Author: Robin Hopkins

(Scottish) Data protection litigation – South Lanarkshire and more

Posted on | by Robin Hopkins

I have observed (Panopticon passim) that the Data Protection Act 1998 features surprisingly sparingly in litigation. That appears to be somewhat less true of Scotland: for instance, Common Services Agency [2011] 1 Info LR 184, the leading case on anonymisation and barnardisation, came before the House of Lords from Scottish litigation. Here are two more recent examples, one from today, the other from last month.

South Lanarkshire

The Supreme Court has today given judgment in an appeal from the Inner House of the Scottish Court of Session about a FOI(S)A request for the number of individuals employed by South Lanarkshire Council on specific points in the pay structure, for the purposes of analysing compliance with Equal Pay legislation. The Council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure. The Council’s appeal was dismissed by the Court of Session ([2012] CSIH 30) and, today, by the Supreme Court (South Lanarkshire Council v Scottish IC [2013] UKSC 55).

There were two issues for the Supreme Court. First, what does ‘necessary’ mean when it comes to condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public), which provides that:

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Giving the Court’s judgment, Baroness Hale said that it was obvious that condition 6 requires three questions to be answered: (i) is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?, (ii) is the processing involved necessary for the purposes of those interests?, and (iii) is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject? In her view, “it is not obvious why any further exegesis of those questions is required” (paragraph 18).

Further exegesis was, however, required because of the Council’s submissions as to how strictly the term “necessary” should be construed. Baroness Hale’s answer was entirely unsurprising (see paragraphs 25-28). “Necessary” has to be considered in relation to the processing to which it relates. If the processing involves no interference with Article 8 ECHR rights, then it might be thought that all that has to be asked is whether the requester is pursuing a legitimate interest in seeking the information (which was not at issue in this case) and whether he needs that information in order to pursue it. If the processing does engage Article 8 ECHR rights, then “it is well established in community law that, at least in the context of justification rather than derogation, “necessary” means “reasonably” rather than absolutely or strictly necessary”. None of this will come as a surprise – as, for example, Jon Baines has observed in his Information Rights and Wrongs post. Indeed, as Baroness Hale observed, it is unclear that the stricter standard of necessity for which the Council argued would have been any more favourable to it.

The second issue before the Supreme Court was a natural justice challenge. The Scottish IC had asked the applicant a number of questions during his investigation, and had also received letters supporting the request from a number of MPs. This information had not been shared with the Council.

Baroness Hale observed that it was common ground that the Commissioner has a duty to act fairly (see for example Glasgow City Council v Scottish Information Commissioner [2009] CSIH 73, 2010 SC 125). The Commissioner is entitled to make his own enquiries and formulate cases on behalf of applicants, but “he must, of course, give them notice of any new material which his inquiries have elicited and which is adverse to their interests” (paragraph 31). Her Ladyship further observed (paragraphs 31-32) that:

“31. I would add that the Commissioner is fulfilling more than an administrative function. He is adjudicating upon competing claims. And in Scotland, unlike England and Wales, there is no appeal to a tribunal which can decide questions of both fact and law. The Commissioner is the sole finder of facts, with a right of appeal to the Inner House on a point of law only. These factors clearly enhance his duty to be fair. If wrong findings of fact are made as a result of an unfair process, the Inner House will not be able to correct them.

32. However, it does not follow that every communication passing between the Commissioner and the applicant, or between the Commissioner and third parties such as Members of the Scottish Parliament, has to be copied to the public authority…”

In this case, there was no breach of natural justice, and the Council’s appeal failed on both grounds.

Lyons

Another of the more notable recent data protection cases is also Scottish. Additionally, it touches upon another of my observations (see here, for example) about the potential synergies and overlaps between the DPA and defamation. The case is Lyons v Chief Constable of Strathclyde Police [2013] CSIH 46 A681/10, and will be reported in the upcoming edition of the 11KBW/Justis Information Law Reports. In rough outline, the case concerned Mr Lyons’ complaints about two disclosures about him made by the police authority to regulatory/licensing bodies. The police had said that he was recorded on the Scottish Intelligence Database as having been involved in serious organised crime. Mr Lyons denied such involvement, and sued for defamation and damages under section 13 of the DPA.

