Employers very often wish to monitor how their employees are using work computing facilities during office hours. They may suspect wrongdoing, such as improper use of confidential client or business information, or accessing material which is prohibited by the employer’s policies. They may be concerned about employees using work facilities – and work time – for personal communications. Can the employer investigate by accessing the employee’s communications without their knowledge? Continue reading
Author: Robin Hopkins
‘Plebgate’ and the protection of journalistic sources
It has been a mixed day for the media’s entanglements with the judiciary. Chris Knight posted earlier today about the unhappy outcome for Mirror Group Newspapers before the Court of Appeal in the Gulati privacy damages litigation arising from phone-hacking.
News Group Newspapers, however – together with Sun journalist claims Tom Newton Dunn, Anthony France and Craig Woodehouse – had a happier outcome in another case about telephone privacy, though this time with the media as victim rather than perpetrator of the interference.
Judgment IPT/14/176/H saw the claimants succeed in part in their claim against the Metropolitan Police in the Investigatory Powers Tribunal (‘IPT’). Continue reading
The new General Data Protection Regulation: nearly there
As has been foretold (see for example this prophecy from Christopher Knight), there is soon to be a new birth of exceeding great import, ushering in a new world order.
And lo: the General Data Protection Regulation is approaching the end of its long incubation. The text appears to have been agreed in the last few hours: see this press release from the European Commission. It will go to a committee vote on Thursday of this week and will then be put before the European Parliament. Happy Christmas everyone!
2016 will be a momentous one in data protection ones. Panopticon will try to round up some wise women or men to dissect the new GDPR for readers in due course.
Robin Hopkins @hopkinsrobin
Multi-billion dollar actions for inaccurate personal data?
Data protection has developed a curious habit of churning up heroic (or anti-heroic, depending on how you view it) figures who take on global behemoths to surprising effect. Maybe I am being too dramatic, but think of Mario Costeja González, the complainant at the heart of the Google Spain ‘right to be forgotten’ case, and Max Schrems, whose litigation has thrown Safe Harbor and transatlantic data transfers into turmoil.
If we maintain a transatlantic gaze, another such figure comes into view. On Monday of this week, the Supreme Court of the United States heard argument in the case of Spokeo Inc v Thomas Robins. Mr Robins – the potential David in this important new David v Goliath episode – is at the forefront of litigation against the ‘people search engine’ Spokeo (see Anya’s earlier post here).
The profile Spokeo compiled about him said he was a graduate, a professional in his 50s and a married man with children. Hardly defamatory stuff, except that none of it was correct. He did not establish that these errors caused him any financial loss, but he seeks damages for the publication of factually incorrect information about his life.
So what, you say? Well, consider the Amicus Briefs put before SCOTUS by Ebay, Facebook, Google and Yahoo. They all say that this is a very big deal. They point out that, as major global tech innovators, they are exposed to numerous federal and state laws which contain statutory damages provisions for private causes of actions. If standing is granted for “no injury” lawsuits “plaintiffs may pursue suits against amici even where they are not actually harmed by an alleged statutory violation, and in certain circumstances, seek class action damages that could run into the billions of dollars”.
The issues in Robins (should you be compensated for mere breaches or for ‘digital injuries’?) resonate with live issues before the courts in the UK: can you be compensated under the Data Protection Act 1998 for mere distress (see Vidal-Hall v Google, en route to the Supreme Court)? How should one compensate for privacy violations (see Gulati, on which the Court of Appeal’s judgment is awaited)?
Regardless of whether Mr Robins emerges as a Goliath-slayer, his case adds to the law’s increasingly intense scrutiny of global tech companies whose stock in trade is personal data.
Robin Hopkins @hopkinsrobin
FOI and Article 10: life after Kennedy (and Kenedi)
The right to freedom of expression under Article 10(1) of the European Convention on Human Rights includes “freedom… to receive and impart information and ideas without interference by public authority”. Does that mean that there is a human right to freedom of information?
The question has haunted the courtrooms of the UK and other EU member states in recent years. In England and Wales, the last domestic word has been Kennedy v Charity Commission [2014] UKSC 20. The answer in Kennedy was ‘no’: Article 10 ECHR does not impose a positive, free-standing duty on public authorities to disclose information upon request.
That is not, however, the final word. Kennedy is to be heard by the European Court of Human Rights in Strasbourg – but the case has been stayed. This is because the Grand Chamber accepted another case raising essentially the same question.
The case is Magyar Helsinki Bizottság v Hungary (18030/11). The applicant, a human rights NGO, asked police forces to disclose information about ‘public defenders’, i.e. defence counsel appointed in criminal proceedings. The police forces refused, and the Hungarian court refused to order disclosure. The applicant complains that the refusal interferes with its rights under Article 10.
The case Bizottság was heard by the Grand Chamber today.
