Author: Robin Hopkins

GCHQ’s internet surveillance – privacy and free expression join forces

Posted on | by Robin Hopkins

A year ago, I blogged about Privacy International’s legal challenge – alongside Liberty – against GCHQ, the Security Services and others concerning the Prism/Tempora programmes which came to public attention following Edward Snowden’s whistleblowing. That case is now before the Investigatory Powers Tribunal. It will be heard for 5 days, commencing on 14 July.

Privacy International has also brought a second claim against GCHQ: in May 2014, it issued proceedings concerning the use of ‘hacking’ tools and software by intelligence services.

It has been announced this week that Privacy International is party to a third challenge which has been filed with the Investigatory Powers Tribunal. This time, the claim is being brought alongside 7 internet service providers: GreenNet (UK), Chaos Computer Club (Germany); GreenHost (Netherlands); Jimbonet (Korea), Mango (Zimbabwe), May First/People Link (US) and Riseup (US).

The claim is interesting on a number of fronts. One is the interplay between global reach (see the diversity of the claimants’ homes) and this specific legal jurisdiction (the target is GCHQ and the jurisdiction is the UK – as opposed, for example, to bringing claims in the US). Another is that it sees private companies – and therefore Article 1 Protocol 1 ECHR issues about property, business goodwill and the like – surfacing in the UK’s internet surveillance debate.

Also, the privacy rights not only of ‘ordinary’ citizens (network users) but also specifically those of the claimants’ employees are being raised.

Finally, this claim sees the right to free expression under Article 10 ECHR – conspicuously absent, for example, in the Google Spain judgment – flexing its muscle in the surveillance context. Privacy and free expression rights are so often in tension, but here they make common cause.

The claims are as follows (quoting from the claimants’ press releases):

(1) By interfering with network assets and computers belonging to the network providers, GCHQ has contravened the UK Computer Misuse Act and Article 1 of the First Additional Protocol (A1AP) of the European Convention of Human Rights (ECHR), which guarantees the individual’s peaceful enjoyment of their possessions

(2) Conducting surveillance of the network providers’ employees is in contravention of Article 8 ECHR (the right to privacy) and Article 10 ECHR (freedom of expression)

(3) Surveillance of the network providers’ users that is made possible by exploitation of their internet infrastructure, is in contravention of Arts. 8 and 10 ECHR; and

(4) By diluting the network providers’ goodwill and relationship with their users, GCHQ has contravened A1AP ECHR.

Robin Hopkins @hopkinsrobin

Fairness under the DPA: public interests can outweigh those of the data subject

Posted on | by Robin Hopkins

Suppose a departing employee was the subject of serious allegations which you never had the chance properly to investigate or determine. Should you mention these (unproven) allegations to a future employer? Difficult questions arise, in both ethical and legal terms. One aspect of the legal difficulty arises under data protection law: would it be fair to share that personal information with the prospective employer?

The difficulty is enhanced because fairness – so pivotal to data protection analysis – has had little or no legal treatment.

This week’s judgment of Mr Justice Cranston in AB v A Chief Constable [2014] EWHC 1965 (QB) is in that sense a rare thing – a judicial analysis of fairness.

AB was a senior police officer – specifically, a chief superintendent. He was given a final written warning in 2009 following a disciplinary investigation. Later, he was subject to further investigation for allegedly seeking to influence the police force’s appointment process in favour of an acquaintance of AB; this raised a number of serious questions, including about potential dishonesty, lack of integrity, and so on.

AB was on sick leave (including for reasons related to psychological health) for much of the period when that second investigation was unfolding. He was unhappy with how the Force was treating him. He got an alternative job offer from a regulator. He then resigned from the Force before the hearing concerning his alleged disciplinary offences. His resignation was accepted. The Force provided him with a standard reference, but the Chief Constable then took the view that – given the particular, unusual circumstances – he should provide the prospective employer with a second reference, explaining the allegations about AB.

The second reference was to say inter alia that:

“[AB’s] resignation letter pre-dated by some 13 days a gross misconduct hearing at which he was due to appear to face allegations of (i) lack of honesty and integrity (ii) discreditable conduct and (iii) abuse of authority in relation to a recruitment issue. It is right to record that he strenuously denied those allegations. In the light of his resignation the misconduct hearing has been stayed as it is not in the public interest to incur the cost of a hearing when the officer concerned has already resigned, albeit his final date of service post-dating the hearing.”

AB objected to the giving of the second reference and issued a section 10 notice under the Data Protection Act 1998. The lawfulness of the Force’s proposed second reference arose for consideration by Cranston J.

The first issue was this: was the Chief Constable legally obliged to provide a second reference explaining those concerns?

