High Court considers purpose behind subject access request under the DPA

It is not uncommon for data controllers to be faced with subject access requests under s. 7 of the Data Protection Act 1998, the motivations for which appear to have nothing whatever to do with the purposes of the DPA.

The DPA seeks to protect individuals’ privacy rights with respect to data which is processed about them. The subject access provisions help people check up on that data and its processing (see for example YS v Minister voor Immigratie (Cases C-141/12 & C-372/12)). In practice, however, a subject access request is a fishing expedition with an eye on prospective litigation.

How does this affect the individual’s right to have his subject access request complied with? The general answer is that, at least as regards applications to the Court under s. 7(9) DPA for the enforcement of a subject access request, the remedial discretion is wide enough to take the requester’s motive and purposes into account.

Kololo v Commissioner of Police for the Metropolis [2015] EWHC 600 (QB) – a judgment of Dingemans J handed down yesterday – looked set to consider the relevance of a requester’s motive (albeit that the context was not the commonplace pre-litigation fishing expedition). In the end, the judgment was largely fact-specific. Nonetheless, it is an interesting illustration of a Court engaging with a requester’s motive and the place of that motive in the statutory scheme.

The judgment is here: Kololo. There is also some press coverage in the Telegraph.

Mr Kololo is on death row in Kenya. He is challenging his conviction and sentence for robbery, kidnapping and murder of British nationals. He has never been to the UK, but officers of the Metropolitan Police were involved in the investigation of the crimes in Kenya and in evidence given at the trial.

His lawyers made subject access requests to the Foreign Office and the Metropolitan Police. The former provided data, but the Police refused. It said his request was an abuse of process.

The predominant purpose of the request was to assist with Mr Kololo’s appeal in the Kenyan Courts. The subject access request itself had said that the information sought “could prove crucial to Mr Kololo’s case”.

In his witness statement to the Court, however, Mr Kololo said that he also wanted to know what information the Police held on him “and what they are doing or have done with it”. He said he was worried about how information about him and his family may be used by the Police.

Dingemans J considered such worry to be speculative. Mr Kololo’s principal aim was plainly to obtain information which might assist with his appeal. But Dingemans J took this view (para. 31): “However, in order for any data which Mr Kololo might obtain from the Commissioner to be of any assistance to Mr Kololo on his appeal, it is likely that Mr Kololo will want to try and point to inaccuracies in the data” (if any such inaccuracies existed).

Therefore, Mr Kololo’s purpose was at least in part aligned with the purposes of the DPA: “a purpose for which Mr Kololo is making the subject access request is to determine whether there are inaccuracies in the data. This means that Mr Kololo (or his legal representatives) is making the subject access request to verify the accuracy of the data. This is so even though verifying the accuracy of the data is unlikely to be of assistance to Mr Kololo for his appellate proceedings. However if the data is not accurate Mr Kololo (or his legal representatives) may seek to correct any inaccuracies in the data. This might, depending on the inaccuracies, be of assistance to Mr Kololo for his other purposes” (para. 35).

Dingemans J noted that the Court’s discretion under s. 7(9) DPA was “‘general and untrammelled’ but it is also common ground that such discretion should be exercised to give effect to the purposes of the DPA and be proportionate” (paragraph 32). On the facts, however, one of Mr Kololo’s purposes did accord with the purposes of the DPA. Therefore, his request was held not to be an abuse of process, and the Police were ordered to comply with it.

Additionally, Dingemans J briefly considered the mechanism under the Crime (International Co-operation) Act 2003 for an overseas court or prosecuting authority to request assistance from UK authorities. The existence of that mechanism also did not render Mr Kololo’s subject access request an abuse of process.

Anya Proops and Chris Knight appeared for the Commissioner of Police for the Metropolis.

Robin Hopkins @hopkinsrobin

Leviathan

Hot off the press: the Upper Tribunal has given its judgment in Fish Legal.

Applying the principles from the CJEU’s judgment of December 2013, it has held that the respondent water companies are public authorities for the purposes of the Environmental Information Regulations 2004, by virtue of their “special powers”.

