Refusal to destroy part of a ‘life story’ justified under Article 8(2) ECHR

The High Court of Justice (Northern Ireland) has today given judgment In the matter of JR60’s application for judicial review [2013] NIQB 93. The applicant sought to challenge the right of the two Social Care Trusts to keep and use various records generated when she was a resident of children’s homes and a training school between the years 1978-1991.

In most cases of challenges to the retention of records, the applicant seeks to expunge information which suggests they have done wrong. This application is interesting because it focused (though not exclusively) on what the applicant had suffered, as opposed to what she had done. In short, she wished to erase from the record a part of her life story which was painful for her to recall. The application failed: there were weightier reasons for retaining those records, and in any event whatever her current wish to forget matters of such import, she might come to change her mind.

The applicant was described as having had a very difficult childhood, to which those records relate. It was not known who her father was. She had grown up to achieve impressive qualifications. Horner J described her as having “survived the most adverse conditions imaginable and triumphed through the force of her will. By any objective measurement she is a success”.

She wished to move on, and to have the records about her childhood expunged. The Trusts refused; their policy was to retain such information for a 75-year period. The applicant challenged this refusal on Article 8 ECHR grounds. Horner J readily agreed that the retention of such information interfered with her rights under Article 8, but dismissed her application on the grounds that the interference was justified.

The applicant had argued that (i) she did not intend to make any claim for ill-treatment or abuse while she was in care, (ii) she did not want to retrieve information about her life story, (iii) she did not want the records to be used to carry out checks on her, as persons who were not in care would not be burdened by such records in respect of their early lives, and (iv) she did not want others, including her own child, to be able to access these records.

In response to the applicant’s assertion that she did not want and did not envisage wanting access to her records, Horner J said this at paragraph 19:

“Even if the applicant does not want to know at present what is in her records, it does not follow that she may not want to find out in the future what they contain for all sorts of reasons. She may, following the birth of a grandchild, be interested in her personal history for that grandchild’s sake. She may want to find out about her genetic inheritance because she may discover, for example, that she, or her off-spring, is genetically predisposed to a certain illness whether mental or physical. She may want to know whether or not this has been passed down through her mother’s side or her father’s side. There may be other reasons about which it is unnecessary to speculate that will make her want to seek out her lost siblings. There are any number of reasons why she may change her mind in the future about accessing her care records. Of course, if the records are destroyed then the opportunity to consider them is lost forever.”

The Trusts argued that they needed to retain such records for the purposes of their own accountability, any background checks on the applicant or related individuals which may become necessary, for the purposes of (hypothetical) public interest issues such as inquiries, and for responding to subject access requests under the Data Protection Act 1998. Horner J observed that the “right for an individual to be able to establish details of his or her identity applies not just to the Looked After Child but also, inter alia, to that child’s offspring”.

In the circumstances, the application failed; the Trusts’ interference with the applicant’s Article 8 rights was justified.

Horner J added a short concluding observation about the DPA (paragraph 29):

“It is significant that no challenge has been made to the Trust’s storage of personal information of the applicant on the basis that such storage constitutes a breach of the Data Protection Act 1998. This act strengthens the safeguards under the 1984 Act which it replaced. The Act protects “personal data which is data relating to a living individual who can be identified from data whether taken alone or read with other information which is the possession (or is likely to come into possession) of the data controller: see 12-63 of Clayton and Tomlinson on The Law of Human Rights (2nd Edition). It will be noted that “personal” has been interpreted as almost meaning the same as “private”: see Durant v Financial Services Authority [2004] FSR 28 at paragraph [4].”

