Two new Upper Tribunal decisions: commercial confidentiality, ministerial communications

The Upper Tribunal has issued two decisions on information rights matters this week. Both are by Upper Tribunal Judge David Williams, and both include substantive treatments of some of the issues that arise most commonly in information rights litigation.

Natural Resources Wales and SI Green (UK) Ltd v Information Commissioner and Friends of the Earth Swansea [2013] UKUT 0473 (AAC) saw the Upper Tribunal overturn a First-Tier decision on commercial confidentiality under the Environmental Information Regulations 2004, concerning the operation of a landfill site near Swansea. I was not involved in the First-Tier Tribunal proceedings, but blogged on the decision here. The Upper Tribunal’s decision is here. It found that, contrary to the approach of the First-Tier Tribunal, regulation 12(5)(e) EIR (confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest) is not the same as section 41(1) of FOIA (actionable breach of confidence).

In Judge Williams’ second judgment published this week, he upheld the First-Tier Tribunal’s decision in Cabinet Office v IC and Gavin Aitchison (EA/2011/0263). Anya blogged on the First-Tier Tribunal decision here. In essence, it concerned the takeover of Rowntree by Nestle in 1988 and what, if anything, ministers in the Thatcher government had said to each other about it. Questions also arose about the relevance of the reduction of the ‘Twenty-Year Rule’ for historical records to a ‘Ten-Year Rule’. The relevant exemptions were sections 35(1)(a) and (b) (formulation or development of government policy; Ministerial communications). The Tribunal found the public interest to favour disclosure (and, as regards one part of the request, confirming or denying whether any information was held relating to Cabinet discussions on the topic). The Upper Tribunal agreed. See here: Cab Off Aitchison GIA 4281 2012-00, and also the coverage by the requester (a journalist at the York newspaper The Press) here.

Given my involvement in both cases, I don’t offer any analysis on Panopticon today. Instead, I offer them as weekend reading for enthusiasts. You’re welcome.

Robin Hopkins

Facebook fan pages: data protection buck stops with Facebook, not page owners

In Re Facebook, VG, Nos. 8 A 37/12, 8 A 14/12, 8 A 218/11, 10/9/13 the Schleswig-Holstein Administrative Court has allowed Facebook’s appeals against rulings of the regional data protection authority (the ULD), Thilo Weichert.

The case involved a number of companies’ use of Facebook fan pages. The ULD’s view was that Facebook breached German privacy law, including through its use of cookies, facial recognition and other data processing. He considered that, by using Facebook fan pages, the companies were facilitating Facebook’s violations by processing users’ personal data on those pages. He ordered them to shut down the fan pages or face fines of up to €50,000.

The appellant companies argued that they could not be held responsible for data protection violations (if any) allegedly committed by Facebook, as they had no control over how that data on the pages was processed and used by the social networking site. The Administrative Court agreed.

The case raises interesting questions about where the buck stops in terms of data processing – both in terms of who controls the processing, and in terms of where they are based. Facebook is based in Ireland, without a substantive operational presence in Germany. Earlier this year, the Administrative Court found – again against the Schleswig-Holstein ULD’s ruling – that Facebook’s ‘real names’ policy (i.e. a ban on pseudonymised profiles) was a matter for Irish rather than German law.

The ULD is unlikely to be impressed by the latest judgment, given that he is reported as having said in 2011 that:

“We see a much bigger privacy issue behind the Facebook case: the main business model of Google, Apple, Amazon and others is based on privacy law infringements. This is the reason why Facebook and all the other global internet players are so reluctant in complying with privacy law: they would lose their main profit resource.”

For more on this story, see links here and here.

Robin Hopkins

Fingerprints requirement for passport does not infringe data protection rights

Mr Schwarz applied to his regional authority, the city of Bochum, for a passport. He was required to submit a photograph and fingerprints. He did not like the fingerprint part. He considered it unduly invasive. He refused. So Bochum refused to give him a passport. He asked the court to order it to give him one. The court referred to the Court of Justice of the European Union questions about whether the requirement to submit fingerprints in addition to photographs complied with the Data Protection Directive 95/46/EC.

Last week, the Fourth Chamber of the CJEU gave its judgment: the requirement is data protection-compliant.

The requirement had a legal basis, namely Article 1(2) of Council Regulation 2252/2004, which set down minimum security standards for identity-confirmation purposes in passports.

This pursued a legitimate aim, namely preventing illegal entry into the EU.

Moreover, while the requirements entailed the processing of personal data and an interference with privacy rights, the ‘minimum security standards’ rules continued to “respect the essence” of the individual’s right to privacy.

