Author: Robin Hopkins

Damages under section 13 DPA: Court of Appeal’s judgment in Halliday

Posted on | by Robin Hopkins

I blogged a while ago about the ex tempore judgment from the Court of Appeal in a potentially groundbreaking case on damages under section 13 of the DPA, namely Halliday v Creation Consumer Finance [2013] EWCA Civ 333. The point of potential importance was that ‘nominal damages’ appeared to suffice for the purposes of section 13(1), thereby opening up section 13(2). In short, the point is that claimants under the DPA cannot be compensated for distress unless they have also suffered financial harm. A ‘nominal damages’ approach to the concept of financial harm threatened to make the DPA’s compensation regime dramatically more claimant-friendly.

The Court of Appeal’s full judgment is now available. As pointed out on Jon Baines’ blog, ground has not been broken: the ‘nominal damages’ point was a concession by the defendant rather than a determination by the Court. See paragraph 3 of the judgment of Lady Justice Arden:

“… this issue, which was the main issue of the proposed appeal to this court, is now academic as the respondent, CCF, concedes an award of nominal damages is “damage” for the purposes of the Directive and for the purposes of section 13(2) of the Data Protection Act 1998.”

Other potentially important points have also fallen somewhat flat. The question of whether UK law provided an adequate remedy for a breach of a right conferred by a European Directive fell away on the facts (“proof fell short in relation to the question of damage to reputation and credit”), while the provision for sanctions under Article 24 of Directive 95/46/EC was neither directly enforceable to Mr Halliday nor of assistance to him.

Still, the judgment is not without its notable points.

One is the recognition that compensation for harm suffered is a distinct matter from penalties for wrongdoing; the former is a matter for the courts in the DPA context, the latter a matter for the Information Commissioner and his monetary penalty powers. Such was the implication of paragraph 11:

“… it is not the function of the civil court, unless specifically provided for, to impose sanctions. That is done in other parts of the judicial system.”

Another point worth noting is Lady Justice Arden’s analysis of distress and the causation thereof. The distress must be caused by the breach, not by other factors such as (in this case) a failure to comply with a court order. See paragraph 20:

“Focusing on subsection (2), it is clear that the claimant has to be an individual, that he has to have suffered distress, and that the distress has to have been caused by contravention by a data controller of any of the requirements of the Act. In other words, this is a remedy which is not for distress at large but only for contravention of the data processing requirements. It also has to be distress suffered by the complainant and therefore would not include distress suffered by family members unless it was also suffered by him. When I say that it has to be caused by breach of the requirements of the Act, the distress which I accept Mr Halliday would have felt at the non-compliance of the order is not, at least directly, relevant because that is not distress by reason of the contravention by a data controller of the requirements of this Act. If the sole cause of the distress had been non-compliance with a court order, then that would have lain outside the Act unless it could be shown that it was in substance about the non-compliance with the Data Protection Act.”

The claimant had sought to draw an analogy with guidelines and banding for discrimination awards as set by Vento v Chief Constable of West Yorkshire Police [2013] 1 ICR 31. The Court of Appeal was not attracted. See paragraph 26:

“In answer to that point, the field of discrimination is, it seems to me, not a helpful guide for the purposes of data protection. Discrimination is generally accompanied by loss of equality of opportunity with far-reaching effects and is liable to cause distinct and well-known distress to the complainant.”

Finally, Lady Justice Arden commented as follows concerning the level of the compensation to be awarded on the facts of this case: “in my judgment the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation, and thus I would consider it sufficient to render an award in the sum of £750” (paragraph 36).

