Author: Robin Hopkins

Property searches under the EIRs: Tribunal refers questions to the CJEU

Posted on | by Robin Hopkins

The ability to impose charges for the provision of property search information is an important financial issue for many local authorities. Historically it had been thought by many that the imposition of such charges was governed by the Local Authorities (England) (Charges for Property Searches) Regulations 2008 (“CPSR”), which allow local authorities to recover all the costs of making such information available (including staff costs, overhead costs and the costs of maintaining relevant information systems). However, in recent years there has been an increasing awareness of the fact that requests for property search information to a large extent amount to requests for access to environmental information, such that they call for an application of the charging regime provided for in r. 8 of the Environmental Information Regulations 2004. The CPSR itself specifically provides that it does not apply to the provision of any information which is governed by other statutory charging regimes. Accordingly, it would seem that the CPSR is inapplicable in respect of requests for property search information insofar as those requests are made under the EIR.

Regulation 8 EIR allow reasonable charges to be imposed for making environmental information available, save that no charge may be imposed for permitting access to public registers or examining the requested information in situ. The question of when a public authority can impose charges and also what will constitute a reasonable charge has now been considered by the tribunal in a number of different cases, all of which concerned requests for property search information (see e.g. Kirklees Council v IC & Pali Ltd [2011] UKUT 104 (AAC) and also East Riding of Yorkshire v IC).

Earlier this year, in Leeds City Council v IC & APPS Claimants (EA/2012/0020-21); [2013] 1 Info LR 406, the First-Tier Tribunal was asked to decide whether, when making environmental information available other than by means of inspection or through public registers, the local authority was entitled under r. 8 to charge only for disbursements (the Commissioner’s case) or whether other costs, such as the cost of staff time spent searching for the requested information and overhead costs, could be factored into the charge (the Council’s case). Having carefully considered not only r. 8 but the provisions on charging in the Directive on Public Access to Environmental Information (“the Directive”), the FTT concluded that public authorities could only charge in respect of disbursement costs. It also held that Leeds had erred in determining the charge by reference to the CPSR. Leeds initially sought and was granted permission to appeal against the decision. However, the appeal was not pursued. Notably, the Commissioner argued before the FTT in the Leeds case that the question of what would constitute a lawful charge could not satisfactorily be resolved without a reference to the Court of Justice of the European Union. That argument was not supported by Leeds or the APPS claimants. The FTT decided that it could resolve the appeal without a reference and so none was made.

These issues have now resurfaced before the First-Tier Tribunal in East Sussex County Council v IC & Property Search Company & the Local Government Association (EA/2013/0037), another property search case. In this case, the applicant requested answers to questions in the standard property search form issued by the Law Society, the CON29R form. The Council imposed a fixed charge for providing this information, the fixed charge having been calculated on the basis of the approach provided for in the CPSR (i.e. was a charge which was intended to produce a cost neutral result for the Council). The charge itself factored in not only disbursement costs, but also staff time, a portion of the Council’s overhead costs, office costs and a portion of the costs of maintaining the information systems from which the relevant information is derived.

In light of an analysis of preparatory legislative materials for the Directive, the Commissioner conceded that costs beyond mere disbursement costs could in principle be factored into the charge. In particular, he argued that staff time spent searching for the information could be included. However, he disputed that other costs (e.g. overheads, office costs and the costs of maintaining the relevant information systems) could lawfully be included. However, the Commissioner’s position before the FTT was that, notwithstanding his concession, there remained substantial uncertainty as to what constituted a permissible charge under the Directive and a reference to the CJEU was still warranted. The other parties to the appeal ultimately agreed that this was an appropriate course.

The FTT has now decided that there should be a reference for a preliminary ruling. The questions being referred are:

(1) What is the meaning to be attributed to Art 5(2) of Directive 2003/4/EC and in particular can a charge of a reasonable amount for supplying a particular type of environmental information include:

(a) part of the cost of maintaining a database used by the public authority to answer requests for information of that type;

(b) overhead costs attributable to staff time properly taken into account in fixing the charge?

(2) Is it consistent with Arts 5(2) and 6 of the Directive for a Member State to provide in its regulations that a public authority may charge an amount for supplying environmental information which does “… not exceed an amount which the public authority is satisfied is a reasonable amount” if the decision of the public authority as to what is a “reasonable amount” is subject to administrative and judicial review as provided under English law?”

Hopefully the CJEU will in due course agree to give a preliminary ruling. In the meantime, local authorities and those engaged in the property search industry will have to wait with baited breath.

Anya Proops acts for the Information Commissioner.

Robin Hopkins @hopkinsrobin

Closed procedure guidance: the Browning version

Posted on | by Robin Hopkins

Reference to closed material is inherent in FOIA litigation. Some element of closed procedure is usually also needed. But how are these closed aspects to be approached so as to accord with principles of justice, fairness and openness?