Robin Hopkins

Post-summer round up

It has been a relatively quiet summer on the information law front. However, this has very much been the calm before the storm. Important up-coming hearings include not least:

–       Kennedy in the Supreme Court (application of the Article 10 right to freedom of expression in the context of FOIA; previously discussed on Panopticon here, here and here): hearing listed for 29-31 October;

–       T v Secretary of State for the Home Department in the Supreme Court (whether CRB disclosure regime is compatible with Article 8; Court of Appeal judgment previously discussed on Panopticon here): hearing listed for 9-10 December;

–       Edem v Information Commissioner & FSA in the Court of Appeal (appeal against Upper Tribunal FOIA decision that information comprising an individual’s name taken together with information as to their role within an organisation constitutes ‘personal data’, such that it may fall within the scope of s. 40 FOIA): hearing listed for 14 November;

–       Central London Community Healthcare NHS Trust v Information Commissioner in the Upper Tribunal (appeal against the first ever tribunal decision on the imposition of a monetary penalty notice by the Information Commissioner under the DPA; see previous post on this case here): hearing listed for 16 and 17 October;

–       East Sussex County Council v Information Commissioner & Anor in the First-Tier Tribunal: hearing listed for 12-13 November 2013. The case in question is the fourth case to come before the tribunal concerning the imposition of charges by local authorities under the EIR for the provision of property search information – see further the tribunal decisions in East Riding of Yorkshire Council v IC, Kirklees Council v IC and Leeds City Council v IC. In the Leeds case, the Tribunal held that the relatively substantial charges which the Council had sought to impose were impermissible under the EIR. In reaching this conclusion, the Tribunal held that, under r. 8 EIR, a public authority was entitled to impose charges only in respect of the costs of transmitting the information to the applicant and was not entitled to charge for other costs such as the costs of searching for, retrieving and redacting the information. The Tribunal held that this conclusion was in keeping with the conclusions which had been reached by the ECJ in Commission v Germany (Case C-217/97) (the decision is discussed in more detail here). In East Sussex, both the Council and the Commissioner will be inviting the Tribunal to refer to the CJEU the question of the scope of a public authority’s power to charge applicants for environmental information, having regard to the relevant provisions in the Directive.

And in other news…

–       This week the First Tier Tribunal heard the first ever appeal against the imposition of a monetary penalty notice under the Privacy and Electronic Communications Regulations 2003. The appeal was brought by Tetrus Telecoms and concerned the sending of unsolicited text messages. You can read the relevant MPN here. A second set of appeals is due to be heard later on this year, this time concerning Nationwide Energy Services and We Claim U Gain Limited. It concerns the sending of unsolicited telephone calls (see the relevant MPN here). It will be interesting to see whether the Tribunal calibrates its approach depending on the type of communication in issue.

11KBW heavily dominates in all of the above cases. No doubt they will all be subject to further comment on Panopticon in due course.

Anya Proops

11KBW triumphs in the Directories

We are thrilled to report that 11KBW has been chosen by the Legal 500 as the leading chambers in the field of data protection. Comments in the directory include: the ‘set of choice’ for data protection matters; ‘high-quality, value-for-money’ service is ‘a standout feature’ of the ‘knowledgeable and responsive’ team, which is also noted for its ‘excellence in the area of information rights cases’. 11KBW’s Timothy Pitt-Payne QC and Anya Proops are listed respectively as the pre-eminent Silk and Leading Junior in this area. Ben Hooper is also listed as a Leading Junior. Other members of Chambers singled out for praise for their data protection work include Jonathan Swift QC, Akhlaq Choudhury, Karen Steyn and Robin Hopkins – see the listing here. 11KBW has also this week won both the Chambers & Partners Human Rights & Public Law set of the year and the Legal 500 Employment set of the year – see here and here. Many thanks to all those of our readers who have supported us over the years and helped us to reach these heady heights.

Public Authorities under the EIR – Fishing for an Answer from the AG

Panopticon is fairly sure that it can imagine the breakfast table dialogue in most right-thinking households this morning. Namely:

“Who owes obligations under the Environmental Information Regulations 2004? Public authorities: regulation 2.

Who is a public authority? Erm, well, not water companies: Smartsource v IC and a Group of 19 additional water companies [2010] UKUT 415 (AAC).

Are we sure? No and it has been necessary to refer the question to the Court of Justice of the EU to find out: Fish Legal v IC [2012] UKUT 177 (AAC) (again about water companies).

What have the CJEU got to do with the price of fish (legal)? Because the EIR implements Directive 2003/4/EC and so the correct interpretation is a matter on which definitive guidance can be sought from Luxembourg.

