COURT GRANTS INJUNCTION RESTRAINING DISTRIBUTION OF PRIVATE INFORMATION AGAINST UNKNOWN BITTORRENT SEEDERS

Posted on | by Julian Wilson

I have previously blogged here on why the use of the BitTorrent peer to peer file sharing protocol to distribute large amounts of information over the internet has proved problematic for the law, see Privacy of internet users, internet file-sharing and copyright: the present “Wild West” and the Digital Economy Act 2010

On 12 January 2012, the Technology & Construction Court demonstrated a readiness to tackle BitTorrent seeders in appropriate cases. In AMP-v- Persons Unknown [2011] EWHC 3454 (TCC) the Claimant’s explicit private digital photographic images had been stored on her mobile phone which was stolen while she was at University. Following the theft, the images of her were uploaded to a free online media hosting service for the sharing of images. They were then also uploaded to a Swedish site hosting BitTorrent files.

Ramsey J granted the Claimant an interim injunction to prevent the distribution of the images both by conventional downloading and by downloading by the use of the BitTorrent Protocol.

Unsurprisingly, the court found that the publication of the images infringed the Claimant’s right to respect for her private and family life under Article 8 and that right outweighed the rights of freedom of expression of users of BitTorrent client software to download the digital photographic images using the BitTorrent protocol and to disseminate them by seeding them.

Ramsay J. found that the users of the BitTorrent client software who were downloading and uploading the digital images had no rights in that information and that information was of a personal, private and confidential nature which the Courts should protect.

The court also found that the Claimant had a good arguable case that the conduct of disseminating the digital photographic images amounted to harassment of the Claimant under the Protection from Harassment Act 1997.

Interestingly, the Respondents who were named in the application as “Persons Unknown” were neither present nor represented and the Claimant had not taken all practical steps to notify them. However, the Judge considered there were compelling reasons why they should not be notified. If each Defendant had to be notified before the Injunction were granted it would effectively deprive the Claimant of the opportunity to obtain the immediate interim relief which would otherwise be appropriate to protect her Article 8 rights.

The court accepted expert evidence to the effect that seeders of the BitTorrent files could be identified by way of their Internet Protocol Addresses whilst they were seeding and that it would therefore be possible to obtain the IP Address of every seeder and identify from that address their physical location, name and address from their Internet Service Provider. They could therefore be served with an order requiring them to take steps to stop their account from being used.

UPDATE ON RECENT TRIBUNAL DECISIONS

Posted on | by Rachel Kamm

The First Tier Tribunal (Information Rights) has had a busy start to 2012, with 7 decisions on its website already.

The first judgment out was Herbert v ICO and West Dorset District Council, EA/2011/0157. The appellant sought correspondence concerning the transfer to the Council of property previously owned by Lyme Regis Borough Council. The Council refused the request on ground that it was vexatious. The history of this case related to incidents and disputes regarding a different matter, between the appellant and the Council dating back to 1992, which culminated in 1996 when the Council revoked a license held by the appellant. The ICO agreed that the request was vexatious. The appellant submitted that he had a genuine interest in the history of Lyme Regis and that he believed that some historical documents were missing from the National Archives and that they had been retained by the Council because they related to illegally acquired property. The Council had previously allowed him to research their archives on another matter and he wished to be able to do so again to look for these missing documents. He said that he had expected the ICO to contact him so that he could put forward further arguments. The FTT agreed with the ICO and the Council that the request had been made under FOIA (and not the EIRs). The FTT set out the key principles that have been applied by Tribunals in considering whether requests were vexatious under s14 FOIA. The FTT considered the background and found that the appellant’s request was obsessive. Further, the request had the effect of harassing the Council (even though the language was not hostile), as allegations of illegality and impropriety were made at the same time as the requests and there was a context of a high volume of correspondence. The Council had made extraordinary efforts to accommodate the appellant’s requests over a considerable period of time and valuable resources of time and effort have been used which could otherwise have been used more productively. In the view of the FTT, to accommodate this request would constitute a further and significant burden on the Council. The FTT concluded that the request was vexatious.

