Does anyone remember compact discs? Isn’t everything downloadable from iTunes, or Napster, or whatever it is that young people are using these days? Well, to the joy of crotchety old people everywhere, the court system still uses CDs. Indeed, the Upper Tribunal records hearings before it on CD, and when a litigant wants access to those recordings the Upper Tribunal may take the view that it is interests of justice to disclose it to them. (We are not yet at the thrilling stage of having Upper Tribunal hearings filmed and made available online, as in the Supreme Court. One cannot imagine why.)

So it was in the case of Mr Edem – he of ‘is a name personal data?’ fame – who did not approve of being given his recordings but under terms which did not permit him to more widely disclose them. Instead, he sought them under FOIA and was met with the fairly predictable reliance by the Ministry of Justice on the absolute exemption for court records in section 32(1)(c). Aha, said Mr Edem, but a CD is not a “document” within the meaning of section 32(1).

This may come as something of a surprise argument to anyone looking at the broad definition of information in section 84, the approach of the Court of Appeal in IPSA (see here), the Upper Tribunal decision in Peninsula Business Services v ICO & Ministry of Justice [2014] UKUT 284 (AAC), and indeed common sense. It is less of a surprise to see the argument fail in Edem v ICO & Ministry of Justice [2015] UKUT 210 (AAC).

Judge Wikeley had little difficulty in accepting that the purpose of section 32(1), to enable the courts to control access to their own files and records, indicates a broader interpretation of document than merely paper files, and the effect of the distinction that an audio record would not be caught but a transcript would be was patently not intended to be the outcome. In any event, a document is simply something which contains information. It does not determine the form or mode of container. Various cases from different contexts (including of course the Kennedy litigation under FOIA) gave support for the conclusion that “document” naturally includes an audio recording which contains relevant information. In so concluding, Judge Wikeley reached precisely the same conclusion as Judge Williams had done in Peninsula. The Upper Tribunal also dismissed the argument that simply because the use of “document” in section 25 (on national security certificates) must mean a written document because of the specific context of a certificate did not require the same interpretation generally: a written document is a document but the reverse is not true. The strike out of the appeal was upheld.

Rupert Paines appeared for the ICO; Rachel Kamm was for the MoJ.

Christopher Knight

The Court of Appeal has today handed down judgment in Dransfield v ICO & Devon County Council; Craven v ICO & Department for Energy and Climate Change [2015] EWCA Civ 454 (Dransfield Craven FINAL JUDGMENT 14 5 15. As people will recall, Dransfield is concerned only with section 14 FOIA, and Craven is concerned with whether the same approach should be adopted under the differently worded regulation 12(4)(b) EIR. For those desperately hoping it would not require completely relearning everything just as everyone was getting used to the Upper Tribunal decisions (on which see Robin’s lengthy screed here), a sigh of relief can be exhaled. Arden LJ gives the only substantive judgment (with which Gloster and Macur LJJ agree), which she helpfully summarises at [5]-[7] and which I set out in full so people with better things to do can stop reading:

“5. The appeals raise different and difficult questions. In my judgment, for the detailed reasons given below, this court should dismiss each appeal.  

6. In Mr Dransfield’s case, the request, taken on its own, is a precise and politely-worded request. There is nothing on the face of this request which could be termed “vexatious”. Nonetheless the UT held that it was vexatious because of the past history of dealings between him and the authority. So the principal issue on his appeal is whether a request can treated as vexatious if it is not itself vexatious but previous requests have been. The FTT thought that the line had to be drawn at previous requests which “infected” the request under consideration (“the current request”). The UT rejected that test and held that there was no line to be drawn. Mr Dransfield seeks to uphold the test applied by the FTT. I do not accept this submission because it involves writing words into FOIA which the court may not do. The UT went on to formulate and apply guidance as to the meaning of “vexatious” which he has not challenged.

7. In Mrs Craven’s case, the principal question is whether the tests under section 14 FOIA and regulation 12(4)(b) have the same meaning (“the two-tests-one-meaning issue”). I conclude that to all intents and purposes they do. The next questions are whether the IC could raise an objection under regulation 12(4)(b) when the authority had not done so, whether section 14 (2) affects the meaning of section 14(1) and whether the costs of compliance could be taken into account under both tests (“the costs of compliance issue”). I agree with the UT on those points too. I would therefore dismiss Mrs Craven’s appeal also.”

And so orthodoxy reigns.

As to the detail of the judgment, although it is relatively long (28 pages), when one strips out the annexed statutory provisions, the factual background and the submissions of the parties, the actual analysis only runs from [61]-[73] on Mr Dransfield’s appeal and [74]-[88] on Mrs Craven’s.

