WordPress + Bootstrap

Anyone who has been following the litigation on charging for access to property search information under the EIR may like to know that the judgment in East Sussex v Information Commissioner is due to be given by the CJEU on 6 October 2015 (for further information on the background to the case and the Advocate-General’s Opinion, see here). One of the important issues in the East Sussex litigation has been the risks which charging for environmental information may pose in terms of the potential dissuasive effect on applicants. It will be interesting to see whether the Government has an eye to such dissuasive effects as when it is thinking how to develop its proposals on fees in the GRC (see further Chris Knight’s post on the proposals here).

Anya Proops

An intriguing summary has emerged on Lawtel (subscription required) of a decision of the Chancery Division (John Jarvis QC) in a case called Hallows v Wilson Barca LLP, which suggests that the duties imposed on public bodies by the Freedom of Information Act 2000 (FOIA) can be relevant to the common law doctrine of legal professional privilege.

The decision appears to hold that lawyers who obtain documents from public bodies for the purpose of litigation (which would therefore normally be protected by litigation privilege) need to bear in mind the existence of FOIA and make that purpose clear otherwise they will be taken to have waived privilege.  Whether, on close inspection of the full judgment, this turns out to be a true description of the ratio decidendi remains to be seen, the case seems worth noting in any event.

The issue arose in the context of a claim brought by the claimant (C) against the solicitors (D) who had acted for him to register title to a plot of land.  C alleged that D had failed to register the fact that the land benefitted from certain rights of way which would materially affect the value of any development on the land.  C’s new solicitors in that claim (S) sought the advice from the local planning authority (LPA) on whether planning permission would be likely to be granted for any development on the land.

In making the request, S said it was doing so on a confidential basis, but did not mention it was being made in connection with the litigation between C and D.  The LPA provided the advice sought, which subsequently found its way into D’s hands via a FOIA request by D.  C sought an injunction restraining D’s use of that information in the proceedings between them on the basis that it was legally privileged.

The court agreed that the advice was prima facie protected by litigation privilege but said that requesters like S had to bear in mind that the LPA was subject to duties imposed by FOIA to provide information to the public.  Since no indication had been given that the advice was sought in the context of litigation, the court said that S had accepted that the information could come into the public domain by virtue of the local authority’s duties under FOIA and had therefore necessarily and impliedly waived any privilege which had existed.

In the alternative, the court said that even if it had accepted that privilege could still be maintained, it would not have been appropriate to restrain D from relying on the advice.  The way in which S sought advice was said to have run the risk that any privilege would be waived and D had also not acted improperly in making the request it did under FOIA or in reading the information once it had received it.

As noted above, the full analysis and implications may only become apparent if and when the full judgment becomes available and this was of course a decision in the context of private law proceedings rather than under FOIA.  Nonetheless, legal professional privilege is a common law doctrine and, unlike FOIA, is absolute in the protection it affords against disclosure.  The suggestion that the Act could influence the common law in this way is a very interesting one.

In practical terms, for those involved in planning law the decision sits alongside the decision in Tidman v Reading BC [1994] 3 PLR 72 (that LPAs do not owe a duty of care in providing such advice) as another important point for those making such requests to bear in mind.

Paul Greatorex

In case you have missed this vitally important piece of news (because I certainly did), the European Data Protection Supervisor has come up with an ingenious way of weaning you off playing Angry Birds. Yes, the EU Data Protection mobile app is now available at no charge for all data protection addicts – see here. Now, instead of getting on with some paid work, you can while away your time comparing the latest proposed texts of the draft General Data Protection Regulation. Joy!

Anya Proops

By way of a (limited) update, the current expected listing for the Supreme Court hearing in Google Inc v Vidal-Hall is May-July 2016. Plenty of time to get your damages claims resolved between now and then…

CK

It is not very often that this blog reports developments north of the Wall, but we like to make occasional forays, to check up on events of cross-border impact (and of course Common Services Agency and South Lanarkshire are just two examples of gifts from our Scottish brethren which just keep on giving). Assuming you’ll have had your tea, readers may wish to briefly glance at the recent judgment of the Inner House (the Court of Appeal for Scottish civil matters) in The Christian Institute v Scottish Ministers [2015] CSIH 64.