Lord Justice Lloyd (who, along with Mr Justice Ryder agreed with Lady Justice Arden) did pause to think about a submission on this question ‘if you were so distressed, why did you not complain immediately?’, but concluded that (paragraph 47):

“I confess that I was somewhat impressed at one point by Mr Capon’s submission that it was a surprise, if Mr Halliday was so distressed by this contravention, that he did not immediately protest upon discovering, in response to his first credit reference enquiry, the fact of the contravention, and indeed he did not protest until about a month after the second report had been obtained. But I bear in mind, in response to that, Mr Halliday’s comment that he had had such difficulty in getting any sensible response, or indeed any response, out of CCF at the earlier stage, that it is perhaps less surprising that he did not immediately protest. In any event, the period in question is not a very lengthy one between his discovery of the contravention by his first reference request and his taking action in July. Accordingly, it does not seem to me that that is a matter that should be taken to reduce my assessment of the degree of distress that he suffered.”

Robin Hopkins

Information rights: proposed legislative changes and more

Posted on | by Robin Hopkins

Earlier this week, James Goudie QC blogged on the Intellectual Property Bill’s amendment to FOIA, introducing a new qualified exemption (section 22A) for continuing programmes of research intended for future publication. On the issue of research – which featured prominently in submissions from the university sector during FOIA’s post-legislative scrutiny health-check – this would bring FOIA into line with its Scottish counterpart. For an informative discussion of this topic, see this post from Kit Good.

Interestingly, that post refers to an ICO decision notice (FS50163282 of 29 March 2010) about “tree ring” data, a method used to analyse wood from archaeological sites to determine past climates. The ICO found that Queen’s University Belfast was not entitled to rely on (among other exceptions) regulations 12(4)(d) of the EIRs (material which is still in the course of completion, unfinished documents or incomplete data). As it happens, the Tribunal has today issued a decision concerned with tree ring data in a university research context: McIntyre v IC and UEA, EA/2012/0156. The Tribunal noted the ICO’s note of caution concerning ever-evolving research data: “this argument should not be used to withhold tree-ring chronologies endlessly, by arguing that they are always a ‘work in progress’”. However, on the facts of the case the Tribunal upheld UEA’s reliance on regulation 12(4)(d), as supported by the ICO.

This has not been FOIA’s only outing in Parliament this week. An early day motion was tabled on Tuesday of this week expressing concern at the Government’s proposal to make cost restrictions more public authority-friendly. The motion is worded as follows:

“That this House notes that the Government is proposing to make it easier for public authorities to refuse Freedom of Information requests on cost grounds in order to prevent disproportionate use of the Freedom of Information Act 2000 by some requesters; expresses concern that requests by those making moderate use of the legislation will also be more easily refused under the proposals; is particularly concerned at the proposal that the time which authorities spend considering whether to release information should be taken into account when calculating whether the cost limit has been reached; further notes that this proposal was expressly rejected by the Justice Committee in its post-legislative review of the Act; believes that this proposal will penalise requests raising new or complex issues which will inevitably require substantial time to consider; observes that the Government’s objective will in any case be achieved following recent decisions of an Upper Tribunal that requests which involve a disproportionate, manifestly unjustified, inappropriate or improper use of the Act can be refused as vexatious; and calls on the Government not to proceed with its proposals.”

The motion’s primary sponsor is Richard Shepherd. At present, there are 12 signatories. Maurice Frankel of the Campaign for FOI is urging more MPs to take up the cause.

Turning from FOIA to information rights concerns of a data protection variety, the Care Bill was introduced in the House of Lords last week. Notably, it contains an express provision making the provision of “false or misleading information” an offence (subject of course to the statutory definitions being met). Clause 81 provides as follows:

(1) A care provider of a specified description commits an offence if—

(a) it supplies, publishes or otherwise makes available information of a specified description,

(b) the supply, publication or making available by other means of information of that description is required under an enactment or other legal obligation, and

(c) the information is false or misleading in a material respect.

The aims of this clause are not confined to matters affecting personal privacy – indeed, the explanatory document suggests it is confined to ‘management information’. There may, however, be some crossover with information on individual cases, particularly in ‘low cell count’ cases where individuals could be identified from higher-level data. The Data Protection 1998 does not use the language of “misleading” – focusing instead on inaccuracy and fairness. There are often DPA-related grievances, however, in which “misleading” is an excellent summary of the data subject’s concern.