His defamation claim failed because the police’s communications were made in circumstances which attracted qualified privilege, and were not tainted by malice.

The DPA claim failed too. The accuracy requirement of the fourth data protection principle had not been breached, because even if “Mr Lyons is involved in crime” were inaccurate, “Mr Lyons is recorded on the database as being involved in crime” could not be said to be inaccurate. The police’s reporting of that information arguably lent it some credence, but there was no indication on the facts of unequivocal endorsement of these statements such as to constitute the processing of inaccurate personal data by the police. Here the Court considered the Kordowski DPA/defamation case.

There was also an argument that disclosure of this information had been unfair, though (surprisingly) the case does not appear to have been pleaded as such. The essence of the unfairness argument was that, in Mr Lyons’ view, the police should have contextualised its disclosures by explaining to the recipients the source of the intelligence as to his alleged criminal involvement. The Court of Session dismissed this argument: the police could not sensibly disclose the identities of informants, given the DPA rights of the informants themselves, while Mr Lyons would not be entitled to learn through a subject access request who the informants were (see the exemptions under sections 29 and 31 of the DPA).

Here are a few interesting DPA points to emerge from the Court’s discussion. One is if a data controller endorses the veracity of inaccurate information obtained from someone else, that is not of itself a breach of the DPA (see paragraph 21). Some might query this, at least if applied inflexibly.

A second interesting point is that some might argue as follows: “to present decontextualised allegations in a manner which suggests you consider them credible could surely constitute unfairness. Perhaps you were not required to name your sources, but in the interests of fairness you could at least have made clear that you were passing on information obtained from others whom you considered to be credible”. Roughly that sort of argument seems to have been advanced here; no doubt the facts did not ultimately support it, but stepping back from the facts of this case, the (admittedly woolly and under-litigated) notion of fairness would arguably demand such an approach in many cases.

A third and final point of interest: the complainant relied on what he said were breaches by the police of a number of common law principles emerging from judicial review jurisprudence and the like. The Court was not impressed by their relevance to alleged DPA breaches, at least in the context of this case: see paragraphs 26-27, where the Court suggested that for there to be a DPA breach, there must be a particular DPA requirement which has been breached (though admittedly it did observe earlier in its judgment that ‘lawful’ in the context of the first data protection principle has no special meaning). Some might argue that fairness and lawfulness are designed to be broad enough to encompass principles outside of the black letters of DPA law. Indeed, Article 8 ECHR is increasingly the focus of arguments as to the lawfulness of processing: see for example the ICO’s enforcement notice concerning the use of ANPR cameras in the policing context, issued last week.

In other words, the DPA is not designed to be an entirely self-contained legal world, but rather to protect personal information by reference to all considerations having a bearing on what is being done with that individual’s information, whether or not they are listed by name in the DPA. This is not necessarily a point of disagreement with the Lyons outcome, but a broader observation about what kind of a creature the DPA is, or is intended to be.

Robin Hopkins (@hopkinsrobin)

Anonymity: publication and open justice

Posted on | by Robin Hopkins

The tension between transparency and individual privacy is part of what makes information rights such a fascinating and important area. When it comes to high-public interest issues involving particular individuals, prevailing wisdom has tended to be something like this: say as much as possible on an open basis, but redact and anonymise so as to protect the identity of the individuals involved. Increasingly, however, transparency is outmuscling privacy. See for example my post about the Tribunal’s order of disclosure, in the FOIA context, of the details of the compensation package of a Chief Executive of an NHS Trust (the case of Dicker v IC (EA/2012/0250).

The recent Care Quality Commission debate is the highest-profile recent illustration: the health regulator published a consultant’s report into failings regarding the deaths of babies at Furness General Hospital, but withheld the names of the individuals being criticised (including for alleged ‘cover-ups’), relying on the Data Protection Act 1998. The anonymisation was not endorsed by the Information Commissioner, and attracted widespread criticism in media and political circles. Transparency pressures held sway.

