Anyone who has been following the litigation on charging for access to property search information under the EIR may like to know that the judgment in East Sussex v Information Commissioner is due to be given by the CJEU on 6 October 2015 (for further information on the background to the case and the Advocate-General’s Opinion, see here). One of the important issues in the East Sussex litigation has been the risks which charging for environmental information may pose in terms of the potential dissuasive effect on applicants. It will be interesting to see whether the Government has an eye to such dissuasive effects as when it is thinking how to develop its proposals on fees in the GRC (see further Chris Knight’s post on the proposals here).

Anya Proops

In case you have missed this vitally important piece of news (because I certainly did), the European Data Protection Supervisor has come up with an ingenious way of weaning you off playing Angry Birds. Yes, the EU Data Protection mobile app is now available at no charge for all data protection addicts – see here. Now, instead of getting on with some paid work, you can while away your time comparing the latest proposed texts of the draft General Data Protection Regulation. Joy!

Anya Proops

There has been much debate as of late as to how data privacy rights should be reconciled with journalistic freedoms under the data protection legislation. This is a difficult issue which surfaced domestically in the recent case of Steinmetz & Ors v Global Witness and is now being debated across Europe in the context of the controversial right to be forgotten regime. One of the many important questions which remains at large on this issue is: what degree of protection is to be afforded under the data protection legislation to those publication activities which might be said to be of low public interest value (i.e. they satisfy the curiosity of readers but do not per se contribute to public debate).

It was precisely this question which the European Court of Human Rights was recently called upon to consider in the case of Satakunnan Markkinapörssi Oy And Satamedia Oy V. Finland(Application No. 931/13). In Satamedia, the Finnish Supreme Court had concluded that a magazine which published publicly available tax data could lawfully be prevented from publishing that data on the basis that this was required in order to protect the data privacy rights of the individuals whose tax data was in issue. The Finnish Court held that this constituted a fair balancing of the Article 10 rights of the publishers and the data privacy rights of affected individuals, particularly given that: (a) the freedom of expression derogation provided for under the Finnish data protection legislation had to be interpreted strictly and (b) the publication of the tax data was not itself required in the public interest, albeit that it may have satisfied the curiosity of readers. The owners of the magazine took the case to Strasbourg. They argued that the conclusions reached by the Finnish Court constituted an unjustified interference with their Article 10 rights. The Strasbourg Court disagreed. It concluded that the Finnish Court had taken into account relevant Strasbourg jurisprudence on the balancing of Article 10 and Article 8 rights (including Von Hannover v. Germany (no. 2) and Axel Springer AG v. Germany) and had arrived at a permissible result in terms of the balancing of the relevant interests (see para. 72).

There are three key points emerging from the judgment:

– first, it confirms the point made not least in the ICO’s recent guidance on data protection and the media, namely that there is no blanket protection for journalistic activities under the data protection legislation;

– second, it makes clear that, where there is a clash between data privacy rights and Article 10 rights, the courts will closely scrutinise the public interest value of the publication in issue (or lack thereof);

– third, it confirms that the lower the public interest value of the publication in question (as assessed by the court), the more likely it is that the rights of the data subject will be treated as preeminent.

Anya Proops

 

So here’s the question: you’re an individual who wants to have certain links containing information about you deindexed by Google; Google has refused to accede to your request and, upon complaint to the ICO, the Commissioner has decided that your complaint is unfounded and so he refuses to take enforcement action against Google under s. 40 DPA 1998; can you nonetheless secure the result you seek in terms of getting your data forgotten by mounting a judicial review challenge to the ICO’s decision? Well if the recent decision by the Administrative Court in the case of R(Khashaba) v Information Commissioner (CO/2399/2015) is anything to go by, it seems that you’ll be facing a rather mountainous uphill struggle.

In Khashaba, Mr Khashaba had complained to the Commissioner about Google’s refusal to de-index certain articles which apparently contained information revealing that Mr Khashaba had failed in his legal attempts to get his gun licences reinstated and had also failed to obtain placement on the Register of Medical Specialists in Ireland. The Commissioner concluded that Google had acted lawfully under the DPA 1998 in refusing to de-index the articles in question. Mr Khashaba was evidently unhappy with this result. Accordingly, he brought a judicial review claim against the Commissioner in which he contended in essence that the Commissioner had erred: (a) when he concluded, in exercise of his assessment powers under s. 42, that Google had acted lawfully in refusing to de-index the articles and (b) by failing to take enforcement action against Google under s. 40. By way of an order dated 17 July 2015, Hickinbottom J dismissed Mr Khashaba’s application for permission to judicially review the Commissioner’s decision. His reasoning was based on the Commissioner’s summary grounds, upon which the court felt itself unable to improve:

– first, permission was refused on the ground that Mr Khashaba had an alternative remedy because it was open to him to bring proceedings against Google directly in connection with its refusal of his application to be forgotten;

– second, the Commissioner had a wide discretion under s. 42 as to the manner in which he conducts his assessment and as to his conclusions on breach. He also had a wide discretion when it came to the issue of enforcement under s. 40. There was no basis for concluding that the way in which the Commissioner had exercised his powers in response to Mr Khashaba’s complaint was unreasonable or otherwise disproportionate.