Cranston J held that, in terms of the common/private law duty of care (on the Hedley Byrne line of authority), the answer was no. As a matter of public law, however – and specifically by reference to the Police Conduct Regulations – the answer was yes: “the Chief Constable was obliged by his duty to act with honesty and integrity not to give a standard reference for the recipient because that was misleading. Something more was demanded. In this case the Chief Constable was prima facie under a duty to supply the Regulatory Body at the least with the information about disciplinary matters in the second reference.”

Note the qualifier ‘prima facie’: the upshot was that the duty was displaced if the provision of the second reference would breach the DPA. This raised a number of issues for the Court.

First, no information about AB’s health could be imparted: this was sensitive personal data, and the Chief Constable did not assert that a Schedule 3 DPA condition was met (as required under the First Data Protection Principle).

What about the information as to the disciplinary allegations AB faced? This was not sensitive personal data. Therefore, under the First Data Protection Principle, it could be disclosed if to do so would be (a) fair, (b) lawful, and (c) in accordance with a Schedule 2 condition.

The last two were unproblematic: given the prima facie public law duty to make the second reference here, it would lawful to do so and condition 3 from Schedule 2 would be met.

This left ‘fairness’, which Cranston J discussed in the following terms:

“There is no definition of fairness in the 1998 Act. The Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, to which the 1998 Act gives effect, contains a reference to protecting privacy rights, as recognised in article 8 of the European Convention on Human Rights and in general principles of EU law: recital 10. However, I cannot accept Mr Lock QC’s submission that the duty of fairness under the Directive and the 1998 Act is a duty to be fair primarily to the data subject. The rights to private and family life in Article 8 are subject to the countervailing public interests set out in Article 8(2). So it is here: assessing fairness involves a balancing of the interests of the data subject in non-disclosure against the public interest in disclosure.”

In conducting this balance between the interests of AB and those of others (including the public interests), Cranston J ultimately – on the particular facts – concluded that it would have been unfair to provide the second reference. There were strong fairness arguments in favour of disclosure – a see paragraph 78 (my emphasis):

“… The focus must be on fairness in the immediate decision to disclose the data [as opposed to a wider-ranging inquiry into the data subject’s conduct in the build-up to disclosure]. In this case the factors making it fair to disclose the information were the public interest in full and frank references, especially the duty of the police service properly to inform other police forces and other regulatory bodies of the person they are seeking to employ. To disclose the information in the second reference would patently have been fair to the Regulatory Body, so it could make a rounded assessment of the claimant, especially given his non-disclosure during the application process.”

However, the balance tipped in AB’s favour. This was partly because the Force’s policy – as well as the undertaken specifically given to AB – was to provide only a standard reference. But (see paragraph 79):

“… what in my view is determinative, and tips the balance of fairness in this case in favour of the claimant, is that he changed his position by resigning from the Force and requesting it to discontinue the disciplinary proceedings, before knowing that the Chief Constable intended to send the second reference. That second reference threatened the job which he had accepted with the Regulatory Body. It is unrealistic to think that the claimant could have taken steps to reverse his resignation in the few weeks before it would take effect. Deputy Chief Constable CD for one had indicated that he would not allow it. The reality was that the claimant was in an invidious position, where in reliance on what the Force through GH had said and done, he was deprived of the opportunity to reinstate the disciplinary proceedings and to fight the allegations against him. This substantive unfairness for the claimant was coupled with the procedural unfairness in the decision to send the second reference without giving him the opportunity to make representations against that course of action. Asking him to comment on its terms after the final decision to send the second reference was too little, too late.”

Therefore, because of unfairness in breach of the DPA and because of AB’s legitimate expectations, the second reference was not lawful.

While Cranston J rightly emphasised the highly fact-specific nature of his overall conclusion, aspects of his discussion of fairness will potentially be of wider application.

So too will his reminder (by way of quoting ICO guidance) that, when it comes to section 10 notices, “Although this [section 10] may give the impression that an individual can simply demand than an organisation stops processing personal data about them, or stops processing it in a particular way, the right is often overstated. In practice, it is much more limited”. Again, in other words, a balancing of interests and an assessment of the justification for the processing is required.

With the ‘right to be forgotten’ very much in vogue, that is a useful point to keep in mind.

Robin Hopkins @hopkinsrobin

Section 13 DPA in the High Court: nominal damage plus four-figure distress award

Posted on | by Robin Hopkins

Given the paucity of case law, it is notoriously difficult to estimate likely awards of compensation under section 13 of the Data Protection Act 1998 for breaches of that Act. It is also very difficult to assess any trends in compensation awards over time.

AB v MoJ [2014] EWHC 1847 (QB) is the Courts’ (Mr Justice Jeremy Baker) latest consideration of compensation under the DPA. The factual background involves protracted correspondence involving numerous subject access requests. Ultimately, it was held that the Defendant failed to provide certain documents to which the Claimant was entitled under section 7 of the DPA within the time frames set out under that section.

