By way of a (limited) update, the current expected listing for the Supreme Court hearing in Google Inc v Vidal-Hall is May-July 2016. Plenty of time to get your damages claims resolved between now and then…
CK
Data Sharing and Child Welfare in Scotland
It is not very often that this blog reports developments north of the Wall, but we like to make occasional forays, to check up on events of cross-border impact (and of course Common Services Agency and South Lanarkshire are just two examples of gifts from our Scottish brethren which just keep on giving). Assuming you’ll have had your tea, readers may wish to briefly glance at the recent judgment of the Inner House (the Court of Appeal for Scottish civil matters) in The Christian Institute v Scottish Ministers [2015] CSIH 64.
The case was a challenge to the Children and Young People (Scotland) Act 2014, an Act of the Scottish Parliament. Constitutionally minded readers will be aware that challenges can be brought against Acts of the devolved legislatures on grounds which would not be countenanced against an Act of the Westminster Parliament. Parts 1 to 5 of the 2014 Act form a comprehensive scheme intended to promote and safeguard the rights and wellbeing of children and young people. Part 3 provides for the preparation of three year “children’s services plans” for local authority areas designed to secure, inter alia, that children’s services are provided in a way which: best safeguards, supports and promotes the wellbeing of children; ensures that any action to meet their needs is taken at the earliest appropriate time; is most integrated from the point of view of recipients; and constitutes the best use of available resources. Part 4 requires service providers to make available, in relation to each child or young person, an identified individual (“named person”), whose general function is to promote, support or safeguard the wellbeing of the child or young person, on behalf of the service provider concerned.
The challenge was to the creation of the named person, based upon various Convention articles – particularly 8 and 9 – which need not concern us here. That challenge failed. However, there was also a DP challenge: to “the sections of the 2014 Act which deal with the sharing of information are incompatible with the requirement of the European Parliament and Council Directive on Data Protection (95/46/EC), as read and applied in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. For this reason also the provisions are ultra vires of the Scottish Parliament. They run contrary to the Data Protection Act 1998. The fact that data could be shared, when not strictly necessary, rendered the information sharing provisions (2014 Act, ss 26 and 27) incompatible with Article 7 of the Directive (criteria for legitimacy). There were insufficient safeguards against the unlawful sharing of data. There was no inbuilt “right to be forgotten”“: at [6].
It may be useful to set out the Inner House’s summary of the relevant provisions, at [12]-[14]:
“A set of provisions, contained in sections 23 to 27 of the 2014 Act, regulates requests to, and giving assistance by, service providers and the associated sharing and disclosure of information. Distinct provisions apply according to whether: the named person functions are transferring from one service provider to another (s 23); a service provider is requesting help from another service provider (s 25); a service provider is required to provide information to the service provider (s 26(1)), and vice versa (s 26(3)). A distinction is drawn between information sharing (s 26) and disclosure (s 27), according to the incidence of confidentiality.
A service provider must generally provide the service provider with information which is likely to be relevant to the exercise of named person functions (s 26(1) and (2)). An equivalent duty is placed upon the service provider in the reverse situation (s 26(3) and (4)). The views of the child require to be sought (s 26(5)). The information holder may decide that the information ought only to be provided if the likely benefit to wellbeing outweighs any adverse effect (s 26(7)). The holder may provide information if it is necessary or expedient for the purposes of named person functions. The sharing of information is not permitted or required where disclosure is otherwise prohibited or restricted, other than in relation to a duty of confidentiality (s 26(11)). Thus, disclosure may be permitted, notwithstanding a breach of confidentiality, if the criteria in section 26 are otherwise satisfied and there is no other legal bar to it taking place. It is between service providers, and not individual named persons, that the specified information may be shared. Where information is to be provided in breach of confidentiality, the recipient must be informed of the breach, and must not provide the information to any other person, unless otherwise permitted or required to do so by law (s 27).