The next decision to be promulgated was King v ICO, EA/2010/0126. The appellant sought from the ICO records of complaints where Crawley Borough Council had failed to comply with FOIA/EIRs and the ICO never served a ‘decision notice’. The ICO refused the request on ground that the information  consisted of ‘third party information’ that was exempt from the requirements of disclosure. It did not identify the exemption relied on for refusing to disclose the information. However, it did provide the appellant with a summary of the information requested. Further information was provided by the ICO in response to the appellant’s request for a review of the decision. The appellant then asked for the information with just the personal details of individuals removed. The ICO refused, citing s.44 FOIA, as exempting information that is prohibited from disclosure under another Act, namely s.59 DPA (which prevents disclosure of information collected in the course of an investigation where there is no lawful authority to do so). The appellant requested  review of this decision. In subsequent correspondence, the ICO  relied on s.40 FOIA (the data protection exemption). The appellant then asked the ICO to make a decision under s.50 FOIA as to whether it had complied with the Act. Having previously been acting in its capacity as a body which was itself subject to FOIA, the ICO then changed back to its normal hat. The ICO said that it was reversing its decision and it provided the appellant with the  letters which had been sent to the Council in the cases alleging non-compliance with FOIA, with personal data redacted. The appellant disputed that this resolved his request; he also wanted the documents from the individuals making complaints and from the Council. The ICO denied that these had been within the scope of his original request. The ICO subsequently issued a decision notice stating that it had provided the appellant with the information requested, but that it had breached FOIA (including by not holding an internal review at the right stage, by not providing the information at the outcome of the internal review and by not acting within the time-scales in the Act). The appellant appealed, arguing that the ICO had not provided all information which fell within the scope of his request, had misinterpreted his request and had breached the duty to provide advice and assistance. In relation to the scope of the request, the FTT criticised the ICO for not having properly analysed the request but found that in fact it had provided all information that fell within the scope of the request. The appeal therefore failed. The FTT also found that the ICO was not in breach of the duty to provide advice and assistance; the appellant argued that the ICO should have asked him to clarify his request, but the FTT found that this was not necessary because the request was in any event clear and adequately specified the information sought. This case very much turned on its facts, but it is interesting to see the application of FOIA to the ICO as a public authority and it is also a useful reminder to carefully read the request from the outset.

The third decision out in 2012 was Newcastle Upon Tyne Hospital NHS Foundation Trust v ICO, EA/2011/0236. This appeal was struck out because the judge considered that there was no reasonable prospect of it succeeding. The disputed information was statistics about the number of people dismissed over a three year period. The Trust refused to provide the information, on ground that it was reasonably accessible (s.21 FOIA) by way of an application in the employment tribunal litigation. The Trust subsequently provided the information voluntarily. The ICO found that the Trust had misapplied s.21 FOIA. The Trust appealed, arguing that “The point at issue is one of prioritising the correct forum by which information is provided. The Trust point is that once proceedings are issued, the correct forum lies within the proceedings that have been issued, in this case the Employment Tribunal“. Not surprisingly, the judge found that this argument had no reasonable prospect of success. FOIA rights are not put on hold if there is litigation between the parties. Further, information obtained under FOIA can be used for any purpose whereas information obtained in litigation can only be used for that purpose and so litigation disclosure is not an answer.

Cross v ICO, EA/2011/025 is also a strike out decision. The appellant sought from Havant Borough Council a building control decision notice, plans and inspection records relating to a loft conversion to his home carried out in 1987. The Council refused the request under the EIRs, on ground that it was not held at the time of receipt of the request. The appellant believed that he had seen these documents on a visit to the Council and that, whilst it was possible that they had subsequently disappeared, his appeal should not be struck out. However, the Council had conducted a six day trawl for the information and the judge found that it was obviously willing to provide the information if it could be found. The appeal was therefore struck out as having no reasonable prospect of success.