I blogged last year on the case of Browning v IC and DBIS [2013] 2 Info LR 1, in which the Upper Tribunal appeared to answer those questions. A curious feature of that judgment was that the Upper Tribunal said it was not giving guidance on closed material/procedures, whereas the substance of its judgment seemed to contain precisely that.

The coming months will bring greater clarity. The Court of Appeal has recently given permission to appeal in Browning.

Panopticon understands that the appeal is likely to be heard in the first half of 2014, that it will be heard by three Lord/Lady Justices of Appeal and that consideration is to be given to including among those three the Master of the Rolls or the Vice-President of the Court of Appeal (Civil Division). All of these factors seem to point towards the considerable importance which is – rightly – being attached to the issues concerning closed material and procedures in FOIA/EIR litigation.

Panopticon will report further – on an open basis – in due course.

Robin Hopkins @hopkinsrobin

The EU’s Data Protection Regulation: where are we?

Posted on | by Robin Hopkins

The replacement of Directive 95/26/EC – the bedrock of data protection in Europe – with a new Regulation is intended as a radical overhaul, making protections for personal data fit for the digital world. It has now been over two years since the first substantive draft of that Regulation was made public. I dimly recall Tim Pitt-Payne and I summarising it – see here.

The Regulation is yet to emerge. As a number of Panopticon readers have asked: where have we got to? Here are five points by way of summary.

1. Two members of the trinity are on board

Following seemingly interminable negotiations, the European Parliament’s civil liberties committee (LIBE) now endorses the European Commission’s position on the modified draft. This means that two of the three key bodies at the EU level appear to be of one mind. The next step is for the third body, the European Council, to be persuaded during negotiations. See this blog post by the ICO’s Deputy Commissioner, David Smith.

2. In search of the cardinal virtues – consent, consistency, proportionality

In a very illuminating summary of the major principles at issue, the ICO tells us that it welcomes the following features of the current draft: a stringent approach to consent (or, in low-risk situations, a ‘legitimate interests’ condition justifying the processing of personal data); consistency and an EU-wide ‘one-stop shop’ model; ensuring that processing conditions are proportionate to risk (by, for example, requiring data subjects to be notified ‘without delay’ rather than within 24 hours, as was originally proposed).

The ICO remains concerned, however, that the draft Regulation continues to suffer from some vices: its use of the ‘pseudonymisation’ concept muddies the distinction between personal and non-personal data; the approach to profiling is insufficiently nuanced, and the international transfer rules may be unrealistically stringent.

3. The Regulation is dead!

Peter Fleischer, Google’s global privacy counsel, considers that the stalled progress of 2013 effectively means that “the old draft is dead”. His view, however, is that this delay will provide an opportunity for a more realistic re-think: “Whatever comes next will be the most important privacy legislation in the world, setting the global standards. I’m hopeful that this pause will give lawmakers time to write a better, more modern and more balanced law.”

4. Long live the Regulation!

EU officials are, however, optimistic about the current draft being spurred on to finality in 2014. Peter Hustinx, the outgoing European Data Protection Supervisor (curiously, no successor has yet been appointed), hopes that Greece’s imminent turn in the presidency seat will provide a fresh impetus for productive negotiation. Importantly, he sees Germany (often characterised as setting very stringent standards for data protection) as being in the driving seat: “The new German government can tackle this subject with the necessary drive and energy and thereby gain acceptance of the German position at European level and lead Europe to a higher level of data protection.”

5. Are the Americans Safe?

The processing of EU citizens’ data by US-based companies sits outside the direct reach of the envisaged Regulation, as with the current Directive. Since 2000, transfers of personal data to the US have been governed by the Safe Harbour Agreement, under which approximately 3,300 companies have been certified as safe (in the sense of being EU compliant in their data protection standards).

The European Council and Parliament have, however, expressed concern about the fitness for purpose of the Safe Harbour scheme. They have observed that “Web companies such as Google, Facebook, Microsoft, Apple, Yahoo have hundreds of millions of clients in Europe and transfer personal data for processing to the US on a scale inconceivable in the year 2000 when the Safe Harbour was created”. They area also concerned about the ongoing revelations about surveillance: “divergent responses of data protection authorities to the surveillance revelations demonstrate the real risk of the fragmentation of the Safe Harbour scheme and raise questions as to the extent to which it is enforced”.

Progress by the US Department of Commerce is now sought – by March 2014 – on improving transparency, the application of EU principles and enforcement. The arrangements will be further reviewed in 2014.