Robin Hopkins

Thirteen deadly sins: new ICO guidance on vexatious requests

Posted on | by Robin Hopkins

On Wednesday, the ICO launched its new guidance on section 14 (vexatious requests) on Wednesday. This follows the Upper Tribunal’s recent decisions on this exemption (Panopticon passim), as well as decisions such as Salford City Council v IC and TieKey Accounts (EA/2012/0047) concerning reliance on section 14 to avoid incurring unreasonable cost burdens.

The ICO’s long-standing 5 indicators are supplanted by a new list of 13 indicators – though the emphasis remains on their not being intended as pseudo-statutory tests (and thus they are not really ‘deadly sins’). The thirteen indicators are (in no particular order):

abusive or aggressive language; burden on the authority; personal grudges; unreasonable persistence; unfounded accusations; intransigence; frequent or overlapping requests; deliberate intention to cause annoyance; scattergun approach; disproportionate effort; no obvious intent to obtain information; futile requests; frivolous requests.

The guidance addresses such topics as round robins, fishing expeditions and requesters acting in concert/as part of a campaign, all of which arise frequently for consideration by public authorities. There is also a section on “recommended actions before making a final decision” (paragraphs 93-97) which public authorities would be wise to consider with an eye on complaints to the ICO from dissatisfied recipients of section 14 notices.

For discussions of the new guidance, see these blog posts from the ICO’s Deputy Commissioner, Graham Smith, and also from FOI Man.

Robin Hopkins

Google: autocomplete and the frontiers of privacy

Posted on | by Robin Hopkins

Unsurprisingly, the frontiers of privacy and data protection law are often explored and extended by reference to what Google does. Panopticon has, for example, covered disputes over Google Street View (on which a US lawsuit was settled in recent months), Google’s status as a ‘publisher’ of blogs containing allegedly defamatory material (see Tamiz v Google [2013] EWCA Civ 68) and its responsibility for search results directing users to allegedly inaccurate or out-of-date personal data (see Google Spain v Agencia Espanola de Proteccion de Datos (application C-131/12), in which judgment is due in the coming months).

A recent decision of a German appellate court appears to have extended the frontiers further. The case (BGH, VI ZR 269/12 of 14th May 2013) concerned Google’s ‘autocomplete’ function. When the complainants’ names were typed into Google’s search bar, the autocomplete function added the ensuing words “Scientology” and “fraud”. This was not because there was lots of content linking that individual with those terms. Rather, it was because these were the terms other Google users had most frequently searched for in conjunction with that person’s name. This was due to rumours the truth or accuracy of which the complainants denied. They complained that the continuing association of their names with these terms infringed their rights to personality and reputation as protected by German law (Articles 823(1) and 1004 of the German Civil Code).

In the Google Spain case, Google has said that the responsibility lies with the generators of the content, not with the search engine which offers users that content. In the recent German case, Google has argued in a similar vein that the autocomplete suggestions are down to what other users have searched for, not what Google says or does.

In allowing the complainants’ appeals, the Federal Court of Justice in Karlsruhe has disagreed with Google. The result is that once Google has been alerted to the fact that an autocomplete suggestion links someone to libellous words, it must remove that suggestion. The case is well covered by Jeremy Phillips at IPKat and by Karin Matussek of Bloomberg in Berlin.

The case is important in terms of the frontiers of legal protection for personal integrity and how we allocate responsibility for harm. Google says that, in these contexts, it is a facilitator not a generator. It says it should not liable for what people write (see Tamiz and Google Spain), not for what they search for (the recent German case). Not for the first time, courts in Europe have allocated responsibility differently.

Notably, this case was not brought under data protection law. In principle, it seems that such complaints could be expressed in data protection terms. Perhaps, if the EU’s final Data Protection Regulation retains the severe penalty provisions proposed in the draft version, data protection will move centre-stage in these sorts of cases.

