High Court to hear Safari users’ privacy claim against Google

Panopticon has from time to reported on Google’s jurisdictional argument when faced with privacy/data protection actions in European countries: it tends to argue that such claims should be dismissed and must be brought in California instead. This argument is not always successful.

The same jurisdictional argument was advanced before Mr Justice Tugendhat in response to a claim brought by a group calling itself ‘Safari Users Against Google’s Secret Tracking’ who, as their name suggests, complain that Google unlawfully gathers data from Safari browser usage.

This morning, Mr Justice Tugendhat dismissed that jurisdictional argument. The case can be heard in the UK. Matthew Sparkes reports in the Daily Telegraph that the judge said “I am satisfied that there is a serious issue to be tried in each of the claimant’s claims for misuse of private information” and that “the claimants have clearly established that this jurisdiction is the appropriate one in which to try each of the above claims”.

The same article says that Google will appeal. This follows Google’s announcement yesterday that it will appeal a substantial fine issued by the French data protection authority for unlawful processing (gathering and storing) of user data.

Panopticon will continue to gather data on these and other Google-related matters.

Robin Hopkins @hopkinsrobin

UCAS and the extent of FOIA: Tribunal favours wide approach

Transparency advocates often express frustration at the number of bodies which are not within the scope of FOIA, because they are not listed or designated as ‘public authorities’ for FOIA purposes. The Coalition government responded by announcing, in January 2011, that FOIA would be extended to a number of additional bodies. This was done with effect from 1 November 2011, through the Freedom of Information (Designation as Public Authorities) Order 2011. This brought the Association of Chief Police Officers of England, Wales and Northern Ireland (ACPO); the Financial Ombudsman Service and the Universities and Colleges Admissions Service (UCAS) within the scope of FOIA.

As regards UCAS, the difficulty is that this was not done in a straightforward blanket way. In recognition of the diversity of UCAS’ functions, its amenability to FOIA was limited to information relating to the “provision and maintenance of a central applications and admissions service”. This frames UCAS’ duties in a positive way.

This is similar – but not the same as – the approach taken to the BBC, which is subject to FOIA “in respect of information held for purposes other than those of journalism, art or literature”. This frames the BBC’s duties in a negative way.

The Supreme Court in BBC v Sugar (No2) told us how to approach the extent of the BBC’s FOIA duties. How should Sugar be applied to the differently-worded UCAS provision?

This was the issue before the Tribunal in University and College Admission Service v IC and Lord Lucas (EA/2013/0124), the requester (the author of the Good Schools Guide) made a number of requests to UCAS about university admissions. Some were refused on section 12 (cost of compliance) grounds; the ICO agreed with UCAS that the remaining information was exempt under section 43(2) (prejudice to commercial interests). UCAS and the ICO disagreed, however, about the extent to which UCAS was subject to FOIA.

UCAS argued that Sugar required the Tribunal to consider whether the information was held, to any significant degree, for a purpose other than the designation (in particular, UCAS’s commercial functions), and if so, it fell outside the scope of FOIA.

The ICO argued that because the BBC and UCAS were in reverse positions (the BBC being subject to a specific exclusion, and UCAS subject to a specific inclusion), the question should be whether the information was held to any significant degree for the designated purpose, and if so, it fell within the scope of FOIA. Both parties argued that the other was turning Sugar on its head.

The Tribunal adopted the ICO’s analysis of Sugar. The primary purpose of the 2011 Order was to bring UCAS within the scope of FOIA and subject it to the principles of greater openness and transparency that such a designation was designed to bring: at [68]. The focus of the phrase “the provision and maintenance of a central applications and admissions service”, taken with section 7(5) FOIA, is on what is actually caught by FOIA and the purpose of that wording is specifically to include information: at [66].

In favouring this wider approach to the application of FOIA to UCAS, the Tribunal said this:

“71. Most persuasive is the IC’s point that, in construing the scope of the 2011 Designation Order, it is important to recall that Parliament would have been well aware of the existing exemptions provided in FOIA. There is no need to read the 2011 Designation Order narrowly to ensure there is no overlap with a commercial function of UCAS because section 43 FOIA itself provides protection to UCAS in relation to information which prejudices its commercial interests.