In a similar vein, the BBC has come under great pressure over the past week – particularly from Parliament’s Public Accounts Committee – to reveal the names of approximately 150 departing senior managers who received pay-offs averaging £164,000 in the past three years. As the Telegraph reports, the Committee is threatening to use parliamentary privilege to publish those names. The BBC admits that it “got things wrong” by overpaying in many cases (as confirmed by the National Audit Office), but is concerned to protect the DPA and privacy rights of the affected individuals, as well as to safeguard its own independence. The Committee says the public interest in transparency is compelling; Lord Patten, chair of the BBC Trust, says there will be “one hell of an argument” about this.

Such arguments become all the more thorny in the context of open justice disputes, of which there have been a number in recent weeks.

In the matter of Global Torch Ltd/Apex Global Management Ltd (The Guardian, The Financial Times and others intervening) [2013] EWCA Civ 819 involved competing petitions of unfair prejudice alleging misconduct in the affairs of a particular company. Two Saudi Arabian princes and one of their private advisers applied to have the interlocutory hearings held in private under CPR rule 39.2(3). The Court of Appeal agreed with the judge who dismissed those applications. It rejected the contention that the judge had elevated open justice above Article 8 ECHR rights as a matter of law. Rather, he noted that some general presumptions were valid (for example, open justice is likely to trump reputational damage) and applied those in the factual context of this case. Maurice Kay LJ said  (paragraph 34) that there was sometimes a “need for a degree of protection so as to avoid the full application of the open justice principle exposing a victim to the very detriment which his cause of action is designed to prevent… If such an approach were to be extended to a case such as the present one, it could equally be applied to countless commercial and other cases in which allegations of serious misconduct are made. That would result in a significant erosion of the open justice principle. It cannot be justified where adequate protection exists in the form of vindication of the innocent through the judicial process to trial”.

Open justice is of course fundamental not only to freedom of expression, but is also the default setting for fair trials. This is illustrated in the regulatory/disciplinary context by Miller v General Medical Council [2013] EWHC 1934 (Admin). The case involved a challenge to a decision by a Fitness to Practise Panel of the Council’s Medical Practitioners Tribunal Service that a fitness to practise hearing should take place in private because it considered that the complainant, a former patient of the claimant, was otherwise unlikely to give evidence. HHJ Pelling quashed the decision; there was insufficient evidence for the Panel’s conclusion about witness participation, and in any event the Panel “fell into error at the outset by not reminding itself sufficiently strongly or at all that the clear default position under Article 6 is that the hearing should be in public. It failed to remind itself that Article 6 creates or declares rights that are the rights of the Claimant and that it was for the GMC to prove both the need for any derogation from those rights and for a need to derogate to the extent claimed” (paragraph 20).

Robin Hopkins

The Prince Charles veto: JR fails due to availability of JR

Posted on | by Robin Hopkins

As Chris Knight reported this morning, judgment has been handed down in R (Evans) v HM Attorney General [2013] EWHC 1960 (Admin). The Upper Tribunal had ordered disclosure of certain correspondence between Prince Charles and government ministers (termed ‘advocacy correspondence’). The government – the Attorney General specifically – exercised the power of veto under section 53 of FOIA. The requester, Guardian journalist Rob Evans, brought judicial review proceedings. The Administrative Court dismissed his claim.

It did so despite “troublesome concerns” about the section 53, which it considered to be a “remarkable provision”.

For example, the Lord Chief Justice said: “The possibility that a minister of the Crown may lawfully override the decision of a superior court of record involves what appears to be a constitutional aberration” (paragraph 2); “It is an understatement to describe the situation as unusual. Indeed the researches of counsel suggest that it is a unique situation and that similar statutory arrangements cannot be found elsewhere in this jurisdiction” (paragraph 9); “It is not quite a pernicious “Henry VIII clause”, which enables a minister to override statute but, unconstrained, it would have the same damaging effect on the rule of law” (paragraph 10).