And what does the CJEU think? We don’t know yet, but we are a bit closer after Advocate General Villalon delivered the AG’s Opinion in the case yesterday: see Case C-279/12 Fish Legal v Information Commissioner, Opinion of 5 September 2013.

So what does the AG say? The test is posed along the following lines. It is for the national court to establish whether the water companies concerned may impose on individuals obligations for which they did not require the consent of those individuals, with the result that the companies concerned were in a position substantially equivalent to that of the administrative authorities. An individual was under the control of a body if his actions were subject to a degree of control exercised by that body or person which prevented him from acting with real autonomy in private affairs, thereby reducing him to the status of an instrument of the will of the State. Bodies or persons who also performed other, completely separate, non-public activities were not under an obligation to provide the information which they obtained in relation to those activities. [This sounds a bit like hybrid public authorities under s.6 of the Human Rights Act 1998, which has caused no difficulties in application at all. Ahem.] If in doubt, they should have to disclose the information.

And will the CJEU adopt this test? Wait and see. But usually the AG’s Opinion forms a key part of the Court’s analysis. So it is a good pointer, even if not the definitive answer.

And will the judgment, when it comes, tell us whether privatised water companies are public authorities? Probably not. That will almost certainly be left to the Upper Tribunal to decide in the light of the CJEU’s Delphic pronouncements.”

Doubtless there will be plenty more litigation to come, not to mention the cases stayed pending Fish Legal, and Panopticon will bring you the CJEU judgment when it appears.

11KBW’s Anya Proops appeared for the Commissioner in the CJEU, and Rachel Kamm did the same before the Upper Tribunal.

Christopher Knight

Penalty shoot out – tribunal decision in Scottish Borders Council appeal

The First-Tier Tribunal has today issued its decision in the Scottish Borders Council monetary penalty notice case – the decision can be found on the tribunal’s website here (11KBW’s Robin Hopkins acted for the ICO). The background to the case is that the ICO had issued SBC with a monetary penalty notice requiring it to pay a penalty of £250,000. The penalty was issued in circumstances where a data processor, appointed by SBC to digitise its pension records, had ended up placing the hard copies of the records in the post box bins at Tesco and another supermarket. In total about 1,600 files had been disposed of in this way. SBC appealed against the imposition of the penalty to the Information Tribunal. The Tribunal held that the penalty was unlawful and, indeed, that the Commissioner had no power to issue a penalty under s. 55A DPA. This was because, whilst SBC had seriously contravened the DPA, the facts and circumstances of the case were such that the contravention was not of a kind likely to cause substantial damage or distress. Thus, an essential precondition for the engagement of the Commissioner’s power to issue a penalty under s. 55A had not been met. I am reluctant to comment further on this decision as I am shortly to be appearing against Timothy Pitt-Payne QC in the first ever appeal to the Upper Tribunal on the application of the monetary penalty regime (Central London Community Healthcare Trust NHS v IC). However, doubtless one of my colleagues will in due course provide illuminating analysis of this important decision.

Anya Proops

New subject access code published by ICO

Yesterday I posted about a new and important High Court judgment on the application of the subject access regime. As it happens, yesterday was also the day on which the Information Commissioner published his new ‘Subject Access Code of Practice’. This is an important document which requires careful consideration by anyone working in the DPA field. Points which are particularly worthy of note include the following:

  • subject access a ‘fundamental right’ – The Commissioner identifies the data subject’s right to access his or her personal data as a ‘fundamental right’ (p. 7). However, interestingly the code does not examine in any detail why this is such an important right. Instead, it simply says: ‘Enabling individuals to find out what personal data you hold about them, why you hold it and who you disclose it to is fundamental to good information-handling practice. The Data Protection Act 1998 (DPA) gives individuals the right to require you to do this.’ (p. 5). However, it is important that data controllers understand why the subject access right is such a fundamental right. The answer to this question lies very clearly in the recitals to the EU Directive from which the DPA is derived, Data Protection Directive 95/46/EC. Those recitals make clear that the underlying objective of the data protection regime is to ensure that personal data is handled in a way that properly protects the privacy of data subjects. The subject access regime is designed to support the privacy rights of individuals by ensuring that they are, in effect, able to monitor how data controllers are processing their data.