72. The approach of UCAS in this case would have the result that only admissions data relating to the currently live admissions round would fall within the scope of FOIA. This surprisingly narrow result is unlikely to have been the one intended by Parliament when designating UCAS as a public authority for FOIA, not least because the ‘”provision and maintenance of a central applications and admissions service” does not suggest such an outcome.”

11KBW’s Chris Knight appeared for the ICO.

Robin Hopkins @hopkinsrobin

Personal data: Tribunal analyses the ‘relates to’ and ‘identification’ limbs

I have commented in previous posts on how infrequently the Data Protection Act 1998 has been the subject of substantive litigation before the courts. One consequence of this is persistent uncertainty over how pivotal concepts such as ‘personal data’ are to be analysed and approached.

Last year, the High Court in Kelway v The Upper Tribunal, Northumbria Police and the Information Commissioner (2013) EWHC 2575 (Admin) considered how ‘personal data’ issues should be approached – see for example this piece by Cynthia O’Donoghue of Reed Smith.

The Kelway approach is rather complicated; it remains to be seen whether it is picked up as any sort of guiding test. The imminent Court of Appeal judgment in the Edem case is also likely to add to the picture on how to determine whether information is personal data.

As things stand, such determinations are not always straightforward. Oates v IC and DWP (EA/2013/0040) is a recent example at First-Tier Tribunal level. Mr Oates was medically examined by in connection with his incapacity benefit claim by a doctor engaged by Atos Healthcare. He was dissatisfied and complained to Atos. At the ‘independent tier’ of its complaint investigation, Atos engaged an independent medical practitioner and also an external company tasked with reviewing Atos’ handling of the initial complaint. Mr Oates wanted to know, inter alia, the names of the medical practitioner and of the company.

The DWP refused, relying on FOIA exemptions (section 40(2) and section 43(2)). The ICO decided that the withheld names should have been handled under the DPA rather than FOIA. This was because, in the ICO’s view, the withheld names constituted Mr Oates’ personal data –thus, by section 40(1) of FOIA, it was exempt under FOIA. Mr Oates had to seek it by a subject access request under the DPA instead.

The DWP said these names were not Mr Oates’ personal data. The Tribunal agreed. As to the ‘relates to’ limb of the definition of personal data, it applied Durant v FSA [2003] EWCA Civ 1746: it found there to be sufficient distance between the complaints review procedure and Mr Oates’ personal privacy to mean that the information did not ‘relate to’ him for DPA purposes.

As to the ‘identification’ limb of the definition of personal data, the DWP had argued that Mr Oates could not be identified from these names alone and that it was not in possession of information to link Mr Oates to the requested names. The ICO argued that the request itself provided that link. In other words, by asking for information about his own assessment and complaint, Mr Oates was providing the DWP with information which linked him to the requested names and allowed him to be identified as the person who had been assessed and who had complained.

Its argument was this: “at the moment when the DWP received the Request, it was put into possession of all the information it needed to relate the information requested to an identifiable individual, namely Mr Oates himself. The fact that he sought information about individuals who had been involved in the assessment of his particular complaint created the necessary connection between himself and the requested information – it both related to him and he could be identified from it.”

The Tribunal did not agree with that ‘linking’ argument. It said this:

“… we reject the Information Commissioner’s suggestion that we should take into account the Request itself. We are satisfied that the correct approach is to consider the body of relevant information held by the public authority in question immediately before the request was received. If that information can be seen to relate to the individual, and to identify him or her, then the case for characterising it as that individual’s personal data is made out. But if it does not do so then it is not appropriate, in our view, to close the circle by taking into account the additional information (as to the name of the individual who is both requester and data subject) which is set out in the request itself, in order to.”

Therefore, the ‘identification’ limb of the definition of personal data was not met either. The requested names did not comprise Mr Oates’ own personal data and fell to be dealt with under FOIA rather than through the subject access provisions of the DPA.