All of which tends to suggest that: (a) the courts are likely to be very slow in impugning a decision of the Commissioner that particular information should not be forgotten and (b) that, if you’re an applicant who wants your data to be forgotten, you may yet find that the regulatory route offers little by way of comfort in terms of securing the necessary amnesiac effect.

11KBW’s Christopher Knight represented the Commissioner.

Anya Proops

 

Since the CJEU’s controversial decision in Google Spain,the debates have raged about how the so-called right to be forgotten should cash out in the online world. Particular concerns have been expressed by the media that the judgment rides rough shod over Article 10 rights, including not least the Article 10 rights of the website authors whose stories are being deindexed. Now it seems the BBC is seeking to reassert its Article 10 rights by publishing a list of all the stories which have been deindexed by Google thus far – see here.

The BBC’s position is that the publication of the list does not seek to frustrate the Court’s judgment, because it will not ‘make the stories more findable for anyone looking for a name’. What it will do, according to the BBC is enable a ‘meaningful debate’ about the right to be forgotten to take place. This is a bold step coming from one of the world’s most respected media organisations. It will doubtless provoke a copycat reaction from other media organisations which regard the CJEU’s judgment in Google Spain as an affront to their Article 10 rights. What is interesting about this new approach is that it does very clearly allow the wider public to examine how the right to be forgotten is in practice being weighed against the fundamental right to free expression. No doubt the BBC’s actions will attract criticism from those individuals who had hoped that their requests to be forgotten would result in the relevant links sinking for all time into the soup of online forgetfulness. It remains to be seen how the Information Commissioner will respond to this important and provocative development.

Anya Proops

The transnational nature of many modern commercial enterprises can create significant difficulties when it comes to the application of domestic data protection legislation within the EU. Questions can often arise as to whether the enterprise has the necessary territorial presence in order to enable the domestic legislation to apply. These questions can be particularly difficult to resolve where the enterprise in question comprises an online business which has ethereal tentacles stretching into multiple jurisdictions. Of course, we have now all just about got to grips with the interesting intellectual gymnastics embarked upon by the CJEU in Google Spain. Now the issue of the territorial application of data protection legislation has resurfaced in a case concerning a spat between a Slovakian company operating a property-dealing website (W) and various disgruntled Hungarians who sought to sell their properties through the site: Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (Case 230/14).

You can read about the background to the Weltimmo case here. In short, the core question which arose in Weltimmo was whether the Hungarian Data Protection Authority (HDPA) had jurisdiction to fine W in circumstances where:

(a) W had its registered seat in Slovakia;

(b) one of W’s owners was a Hungarian living in Hungary who had legally represented W before the HDPA;

(c) W had received personal data from individuals in Hungary who wished to advertise their Hungarian properties on W’s website and

(d) W had apparently then gone onto misuse the personal data it had received.

The Hungarian Kúria court was unsure as to how to answer this question. This was because it was unclear as to the legal effects of two Articles of Directive 95/46/EC: Article 4 (concerning the territorial scope of domestic data protection laws) and Article 28 (concerning the role of the domestic supervisory authority). Accordingly, the court referred a number of questions to the CJEU, all of which were essentially focused on identifying the territorial reach of the domestic data protection laws and domestic supervisory authorities under the Directive (you can find the questions here). Advocate-General Cruz Villalón (yes he of Digital Ireland fame) has now given his opinion on these questions: see here. Rather frustratingly however, the opinion is not currently available in English. It is available in French and a host of other European languages (including for the multi-lingual amongst you Bulgarian and Czech). My admittedly rather untutored take on the French language version is that it contains the following key conclusions (see in particular paragraph 72):

– The effects of Articles 4 and 28 are that a supervisory authority in Member State X cannot assert jurisdiction over a data controller which is not ‘established’ in Member State X. Instead, that supervisory authority only has jurisdiction in respect of data controllers which are ‘established’ within its own territory (i.e. within Member State X).

– When considering the extent to which a data controller is ‘established’ in Member State X, the focus should be on the de facto, rather than the de jure, position. The crucial question is: from where, in a physical, logistical sense, does the data controller operate the business in question? Answering this question is likely to require a focus on where the business’ human and technical resources are located.

– The data controller may be established in a number of different Member States, provided that its operations in those Member States have the necessary quality of stability.

– Factors such as where the data has been downloaded, the nationality of the injured parties, the domicile of the owners of the company responsible for processing the data or the fact that the service provided is directed at the territory of another Member State are not directly relevant or decisive. They may however be indirectly relevant insofar as they may shed light on the question of where the data controller is established.

It remains to be seen whether the CJEU will follow the Advocate-General’s opinion. If it does, then that will reaffirm the essentially fragmented, patchwork nature of the protections afforded under the current Directive. Of course, if and when the draft General Data Protection Regulation becomes law, this patchwork of protections will give way to a more unified approach, as the era of the one-stop shop will be upon us.

Anya Proops