WordPress + Bootstrap

The question of the extent to which privacy rights have a practical purchase in the online world is very much in the news this week (see below my post on this topic earlier today). An important aspect of this issue is the extent to which individuals are positively identifiable as and when they operate within the online environment. If they are not identifiable then, certainly from a data protection perspective, it cannot be said that their data privacy rights are engaged. This identifiability issue was itself central to the Court of Appeal’s analysis in the case of Vidal-Hall v Google. There the issue was whether the tracking data which Google amassed in respect of the online browsing habits of Google users amounted to personal data, so as to engage data protection legislation. The Court of Appeal had no difficulty in concluding that there was at the very least a serious issue to be tried on this question.

But what about dynamic IP addresses are they also sufficiently identifying to amount to personal data? This is the issue which is currently before the Court of Justice of the European Union in the case of Breyer Case C582/14. Importantly, the Advocate General has now given his opinion on the issue, concluding that dynamic IP addresses can indeed constitute personal data (see here). This is an important development, not least because it reaffirms the fact that the clear direction of travel within Europe is firmly in favour of putting data privacy rights centre stage within the online environment.

Finally, it is worth noting that 11KBW’s Tim Pitt-Payne QC and Robin Hopkins have recently been engaged in battle on a very similar issue before the UK’s information tribunal – see here.

Anya Proops QC

Google has today published an op-ed in which it makes clear its intention to appeal against the CNIL’s ruling that the so-called ‘right to be forgotten’ has global reach, requiring Google to deindex links not just within Europe but across the world – see here.

This is an important step by Google and brings into sharp focus the question of how privacy rights should operate within an effectively globalised online environment. It is interesting that this development comes so soon after the Supreme Court’s judgment in PJS (as to which see Robin’s post here). In PJS, we have seen the Supreme Court trying to hold back the tide of online publicity in order to protect the remnants of PJS’s privacy. Now Google is mounting an appeal which is effectively designed to geo-locate privacy rights, giving them a purchase in some jurisdictions but not others. Of course, the PJS case itself illustrates the practical difficulties which such a parochialising approach to the protection of privacy rights can create. On the other hand, is it really right that domestic courts within Europe are in effect able to foist their legal culture on other jurisdictions, jurisdictions which may well approach the protection of privacy rights in a very different way? Is this a kind of intolerable legal imperialism or is it an approach which can be justified on the basis that the right to privacy is indeed a universal right which does not wax and wane based on geographical factors? These are all really important questions which now lie at the heart of debates surrounding the relationship between data privacy rights and online freedoms.

Anya Proops QC

The Supreme Court has today given judgment in PJS v News Group Newspapers [2016] UKSC 26. It has overturned by a majority (Lords Mance, Neuberger, Reed and Lady Hale) the Court of Appeal’s judgment of 18 April 2015 in the ‘celebrity threesome’ case and restored the interim reporting injunction pending trial. It concluded that, notwithstanding internet publications and articles in the press outside of this jurisdiction, it was not pointless to maintain the interim injunction, and that no genuine public interest in this story had yet been demonstrated. Continue reading →

A few transparency-related updates for readers, which will have a potential impact on (a) the engagement of exemptions under FOIA and the EIR, and (b) the public interest balance. As the Government insists on more openness about certain types of information, including its own, so the withholding of similar information will be harder to justify. There is also now a confirmation that a revised Code of Practice under section 45 FOIA is on its way. Continue reading →

There has long been considerable public concern over the restraint techniques used in young offender institutions and secure training centres. In Willow v Information Commissioner & Ministry of Justice [2016] UKUT 157 (AAC), the Upper Tribunal had to consider the public interest balance as it applied to section 31(1)(f) FOIA, i.e. information prejudicial to the maintenance of security and good order in prisons or other institutions in which people are detained. The request had been for the physical restraint training manual, and the FTT had upheld the application of the exemption.

Much of the judgment is concerned with a reasons challenge of fairly limited wider interest, although Judge Markus stressed that the balancing exercise involves weighing the risk of actual harm and the real chance of benefits, taking account of consequences which are realistic possibilities, and that where the ‘likely to prejudice’ limb was being run concrete evidence was likely to be in short supply. So far, so orthodox, and the reasons/lack of evidence challenge was really a re-run of arguments which failed in the FTT.

More unusual was the centrality to the arguments of the UN Convention on the Rights of the Child. Everyone accepted that the interests of children were part of the balance, but the Respondents (not unfairly) pointed out, that was what the whole case was about, and those interests did not all point one way. However, the argument for the requestor went beyond that, suggesting that article 3(1) of the Convention required particularly close focus on those interests and that FOIA should be construed so far as possible in accordance with that provision.

Judge Markus was having none of this. The Convention is an unincorporated treaty, and she carefully analysed the case law to explain that the authorities did not require unambiguous legislation to be construed consistently with an unincorporated provision, particularly where no ECHR right was engaged (which can be sidewind route to using the Convention). She firmly held that FOIA was not ambiguous, there was no ECHR issue and FOIA could not be incorporating or reflecting article 3(1) in any way. In short, everyone had been thinking of the children, and they were not required to think about them with any greater force.

Christopher Knight

If you thought the GDPR had a disappointing ring of informality to it, you will be delighted to hear that the final translated text of the GDPR has now been published in the Official Journal. As a result, it has a number: Regulation 2016/679. But it is not just a number; it is also a free man, having a lengthy name (“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”). The OJ English text in html can be found here, and the pdf here. Article 99(2) provides that it shall apply from 25 May 2018.

Altogether now: ‘Remember my name: Regulation 2016/679! I’m going to live forever!* I’m going to learn how to fly!**”

*Or at least until the next burst of data protection enthusiasm.

**Although better details on learning to fly may be found in the new Passenger Name Record Directive, or Directive 2016/681. The Criminal Law Enforcement Data Protection Directive, or Directive 2016/680, has also now been published.

Regulation 2016/679 doesn’t sound very catchy, but we’ll all know it off by heart soon enough.

Christopher Knight