? For how long after a decision does such information remain sensitive? Should different protections apply to different kinds of information that are currently protected by sections 35 and 36?

Question 2: What protection should there be for information which relates to the process of collective Cabinet discussion and agreement? Is this information entitled to the same or greater protection than that afforded to other internal deliberative information? For how long should such material be protected?

Question 3: What protection should there be for information which involves candid assessment of risks? For how long does such information remain sensitive?

Question 4: Should the executive have a veto (subject to judicial review) over the release of information? If so, how should this operate and what safeguards are required? If not, what implications does this have for the rest of the Act, and how could government protect sensitive information from disclosure instead?

Question 5: What is the appropriate enforcement and appeal system for freedom of information requests?

Question 6: Is the burden imposed on public authorities under the Act justified by the public interest in the public’s right to know? Or are controls needed to reduce the burden of FoI on public authorities? If controls are justified, should these be targeted at the kinds of requests which impose a disproportionate burden on public authorities? Which kinds of requests do impose a disproportionate burden?’

No doubt much can be gleaned about the commission’s direction of travel from these questions. However, the commission’s repeated use of the ‘how long’ question is particularly interesting. Query whether it suggests that the commission is looking to propose minimum terms for the disclosure of certain categories of information, for example under ss. 35 and 36. Such a blanket approach to the protection of particular classes of information under these provisions would of course would mark a significant departure from the current more case/fact-specific approach presupposed by these provisions as currently framed. No doubt further commentary on Panopticon will follow in due course.

Anya Proops

There has been a lot of excitement this week about EU-US data sharing in the light of the Schrems judgment (see not least the stream of posts on the judgment on our very own Panopticon). Of course what triggered the Schrems litigation was the Snowden revelations concerning Prism, the US government’s mass surveillance programme, revelations which themselves forced an intensive debate on the protection of digital privacy rights on both sides of the Atlantic. Against that background, it is very interesting to learn that yesterday the Californian Governor, Jerry Brown, signed into law an Electronic Communications Privacy Act designed to place substantial controls around the accessing of digital communications by law enforcement agencies (see further the report from the Electronic Frontier Foundation here). This important legislative development, which essentially subjects the access regime to a system of judicial warrants, suggests that California is very much ahead of the curve within the US when it comes to recognising the need to ensure greater protection for data privacy rights within the digital environment. It is also worth noting that the tech companies themselves appear to have played a strong role in the achievement of this more privacy-sensitive approach to law enforcement. This is hardly surprising given the impact which the Snowden revelations have had on consumer trust in the tech giants of Silicon Valley. It remains to be seen whether the pro-privacy stance being adopted in California is going to attract law-makers in the States as a whole. However, it is interesting to note that the new law in California was itself born out of a bipartisan bill, something which itself reconfirms the fact that the protection of privacy rights is an issue which transcends traditional party politics.

Anya Proops

So there we have it. Data protection, once the preserve of tragic anoraks with too much time on their hands, has now firmly taken up its place as a glittering star within the European legal firmament. For who now, in the wake of the Schrems judgment, can doubt the global political and economic significance of the data protection regime, as embodied first and foremost in EU Directive 95/46/EC.

But let us begin by examining why the Schrems judgment in particular has launched data protection into the legal stratosphere. Well let’s start with the fact that it is not every day that a judgment issued by the Court of Justice of the European Union effectively finds that a world super-power has breached fundamental human rights by engaging in a campaign of mass surveillance within its own borders (see paras. 90-98). Then there’s the realisation that the Court has been prepared to deploy those findings so as to attack the validity of a European Commission decision which has shaped the approach which businesses within the EU and the US have taken to EU-US data sharing for the past fifteen years (see para. 104). Then it starts to sink in that the Court’s conclusion that that decision is invalid is inevitably going to destabilise data-sharing arrangements adopted by businesses across the EU, not to mention the US. So what starts as a hugely politically significant judgment turns into a judgment with vast commercial implications (and I am not just talking about the Facebooks of this world because it is clear that the judgment affects all business which transfer data into the US). What is all the more astonishing about the judgment is that it represents a remarkable willingness on the part of the Court to usurp an ongoing political process which is itself designed to achieve a consensus on lawful EU-US data sharing (see further the European Commission’s continuing efforts to negotiate with the US authorities on how to address deficiencies in the Safe Harbour regime).

But then again should any of this really come as any surprise? After all, this is not the first time that the Court has boldly used EU data protection legislation as a means of reshaping key socio-political paradigms. First, it was the internet which was subject to a substantial sea-change as a result of the Court’s recognition that a right to be forgotten could be asserted against search engines (as in Google Spain). Then we saw the Court using data protection legislation in effect so as to inhibit EU Member State surveillance programmes (as in Digital Rights Ireland). Now it is the wider corporate world which is feeling the full force of the behemoth that is EU data protection legislation as data-sharing arrangements across the EU-US piste potentially unravel in the face of the Court’s judgment (see further the ICO’s recent statement on the judgment and its implications for businesses here).

The important question which has yet to be answered is whether the Court’s seemingly relentless march to affirm the primacy of data privacy rights within and indeed beyond the borders of the EU may ultimately itself produce wholly disproportionate and indeed politically untenable results. However, one thing is for sure: the data protection super nova will continue to attract our gaze for some time to come.

Anya Proops

 

More breaking news on Schrems – the word on the street is that judgment is due to be given by the CJEU on 6 October. This means we will only have to wait another week before discovering whether the Court has followed the Advocate General’s hugely politically controversial opinion.

I should add that on 6 October judgment is also due to be given by the CJEU in East Sussex v Information Commissioner (case on charging for property search information under the EIR). Of course no one could doubt the importance of the East Sussex case (and I’m not just saying that because I appeared for the Commissioner) but I have a sneaking suspicion that Schrems may yet steal our thunder…

Anya Proops

In July of this year, I blogged about a judicial review case involving a challenge to the ICO’s decision that Google had not breached the DPA when it refused a ‘right to be forgotten’ application made by a Mr Khashaba. My post confirmed that the court had refused permission for Mr Khashaba to proceed with his claim on the papers. Mr Khashaba has since gone on to renew his application for permission. That application was also refused. The judge, HHJ Simon Barker QC (sitting as a Deputy), concluded that permission should be refused on the basis that civil proceedings against Google constituted an adequate alternative remedy, even if those proceedings required service out of the jurisdiction. The judge went on to observe that civil proceedings also constituted a more appropriate vehicle for resolving Mr Khashaba’s claim. This was particularly because they would allow the evidence in the case to be more effectively tested, with the result that the judge would be in a position to make a more effective and informed assessment of the reliability of the claimed consequences of continued listing of the relevant webpages (cf. judicial review proceedings where typically there is no cross-examination of witnesses). Mr Khashaba was ordered to pay the ICO’s costs. Christopher Knight represented the ICO.

What is notable about this judgment is that it suggests that the courts are alive to the fact that assertions that particular data ought to be forgotten should not be taken at face value but should instead be rigorously tested. Obviously one is left with the abiding questions of whether Google, as opposed to the authors of the relevant source websites: (a) is itself best placed to undertake that testing exercise and (b) will be sufficiently incentivised in any individual case to mount a defence to the claim. It will in any event be interesting to see whether Mr Khashba does now seek to pursue his case against Google.

Anya Proops