The case was a challenge to the Children and Young People (Scotland) Act 2014, an Act of the Scottish Parliament. Constitutionally minded readers will be aware that challenges can be brought against Acts of the devolved legislatures on grounds which would not be countenanced against an Act of the Westminster Parliament. Parts 1 to 5 of the 2014 Act form a comprehensive scheme intended to promote and safeguard the rights and wellbeing of children and young people. Part 3 provides for the preparation of three year “children’s services plans” for local authority areas designed to secure, inter alia, that children’s services are provided in a way which: best safeguards, supports and promotes the wellbeing of children; ensures that any action to meet their needs is taken at the earliest appropriate time; is most integrated from the point of view of recipients; and constitutes the best use of available resources.  Part 4 requires service providers to make available, in relation to each child or young person, an identified individual (“named person”), whose general function is to promote, support or safeguard the wellbeing of the child or young person, on behalf of the service provider concerned.

The challenge was to the creation of the named person, based upon various Convention articles – particularly 8 and 9 – which need not concern us here. That challenge failed. However, there was also a DP challenge: to “the sections of the 2014 Act which deal with the sharing of information are incompatible with the requirement of the European Parliament and Council Directive on Data Protection (95/46/EC), as read and applied in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.  For this reason also the provisions are ultra vires of the Scottish Parliament.  They run contrary to the Data Protection Act 1998.  The fact that data could be shared, when not strictly necessary, rendered the information sharing provisions (2014 Act, ss 26 and 27) incompatible with Article 7 of the Directive (criteria for legitimacy).  There were insufficient safeguards against the unlawful sharing of data.  There was no inbuilt “right to be forgotten”“: at [6].

It may be useful to set out the Inner House’s summary of the relevant provisions, at [12]-[14]:

“A set of provisions, contained in sections 23 to 27 of the 2014 Act, regulates requests to, and giving assistance by, service providers and the associated sharing and disclosure of information.  Distinct provisions apply according to whether: the named person functions are transferring from one service provider to another (s 23); a service provider is requesting help from another service provider (s 25); a service provider is required to provide information to the service provider (s 26(1)), and vice versa (s 26(3)).  A distinction is drawn between information sharing (s 26) and disclosure (s 27), according to the incidence of confidentiality.

A service provider must generally provide the service provider with information which is likely to be relevant to the exercise of named person functions (s 26(1) and (2)).  An equivalent duty is placed upon the service provider in the reverse situation (s 26(3) and (4)).  The views of the child require to be sought (s 26(5)).  The information holder may decide that the information ought only to be provided if the likely benefit to wellbeing outweighs any adverse effect (s 26(7)).  The holder may provide information if it is necessary or expedient for the purposes of named person functions. The sharing of information is not permitted or required where disclosure is otherwise prohibited or restricted, other than in relation to a duty of confidentiality (s 26(11)).  Thus, disclosure may be permitted, notwithstanding a breach of confidentiality, if the criteria in section 26 are otherwise satisfied and there is no other legal bar to it taking place. It is between service providers, and not individual named persons, that the specified information may be shared.  Where information is to be provided in breach of confidentiality, the recipient must be informed of the breach, and must not provide the information to any other person, unless otherwise permitted or required to do so by law (s 27).

In combination, the provisions are calculated to integrate services in order to secure the wellbeing of children and young people.“

The Inner House dealt with the challenge fairly swiftly. It set out the Charter provisions and those of the Directive, before noting that the Directive had been implemented by the “labyrinthine” DPA (not unfair), which was not said to have failed to properly or fully implement the Directive. There was, as a result, no need to go beyond the DPA itself: at [96]. The Court’s reasoning at [97]-[100] is admirably clear.

The 2014 Act was not a mechanism which trumped the DPA. “Section 26(11) of the 2014 Act expressly provides that, with the exception of rules on confidentiality, the information sharing provisions are not to be held as permitting, far less requiring, the provision of information when it is prohibited or restricted by virtue of an enactment or rule of law.  This makes it clear that the operation of section 26 involves compliance with existing law.  That includes the Data Protection Act 1998 and hence the rights of the Charter and the principles in the Directive.” There might well be breaches in individual cases but they could be resolved on their own facts rather than through an abstract challenge. There “is no need for the 2014 Act to incorporate data protection principles, such as the need for consent or other specific protections, including the destruction of out of date data, within its four walls.  The 2014 Act creates a regime involving child welfare which directs what should happen regarding the sharing of relevant information, but it assumes that the actions of those operating the system will comply with data protection principles.”