Finally, in Martyres v ICO and NHS Cambridgeshire, EA/2011/020, the FTT dismissed an appeal by an appellant who sought all information held by NHS Cambridgeshire (and its relevant community services provider), in respect of her deceased mother who had died on 29 August 2009 including information about the care received by her mother at a care home she was staying at prior to her death. The appellant argued that she was the next of kin, proposed executor and trustee of one of the Wills and had a valid claim against her mother’s estate under the intestacy  rules. In relation to s.41 (FOIA), the FTT found that the information was obtained from another person (social care professionals), it possessed the necessary quality of confidence and disclosure would constitute such an actionable breach of confidence. The FTT further concluded that s.21 FOIA did not apply, in that the appellant would not have been able to obtain the disputed information under the Access to Health Record Act 1980 (as the appellant claimed); whilst she was the nearest relative, she was not the personal representative. The FTT also dismissed the appellant’s arguments under the Human Rights Act 1998.

Rachel Kamm

LATE RELIANCE ON EIR EXEMPTIONS AS OF RIGHT

Posted on | by Rachel Kamm

Readers will recall that the Upper Tribunal decided in early 2011 that public authorities are entitled as of right to rely on any exception / exemption under either the Freedom of Information Act 2000 or the Environmental Information Regulations 2004 at any stage of the proceedings.

In that case, the Upper Tribunal considered two appeals together. The first was an appeal brought by DEFRA, challenging the Tribunal’s decision that it could not now seek to rely on additional exemptions under the EIRs and that it was limited to the exemption that it had relied on at the time of its refusal to disclose environmental information to Mr Birkett (the founder of the cross-party Campaign for Clean Air in London). The second was an appeal brought by the Information Commissioner, challenging the Tribunal’s decision that the Home Office was entitled as of right to rely on new exemptions under FOIA.  At the hearing of the appeals before the Upper Tribunal, DEFRA submitted that it was entitled as of right to rely on the new exceptions/exemptions, Mr Birkett said that a public authority could not lawfully rely on new exceptions/exemptions before the Commissioner and the Tribunal, and the Commissioner adopted a middle course (namely that while there was no right to rely on new exceptions/exemptions, a public authority could be permitted to do so at the discretion of either the Commissioner or the Tribunal). The Upper Tribunal agreed with the public authorities that they could rely on a new exception/exemption at any time under either FOIA or the EIRs.

Mr Birkett appealed against this decision about the EIRs to the Court of Appeal: Birkett v The Department for the Environment, Food and Rural Affairs [2011] EWCA Civ 1606.

Lord Justice Sullivan (with whose judgment Lord Justices Lloyd and Carnworth agreed) started by considering the Aarhus Convention on Access to Information, Public Participation in Decision Making and Access to Justice in Environmental Matters. The Council Directive 2003/4/EC on public access to environmental information implements the Aarhus Convention and is itself implemented in domestic law by the EIRs. Mr Birkett argued that it was necessary to interpret the Directive (and in turn the EIRs) as preventing a public authority from relying on a new or different exemption after the internal review stage; otherwise the complainant would not have an effective remedy because they would not know the reasons for the public authority’s refusal of their request for information.

Lord Justice Sullivan rejected Mr Birkett’s argument. He took into account that the Directive does not proceed upon “the unlikely premise” that within the prescribed “tight timescale the public authority will always “get it right the first time”, hence the review process provided for by Article 6. While some decisions may be relatively straightforward, the question whether some information, and if so how much of that information, falls within one or more of the exceptions may well be a question of some complexity. Are documents protected by legal advice or litigation privilege, are there intellectual property rights in certain information, etc.? The exceptions are concerned with important public interests.” (paragraph 21). He held that “The Court or other legal body conducting the review under Article 6(2) is not reviewing the decision made by the administrative reviewer under Article 6(1), it is reviewing “the acts or omissions of the public body concerned.” Thus, the court must consider de novo the propriety of releasing the information. Such a process is bound to discover errors and omissions in the exceptions relied upon in initial decisions, and it would be surprising, given the balancing exercise required by the Directive, if those errors were incapable of subsequent correction.” (paragraph 23).

Lord Justice Sullivan went on to give a hypothetical example of a public authority which mistakenly fails to rely in its refusal notification upon an adverse effect upon public security or national defence. Mr Birkett considered that this would happen rarely and that the solution was for the Commissioner / Tribunal to refuse to allow the public authority to rely on that exception / exemption late but to exercise its discretion to refuse to order disclosure of the information where that was necessary to avoid a breach of human rights (paragraphs 24 and 25).