Robin Hopkins

Data protection: trends, possibilities and FOI disclosures

Posted on | by Robin Hopkins

At 11KBW’s information law seminar in May, one of the discussion topics was ‘the future of data protection’. Here are some further thoughts on some interesting trends and developments.

Progress at the EU level

A major issue on this front is of course progress on the draft EU Data Protection Regulation – on which see this blog post from the ICO’s David Smith for an overview of the issues currently attracting the most debate. While that negotiation process runs its course, the Article 29 Working Party continues to provide influential guidance for users and regulators on some of the thorniest data protection issues. Its most recent opinion addresses purpose limitation, i.e. the circumstances under which data obtained for one purpose can be put to another. A summary of its views is available here.

Subject access requests

Turning to domestic DPA litigation in the UK, practitioners should watch out for a number of other developments (actual or potential) over the coming months. On the subject access request front, for example, data controllers have tended to take comfort from two themes in recent judgments (such as Elliott and Abadir, both reported on Panopticon). In short, the courts in those cases have agreed that (i) data controllers need only carry out reasonable and proportionate searches, and (ii) that section 7(9) claims being pursued for the collateral purpose of aiding other substantive litigation will be an abuse of process.

Data controllers should, however, note that neither of those points is free from doubt: there are plenty who doubt the legal soundness of the proportionality point, and the abuse of process point has arisen for section 7(9) claims to the court – it should not, in other words, be relied upon too readily to refuse requests themselves.

Damages

Damages under section 13 of the DPA is another area of potentially important change. The Halliday v Creation Consumer Finance case (briefly reported by Panopticon) has been given further discussion in the Criminal Law & Justice Weekly here. Based on that information, perhaps the most interesting point is this: defendants have rightly taken comfort from the requirement under section 13 that compensation for distress can be awarded only where damage has also been suffered. In Halliday, however, nominal damages (of £1) were awarded, thereby apparently fulfilling the ‘damage’ requirement and opening the door for a ‘distress’ award (though note that Panopticon has not yet seen a full judgment from the Court of Appeal in this case, so do not take this as a definitive account). If that approach becomes standard practice, claimants may be in much stronger positions for seeking damages.

A further potential development on the damages front arises out of monetary penalty notices: data controllers who are subject to hefty penalties by the ICO may in some cases also find themselves facing section 13 claims from the affected data subjects themselves, presenting a worrying prospect of paying out twice for the same mistake.

Disclosure of personal data in the FOIA context

In general terms, requesters struggle to obtain the personal data of others through FOIA requests. A couple of very recent decisions have, however, gone the other way.

In White v IC and Carmarthenshire County Council (EA/2012/0238), the First-Tier Tribunal allowed the requester’s appeal and ordered disclosure of a list of licensed dog-breeders in the council’s area. In particular, it concluded that (paragraphs 21-23):

“…the Tribunal believes – on the facts of this case – that an important factor for any assessment in relation to the “fairness” of the disclosure of the personal data is best discovered from the context in which the personal data was provided to the Council in the first place.

22. The context, here, is to secure a commercial licence required by law to breed dogs. That license is necessary for the local authority to know who the licensed dog breeders in that area are, and so that the law can be enforced and welfare checks can be conducted as and when necessary in relation to the welfare of the dogs being bred commercially.

23. Licensing – in the ordinary course of things – is a public regulatory process. Indeed it was a public process in Carmarthenshire, in relation to the information that is at the core of this appeal, until the Council changed its policy in 2008.”

The Tribunal was unimpressed by the suggestive language of a survey of dog breeders which the council had carried out to support its case for non-disclosure. It also noted that a neighbouring council had disclosed such information.

The First-Tier Tribunal issued its decision in Dicker v IC (EA/2012/0250) today. It allowed the requester’s appeal and ordered disclosure of the salary of the chief executive of the NHS Surrey PCT over specified time periods, including total remuneration, expenses allowance, pension contributions and benefit details. As to legitimate interests in disclosure, the Tribunal said that (paragraph 13):

“In this case the arrangements (including secondment and recharge from another public authority at one stage) mean that the arrangements are not as transparent as might be wished and it is not entirely clear from the information published (as opposed to the assurances given) that the national pay guidance has been complied with. Mr Dicker asserted that the CEO was paid in excess of the national framework. The Tribunal was satisfied that there was a legitimate public interest in demonstrating that the national framework had been complied with and that the published information did not properly establish this”.