The issues and facts are complex, and the judgment is lengthy. It also makes reference to Lewis Carroll, who now somehow appears in two consecutive Panopticon posts.

The judgment is contained in these two documents: FISH LEGAL UT DECISON PART 1 and FISH LEGAL UT DECISON PART 2.

Analysis of the judgment will follow on Panopticon shortly (thus the barrister dreamed, while the bellowing seemed to grow every moment more clear).

Robin Hopkins

Data protection: three developments to watch

Panopticon likes data protection, and it likes to keep its eye on things. Here are three key developments in the evolution of data protection law which, in Panopticon’s eyes, are particularly worth watching.

The right to be forgotten: battle lines drawn

First, the major data protection development of 2014 was the CJEU’s ‘right to be forgotten’ judgment in the Google Spain case. Late last year, we received detailed guidance from the EU’s authoritative Article 29 Working Party on how that judgment should be implemented: see here.

In the view of many commentators, the Google Spain judgment was imbalanced. It gave privacy rights (in their data protection guise) undue dominance over other rights, such as rights to freedom of expression. It was clear, however, that not all requests to be ‘forgotten’ would be complied with (as envisaged by the IC, Chris Graham, in an interview last summer) and that complaints would ensue.

Step up Max Mosley. The BBC reported yesterday that he has commenced High Court litigation against Google. He wants certain infamous photographs from his past to be made entirely unavailable through Google. Google says it will remove specified URLs, but won’t act so as to ensure that those photographs are entirely unobtainable through Google. According to the BBC article, this is principally because Mr Mosley no longer has a reasonable expectation of privacy with respect to those photographs.

The case has the potential to be a very interesting test of the boundaries of privacy rights under the DPA in a post-Google Spain world.

Damages under the DPA

Second, staying with Google, the Court of Appeal will continue its consideration of the appeal in Vidal-Hall and Others v Google Inc [2014] EWHC 13 (QB) in February. The case is about objections against personal data gathered through Apple’s Safari browser. Among the important issues raised by this case is whether, in order to be awarded compensation for a DPA breach, one has to establish financial loss (as has commonly been assumed). If the answer is no, this could potentially lead to a surge in DPA litigation.

The General Data Protection Regulation: where are we?

I did a blog post last January with this title. A year on, the answer still seems to be that we are some way off agreement on what the new data protection law will be.

The latest text of the draft Regulation is available here – with thanks to Chris Pounder at Amberhawk. As Chris notes in this blog post, the remaining disagreements about the final text are legion.

Also, Jan Philipp Albrecht, the vice-chairman of the Parliament’s civil liberties committee, has reportedly suggested that the process of reaching agreement may even drag on into 2016.

Perhaps I will do another blog post in January 2016 asking the same ‘where are we?’ question.

Robin Hopkins @hopkinsrobin

How to apply the DPA

Section 40 of FOIA is where the Freedom of Information Act (mantra: disclose, please) intersects with the Data Protection Act 1998 (mantra: be careful how you process/disclose, please).

When it comes to requests for the disclosure of personal data under FOIA, the DPA condition most commonly relied upon to justify showing the world the personal data of a living individual is condition 6(1) from Schedule 2:

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

That condition has multiple elements. What do they mean, and how do they mesh together? In Goldsmith International Business School v IC and Home Office (GIA/1643/2014), the Upper Tribunal (Judge Wikeley) has given its view. See here: Goldsmiths. This comes in the form of its endorsement of the following 8 propositions (submitted by the ICO, represented by 11KBW’s Chris Knight).

Proposition 1: Condition 6(1) of Schedule 2 to the DPA requires three questions to be asked:

(i) Is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?

(ii) Is the processing involved necessary for the purposes of those interests?

(iii) Is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

Proposition 2: The test of “necessity” under stage (ii) must be met before the balancing test under stage (iii) is applied.

Proposition 3: “Necessity” carries its ordinary English meaning, being more than desirable but less than indispensable or absolute necessity.

Proposition 4: Accordingly the test is one of “reasonable necessity”, reflecting the European jurisprudence on proportionality, although this may not add much to the ordinary English meaning of the term.