Lord Justice Sullivan rejected Mr Birkett’s proposed solution. The public interests protected by the exemptions in the EIRs were not just human rights. Further, the Commissioner and the Tribunal were able to exercise effective judicial control, for example by requiring an appellant to set out his grounds at an early stage in the grounds of appeal. “Any application by the public authority to rely upon a new exception made after the time limit for its grounds of appeal/response would be subject to the Tribunal’s case management powers under rule 5; see also rules 22(4) and 23(5) which deal with the submission of notices of appeal and responses out of time.” (paragraph 28). He concluded that the public authority was entitled to rely as of right on new EIR exemptions in the notice of appeal to the Tribunal.

Note that there was no appeal from the Upper Tribunal’s decision in the Home Office case about FOIA, which remains good law. It is also noteworthy that the Commissioner chose not to participate in the appeal, which meant that the Court of Appeal did not hear submissions on the middle course which it had proposed to the Upper Tribunal in the Home Office case. Lord Justice Carnworth commented that “There would have been attractions in an alternative approach, which could have reconciled the need for urgency, implicit in the CJEU case-law, with the need for flexibility in the operation of the scheme” (paragraph 31).

As a result of this decision, the general rule is that public authorities can rely on any exception / exemption at any time under the EIRs or FOIA. However, note that there is still a different approach where the public authority seeks to rely on the cost exception in FOIA after its initial decision; see our post on this topic here.

Rachel Kamm

GOOGLE

Posted on | by James Goudie KC

Tugendhat J ended in his Judgment on 19 December 2011 in AB v Barristers Benevolent Association Ltd [2011] EWHC 3413 (QB) by saying: “This judgment may alert practitioners to the possibility that information stored on a cache by Google may take several days to have removed”.

The BBA provides support to barristers in many different circumstances, including by way of loans. AB is a barrister who sought a loan from the BBA about six or seven years ago. On 5 December 2011 it was brought to her attention that confidential correspondence between herself and the BBA was available on the internet. She conducted a search through Google and found the information herself.

On 6 and 7 December 2011 the judge on out of hours duty granted an injunction without notice to the BBA. The injunction was discharged because an injunction against the BBA was unnecessary. There was no dispute that the documents in question contained confidential information, and that its confidentiality should be preserved.

On 5 December AB had contacted the BBA. The official she spoke to was already aware of the problem.  The BBA assured AB that the BBA’s IT consultant was addressing the issue as a matter of urgency.

The information remained accessible on Google throughout 6 December. The IT consultant said he was doing everything he could. He explained that the problem lay with Google, and that it might take some time for all their servers to be synchronised so as to remove the information from the caches. He explained he had been calling Google offices all over the world to try to get action, without success.

What had happened to give rise to this affair was explained by the IT consultant in a witness statement.  In 2005 or 2006 his firm had been asked by the BBA to assist in removing data from one hard drive to a new one. The process was carried out by copying data to a temporary file, which should have been deleted, but was not. It was retained inadvertently on a server. At the time that did no harm, because the server was not publicly available. However a technical change by the firm’s broadband supplier O2 led to the server becoming available to Google to pick up the data without the firm knowing that that was happening.

On Friday 2 December 2011 the BBA became aware that the information was available through Google. The BBA immediately contacted the IT consultant and asked him to deal with it as a matter of extreme urgency. The IT consultant’s firm identified what had happened. He removed the source of information from its server and disconnected the server from the internet. All the data that had been inadvertently stored was deleted. He then contacted Google via the webmaster tools requesting the removal of the material from the Google cache. This is where the problem arose.

On 5 and 6 December the IT consultant made numerous further attempts to contact Google to have the information removed from the caches as a matter of urgency. According to his evidence, and the e-mails that he has exhibited, he could not have expressed himself more forcefully, or more urgently, but he received no prompt response from Google. It was not until 10 pm on Tuesday 6 December that he found some files had been removed by Google.

On the morning of 7 December the IT consultant discovered that there was still information that had not been removed from the caches. He contacted Google again on more than one occasion.  It was not until Friday 9 December that Google had fully complied with his request to remove the information in its entirety.