On the questions of distress and privacy infringements, the Tribunal took this view (paragraph 14):

“The CEO is a prominent public servant discharging heavy responsibilities who must expect to be scrutinised. Individuals in such circumstances are rational, efficient, hard-working and robust. They are fully entitled to a high degree of respect for their private lives. However the protection of personal information about their families and their health is a very different matter from having in the public domain information about income… The Tribunal simply cannot accept that anyone in such a role would feel the slightest distress, or consider that there has been any intrusion or that they would be prejudiced in any way by such information. From the perspective of the individual such information is essentially trivial; indeed, in other European societies, such information would be routinely available.”

If this approach were to become standard, the implications for public authorities would be significant.

Further, there are two very important personal data FOIA cases to look out for in the coming months. Following its decision in the Edem case late in 2012, the Upper Tribunal’s next consideration of personal data in the FOIA context is the appeal in the Morley v IC & Surrey Heath Borough Council (EA/2011/0173) case, in which the Tribunal – in a majority decision in which Facebook disclosures played a significant part – ordered the disclosure of names of certain youth councillors.

More importantly, the Supreme Court will hear an appeal from the Scottish Court of Session in July about a FOISA request for the number of individuals employed by the Council on specific points in the pay structure. The council relied on the personal data exemption (contending that individuals could be identified from the requested information), but the Scottish Information Commissioner ordered disclosure and succeeded before Scotland’s highest court. The Supreme Court will consider issues including the approach to ‘legitimate interests’ under condition 6(1) of schedule 2 to the DPA (the condition most often relied upon in support of disclosing personal data to the public). The case is likely to have far-reaching implications. For more detail, see Alistair Sloan’s blog.

Panopticon will, as ever, keep its eye on these and other related developments.

Robin Hopkins

Court of Appeal rules on damages for frustration at DPA breach

Posted on | by Robin Hopkins

On a day in which the remedying of privacy breaches of the kind considered by Leveson LJ dominated parliamentary debate, the Court of Appeal (Arden LJ, Lloyd LJ and Ryder J) delivered an interesting judgment on remedies for privacy breaches of the data protection variety.

Halliday v Creation Consumer Finance concerned Mr H’s appeal against a damages award to him under s. 13 of the Data Protection Act 1998. He had obtained default judgment against CCF for its breach of the DPA: it had accidentally and temporarily passed to a credit reference agency incorrect information about his allegedly having an unpaid debt of £1500 (Mr H and CCF had in fact resolved their dispute by that point). The judge at first instance awarded Mr H nominal damages of no fixed amount, but was not satisfied that there was evidence of reputational harm or prejudice to Mr H’s credit position. Mr H therefore received nothing in the way of substantial damages.

His appeal has been allowed. Nominal damages were set at £1 – as Panopticon understands it, this appears to have sufficed as ‘damage’ for s. 13(1) purposes, thereby entitling Mr H to compensation for distress under s. 13(2). He was awarded £750 in recognition of his distress and frustration at CCF’s wrongful processing, but there was no cogent evidence of him having suffered injury to feelings at the time, and CCF’s breach was a technical error rather than an intentional mis-statement. Hence the somewhat insubstantial sum by way of substantial damages.

Mr H sought to rely on Article 24 of Directive 95/46/EC which provides that member states must provide for sanctions where data protection rights have been infringed, but the Court of Appeal held that he could not seek direct enforcement of that provision in private proceedings, and that it was not the function of the civil courts to impose sanctions on data controllers – rather, their function under s. 13 of the DPA was to compensate data subjects.

It is understood that this judgment was delivered ex tempore, with a written judgment to follow, along with more Panopticon analysis.

Robin Hopkins