Nonetheless, a close examination of the wording and features of section 53 satisfied the court that it was not flawed on constitutional grounds. Parliament was mindful of what it was doing in enacting section 53. There are strict time limits and limits on who can issue a section 53 certificate; it must be laid before Parliament with reasons, it must be made on “reasonable grounds” and “the jurisdiction of the courts does not even purport to be ousted” (paragraph 81 in the judgment of Davis LJ). In effect, Parliament chose to build section 53 into a FOIA as an express check and balance on disclosure.

The Lord Chief Justice summed up the court’s assessment of section 53: “These provide that the ministerial override will be ineffective unless reasonable grounds for its exercise are identified. These reasons must be laid before Parliament for scrutiny and, if appropriate, parliamentary action. Making the reasons public in this way ensures that they are also immediately available for press and public scrutiny and, if appropriate, critical comment. More important, perhaps, is that the override decision of the minister is not final. The exercise of the override is itself subject to judicial scrutiny” (paragraph 13).

The court considered the meaning of “on reasonable grounds”, the key language from section 53. What standard did this connote? Davis LJ said “reasonable” meant just that: it did not needed to be glossed either by reference to Wednesbury standards, nor by reference to any higher standard.

The court was persuaded that the statement of the Attorney General’s reasons in this case did indeed demonstrate “reasonable grounds” for the decision. The Attorney General had guided himself by the government’s published policy which states that the veto will only be used in exceptional cases. He had considered and engaged with the Upper Tribunal’s decision. He addressed both FOIA and the EIR. He gave his view that great weight should be attributed to the importance of the convention of preparation for kingship, the need to avoid a chilling effect on related communications, the preservation of confidences and the need to avoid damage to the perception of political neutrality. The Commissioner himself had agreed with those factors and conclusions in his decision notice.

In the court’s view, the Attorney General’s reasons ‘made sense’. There can be “cogent” arguments for and against disclosure (as indeed the Upper Tribunal acknowledged were present in this case), and FOIA/EIR public interest assessments are not so much matters of fact or law (or a mix of both), but are exercises in evaluation. In that light, if it was said that the Attorney General could not simply prefer his own opinion to that of the Upper Tribunal, the rhetorical answer was “why not?”. Moreover, he was entitled to address the correspondence as a whole, rather than on a document-by-document basis.

Mr Evans had also argued that insofar as the veto related to environmental information, it was incompatible with the “access to justice” provisions of the Aarhus Convention and of the Environmental Information Directive. The court was not persuaded: the availability of judicial review sufficed for those purposes.

The Guardian has announced its intention to appeal.

Postscript:

It should also be remembered that this is not the only strand of the Rob Evans/Prince of Wales letters litigation. As Panopticon reported earlier this year, the Upper Tribunal has separately ordered disclosure of a schedule describing the withheld information. That decision is also subject to appeal: it has not (yet?) been vetoed. The saga continues.

Robin Hopkins

Prism and Tempora: Privacy International commences legal action

Posted on | by Robin Hopkins

Panopticon has reported in recent weeks that, following the Edward Snowden/Prism disclosures, Liberty has brought legal proceedings against the UK’s security bodies. This week, Privacy International has announced that it too is bringing a claim in the Investigatory Powers Tribunal – concerning both the Prism and Tempora programmes. It summarises its claim in these terms:

“Firstly, for the failure to have a publicly accessible legal framework in which communications data of those located in the UK is accessed after obtained and passed on by the US National Security Agency through the Prism programme.  Secondly, for the indiscriminate interception and storing of huge amounts of data via tapping undersea fibre optic cables through the Tempora programme.”

Legal complaints on Prism-related transfers have been made elsewhere on data protection grounds also. A group of students who are members of a group called Europe vs. Facebook have filed complaints to the data protection authorities in Ireland (against Facebook and Apple), Luxembourg (against Skype and Microsoft) and Germany (against Yahoo).

European authorities have expressed concerns on these issues in their own right. For example, the Vice President of the European Commission, Viviane Reding, has written to the British Foreign Secretary, William Hague, about the Tempora programme, and has directed similar concerns at the US (including in a piece in the New York Times). The European Parliament has also announced that a panel of its Committee on Civil Liberties, Justice and Home Affairs will be convened to investigate the Prism-related surveillance of EU citizens. It says the panel will report by the end of 2013.