The decision in Oates raises a number of questions. For example, on ‘relates to’, the Durant principles are intended to offer guidance in ‘borderline’ cases – implicitly therefore, the Tribunal in Oates appears to have considered this to be a borderline situation.

On ‘identification’, the Tribunal did not mention the principle from Common Services Agency v Scottish Information Commissioner [2008] UKHL 47; [2011] 1 Info LR 184 that the ‘other information’ which can assist with identification of the individual encompasses not only information held by the data controller, but also information held by any person.

This is not to comment on whether the Tribunal reached the right decision or not – rather, it illustrates that the definition and limits of ‘personal data’ continues to raise tricky questions.

11KBW’s Tom Cross appeared for the ICO in Oates.

Robin Hopkins @hopkinsrobin

Legal analysis of individual’s situation is not their personal data, says Advocate General

YS, M and S were three people who applied for lawful residence in the Netherlands. The latter two had their applications granted, but YS’ was refused. All three wanted to see a minute drafted by an official of the relevant authority in the Netherlands containing internal legal analysis on whether to grant them residence status. They made subject access requests under Dutch data protection law, the relevant provisions of which implement Article 12 of Directive 95/46/EC. They were given some of the contents of the minutes, but the legal analysis was withheld. This was challenged before the Dutch courts. Questions were referred to the CJEU on the application of data protection law to such information. In Joined Cases C‑141/12 and C‑372/12, Advocate General Sharpston has given her opinion, which the CJEU will consider before giving its judgment next year. Here are some important points from the AG’s opinion.

The definition of personal data

The minutes in question contained inter alia: the name, date of birth, nationality, sex, ethnicity, religion and language of the applicant; information about the procedural history; information about declarations made by the applicant and documents submitted; the applicable legal provisions and an assessment of the relevant information in the light of the applicable law.

Apart from the latter – the legal advice – the AG’s view is that this information does come within the meaning of personal data under the Directive. She said this:

“44. In general, ‘personal data’ is a broad concept. The Court has held that the term covers, for example, ‘the name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies’, his address, his daily work periods, rest periods and corresponding breaks and intervals, monies paid by certain bodies and the recipients, amounts of earned or unearned incomes and assets of natural persons.

45. The actual content of that information appears to be of no consequence as long as it relates to an identified or identifiable natural person. It can be understood to relate to any facts regarding that person’s private life and possibly, where relevant, his professional life (which might involve a more public aspect of that private life). It may be available in written form or be contained in, for example, a sound or image.”

The suggestion in the final paragraph is that the information need not have a substantial bearing on the individual’s privacy in order to constitute their personal data.

The AG also observed that “Directive 95/46 does not establish a right of access to any or every document or file in which personal data are listed or used” (paragraph 71). This resonates with the UK’s long-established Durant ‘notions of assistance’.

Legal analysis is not personal data

AG Sharpston’s view, however, was that the legal analysis of the individuals’ situations did not constitute their personal data. Her reasoning – complete with illustrative examples – is as follows:

“55. I am not convinced that the phrase ‘any information relating to an identified or identifiable natural person’ in Directive 95/46 should be read so widely as to cover all of the communicable content in which factual elements relating to a data subject are embedded.

56. In my opinion, only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not.

57. In that context, I do not find it helpful to distinguish between ‘objective’ facts and ‘subjective’ analysis. Facts can be expressed in different forms, some of which will result from assessing whatever is identifiable. For example, a person’s weight might be expressed objectively in kilos or in subjective terms such as ‘underweight’ or ‘obese’. Thus, I do not exclude the possibility that assessments and opinions may sometimes fall to be classified as data.

58. However, the steps of reasoning by which the conclusion is reached that a person is ‘underweight’ or ‘obese’ are not facts, any more than legal analysis is.”

Interestingly, her conclusion did touch upon the underlying connection between personal data and privacy. At paragraph 60, she observed that “… legal analysis as such does not fall within the sphere of an individual’s right to privacy. There is therefore no reason to assume that that individual is himself uniquely qualified to verify and rectify it and ask that it be erased or blocked. Rather, it is for an independent judicial authority to review the decision for which that legal analysis was prepared.”