The fingerprint requirement was proportionate because while the underlying technology is not 100% successful in fraud-detection terms, it works well enough. The only real alternative as an identity-verifier is an iris scan, which is no less intrusive and is technologically less robust. The taking of fingerprints is not very intrusive or intimate – it is comparable to having a photograph taken for official purposes, which people don’t tend to complain about when it comes to passports.

Importantly, the underlying Regulation provided that the fingerprints could only be used for identity-verification purposes and that there would be no central database of fingerprints (instead, each set is stored only in the passport).

This is all common-sense stuff in terms of data protection compliance. Data controllers take heart!

Robin Hopkins

PRISM and TEMPORA: ECtHR proceedings issued against UK

Panopticon reported in July that Privacy International had commenced proceedings in the Investigatory Powers Tribunal against the UK intelligence and security agencies concerning PRISM and TEMPORA.

Big Brother Watch, the Open Rights Group, English PEN and Dr Constanze Kurz announced yesterday that they have issued proceedings on the same issues – this time in the European Court of Human Rights. They have also published their pleadings and expert evidence (see the bottom of this page). To quote from their pleadings, they challenge on Article 8 ECHR grounds:

(a)    The soliciting or receipt and use by the UK intelligence services (“UKIS”), of data obtained from foreign intelligence partners, in particular the US National Security Agency’s “PRISM” and “UPSTREAM” programmes; and

(b)   The acquisition of worldwide and domestic communications by the Government Communications Head Quarters (“GCHQ”) for use by UKIS and other UK and foreign agencies through the interception, under global and rolling warrants, of electronic data transmitted on transatlantic fibre-optic cables (the “TEMPORA” programme).

The claim is put in summary terms as follows (again, quoting from the pleadings):

(1) In relation to receipt of foreign intercept material—i.e. the receipt, use, retention and dissemination of information received by UKIS from foreign intelligence partners which have themselves obtained it by communications intercept—the legal framework [including RIPA 2000] is inadequate to comply with the “in accordance with the law” requirement under Article 8(2).

(2) In relation to GCHQ’s own generic interception capability, the provisions contained in RIPA relating to external communications warrants allow UKIS to obtain general warrants permitting indiscriminate capturing of vast amounts of communication, effectively on an indefinite basis. The legal provisions which permit generic warrants in relation to such external communications are insufficiently protective to provide an ascertainable check against arbitrary use of secret and intrusive state power.

(3) Such legal provisions do not enable persons to foresee the general circumstances in which external communications may be the subject of surveillance (other than that any use may be made of communications if considered in the interests of national security—a concept of very broad scope in UK law); they do not require authorisations to be granted in relation to specific categories of persons or premises; they permit indiscriminate capture of communications data by reference only to its means of transmission; and they impose no significant restrictions on the access that foreign intelligence partners may have to such intercepted material. In short, there are no defined limits on the scope of discretion conferred on the competent authorities or the manner of its exercise. Moreover, there is no adequate degree of independent or democratic oversight. Indiscriminate and generic interception and the legal provisions under which it is carried out thereby breach the requirements that interferences with Article 8 must be “in accordance with the law” and must be proportionate.

To quote the briefing note, the applicants “are asking the Court to declare that the UK’s internet surveillance practices are disproportionate and that the legislation intended to protect the public’s rights to privacy in this context is not fit for purpose”.

In other words, this is a challenge not only to specific actions, but to the UK’s regulatory regime for surveillance more broadly. The applicants also draw attention (pleadings, paragraph 121.7) to the fact that the Data Protection Act 1998 is powerless to protect personal data in this context, given the exemption for national security at s. 28 of that Act.

Robin Hopkins

Refusal to destroy part of a ‘life story’ justified under Article 8(2) ECHR

The High Court of Justice (Northern Ireland) has today given judgment In the matter of JR60’s application for judicial review [2013] NIQB 93. The applicant sought to challenge the right of the two Social Care Trusts to keep and use various records generated when she was a resident of children’s homes and a training school between the years 1978-1991.

In most cases of challenges to the retention of records, the applicant seeks to expunge information which suggests they have done wrong. This application is interesting because it focused (though not exclusively) on what the applicant had suffered, as opposed to what she had done. In short, she wished to erase from the record a part of her life story which was painful for her to recall. The application failed: there were weightier reasons for retaining those records, and in any event whatever her current wish to forget matters of such import, she might come to change her mind.

The applicant was described as having had a very difficult childhood, to which those records relate. It was not known who her father was. She had grown up to achieve impressive qualifications. Horner J described her as having “survived the most adverse conditions imaginable and triumphed through the force of her will. By any objective measurement she is a success”.