Robin Hopkins @hopkinsrobin

George Osborne, Nigel Lawson and FOIA – political vs official information

Posted on | by Robin Hopkins

Government ministers wear two hats (apart from Vince Cable – he seems to like hats, and probably has quite a few). They are public officials, but they are also party politicians. Both of those activities are likely to generate recorded information. FOIA extends to the official information, but not the party political. This is well established in principle, but not straightforward to apply, since the two categories will often overlap. It is also surprisingly untested before Tribunals. Michael Gove was due to test the principle in a 2012 appeal, but that was withdrawn.

The issue has now been considered by the Tribunal in Brendan Montague v IC and HM Treasury (EA/2013/0074): 029 070114 Final Decision EA-2013-0074. The information in dispute was a record of a telephone conversation which took place on a Sunday morning in September 2011 between the Chancellor of the Exchequer, George Osborne, and one of his predecessors, Lord Lawson.

The ICO’s position (and that of HMT) was that some of that information was predominantly party political in nature and was thus not held by HM Treasury for FOIA purposes. The remainder was exempt under section 35(1)(a), i.e. insofar as official business was being discussed, it related to the formulation or development of government policy, and the public interest favoured maintaining the exemption.

The Tribunal disagreed on the first point: while it accepted the principle, it had “no hesitation” in concluding that all of the disputed information in this case was held by HMT for official purposes rather than Mr Osborne’s party-political ones. It was not attracted by dissecting and partitioning the record between the party-political and the official in this instance, and it favoured a restrictive approach to a principle by which information could be taken outside of FOIA’s reach.

On the section 35(1)(a) point, the Tribunal agreed that there was a need for a safe space, given the high-level economic policy issues – including concerning the banking sector – which were being discussed. It was satisfied that the disputed information did not indicate that any impropriety or lobbying was at play.

I appeared for the ICO; my colleague Julian Milford appeared for HMT. No further analysis from me, given my involvement in the case, but I post it here because of the relative novelty of the political/official information point which, one suspects, will rear its head in other cases in future.

Robin Hopkins @hopkinsrobin

Personal data and fitness to practice investigations – Tribunal overturns ‘neither confirm nor deny’ position

Posted on | by Robin Hopkins

When an identifiable individual has been the subject of a formal complaint about their competence or conduct, that fact constitutes their personal data. In terms of privacy/publicity decisions, such situations are often approached in this way: where the complaint is well founded or at least merits serious consideration, publication is warranted, but otherwise confidentiality is maintained, lest unjustified aspersions be cast against that person.

In that respect, the process outlined by the Tribunal in Foster v IC (EA/2013/0176) – which concerned a complaint to the Nursing & Midwifery Council – is typical:

“The complaints procedure administered by the NMC has two stages. The first stage is designed to determine whether or not the matter should be referred to the NMC’s Fitness to Practice Panel. If it is, then the Panel will meet in public and its decision will be made publicly available. But if the complaint does not proceed beyond the first stage, (either because a decision is made not to investigate or because the NMC’s Investigating Committee Panel concludes that the complaint does not justify a reference to the Fitness to Practice Panel), then the process remains confidential. The rationale appears to be that an individual’s professional reputation should not be undermined by the publication of allegations that are found not to have sufficient merit to justify being referred to the Fitness to Practice Panel”.

The Appellant, whose son died following his participation in a drug trial, considered that the NMC investigation in this case – which did not pass the first stage – may have been inadequate. She asked for information about its investigation into her complaint about a named practitioner.

The NMC adopted a ‘neither confirm nor deny’ position under section 40(5), i.e. it considered that to say whether or not it held information on a complaint about this individual would be to tell the world at large whether or not that person had been the subject of a professional complaint of this description. The ICO agreed, but the Tribunal overturned that decision, ordering the NMC to confirm or deny whether it held the requested information.

In reaching that view, the Tribunal – while not passing judgment on the merits of the complaint or the NMC’s investigation – considered the criticisms that had been made:

“If it were to be the case that any member of the care team had realised the error earlier, but had not raised the alarm until after its very sad consequences had become clear, then there would seem to us to be strength in the Appellant’s argument that the evidential basis for the decision of the NMC’s Investigating Committee Panel required investigation”.

In those circumstances, the Tribunal thought the fairness balance favoured confirming or denying whether the requested information was held:

“In reaching that conclusion we reject the Information Commissioner’s argument that it is always unfair, and therefore in breach of the Data Protection Principles, to make a statement that discloses the existence of a complaint of professional misconduct against an individual, where there has been no finding of wrongdoing or malpractice. That would create an inflexible test which prevented all relevant circumstances being taken into account. Nor do we accept the Information Commissioner’s argument that the limited degree of disclosure involved in a “confirm or deny” response would constitute unwarranted interference into X’s privacy, without satisfying a legitimate public interest in disclosure”.

Public authorities who routinely adopt a default ‘neither confirm nor deny stance’ of the type outlined at the start of this post will wish to note that, at least in some circumstances, that approach can be called into question.