In any event, legal analysis does not amount to “processing” for data protection purposes

The AG considered that legal analysis such as this was neither ‘automatic’ nor part of a ‘relevant filing system’. “Rather, it is a process controlled entirely by individual human intervention through which personal data (in so far as they are relevant to the legal analysis) are assessed, classified in legal terms and subjected to the application of the law, and by which a decision is taken on a question of law. Furthermore, that process is neither automatic nor directed at filing data” (paragraph 63).

Entitlement to data, but not in a set form

The AG also says that what matters is that individuals are provided with their data – data controllers are not, under the Directive, required to provide it in any particular form. For example, they can extract or transcribe rather than photocopy the relevant minute:

“74. Directive 95/46 does not require personal data covered by the right of access to be made available in the material form in which they exist or were initially recorded. In that regard, I consider that a Member State has a considerable margin of discretion to determine, based on the individual circumstances in case, the form in which to make personal data accessible.

75. In making that assessment, a Member State should take account of, in particular: (i) the material form(s) in which that information exists and can be made available to the data subject, (ii) the type of personal data and (iii) the objectives of the right of access.”

If the legal analysis is personal data, then the exemptions do not apply

Under the Directive, Article 12 provides the subject access right. Article 13 provides exemptions. The AG’s view was that if, contrary to her opinion, the legal analysis is found to be personal data, then exemptions from the duty to communicate that data would not be available. Of particular interest was her view concerning the exemption under Article 13(1)(g) for the “protection of the data subject or of the rights and freedoms of others”. Her view is that (paragraph 84):

“the protection of rights and freedoms of others (that is, other than the data subject) cannot be read as including rights and freedoms of the authority processing personal data. If a legal analysis is to be categorised as personal data, that must be because it is related to the private interests of an identified or identifiable person. Whilst the public interest in protecting internal advice in order to safeguard the administration’s ability to exercise its functions may indeed compete with the public interest in transparency, access to such advice cannot be restricted on the basis of the first of those two interests, because access covers only what falls within the private interest.”

If the Court agrees with the AG’s view, the case will be an important addition to case law offering guidance on the limits of personal data. It would also appear to limit, at least as regards the exemption outlined above, the data controller’s ability to rely on its own interests or on public interests to refuse subject access requests. That said, there is of course the exemption under Article 9 of the Directive for freedom of expression.

Robin Hopkins @hopkinsrobin

Confidentiality of medical information after patient’s death: two new Upper Tribunal decisions

The absolute exemption at section 41 extends to information obtained by the public authority the disclosure of which would give to an actionable breach of confidence. Does the obligation of confidence survive the death of the confider? If so, would a breach of that obligation be actionable, even if it is not clear exactly who could bring such an action? These issues arise most notably in the context of medical records. The Upper Tribunal has had something to say on this in two recent decisions.

In Webber v IC and Nottinghamshire Healthcare NHS Trust (GIA/4090/2012), the appellant had made a FOIA request for information (including hospital records) about the death of her son in 1999 when he was compulsorily resident at Rampton hospital. This was refused on section 41 grounds. The Commissioner upheld the refusal, as did the First-Tier Tribunal. In doing so, it somewhat unusually did not see the withheld information for itself, since it had not been asked to by anyone.

Mrs Webber’s appeal to the Upper Tribunal has also been dismissed. Judge Williams considered that the Tribunal could not be faulted for not differentiating between different categories of withheld information (which it obviously could not do, as it had not seen the information): “it is the task of the tribunal to decide the case before it unless it sees reason to investigate further” (paragraph 30).

He also confirmed the well-established principle that what matters under FOIA is information rather than documents: though the records were created by the NHS Trust, the information contained in those records came from the patient. In the section 41 context, “obtained” simply means “come to have”, which can be active or passive (paragraph 38).

