Is a request for information made in a tweet a valid request within the meaning of sections 1 and 8 FOIA? Not in Ghafoor v Information Commissioner (EA/2015/0140). The FTT held that section 8(1) requires the request for information to be made using the “real name” of the person making it, and that the provision of an address for correspondence must one which is “suitable for correspondence” between the requestor and the public authority about the request. Continue reading
GDPR & the media – words of warning
Since the CJEU gave judgment in Google Spain, there has been much discussion on the conference circuit about whether the judgment rides rough shod over free speech rights. Certainly the lack of any procedural protections for the media within the right to be forgotten regime has been the subject of much heated debate. For those of you wishing to understand how Article 10 rights are likely to fare under the new General Data Protection Regulation, you would do well to start with this excellent article by Daphne Keller, Director for Intermediary Liability at Stanford Law’s Center for Internet and Society (and notably former Assistant General Counsel to Google).
As Daphne makes clear, the GDPR does not offer the media much by way of solace. Quite the contrary, what we see with the new Regulation is a continuing failure on the part of European legislators to accommodate free speech rights within the data protection regime in a structured and systematic manner. To a large extent this lack of protection for Article 10 rights is a product of the fact that historically data protection and the media have rarely crossed swords. Certainly within our own jurisdiction, it is only over the last 18 months or so that an awareness of the potentially very substantial areas of tension have begun to surface (see further not least the discussion of the Steinmetz case on this blog). However, the reality is that the European quest to place data privacy rights centre-stage, in the online world and beyond, now poses serious challenges for the media. This is something which will hopefully start to register at least with those EU regulators who will in due course be charged with applying the GDPR.
Anya Proops
Navigating the Harbours: The Commission Awakens
Like everyone else who operates in the field, this blog may have touched once or twice on the issues arising out of Schrems. Both Robin (here) and Tim (here) have provided some summaries of the sorts of alternatives data controllers will need to think about, and the guidance issued by the Article 29 Working Party as a result. But what, everyone has been asking, does the European Commission have to say about all this?
Happily, the heavy lids of ignorance may be lifted as the Commission has awoken. (Whether it more closely resembles the Force or a Kraken is perhaps a matter of personal preference.) It has produced a lengthy document which is actually both helpful and readily understandable. Not adding umpteen recitals probably helps. It draws together a lot of the practical issues and much of the existing guidance from the Article 29 WP already discussed for a sort of cheat-sheet document to help you navigate the ongoing choppy waters. You can find and download it here. Continue reading
Multi-billion dollar actions for inaccurate personal data?
Data protection has developed a curious habit of churning up heroic (or anti-heroic, depending on how you view it) figures who take on global behemoths to surprising effect. Maybe I am being too dramatic, but think of Mario Costeja González, the complainant at the heart of the Google Spain ‘right to be forgotten’ case, and Max Schrems, whose litigation has thrown Safe Harbor and transatlantic data transfers into turmoil.
If we maintain a transatlantic gaze, another such figure comes into view. On Monday of this week, the Supreme Court of the United States heard argument in the case of Spokeo Inc v Thomas Robins. Mr Robins – the potential David in this important new David v Goliath episode – is at the forefront of litigation against the ‘people search engine’ Spokeo (see Anya’s earlier post here).
The profile Spokeo compiled about him said he was a graduate, a professional in his 50s and a married man with children. Hardly defamatory stuff, except that none of it was correct. He did not establish that these errors caused him any financial loss, but he seeks damages for the publication of factually incorrect information about his life.
So what, you say? Well, consider the Amicus Briefs put before SCOTUS by Ebay, Facebook, Google and Yahoo. They all say that this is a very big deal. They point out that, as major global tech innovators, they are exposed to numerous federal and state laws which contain statutory damages provisions for private causes of actions. If standing is granted for “no injury” lawsuits “plaintiffs may pursue suits against amici even where they are not actually harmed by an alleged statutory violation, and in certain circumstances, seek class action damages that could run into the billions of dollars”.
The issues in Robins (should you be compensated for mere breaches or for ‘digital injuries’?) resonate with live issues before the courts in the UK: can you be compensated under the Data Protection Act 1998 for mere distress (see Vidal-Hall v Google, en route to the Supreme Court)? How should one compensate for privacy violations (see Gulati, on which the Court of Appeal’s judgment is awaited)?
Regardless of whether Mr Robins emerges as a Goliath-slayer, his case adds to the law’s increasingly intense scrutiny of global tech companies whose stock in trade is personal data.
Robin Hopkins @hopkinsrobin
FOI and Article 10: life after Kennedy (and Kenedi)
The right to freedom of expression under Article 10(1) of the European Convention on Human Rights includes “freedom… to receive and impart information and ideas without interference by public authority”. Does that mean that there is a human right to freedom of information?
The question has haunted the courtrooms of the UK and other EU member states in recent years. In England and Wales, the last domestic word has been Kennedy v Charity Commission [2014] UKSC 20. The answer in Kennedy was ‘no’: Article 10 ECHR does not impose a positive, free-standing duty on public authorities to disclose information upon request.
That is not, however, the final word. Kennedy is to be heard by the European Court of Human Rights in Strasbourg – but the case has been stayed. This is because the Grand Chamber accepted another case raising essentially the same question.
The case is Magyar Helsinki Bizottság v Hungary (18030/11). The applicant, a human rights NGO, asked police forces to disclose information about ‘public defenders’, i.e. defence counsel appointed in criminal proceedings. The police forces refused, and the Hungarian court refused to order disclosure. The applicant complains that the refusal interferes with its rights under Article 10.
The case Bizottság was heard by the Grand Chamber today.
The UK government was an intervener. It urged the Court to conclude that Article 10 ECHR does not create a right to receive information from a public authority, in accordance with a line of authority (Leander v Sweden (1987) 9 EHRR 433, Gaskin v United Kingdom (1990) 12 EHRR 36, Guerra v Italy (1998) 26 EHRR 357 and Roche v United Kingdom (2006) 42 EHRR 30).
The Hungarian government’s position was to the same effect. It contended that concessions made in cases supporting the link between Article 10 and freedom of information (such as Társaság a Szabadsagjogokert v Hungary (2011) 53 EHRR 3 and Kenedi v Hungary 27 BHRC 335) were fact-specific.
Statutory rights to freedom of information in England and Wales are currently under threat of curtailment. Kennedy introduced (or confirmed) that, at least in certain circumstances, freedom of information also has a common law foundation. The Grand Chamber’s judgment in Bizottság will reveal whether, in addition to its statutory and common law pillars, freedom of information has a human rights basis as well.
Jason Coppel QC, Karen Steyn QC and Christopher Knight of 11KBW represented intervening parties in Bizottság.
Robin Hopkins @hopkinsrobin
11KBW ranked No. 1 in Data Protection and Information Law in Chambers and Partners and Legal 500 for another year
We are thrilled to be, once again, the only chambers ranked in the top tier in the leading legal directories for data protection and information law. With 5 silks and 9 juniors listed in Chambers, and 5 silks and 8 juniors listed in Legal 500 as leaders in this field, we are recognised as the pre-eminent set having “an impressive roster of highly accomplished counsel at all levels of seniority” acting for both public and private clients and with a breadth and depth of experience second-to-none. Our information law blog, Panopticon, received special mention in Chambers and Partners as impressing clients. We look forward to another successful year and are grateful to our clients for their continuing support.
11KBW remains ‘the set others aspire to beat in data protection work’ – Legal 500, 2015