The UK government was an intervener. It urged the Court to conclude that Article 10 ECHR does not create a right to receive information from a public authority, in accordance with a line of authority (Leander v Sweden (1987) 9 EHRR 433, Gaskin v United Kingdom (1990) 12 EHRR 36, Guerra v Italy (1998) 26 EHRR 357 and Roche v United Kingdom (2006) 42 EHRR 30).
The Hungarian government’s position was to the same effect. It contended that concessions made in cases supporting the link between Article 10 and freedom of information (such as Társaság a Szabadsagjogokert v Hungary (2011) 53 EHRR 3 and Kenedi v Hungary 27 BHRC 335) were fact-specific.
Statutory rights to freedom of information in England and Wales are currently under threat of curtailment. Kennedy introduced (or confirmed) that, at least in certain circumstances, freedom of information also has a common law foundation. The Grand Chamber’s judgment in Bizottság will reveal whether, in addition to its statutory and common law pillars, freedom of information has a human rights basis as well.
Jason Coppel QC, Karen Steyn QC and Christopher Knight of 11KBW represented intervening parties in Bizottság.
Robin Hopkins @hopkinsrobin
Court of Appeal considers damages for privacy breaches – data protection to follow suit?
This week, the Court of Appeal is grappling with a difficult and important question: how do you value an invasion of privacy? In other words, where someone has suffered a breach of their privacy rights, how do you go about determining the compensation they should receive?
The appeal is brought by MGN against the judgment of Mann J in Gulati & Ors v MGN Ltd [2015] EWHC 1482 (Ch). That judgment concerned victims of blagging and phone-hacking (including Paul Gascoigne, Sadie Frost and Alan Yentob) for which Mirror Group Newspapers was held responsible.
Mann J awarded the claimants compensation ranging between £85,000 and £260,250. His judgment was ground-breaking, in part due to the size of those awards. (By way of comparison, the previous highest award in a privacy case had been made to Max Mosely, in the region of £60,000 – but most awards have been much lower).
It was also ground-breaking in terms of the methodology adopted to calculate quantum for privacy breaches. Here is how Mann J summarised the rival arguments (paragraph 108; I have underlined the components put forward by the claimants):
“… The case of the claimants is that the compensation should have several elements. There is compensation for loss of privacy or “autonomy” resulting from the hacking or blagging that went on; there is compensation for injury to feelings (including distress); and there is compensation for “damage or affront to dignity or standing”. The defendant disputes this and submits that all that can be compensated for is distress or injury to feelings… It is accepted that such things as loss of autonomy are relevant, but only as causes of the distress which is then compensated for. They are not capable of sustaining separate heads of compensation…”
As is clear from that synopsis, the debate is not just about money, observable cause-and-effect or hard-edged law. The debate also has difficult philosophical and ethical dimensions. It seems that neither society nor the law (which sometimes overlap) has yet got to the bottom of what it really means to have one’s privacy invaded.
In any event, Mann J certainly did his bit to progress that debate. He preferred the analysis of the claimants – hence the large awards they received. See for example his paragraphs 143-144:
“… The tort is not a right to be prevented from upset in a particular way. It is a right to have one’s privacy respected. Misappropriating (misusing) private information without causing “upset” is still a wrong. I fail to see why it should not, of itself, attract damages. Otherwise the right becomes empty, contrary to what the European jurisprudence requires. Upset adds another basis for damages; it does not provide the only basis. I shall therefore approach the consideration of quantum in this case on the footing that compensation can be given for things other than distress, and in particular can be given for the commission of the wrong itself so far as that commission impacts on the values protected by the right.”
The Court of Appeal’s judgment in MGN’s appeal will have a huge impact on the size of awards in privacy cases, and thereby on the privacy litigation landscape itself. It will also no doubt contribute to our understanding of how 21st-century society values (or ought to value) privacy.
What impact will it have on compensation under section 13 of the Data Protection Act 1998?
As with privacy compensation, data protection compensation is having a revolutionary year: see the striking down of section 13(2) in Vidal-Hall v Google [2015] EWCA Civ 311. Traditionally, few people brought claims under section 13 DPA, because it was assumed that they could only be compensated for distress (their primary complaint) if they also suffered financial loss (which mostly they hadn’t). Vidal-Hall overturned that: you can be compensated for distress alone under section 13 DPA. This point will be considered by the Supreme Court next year, but for now, the removal of this barrier to successful section 13 claims is hugely important.
Another barrier, however, lingers: section 13 DPA awards tend to be discouragingly low, from a claimant’s perspective. See most crucially Halliday v Creation Consumer Finance [2013] EWCA Civ 333 (where an award for £750 was made): “the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation…” (per Arden LJ at paragraph 36).
Increasingly, however, case law emphasises the intimate relationship between data protection and fundamental privacy rights: see for example Vidal-Hall, and last year’s ‘right to be forgotten’ judgment in the Google Spain case.
So, if Mann J’s wide, claimant-friendly approach to quantifying damages is upheld in the privacy context, how long before the same approach infiltrates data protection litigation?
Robin Hopkins @hopkinsrobin