In relation to Dransfield, the issue was the degree to which a prior course of conduct of the requestor could infect a request which in and of itself was inoffensive. Arden LJ agreed that no comprehensive or exhaustive definition should be adopted, but considered that the focus should be “on an objective standard and that the starting point is that vexatiousness primarily involves making a request which has no reasonable foundation, that is, no reasonable foundation for thinking that the information sought would be of value to the requester, or to the public or any section of the public“. The test should be a high one to meet, but all relevant circumstances should be considered. Where a motive can be established, that may be evidence of vexatiousness, although if the request is aimed at disclosure of important information which ought to be publicly available then even a “vengeful” request may not meet the test: at [68]. Motive was relevant here; section 14 is an exception to the ordinary approach that the reason why a right is exercised is irrelevant: at [66]. The FTT’s approach had been wrong; there were no bright lines and attempting them was illogical. Evidence of prior requests was capable of throwing light on the current request and the motivation behind it: at [69]. Had it been necessary to do so, the Court would have accepted that the Upper Tribunal had made an unchallengeable finding that the belligerent and unreasonable tone linked to the present request: at [71]. Because, as stressed at [6], there was no challenge to the Upper Tribunal’s general guidance, the Court of Appeal cast no doubt upon it and it will continue to be a useful source of assistance (with the caveat that protection of public resources cannot lower the high standard of vexatiousness required: at [72]).

In relation to Craven, Arden LJ dealt with a slightly wider range of issues. She made further comments on section 14 itself, noting that vexatiousness could not mean a requirement for persistent requests, still less for persistent requests to a range of different authorities, which would not be readily discoverable: at [77]. Section 14(2), on repeat requests, is a separate power which does not assist in interpreting section 14(1): at [82]. A key question in Craven was whether there should be any difference between the two regimes. Arden LJ held that there was not, particularly because section 14 was primarily an objective analysis, which accorded with the natural meaning of “unreasonable“. The word “manifestly” simply means that it must be clearly shown, and does not require detailed investigation by the authority into things it does not know: at [78]. There was no suggestion that the answer would have been any different under section 14: at [79] (although of course CJEU case law may develop in a different direction). One notable aspect of Craven is that it was a single request which was particularly burdensome and costly to deal with, but there was no section 12 equivalent in the EIR, and on this Arden LJ agreed with the Upper Tribunal’s approach: cost of compliance can be taken into account, although those costs would have to be balanced against the benefits of disclosure: at [83]. An unconcluded view was expressed that a higher hurdle might apply to rely on the costs burden under the EIR than FOIA, but no decision was reached: at [84]. The Court was satisfied that a costs burden could indeed apply to section 14: at [85].

We are, as a result, more or less where we were before the Court of Appeal’s judgment. Indeed all it has probably added is the weight of authority in some places and a bit of confusion (mostly around section 14 being objective, which is unhelpfully expressed but not, it appears, substantively different) in others. People can sensibly continue to guide themselves by the much more detailed guidance of the Upper Tribunal, subject to the caveats noted here. All the important clarifications made by the Upper Tribunal survive, and one suspects very limited changes will be required to the ICO’s Guidance. Repeat requestors should beware, particularly if they are unreasonable ones, and those making single but large requests should too.

The ICO was represented in both appeals by Tom Cross; Devon CC by Rachel Kamm and DECC by James Cornwell.

Christopher Knight

I have just had my attention drawn to this interesting article from the Japan Times about how the right to be forgotten is beginning to gain traction in Japan. Just goes to show that Europe is not the only environment within which this highly controversial right can potentially gain a foothold.

Anya Proops

Just two short but important pieces of news. First, I can now confirm that Google has applied for permission to appeal to the Supreme Court in respect of the Court of Appeal’s landmark judgment in Vidal-Hall v Google. The SC’s judgment on the application is awaited. Second, it would appear that the case of CG v Facebook which I blogged about earlier this year (see here) is also currently on appeal in Northern Ireland, with a cross-appeal being brought by CG on the question of whether the court erred when it concluded that Facebook fell outside the territorial scope of the DPA 1998. For further news on these important cases, watch this space.

Anya Proops

On a day when the country goes to the polls (or, if you a UKIP supporter, to the Poles), it is nice to be able remind people of the more important things in life than mere democratic-right exercising. The chief of these is, surely, developments under the Data Protection Act 1998. Happily, Panopticon can assist, with a quick note on an ex tempore judgment of HHJ Seymour QC in Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & 6 others (QBD, 5 May 2015). There is no transcript yet available, but a headnote is now reported on Lawtel, and this summary is taken from that.