Personal data?

There was a dispute as to whether one particular document contained the Claimant’s ‘personal data’. Baker J noted the arguments from Common Services Agency, and he is not the first to observe (at his paragraph 50) that it is sometimes not a ‘straightforward issue’ to determine whether or not information comes within the statutory definition of personal data. Ultimately, he considered that the disputed document did not come within that definition: it “is in wholly neutral terms, and is indeed merely a conduit for the provision of information contained in the letters which it enclosed which certainly did contain the claimant’s personal data”.

Nonetheless, the DPA had been breached in virtue of the delays in the provision of other information to which the Claimant was entitled under section 7. What compensation should he be awarded?

Damage under section 13(1) DPA

Baker J was satisfied, having considered In Halliday v Creation Consumer Finance Limited [2013] EWCA Civ 333, [2013] 2 Info LR 85 (where the same point was conceded), that nominal damage sufficed as ‘damage’ for section 13(1) purposes: “In this regard the word “damage” in this sub-section is not qualified in any way, such that to my mind provided that there has, as in this case, been some relevant loss, then an individual who has also suffered relevant distress is entitled to an award of compensation in respect of it”.

Here the Court was satisfied that nominal damages should be awarded. The Claimant had spent a lot of time pursuing his requests, albeit that much of that time also involved pursuing requests on clients’ behalves, and albeit that no actual loss had been quantified:

“Essentially the claimant is a professional man who, it is apparent from his witness statement, has expended a considerable amount of time and expense in the pursuit of the disclosure of his and others’ data from various Government Departments and other public bodies, including the disclosed and withheld material from the defendant. Having said that, the claimant has not sought to quantify his time and expense, nor has he allocated it between the various requests on his own and others’ behalves. In these circumstances, although I am satisfied that he has suffered damage in accordance with s.13(1) of the DPA 1998, I consider that this is a case in which an award of nominal damages is appropriate under this head, which will be in the conventional sum of £1.00.”

Distress under section 13(2) DPA

That finding opened the door to an award for distress. The Court found that distress had been suffered, although it was difficult to disentangle his distress attributable to the breaches of the DPA from his distress as to the other surrounding circumstances: “doing the best I am able to on the evidence before me I consider that any award of compensation for distress caused as a result of the relevant delays in this case, should be in the sum of £2,250.00”.

Until this week, Halliday was the Courts’ last reported (on Panopticon at any rate) award of compensation under section 13 DPA. That was 14 months ago. In AB, the Court awarded precisely triple that sum for distress.

For a further (and quicker-off-the-mark) discussion of AB, see this post on Jon Baines’ blog, Information Rights and Wrongs.

Robin Hopkins @hopkinsrobin

Privacy, electronic communications and monetary penalties: new Upper Tribunal decision

Posted on | by Robin Hopkins

Panopticon reported late last year that the First-Tier Tribunal overturned the first monetary penalty notice issued by the Information Commissioner for breaches of the Privacy and Electronic Communications Regulations 2003. This was the decision in Niebel v IC (EA/2012/0260).

The Information Commissioner appealed against that decision. The Upper Tribunal gave its decision on the appeal yesterday: see here IC v Niebel GIA 177 2014. It dismissed the Commissioner’s appeal and upheld the First-Tier Tribunal’s cancellation of the £300,000 penalty imposed for the sending of marketing text messages.

I appeared in this case, as did James Cornwell (also of the Panopticon fold), so I will not be offering an analysis of the case just now. With any luck, one of my colleagues will be cajoled into doing so before too long.

It is worth pointing out simply that this is the first binding decision on the meaning of the various limbs of s. 55A of the DPA 1998, which contains the preconditions for the issuing of a monetary penalty notice.

Robin Hopkins @hopkinsrobin

11KBW at PDP’s FOI Conference

Posted on | by Robin Hopkins

PDP Conferences is hosting its 10th annual Freedom of Information Conference in London on 15 and 16 May, with 11KBW hosting the wine and canapés reception.

The conference will be chaired by Robin Hopkins.

The Deputy Information Commissioner, Graham Smith, is the keynote speaker, with Timothy Pitt-Payne QC also among the speakers on day 1 of the conference.

On day 2, 11KBW’s Ben Hooper will host one of the workshops.

The full programme can be found here.

Legal professional privilege does not automatically engage an EIR exception

Posted on | by Robin Hopkins

FOIA provides an exemption (s. 42) expressly for legal professional privilege; as is well known, there is ‘strong inherent weight’ in maintaining that exemption. What about the EIRs? LPP is not expressly mentioned, but regulation 12(5)(b) EIR applies to information the disclosure of which would adversely affect “the course of justice, the ability of a person to receive a fair trial or the ability of a public authority to conduct an inquiry of a criminal or disciplinary nature”. Does information attracting LPP automatically come within that exception? Many practitioners operate on the assumption that the answer is ‘yes’. The Upper Tribunal has on a previous occasion, however, left that question open: DCLG v IC and Robinson [2012] UKUT 103 (AAC); [2012] 2 Info LR 43.