Proposition 5: The test of reasonable necessity itself involves the consideration of alternative measures, and so “a measure would not be necessary if the legitimate aim could be achieved by something less”; accordingly, the measure must be the “least restrictive” means of achieving the legitimate aim in question.

Proposition 6: Where no Article 8 privacy rights are in issue, the question posed under Proposition 1 can be resolved at the necessity stage, i.e. at stage (ii) of the three-part test.

Proposition 7: Where Article 8 privacy rights are in issue, the question posed under Proposition 1 can only be resolved after considering the excessive interference question posed by stage (iii).

The UT also added this proposition 8, confirming that the oft-cited cases on condition 6(1) were consistent with each other (proposition 8: The Supreme Court in South Lanarkshire did not purport to suggest a test which is any different to that adopted by the Information Tribunal in Corporate Officer).

Those who are called upon to apply condition 6(1) will no doubt take helpful practical guidance from that checklist of propositions.

Robin Hopkins @hopkinsrobin

Happy birthday FOIA: orthodoxy and liberalism

With FOIA celebrating its tenth birthday this month, it is striking that one of its most taken-for-granted axioms has been called into question. The axiom is this: the relevant time is the time of the request, extending perhaps until the statutory time for compliance with the request. When you are assessing the public interest balance and the engagement of exemptions, that is the time you look to; you ignore later developments.

In Defra v IC and the Badger Trust (GI/79/2014), the requester (the Badger Trust) had requested information about Defra’s risk assessments for the proposed badger culling programme. The ICO ordered disclosure. Defra appealed. The case was transferred to the Upper Tribunal due to a witness anonymity issue. The Upper Tribunal dismissed Defra’s appeal. It was not persuaded by Defra’s evidence as to the public interest balance. The judgment is here: DEFRA v ICO and Badger Trust – Judgment on Public Interest.

In its judgment, the UT pondered the question of the relevant time. It declined to rule, but stated that it considered this question to be an open one: see paragraphs 44-48. A central tenet of FOIA/EIR orthodoxy over the past decade has been called into question.

Another recent UT judgment is worthy of note as FOIA turns ten. It does not introduce uncertainty, but rather – from the point of view of FOIA’s fans – provides a heartening affirmation of the purpose of the legislation. The case is UCAS v IC and Lord Lucas [2014] UKUT 0557 (AAC): see here: UCAS. It was about the extent to which FOIA applied to UCAS. The point I draw out here is this one, at paragraph 39 of the decision of Judge Wikeley:

“I agree with Mr Knight that the starting point in this exercise in statutory interpretation must be the principle that FOIA is a constitutionally important piece of legislation, the scope of which must be interpreted broadly. This much is plain from Sugar (No. 2) itself (see Lord Walker at [76] and Lord Mance at [110]), as well as from other decisions of the House of Lords and Supreme Court (see Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 at [4] per Lord Hope and Kennedy v Charity Commission [2014] UKSC 20 at [153] per Lord Sumption). This emphasis on a liberal construction is, to borrow a phrase from a different context of statutory interpretation, the golden thread which runs through the FOIA case law, whether in the rarefied atmosphere of the Supreme Court or on the judicial shop floor at the First-tier Tribunal.”

So then, happy birthday FOIA. Some of the assumptions of your youth may be in question, but your golden thread is strong. Somebody put that in a greeting card, please.

I appeared in the Badger Trust case. Chris Knight appeared in the UCAS case.

Robin Hopkins @hopkinsrobin

Monetary penalty for marketing phonecalls: Tribunal upholds ‘lenient’ penalty

A telephone call made for direct marketing purposes is against the law when it is made to the number of a telephone subscriber who has registered with the Telephone Preference Service (‘TPS’) as not wishing to receive such calls on that number, unless the subscriber has notified the caller that he does not, for the time being, object to such calls being made on that line by that caller: see regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended (‘PECR’).