Unfortunately, without the full reasoning, one does not get the sense of what looks likely to have been a more involved argument than the bare findings relate. The case concerned an SAR made to a company, which the Claimant asserted had been an SAR to both the company and the six individual directors of that company, all of whom were data controllers. Only the company had responded, with 400 pages of documents. One might have thought the argument that directors were also data controllers would face significant difficulties in the light of Southern Pacific Personal Loans [2013] EWHC 2485 (Admin) (see here). However, Judge Seymour QC appears to have resolved the matter on the facts: the Claimant’s statements had been that he believed only the company was the data controller, he had only paid one £10 fee and the proper construction of the SAR was that it was only made to the company. The claims were accordingly struck out against the individuals.

However, even had they not been, the Judge indicated that the individuals would most likely have been able to rely upon the domestic purposes exemption in section 36 DPA, and that he would have refused relief in his discretion to require them to search their personal email accounts in order to prove the application of section 36. That is quite an interesting little comment on the extent of section 36, and its interaction with ‘personal’ emails, and it will be useful to see the full reasoning in due course.

The case also contained a reminder that just because someone pleads section 13, even after Vidal-Hall, it is no guarantee of damages. The Judge considered that there was no indication of any identifiable class of damage, and the Claimant had not bothered to try and quantify his claim. As a result, it was difficult to contemplate that he would be able to demonstrate having suffered damage or distress. The company itself had adequately complied with its obligations (although the headnote does not explain what adequate compliance consists of, or how it fits with the language of section 7) and no further order was required. The section 13 claim was transferred to the County Court.

No pretence that Ittihadieh is going to blow your mind over your cornflakes (other breakfast comestibles are available), but there are a couple of little nuggets of interest and it will be worth keeping an eye out for the full transcript as and when it hits the shelves. We DP lawyers are not yet so overwhelmed by jurisprudence that we can afford to look a section 7(9) judgment in the mouth. And with that allusion to Ancient Greece, it falls only to this blog to remind you all of your civic duty to grasp what the Prime Minister so unnervingly insists on referring to as the “stubby pencil” and vote.

Robin Hopkins (who he?) appeared for the seven defendants.

Christopher Knight

I have today been speaking at the IAPP conference at A&O alongside David Smith (UK Deputy Information Commissioner), Bruno Gencarelli (European Commission, Head of Data Protection Unit) and Wojciech Wiewiórowski (Assistant European Data Protection Supervisor). The conference yielded a number of really interesting insights, a number of which I highlight below.

First and perhaps most importantly, Mr Gencarelli made clear that, so far as the draft General Data Protection Regulation was concerned, the firm expectation within Europe was that the GDPR would be agreed by the end of this year. This is obviously important given that the apparently endless European wranglings over the shape of the GDPR had led some to question whether the GDPR would be finalised within the foreseeable future. Mr Gencarelli also pointed out that we could expect that, over the ensuing two year transition period, the GDPR principles would be further refined and developed, as the European Commission engaged in a trilogue with the European Data Protection Authorities and industry bodies. This inevitably suggests that the conclusion of the formal negotiations over the GDPR will not in any sense bring the process of developing European data protection principles to an end.

Mr Gencarelli also highlighted the significant impact which the EU Charter had had on the legal approach to data protection. As he put it, the fact that data protection rights were given specific protection under the Charter meant that data protection rights now had a greater legal resonance and significance than was previously the case. Notably, Mr Gencarelli’s observations on this issue obviously chime closely with the approach to the application of Charter rights adopted by the Court of Appeal in its recent judgment in Vidal-Hall v Google.

Mr Wiewiórowski also provided some fascinating insights into the European perspective on data protection. He reflected in particular upon the role being played by the CJEU in terms of pushing the privacy agenda within Europe under the existing Directive. Mr Wiewiórowski made clear that, in his view, this was a judicial trend which was itself born out of discussions on the new privacy-preoccupied agenda embodied in the Commission’s proposals for the GDPR. Thus, in effect, the EU judiciary was working in a highly dialectical relationship with the EU legislature to produce a new cultural approach to privacy rights within Europe.

Mr Wiewiórowski also made the interesting point that developments in the UK data protection jurisprudence had a disproportionately large impact on the development of data protection law within Europe as a whole. As he observed, this was not because UK lawyers and judges were seen as being cleverer than their European counterparts. Rather it was simply a product of the somewhat prosaic fact that UK judgments are in English, with the result that they are more readily comprehensible to our EU colleagues. Thus, he suggested that the Court of Appeal’s judgment in Vidal-Hall was now being discussed very widely within Europe, particularly because it was a judgment which could be accessed and understood by practitioners across the European piste.