That question has recently been revisited. In GW v IC, Local Government Ombudsman and Sandwell MBC [2014] UKUT 0130 (AAC), the Upper Tribunal answered ‘no’: just because LPP applies, it does not automatically follow that regulation 12(5)(b) EIR is engaged. Further analysis is needed – and the onus is on the public authority to make out its case on adverse effects on the course of justice etc.

The requester has complained to the Council about what was being emitted from the chimneys of two of his neighbours who were using wood-burning stoves. The Council obtained written legal advice from counsel. It told the requester it could not progress his complaint as he wished. He complained to the Ombudsman. The Council shared its legal advice with the Ombudsman, expressly on a confidential basis. The requester sought that advice from the Ombudsman. His request was refused. The IC’s decision went against him. So too did that of the First-Tier Tribunal.

The Upper Tribunal, however, found that the FTT went wrong in attributing too much weight to the prejudicial effects which it thought likely to arise “simply through the weakening of this important doctrine” [of LPP].

UT Judge Turnbull considered the wording of regulation 12(5)(b) EIR and said this: “In my judgment that requires attention to be focused on all the circumstances of the particular case, and there is no room for an absolute rule that disclosure of legally privileged information will necessarily adversely affect the course of justice”.

The crux, in his judgment was this: “What particularly matters for present purposes is in my judgment that the rationale for the doctrine and its absolute nature is established as being the need for the client to be able to obtain legal advice on a full and frank basis”.

In the present case, disclosure would be unlikely to prejudice that underlying principle – the Council’s ability to obtain free and frank advice would not be impeded. “What might be damaged would be not the course of justice but the ability of the LGO to conduct future investigations on a fully informed basis” – but that was a different point to the one at the heart of the FTT’s reasoning. The FTT had thus gone wrong in its public interest analysis.

Interestingly, one factor in the UT’s reasoning appears to have been that it was not taken to “any particular part or feature of the Advice which the Council would be unhappy about disclosing, or pointed to any specific concern which it has about Mr W or the public in general seeing it. Nor has it been suggested, for example, that the Advice needs to be qualified because of some inaccuracy or incompleteness in the instructions to counsel. The weight to be accorded to the adverse effect on the course of justice in this case is in my judgment very substantially less than it would have been if the LGO had been able to rely on the weakening of the doctrine of LPP which compulsory disclosure of legal advice will almost always involve”. This offers useful indications of what, in this UT’s view, might suffice to engage regulation 12(5)(b) EIR in respect of information which attracts LPP.

The public authorities also sought to rely on regulation 12(5)(d) EIR (confidentiality of proceedings). By regulation 12(9), however, that exception cannot be relied upon “to the extent that the environmental information to be disclosed relates to information on emissions”. Did that disapplication provision bite here? No, said the UT: “In substance the Advice did not “relate to” information as to the particular nature and extent of those emissions, but rather it related to the meaning and effect of the legislation”. In this case, regulation 12(5)(d) EIR was engaged.

Turning to the public interest balance, a preliminary point addressed by the UT concerned timing: matters post-dating the statutory time for compliance with a request can only properly be taken into account to the extent that they shed light on matters as they stood up to that time, or if they are relevant to the IC’s ‘steps discretion’ under s. 50(4) FOIA. They are not otherwise relevant to the public interest balance.

What might count in favour of the disclosure of privileged information? “In my judgment, therefore, when considering this issue it is relevant to consider not only whether the Council (and/or the LGO) made statements which were positively wrong, but whether they made statements which were liable to mislead or confuse the reader, and so have generated a confusing picture as to the effect of and reasoning behind the Advice”.

In this case, while there was no intention to mislead, “the combined effect of the information which the LGO and the Council had given up to this point was liable to create substantial confusion, in the mind of any reasonable reader, as to what the Advice did say”.

As to the public interest in maintaining the exception, the main factor was “the effect which disclosure would have on the ability of the LGO to obtain legally privileged information from local authorities on the footing that it should remain confidential” – especially given that the Ombudsman cannot compel local authorities to share such information with it. There would thus be a chilling effect on such information-sharing.

In contrast, the unfairness to the Council of having its legal advice shared with the requester was a relatively weak factor.

Overall, however, the balance very firmly favoured the maintenance of the exception. In this case therefore, the likely damage to the LGO’s work prevailed where LPP had not.

Robin Hopkins @hopkinsrobin