The appellant in Amber UPVC Fabrications v IC (EA/2014/0112) sells UPVC windows and the like. It relies heavily on telephone calls to market its products and services. It made nearly four million telephone calls in the period May 2011 to April 2013, of which approximately 80% to 90% were marketing calls.

Some people complained to the Information Commissioner about these calls. The Commissioner found that the appellant had committed serious PECR contraventions – he relied on 524 unsolicited calls made in contravention of PECR. The appellant admitted that it made 360 of the calls. The appellant was issued with a monetary penalty under section 55A of the Data Protection Act 1998, as incorporated into PECR.

The penalty was £50,000. The appellant appealed to the Tribunal. Its appeal did not go very well.

The Tribunal found the appellant’s evidence to be “rather unsatisfactory in a number of different ways. They took refuge in broad assertions about the appellant’s approach to compliance with the regulations, without being able to demonstrate that they were genuinely familiar with the relevant facts. They were able to speak only in general terms about the changes to the appellant’s telephone systems that had been made from time to time, and appeared unfamiliar with the detail. They had no convincing explanations for the numerous occasions when the appellant had failed to respond to complaints and correspondence from TPS or from the Commissioner. The general picture which we got was of a company which did as little as possible as late as possible to comply with the regulations, and only took reluctant and belated action in response to clear threats of legal enforcement.”

The Tribunal set out in detail the flaws with the appellant’s evidence. It concluded that “the penalty was appropriate (or, indeed, lenient) in the circumstances, and the appellant has no legitimate complaint concerning its size”.

This decision is notable not only for its detailed critique (in terms of PECR compliance) of the appellant’s business practices and evidence on appeal, but also more widely for its contribution to the developing jurisprudence on monetary penalties and the application of the conditions under section 55A DPA. Thus far, the cases have been Scottish Borders (DPA appeal allowed, in a decision largely confined to the facts), Central London Community Healthcare NHS Trust (appeal dismissed at both First-Tier and Upper Tribunal levels) and Niebel (PECR appeal allowed and upheld on appeal).

The Amber case is most closely linked to Niebel, which concerned marketing text messages. The Amber decision includes commentary on and interpretation of the binding Upper Tribunal decision in Niebel on how the section 55A conditions for issuing a monetary penalty should be applied. For example:

PECR should be construed so as to give proper effect to the Directive which it implements – see the Tribunal’s discussion of the Marleasing principle.

The impact of the ‘contravention’ can be assessed cumulatively, i.e. as the aggregate effect of the contraventions asserted in the penalty notice. In Niebel, the asserted contravention was a specified number of text messages which had been complained about, but the Tribunal in Amber took the view that, in other cases, the ICO need not frame the relevant contravention solely by reference to complaints – it could extrapolate, where the evidence supported this, to form a wider conclusion on contraventions.

Section 55A requires an assessment of the “likely” consequences of the “kind” of contravention. “Likely” has traditionally been taken to mean “a significant and weighty chance”, but the Tribunal in Amber considered that, in this context, it might mean “more than fanciful”, ie, “a real, a substantial rather than merely speculative, possibility, a possibility that cannot sensibly be ignored”.

The “kind” of contravention includes the method of contravention, the general content and tenor of the communication, and the number or scale of the contravention.

“Substantial” (as in “substantial damage or substantial distress”) probably means “more than trivial, ie, real or of substance”. Damage or distress can be substantial on a cumulative basis, i.e. even if the individual incidents do not themselves cause substantial damage or substantial distress.

“Damage” is different to “distress” but is not confined to financial loss – for example, personal injury or property interference could suffice.

“Distress” means something more than irritation.

The significant and weighty chance of causing substantial distress to one person is sufficient for the threshold test to be satisfied.

Where the number of contraventions is large, there is a higher inherent chance of affecting somebody who, because of their particular unusual circumstances, is likely to suffer substantial damage or substantial distress due to the PECR breach.

The Amber decision is, to date, the most developed analysis, at First-Tier Tribunal level, of the monetary penalty conditions. The decision will no doubt be cited and discussed in future cases.

11KBW’s James Cornwall appeared for the ICO in both Amber and Niebel.

Robin Hopkins @hopkinsrobin