The 2014 Act did not, held the Inner House, involve the creation or collection of any new data; personal, sensitive or otherwise. The Court was obviously significantly influenced by the social policy of the legislation, seeking to introduce a system for the co-ordination and sharing of existing data in relation to children and young persons whereby situations involving a potential risk to a child’s or young person’s well-being, as defined, can more readily be identified and the relevant agency alerted. There was not a proportionality exercise taking place expressly, but the reasoning suggests pretty clearly what the answer would have been had there been one. See too at [102]-[103].

The challenge on DP grounds consequently failed, and the judgment is one which is easy to understand and follow. The need for a single, coherent, statutory scheme for child welfare information sharing which nonetheless complied with existing DP requirements was an unsurprisingly powerful pull for the Court of Session. It is a reminder that data protection is an important safeguard, but it is neither something which prevents agencies doing their jobs nor a trump card to be played in any and all situations. Carefully calibrated and structured schemes need not fear the DPA.

Christopher Knight

PECR, long the runt of the information law litter, is beginning to take on a life of its own and, just as importantly, the ICO is beginning to really target spam texters and cold-callers. Recent changes to the enforcement provisions of PECR only assist in this task.

The ICO issued an Enforcement Notice against Optical Express in December 2014. Over 4,600 people registered concerns about Optical Express (Westfield) Limited in just seven months reporting the unsolicited messages to the mobile phone networks’ Spam Reporting Service indicating they had not given permission for the company to use their details for marketing. The Notice obliged OE to cease sending unsolicited texts to individuals without their consent.

OE appears not to have seen any problem with texting people who had never previously dealt with it, believing they had sufficient consent. Whether their laser eye surgery offers would have assisted this possible case of Nelsonian blindness is unclear.

The Tribunal has now delivered a lengthy judgment dismissing OE’s appeal: Optical Express v Information Commissioner (EA/2015/0014). Much of the initial part of the judgment is taken up with dismissing various grounds relating to the ICO’s reasoning process and the extent of the reasons set out in the Notice. That will be of some interest to practitioners, but the diligent reader is referred to the judgment itself for the discussion. In particular, the Tribunal considered that the ICO had perfectly adequately explained itself, and OE understood what was being said and why. The fact of a disagreement over the correct interpretation of PECR did not entitle OE to require a higher level of reasoning.

The Tribunal took a robust line in relation to the evidence upon which the ICO was entitled to rely, and made clear that the burden of proof fell on OE to show that consent had been given once the complaints were identified. The ICO would have no way of working out whether consent had been given – that was something within the knowledge of OE alone. A very considerable number of the complaints clearly identified the texts as spam and unwanted. The ICO had also managed to trace three individual recipients who were able to give witness statements that they had not provided any express consent to OE and were not aware of how OE had their information. When OE complained that only these three could establish a case and such a small number did not warrant enforcement action, the Tribunal dismissed this: the ICO was entitled to rely on the full 4600 and in any event would have been entitled to basis a Notice on just three individuals where their cases showed unlawful processes of obtaining data.

The legal point of interest was around the approach to consent under PECR. The Tribunal made clear that consent has to be provided to the sender: thus businesses harvesting lists acquired from third parties will not have consent to text the recipient. Here, OE appeared to have acquired the numbers from Thomas Cook customers who had made the mistake of filling in a survey, which told them that their details might be shared but did not say that OE might text them. How, asked the Tribunal, could this constitute OE fairly obtaining the data in DP terms? The customer has not solicited contact from OE, and contact is therefore in breach of PECR. The Tribunal put the point this way at [86]:

“when consent was obtained by Thomas Cook or whomever, it was not stipulated (or at least it has not been shown to have been stipulated) that the personal data would be processed by OE. Neither was the marketing of specific types of product stipulated. In my opinion it should say something about the products to be marketed if they are different from the business of, for example, Thomas Cook. This falls under the “to guarantee fair processing” category. If the data subject doesn’t know what other products might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others?”

Worth a read for the discussion around the consent provisions, Optical Express now joins something of a line of Tribunal decisions roundly condemning spammers, and giving the ICO considerable latitude in how to present its case. This was not, of course, a monetary penalty notice case (doubtless because at the time the Niebel decision effectively barred such an MPN), but MPNs will doubtless follow in the event of future breaches.

It is always a good idea to ensure full and unambiguous consent where PECR is concerned. And if that means putting your glasses on to do so, so be it.

Robin Hopkins appeared for the ICO.

Christopher Knight