Judge Williams confirmed a further touchstone of FOIA, namely that whatever the particular interests of the requester, this “remained an application to put the information into the public domain” (paragraph 37), that being the effect of disclosure under FOIA.

Disclosure would entail a breach of confidence which was actionable after the patient’s death, notwithstanding the argument that, in this case, the only person who could sue would be the personal representative (who was likely to have been the requester: thus it was submitted that she would in effect have been suing herself).

Judge Williams also found that there would not have been a public interest defence to the breach of confidence. Here he gave weight to the fact that some of the information sought would or could come into the public domain or be obtained in another way: a coroners’ inquest, or through an application under the Access to Health Records Act 1990 (now largely supplanted by FOIA, but not as regards deceased persons) which allows for requests for access to information to be made by (inter alia) patients’ personal representatives. Such an application was outside the Upper Tribunal’s jurisdiction but it was “relevant to note that it exists as a specific if limited remedy for some aspects of the application made for the appellant in this case” (see paragraphs 23-24).

In M v IC and Medicines and Health Products Regulatory Authority (GIA/3017/2010), Upper Tribunal Judge Lloyd-Davies allowed the requester’s appeal for information in a report held by the public information concerning a pharmaceutical trial of a drug developed by Pfizer. That information had again been withheld under section 41, with the Commissioner and First-Tier Tribunal agreeing – regardless of whether the participants in the trial were dead or alive at the time of the request.

The appeal was allowed because of a procedural error – the Tribunal had authorised more extensive redactions than were in fact being put to it.

The remitted hearing is to include questions of identifiability of patients in the context of anonymised drug trial data. The line of authorities on statistical information (Common Services Agency, Department of Health) will no doubt be considered.

The decision contained this obiter observation on actionable breaches of confidence in the case of deceased patients: “where the confidence arises in the context of a patient/healthcare professional relationship, I am minded to conclude that the obiter observations of Mr Justice Foskett in R (Lewis) v Secretary of State for Health [2008] EWHC 2196 (QB) are correct”.

I acted for the Commissioner in the M case; my colleague Joe Barrett acted for the appellant in Webber.

Robin Hopkins @hopkinsrobin

Two new Upper Tribunal decisions: commercial confidentiality, ministerial communications

The Upper Tribunal has issued two decisions on information rights matters this week. Both are by Upper Tribunal Judge David Williams, and both include substantive treatments of some of the issues that arise most commonly in information rights litigation.

Natural Resources Wales and SI Green (UK) Ltd v Information Commissioner and Friends of the Earth Swansea [2013] UKUT 0473 (AAC) saw the Upper Tribunal overturn a First-Tier decision on commercial confidentiality under the Environmental Information Regulations 2004, concerning the operation of a landfill site near Swansea. I was not involved in the First-Tier Tribunal proceedings, but blogged on the decision here. The Upper Tribunal’s decision is here. It found that, contrary to the approach of the First-Tier Tribunal, regulation 12(5)(e) EIR (confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest) is not the same as section 41(1) of FOIA (actionable breach of confidence).

In Judge Williams’ second judgment published this week, he upheld the First-Tier Tribunal’s decision in Cabinet Office v IC and Gavin Aitchison (EA/2011/0263). Anya blogged on the First-Tier Tribunal decision here. In essence, it concerned the takeover of Rowntree by Nestle in 1988 and what, if anything, ministers in the Thatcher government had said to each other about it. Questions also arose about the relevance of the reduction of the ‘Twenty-Year Rule’ for historical records to a ‘Ten-Year Rule’. The relevant exemptions were sections 35(1)(a) and (b) (formulation or development of government policy; Ministerial communications). The Tribunal found the public interest to favour disclosure (and, as regards one part of the request, confirming or denying whether any information was held relating to Cabinet discussions on the topic). The Upper Tribunal agreed. See here: Cab Off Aitchison GIA 4281 2012-00, and also the coverage by the requester (a journalist at the York newspaper The Press) here.

Given my involvement in both cases, I don’t offer any analysis on Panopticon today. Instead, I offer them as weekend reading for enthusiasts. You’re welcome.

Robin Hopkins