Courting Disclosure under Section 32

Posted on | by Christopher Knight

The Institute of Chartered Accountants (“ICA”) has a policy of seeking the Certificate of Conviction of any of its members who have been found guilty of an offence which may relate to their appropriateness to act as a chartered accountant. However, the Courts Service (“HMCTS”) refused to confirm or deny holding an individual’s Certificate under section 32 FOIA because it was a document created by the court for the purpose of proceedings. A Certificate of Conviction is currently governed by section 73 of the Police and Criminal Evidence Act 1984, but has existed since the mid-nineteenth century. It acts as conclusive proof of conviction.

In ICAEW v IC & Ministry of Justice (EA/2011/0148, judgment of 8 December 2011) the Tribunal upheld the Commissioner’s decision notice that the HMCTS was not required to confirm or deny holding the information. The Tribunal followed the decision of the Court of Appeal in Kennedy v IC [2011] EWCA Civ 367 that the protection of section 32 was ongoing after the conclusion of proceedings, and that it could not logically matter whether the court created the document before or after the verdict because it was for the purpose of the proceedings. The ICA’s attempt to construe “proceedings” as excluding the issuing of a Certificate of Conviction was said to be “narrow and artificial” by the Tribunal: at [42].

The Tribunal also reiterated the section 32 jurisprudence that the purpose of the exemption is to ensure that the court can regulate access to its own files. Access to court records can be sought under the Civil Procedure Rules, but the Criminal Procedure Rules do not provide for access to a Certificate and the Tribunal considered this to be very relevant. A Certificate is not itself publicly accessible, even if the information it contains may be reported publicy elsewhere. (Section 32 being an absolute exemption, this fact provided the ICA with no assistance.)

There is not a large amount of case law on the application of section 32 – and my involvement on behalf of the Commissioner precludes analysis of the Tribunal’s judgment – but the ICAEW case does provide some helpful reiteration of the purpose and scope of the absolute exemption, stressing that access to court records is very much a matter for that court and is not to be circumvented by FOIA.

Christopher Knight

PRIVATE EMAILS AND TEXTS SUBJECT TO FOIA

Posted on | by Robin Hopkins

Following the emergence earlier this year that Department for Education officials had, apparently routinely, used personal email accounts for the conducting of official business, the ICO has considered this issue. It has today issued guidance that many FOI officers and lawyers will find notable, to say the least.

The key points:

  • FOIA applies to official information held in private email accounts when held on behalf of the public authority. So too text messages. This much is obvious from the definition of ‘held’ in s. 3 of FOIA. The question is exactly what this means, and what to do about it.
  • There will be occasions on which, having searched its own systems, the public authority will be expected to ask employees (or contractors etc) to search their personal email accounts/text messages for information described in a FOIA request.
  • The ICO expects such occasions to be ‘rare’. I think this means that the ICO will not expect the public authority to do so simply because a requester asks it to; something more will be required.
  • What is that ‘something more’? The ICO recommends public authorities look out for ‘relevant factors’ which may trigger the duty to ask.
  • These factors include the nature, wording and subject matter of the request.
  • They also include “how the issues to which the request relates have been handled within the public authority”. This may be another way of asking: is the public authority aware that this sort of thing has been going on?
  • Another relevant factor is “by whom and to whom the information was sent and in what capacity, e.g. public servant or political party member”. This is often a blurred line, one imagines. Not sure how this could be scrutinised (other than hacking into private systems, which is not nice, not fashionable and not legal).
  • Public authorities should establish procedures for dealing with such situations.
  • They should keep records of any private email account/text message searches they have requested.
  • Public authorities should remind staff that, where a request for information to which the requester would be entitled has been made, it is a criminal offence to erase or conceal that information with the intention of preventing disclosure (see s. 77 of FOIA).
  • ‘Concealment’ would include denying that anything of an ‘official capacity’ nature is (or, at the time of the request, was) in one’s private email inbox or text message folder.
  • Public authorities should tell their employees not to use private channels for official business in the first place.

Panopticon understands from some of its friends in the media that requests aiming at exactly this sort of information were fired off this morning (or earlier this week, in anticipation of the new ICO line).

Meanwhile, a decision on the complaint against the Department for Education is in the pipeline.

Panopticon will be keeping its Benthamite eye on how these matters unfold.

Robin Hopkins