She wished to move on, and to have the records about her childhood expunged. The Trusts refused; their policy was to retain such information for a 75-year period. The applicant challenged this refusal on Article 8 ECHR grounds. Horner J readily agreed that the retention of such information interfered with her rights under Article 8, but dismissed her application on the grounds that the interference was justified.

The applicant had argued that (i) she did not intend to make any claim for ill-treatment or abuse while she was in care, (ii) she did not want to retrieve information about her life story, (iii) she did not want the records to be used to carry out checks on her, as persons who were not in care would not be burdened by such records in respect of their early lives, and (iv) she did not want others, including her own child, to be able to access these records.

In response to the applicant’s assertion that she did not want and did not envisage wanting access to her records, Horner J said this at paragraph 19:

“Even if the applicant does not want to know at present what is in her records, it does not follow that she may not want to find out in the future what they contain for all sorts of reasons. She may, following the birth of a grandchild, be interested in her personal history for that grandchild’s sake. She may want to find out about her genetic inheritance because she may discover, for example, that she, or her off-spring, is genetically predisposed to a certain illness whether mental or physical. She may want to know whether or not this has been passed down through her mother’s side or her father’s side. There may be other reasons about which it is unnecessary to speculate that will make her want to seek out her lost siblings. There are any number of reasons why she may change her mind in the future about accessing her care records. Of course, if the records are destroyed then the opportunity to consider them is lost forever.”

The Trusts argued that they needed to retain such records for the purposes of their own accountability, any background checks on the applicant or related individuals which may become necessary, for the purposes of (hypothetical) public interest issues such as inquiries, and for responding to subject access requests under the Data Protection Act 1998. Horner J observed that the “right for an individual to be able to establish details of his or her identity applies not just to the Looked After Child but also, inter alia, to that child’s offspring”.

In the circumstances, the application failed; the Trusts’ interference with the applicant’s Article 8 rights was justified.

Horner J added a short concluding observation about the DPA (paragraph 29):

“It is significant that no challenge has been made to the Trust’s storage of personal information of the applicant on the basis that such storage constitutes a breach of the Data Protection Act 1998. This act strengthens the safeguards under the 1984 Act which it replaced. The Act protects “personal data which is data relating to a living individual who can be identified from data whether taken alone or read with other information which is the possession (or is likely to come into possession) of the data controller: see 12-63 of Clayton and Tomlinson on The Law of Human Rights (2nd Edition). It will be noted that “personal” has been interpreted as almost meaning the same as “private”: see Durant v Financial Services Authority [2004] FSR 28 at paragraph [4].”

Robin Hopkins

What does ‘surveillance’ mean?

A five-member panel of the Investigatory Powers Tribunal last week issued its decision in Re: a Complaint of Surveillance (case no: IPT/A1/2013). The decision was on a preliminary point arising from this sort of factual scenario: suppose you voluntarily participate in an interview with policing/investigatory authorities but, unbeknownst to you, the investigators use a device to record that interview. Would this act of recording constitute ‘surveillance’ for the purposes of the Regulation of Investigatory Powers Act 2000 (RIPA), such that authorisation (assuming it to be ‘directed’) was required? Would it engage your rights under Article 8 ECHR?

There are arguments both ways. As the IPT observed, “the wording in Part II [of RIPA] presents some difficulties for the reasonable reader”. The official guidance publications answer the above questions differently: the Office of the Surveillance Commissioners answers ‘yes’, but the Home Office answers ‘no’.

The IPT has agreed with the Home Office’s interpretation.

By s. 48(2) RIPA, Parliament has chosen not to define ‘surveillance’ as such, but to deem that surveillance shall be construed so as to include certain activities. Those deeming examples extend or amplify the ordinary meaning of ‘surveillance’, the essence of which is that the person who is subject to surveillance is intended to remain unaware of those means and does not engage with the person secretly gathering the intelligence. In the IPT’s view, “the notion of a ‘covert interview’ requiring RIPA authorisation is one that is difficult to grasp. An interview is by its very nature an overt intelligence gathering operation in which the interviewee actively participates, even if only to the extent of refusing to answer questions”. Such interviews cannot constitute ‘surveillance’ and Article 8 rights are not engaged here.

It follows that the recording of the interview is not observing or listening to “in the course of surveillance” within the meaning of s. 48(2)(b) of RIPA, and no authorisation is required. The making of the recording only involves the recording process itself. It does not involve a separate act of “observing or listening to” the person being interviewed.

The IPT expressly rejected the contention that, regardless of the purpose, nature or circumstances of the intelligence-gathering activities in question, every act of “observing or listening to persons”, their conversations or communications is automatically treated as surveillance.

Robin Hopkins (@hopkinsrobin)