  • requests made by social media – applicants are entitled in principle to make subject access requests via the data controller’s Facebook page, its Twitter account or any other social media sites to which it subscribes, although the Commissioner accepts that this may not be the most effective way to deliver a request in a form which will enable the data controller to respond to it easily and quickly (p. 10).

  • a child’s right of access – Data about a child belongs to that child, rather than to any parent or guardian. It is therefore the child who enjoys the right of access to their data, albeit that that right may be exercised on their behalf by their parent or guardian. A variety of considerations come into play when a data controller is asked to respond to a request made by a child directly (p. 11).

  • purpose of the request not a relevant consideration at the stage when requests are being responded to – The Commissioner continues to take the position that an applicant’s purpose or motive in making a subject access request does not affect the request’s validity or the data controller’s duty to respond to it (p. 20). This is an important consideration because very often subject access requests are not made for the purpose of ensuring that a data controller is processing the data subject’s data in a manner which safeguards their privacy but rather in order to afford a data subject an advantage in litigation which they are conducting, usually against the data controller. It should be noted that the Commissioner’s position on this issue has yet to be tested by the High Court or any appellate court (cf. the Southern Pacific Personal Loans case I blogged about yesterday and compare the conclusion reached by the Court of Appeal in Abadir, which you can read about here). See further the discussion of the Commissioner’s enforcement powers below.

  • scope of the data controller’s search obligations – A key consideration for data controllers when they are responding to subject access requests is how far they have to go when searching their complex, multi-layered information systems for potentially relevant data. The Commissioner has now made clear that considerations of reasonableness and proportionality can properly come into play as and when a data controller is considering how to discharge its search obligations. Thus, the code states that, whilst there are ‘no express limits’ on the search obligation provided for under the DPA, data controllers are: ‘not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information’. That said, the code goes on to attenuate the effect of this conclusion by stating that: data controllers should still ‘be prepared to make extensive efforts to find and retrieve the requested information’; any decision as to the scope of the data controller’s search obligations should take into account the fundamental nature of the right afforded under s. 7 and, further, requests cannot be refused simply because they are ‘labour-intensive or inconvenient’ (p. 22). This analysis will give little comfort to small and medium-sized businesses where wide-ranging subject access requests may have commercially crippling effects.

  • Commissioner’s enforcement functions – The code alludes to the Commissioner’s power to issue an enforcement notice in cases where a data controller has failed to comply with its obligations under the subject access provisions. It makes clear that: a notice will not necessarily be served ‘simply because an organisation has failed to comply with the subject access provisions’; the Commissioner will consider whether the failure is likely to cause or has caused the data subject to suffer damage or distress (as per the requirements of s. 40(2) DPA); whilst he can serve a notice in the absence of damage or distress, ‘it must be reasonable, in all the circumstances, for him to do so’; and importantly ‘he will not require organisations to take unreasonable or disproportionate steps to comply with the law on subject access’ (p. 53).

  • Importantly, the code goes on to allude to the fact that, where an applicant seeks to enforce their subject access rights by going to the court under s. 7(9) DPA, the court may treat the application as an abuse of process if the request has been made against a backdrop of litigation and as a means of accessing information which ought properly to be dealt with through the disclosure process. However, somewhat unhelpfully the code is entirely unclear on whether the Commissioner would regard this as a relevant consideration in the context of the discharge of his statutory enforcement functions. Instead, it simply refers the reader back to the point made in chapter 9 of the code that a request cannot be refused based on the purpose for which it was made (p. 59). Of course from the data controller’s point of view, it would obviously be entirely unsatisfactory if there were to be an asymmetry in the enforcement regime, with a data subject being able to get a better result if they seek enforcement from the Commissioner under s. 40 as opposed to the result they would get if they went to court under s. 7(9). Query whether the Commissioner ought in the circumstances to be striving to achieve an approach to enforcement which is aligned with the approach adopted by the courts.

Anya Proops