Panopticon – Page 60 – Information law blog, from 11 KBW

Expectations of privacy abroad

Posted on 23rd November 2015 | by Paul Greatorex

As all celebrities know, to get the High Court to stop paparazzi pictures of you from being published, the first thing you have to do is show you had a reasonable expectation of privacy. But what if you were snapped outside of the jurisdiction and whilst English law principles suggest that you did have such an expectation, the local law where the photographs were taken says you do not?

The answer given by the Court of Appeal in Weller v Associated Newspapers [2015] EWCA Civ 1176 is that the local law is not determinative and the weight to be given to it is a matter for the judge. Continue reading →

Legislative process

Posted on 18th November 2015 | by James Goudie KC

As is well known, Section 35 of FoIA creates a class-based exemption from disclosure designed to protect the effective formulation of Government policy; and Section 36 creates an exemption related to effective conduct of public affairs. The scope of the Section 35 exemption is that information may be exempt if it relates to the formulation or development of Government policy. However, the wide scope of the exemption is narrowed by the provision that once a decision as to Government policy has been taken statistical information used to provide an informed background to the decision is no longer exempt. Moreover, in determining whether the public interest in maintaining the exemption outweighs the public interest in its disclosure, regard must be had to the particular public interest in the disclosure of factual information that has been used, or is intended to be used, to provide an informed background to decision making. Continue reading →

Tweet Tweet? #silencingFOIontwitter

Posted on 17th November 2015 | by Christopher Knight

Is a request for information made in a tweet a valid request within the meaning of sections 1 and 8 FOIA? Not in Ghafoor v Information Commissioner (EA/2015/0140). The FTT held that section 8(1) requires the request for information to be made using the “real name” of the person making it, and that the provision of an address for correspondence must one which is “suitable for correspondence” between the requestor and the public authority about the request. Continue reading →

GDPR & the media – words of warning

Posted on 12th November 2015 | by Anya Proops KC

Since the CJEU gave judgment in Google Spain, there has been much discussion on the conference circuit about whether the judgment rides rough shod over free speech rights. Certainly the lack of any procedural protections for the media within the right to be forgotten regime has been the subject of much heated debate. For those of you wishing to understand how Article 10 rights are likely to fare under the new General Data Protection Regulation, you would do well to start with this excellent article by Daphne Keller, Director for Intermediary Liability at Stanford Law’s Center for Internet and Society (and notably former Assistant General Counsel to Google).

As Daphne makes clear, the GDPR does not offer the media much by way of solace. Quite the contrary, what we see with the new Regulation is a continuing failure on the part of European legislators to accommodate free speech rights within the data protection regime in a structured and systematic manner. To a large extent this lack of protection for Article 10 rights is a product of the fact that historically data protection and the media have rarely crossed swords. Certainly within our own jurisdiction, it is only over the last 18 months or so that an awareness of the potentially very substantial areas of tension have begun to surface (see further not least the discussion of the Steinmetz case on this blog). However, the reality is that the European quest to place data privacy rights centre-stage, in the online world and beyond, now poses serious challenges for the media. This is something which will hopefully start to register at least with those EU regulators who will in due course be charged with applying the GDPR.

Anya Proops

Navigating the Harbours: The Commission Awakens

Posted on 7th November 2015 | by Christopher Knight

Like everyone else who operates in the field, this blog may have touched once or twice on the issues arising out of Schrems. Both Robin (here) and Tim (here) have provided some summaries of the sorts of alternatives data controllers will need to think about, and the guidance issued by the Article 29 Working Party as a result. But what, everyone has been asking, does the European Commission have to say about all this?

Happily, the heavy lids of ignorance may be lifted as the Commission has awoken. (Whether it more closely resembles the Force or a Kraken is perhaps a matter of personal preference.) It has produced a lengthy document which is actually both helpful and readily understandable. Not adding umpteen recitals probably helps. It draws together a lot of the practical issues and much of the existing guidance from the Article 29 WP already discussed for a sort of cheat-sheet document to help you navigate the ongoing choppy waters. You can find and download it here. Continue reading →

Multi-billion dollar actions for inaccurate personal data?

Posted on 4th November 2015 | by Robin Hopkins

Data protection has developed a curious habit of churning up heroic (or anti-heroic, depending on how you view it) figures who take on global behemoths to surprising effect. Maybe I am being too dramatic, but think of Mario Costeja González, the complainant at the heart of the Google Spain ‘right to be forgotten’ case, and Max Schrems, whose litigation has thrown Safe Harbor and transatlantic data transfers into turmoil.

If we maintain a transatlantic gaze, another such figure comes into view. On Monday of this week, the Supreme Court of the United States heard argument in the case of Spokeo Inc v Thomas Robins. Mr Robins – the potential David in this important new David v Goliath episode – is at the forefront of litigation against the ‘people search engine’ Spokeo (see Anya’s earlier post here).

The profile Spokeo compiled about him said he was a graduate, a professional in his 50s and a married man with children. Hardly defamatory stuff, except that none of it was correct. He did not establish that these errors caused him any financial loss, but he seeks damages for the publication of factually incorrect information about his life.

So what, you say? Well, consider the Amicus Briefs put before SCOTUS by Ebay, Facebook, Google and Yahoo. They all say that this is a very big deal. They point out that, as major global tech innovators, they are exposed to numerous federal and state laws which contain statutory damages provisions for private causes of actions. If standing is granted for “no injury” lawsuits “plaintiffs may pursue suits against amici even where they are not actually harmed by an alleged statutory violation, and in certain circumstances, seek class action damages that could run into the billions of dollars”.

The issues in Robins (should you be compensated for mere breaches or for ‘digital injuries’?) resonate with live issues before the courts in the UK: can you be compensated under the Data Protection Act 1998 for mere distress (see Vidal-Hall v Google, en route to the Supreme Court)? How should one compensate for privacy violations (see Gulati, on which the Court of Appeal’s judgment is awaited)?
Regardless of whether Mr Robins emerges as a Goliath-slayer, his case adds to the law’s increasingly intense scrutiny of global tech companies whose stock in trade is personal data.

Robin Hopkins @hopkinsrobin

WordPress + Bootstrap