Robin Hopkins @hopkinsrobin

The Google/Safari users case: a potential revolution in DPA litigation?

Posted on | by Robin Hopkins

I posted earlier on Tugendhat J’s judgment this morning in Vidal-Hall and Others v Google Inc [2014] EWHC 13 (QB). The judgment is now available here – thanks as ever to Bailii.

This is what the case is about: a group of claimants say that, by tracking and collating information relating to their internet usage on the Apple Safari browser without their consent, Google (a) misused their private information (b) breached their confidences, and (c) breached its duties under the Data Protection Act 1998 – in particular, under the first, second, sixth and seventh data protection principles. They sought damages and injunctive relief.

As regards damages, “what they claim damages for is the damage they suffered by reason of the fact that the information collected from their devices was used to generate advertisements which were displayed on their screens. These were targeted to their apparent interests (as deduced from the information collected from the devices they used). The advertisements that they saw disclosed information about themselves. This was, or might have been, disclosed also to other persons who either had viewed, or might have viewed, these same advertisements on the screen of each Claimant’s device” (paragraph 24).

It is important to note that “what each of the Claimants claims in the present case is that they have suffered acute distress and anxiety. None of them claims any financial or special damage. And none of them claims that any third party, who may have had sight of the screen of a device used by them, in fact thereby discovered information about that Claimant which was detrimental” (paragraph 25).

The Claimants needed permission to serve proceedings on the US-based Google. They got permission and served their claim forms. Google then sought to have that service nullified, by seeking an order declaring that the English court has no jurisdiction to try these particular claims (i.e. it was not saying that it could never be sued in the English courts).

Tugendhat J disagreed – as things stand, the claims will now progress before the High Court (although Google says it intends to appeal).

Today’s judgment focused in part on construction of the CPR rules about service outside of this jurisdiction. I wanted to highlight some of the other points.

One of the issues was whether the breach of confidence and misuse of private information claims were “torts”. Tugendhat J said this of the approach: “Judges commonly adopt one or both of two approaches to resolving issues as to the meaning of a legal term, in this case the word “tort”. One approach is to look back to the history or evolution of the disputed term. The other is to look forward to the legislative purpose of the rule in which the disputed word appears”. Having looked to the history, he observed that “history does not determine identity. The fact that dogs evolved from wolves does not mean that dogs are wolves”.

The outcome (paragraphs 68-71): misuse of private information is a tort (and the oft-cited proposition that “the tort of invasion of privacy is unknown in English law” needs revisiting) but breach of confidence is not (given Kitetechnology BV v Unicor GmbH Plastmaschinen [1995] FSR 765).

Google also objected to the DPA claims being heard. This was partly because they were raised late; this objection was dismissed.

Google also said that, based on Johnson v MDU [2007] EWCA Civ 262; (2007) 96 BMLR 99, financial loss was required before damages under section 13 of the DPA could be awarded. Here, the Claimants alleged no financial loss. The Claimants argued against the Johnson proposition: they relied on Copland v UK 62617/00 [2007] ECHR 253, argued for a construction of the DPA that accords with Directive 95/46/EC as regards relief, and argued that – unlike in Johnson – this was a case in which their Article 8 ECHR rights were engaged. Tugendhat J has allowed this to proceed to trial, where it will be determined: “This is a controversial question of law in a developing area, and it is desirable that the facts should be found”.

If the Johnson approach is overturned – i.e. if the requirement for financial loss is dispensed with, at least for some types of DPA claim – then this could revolutionise data protection litigation in the UK. Claims under section 13 could be brought without claimants having suffered financially due to the alleged DPA breaches they have suffered.

Tugendhat went on to find that there were sufficiently serious issues to be tried here so as to justify service out of the jurisdiction – it could not be said that they were “not worth the candle”.

Further, there was an arguable case that the underlying information was, contrary to Google’s case, “private” and that it constituted “personal data” for DPA purposes (Google say the ‘identification’ limb of that definition is not met here).

Tugendhat was also satisfied that this jurisdiction was “clearly the appropriate one” (paragraph 134). He accepted the argument of Hugh Tomlinson QC (for the Claimants) that “in the world in which Google Inc operates, the location of documents is likely to be insignificant, since they are likely to be in electronic form, accessible from anywhere in the world”.

Subject to an appeal from Google, the claims will proceed in the UK. Allegations about Google’s conduct in other countries are unlikely to feature. Tugendhat J indicated a focus on what Google has done in the UK, to these individuals: “I think it very unlikely that a court would permit the Claimants in this case to adduce evidence of what Mr Tench refers to as alleged wrongdoing by Google Inc against other individuals, in particular given that it occurred in other parts of the world, governed by laws other than the law of England” (paragraph 47).

Robin Hopkins @hopkinsrobin