In terms of push-back within the US, it has been reported that Texas has introduced a bill strengthening the requirements for warrants to be obtained before any emails (as opposed to merely unread ones) can be disclosed to state and local law enforcement agencies.

Further complaints, litigation and potential legal challenges will doubtless arise concerning Prism, Tempora and the like.

Robin Hopkins

Yet more on Article 10 ECHR and FOIA

Posted on | by Robin Hopkins

The question of whether the right to freedom of expression conferred by Article 10 of the European Convention on Human Rights has a bearing on the Freedom of Information Act 2000 (particularly as regards absolute exemptions) is an interesting and important one. The Supreme Court will address it later this year in the Kennedy litigation.

In the meantime, there is free expression aplenty on this issue within the Panopticon fold. Joseph Barrett’s post of earlier today is not the only example; Christopher Knight’s recent piece in Public Law is a must-read. The reference is: CJS Knight, ‘Article 10 and a Right of Access to Information’ [2013] PL 468.

Robin Hopkins

Google and data protection: no such thing as the ‘right to be forgotten’

Posted on | by Robin Hopkins

Chris Knight has blogged recently about enforcement action against Google by European Data Protection authorities (but not yet the UK’s ICO). I blogged last month about a German case (BGH, VI ZR 269/12 of 14th May 2013) concerning Google’s ‘autocomplete’ function, and earlier this year about the Google Spain case (Case C‑131/12). The latter arises out of complaints made to that authority by a number of Spanish citizens whose names, when Googled, generated results linking them to allegedly false, inaccurate or out-of-date information (contrary to the data protection principles) – for example an old story mentioning a surgeon’s being charged with criminal negligence, without mentioning that he had been acquitted. The Spanish authority ordered Google to remove the offending entries. Google challenged this order, arguing that it was for the authors or publishers of those websites to remedy such matters. The case was referred to the CJEU by the Spanish courts.

Advocate General Jääskinen this week issued his opinion in this case.

The first point concerns territorial jurisdiction. Google claims that no processing of personal data relating to its search engine takes place in Spain. Google Spain acts merely as commercial representative of Google for its advertising functions. In this capacity it has taken responsibility for the processing of personal data relating to its Spanish advertising customers. The Advocate General has disagreed with Google on this point. His view is that national data protection legislation is applicable to a search engine provider when it sets up in a member state, for the promotion and sale of advertising space on the search engine, an office which orientates its activity towards the inhabitants of that state.

The second point is substantive, and is good news for Google. The Advocate General says that Google is not generally to be considered – either in law or in fact – as a ‘data controller’ of the personal data appearing on web pages it processes. It has no control over the content included on third party web pages and cannot even distinguish between personal data and other data on those pages.

Thirdly, the Advocate General tells us that there is no such thing as the so-called “right to be forgotten” (a favourite theme of debates on the work-in-progress new Data Protection Regulation) under the current Directive. The Directive offers accuracy as to safeguards and so on, but Google had not itself said anything inaccurate here. At paragraph 108 of his opinion, the Advocate General says this:

“… I consider that the Directive does not provide for a general right to be forgotten in the sense that a data subject is entitled to restrict or terminate dissemination of personal data that he considers to be harmful or contrary to his interests. The purpose of processing and the interests served by it, when compared to those of the data subject, are the criteria to be applied when data is processed without the subject’s consent, and not the subjective preferences of the latter. A subjective preference alone does not amount to a compelling legitimate ground within the meaning of Article 14(a) of the Directive.”

It remains to be seen of course whether the Court agrees with the Advocate General. The territorial issue and the ‘data controller’ question are of great significance to Google’s business model – and to those whose businesses face similar issues. The point about objectivity rather than subjectivity being the essential yardstick for compliance with data protection standards is potentially of even wider application.

“This is a good opinion for free expression,” Bill Echikson, a spokesman for Google, said in an e-mailed statement reported by Bloomberg.

Robin Hopkins