Mr Wiewiórowski also made some very interesting observations about the approach taken within the GDPR to the ‘journalistic exemption’. As many readers of this blog will know, there is currently a debate going on within Europe as to whether the approach to the exemption proposed by the Council of Europe gives enough protection to classic journalistic freedoms. This debate has arisen particularly because the Council’s proposed text removes any reference to journalism per se. This has prompted many within the media to raise concerns that Europe is unacceptably seeking to dilute protection for journalists in a way that fundamentally offends against Article 10 of the European Convention on Human Rights and Article 11 of the EU Charter. Mr Wiewiórowski expressed the view that the scope of the journalistic exemption was perhaps one of the most challenging issues to arise under the draft GDPR and he was not at all confident that this issue would be satisfactorily resolved by the time the GDPR was finalised. These are obviously really important observations, not least because they suggest that existing questions as to how data protection rights are to be reconciled with Article 10 rights are unlikely to be finally resolved merely as a result of the enactment of the GDPR.

In terms of the domestic regulatory perspective, David Smith’s presentation very helpfully illuminated how the ICO was approaching the right to be forgotten regime.

On this regime, Mr Smith made clear that, since Google Spain was decided, the ICO had received approximately 200 complaints from data subjects in response to refusals by Google to delete particular links. Of those 200 complaints, roughly 150 had been decided in Google’s favour, with the remaining 50 being decided in favour of the data subjects. Mr Smith indicated that the ICO was now engaged in discussions with Google about this latter set of cases.

Mr Smith also made clear that the ICO had been impressed with Google’s overall approach to the right to be forgotten regime and that there were generally no significant differences of approach between the ICO and Google in terms of how the regime was to be applied. He did however indicate that one area of disagreement was as to whether Google should be notifying publishers when they receive requests from individual applicants. Google’s position on this issue is that typically publishers should be notified. By way of contrast, the ICO’s position is that notification should take place only in exceptional cases. Obviously, this divergence of view takes us back to the important and, as yet, unresolved question as to how data protection rights should be reconciled with Article 10 freedom of expression rights. Clearly as matters currently stand, Google is preferring a more pro-Article 10 approach than the ICO. Query whether Google will continue to adopt such a stance in future.

Notably, Mr Smith also made clear that the ICO’s view was that google.com should be treated as caught by the CJEU’s judgment in Google Spain. Again this is an important point. As matters currently stand, Google’s position is that google.com is not caught by the judgment. This has the result that users within Europe can potentially avoid all the amnesiac effects of the Google Spain judgment simply by setting their default browsers to google.com. Evidently the ICO regards this as an illegitimate loophole which Google should now look to close.

In terms of the wider question of whether the CJEU’s judgment in Google Spain had had a damaging effect on the internet as a whole, Mr Smith made clear that in his view that this was not the case. He pointed out that Google had now delivered important results for data subjects in hundreds of thousands of cases. By way of contrast, he said the ICO had received only a handful of complaints about deletion. Mr Smith pointed out that obviously the introduction of the right to be forgotten regime had not resulted in the internet grinding to a halt, and that it had not sounded the death-knell of Article 10 rights. Instead, what it had done in his view was deliver real tangible results for data subjects in a wide range of cases. As Mr Smith put it, what the judgment in Google Spain had achieved was the practical recognition within the online world of important human values, including values relating to the autonomy of the individual and the need for forgiveness.

Additionally Mr Smith made clear that, whereas once the ICO’s voice may not have been seen as an important voice in litigation on data protection issues, now the ICO was increasingly being recognised by the courts as an important contributor in legal debates on those issues. He used the ICO’s involvement in the recent case of Vidal-Hall as an illustration of this important development. As Mr Smith put it the effect of these developments was that the ICO could now be more active and assertive when it came to litigation on key data protection issues.

Finally, it is worth pointing out that Mr Smith, Mr Gencarelli and Mr Wiewiórowski all agreed that, so far as the concept of ‘personal data’ was concerned, the GDPR did not expand the existing definition. Instead, all it did was clarify the existing law, as adopted in the Directive. Notably, this is consistent with the approach taken to the definition by the ICO in the case of Vidal-Hall.

So much food for thought emerging from the conference. Incidentally, those who are interested in future IAPP events may like to note that the IAPP is holding its European Data Protection Congress in Brussels in December 2015. No doubt the congress will offer an important opportunity to debate some of the issues referred to above.

Anya Proops