In combination, the provisions are calculated to integrate services in order to secure the wellbeing of children and young people.“
The Inner House dealt with the challenge fairly swiftly. It set out the Charter provisions and those of the Directive, before noting that the Directive had been implemented by the “labyrinthine” DPA (not unfair), which was not said to have failed to properly or fully implement the Directive. There was, as a result, no need to go beyond the DPA itself: at [96]. The Court’s reasoning at [97]-[100] is admirably clear.
The 2014 Act was not a mechanism which trumped the DPA. “Section 26(11) of the 2014 Act expressly provides that, with the exception of rules on confidentiality, the information sharing provisions are not to be held as permitting, far less requiring, the provision of information when it is prohibited or restricted by virtue of an enactment or rule of law. This makes it clear that the operation of section 26 involves compliance with existing law. That includes the Data Protection Act 1998 and hence the rights of the Charter and the principles in the Directive.” There might well be breaches in individual cases but they could be resolved on their own facts rather than through an abstract challenge. There “is no need for the 2014 Act to incorporate data protection principles, such as the need for consent or other specific protections, including the destruction of out of date data, within its four walls. The 2014 Act creates a regime involving child welfare which directs what should happen regarding the sharing of relevant information, but it assumes that the actions of those operating the system will comply with data protection principles.”
The 2014 Act did not, held the Inner House, involve the creation or collection of any new data; personal, sensitive or otherwise. The Court was obviously significantly influenced by the social policy of the legislation, seeking to introduce a system for the co-ordination and sharing of existing data in relation to children and young persons whereby situations involving a potential risk to a child’s or young person’s well-being, as defined, can more readily be identified and the relevant agency alerted. There was not a proportionality exercise taking place expressly, but the reasoning suggests pretty clearly what the answer would have been had there been one. See too at [102]-[103].
The challenge on DP grounds consequently failed, and the judgment is one which is easy to understand and follow. The need for a single, coherent, statutory scheme for child welfare information sharing which nonetheless complied with existing DP requirements was an unsurprisingly powerful pull for the Court of Session. It is a reminder that data protection is an important safeguard, but it is neither something which prevents agencies doing their jobs nor a trump card to be played in any and all situations. Carefully calibrated and structured schemes need not fear the DPA.
Christopher Knight
Blindly Fumbling for Consent: PECR and Optical Express
PECR, long the runt of the information law litter, is beginning to take on a life of its own and, just as importantly, the ICO is beginning to really target spam texters and cold-callers. Recent changes to the enforcement provisions of PECR only assist in this task.
The ICO issued an Enforcement Notice against Optical Express in December 2014. Over 4,600 people registered concerns about Optical Express (Westfield) Limited in just seven months reporting the unsolicited messages to the mobile phone networks’ Spam Reporting Service indicating they had not given permission for the company to use their details for marketing. The Notice obliged OE to cease sending unsolicited texts to individuals without their consent.
OE appears not to have seen any problem with texting people who had never previously dealt with it, believing they had sufficient consent. Whether their laser eye surgery offers would have assisted this possible case of Nelsonian blindness is unclear.
The Tribunal has now delivered a lengthy judgment dismissing OE’s appeal: Optical Express v Information Commissioner (EA/2015/0014). Much of the initial part of the judgment is taken up with dismissing various grounds relating to the ICO’s reasoning process and the extent of the reasons set out in the Notice. That will be of some interest to practitioners, but the diligent reader is referred to the judgment itself for the discussion. In particular, the Tribunal considered that the ICO had perfectly adequately explained itself, and OE understood what was being said and why. The fact of a disagreement over the correct interpretation of PECR did not entitle OE to require a higher level of reasoning.
The Tribunal took a robust line in relation to the evidence upon which the ICO was entitled to rely, and made clear that the burden of proof fell on OE to show that consent had been given once the complaints were identified. The ICO would have no way of working out whether consent had been given – that was something within the knowledge of OE alone. A very considerable number of the complaints clearly identified the texts as spam and unwanted. The ICO had also managed to trace three individual recipients who were able to give witness statements that they had not provided any express consent to OE and were not aware of how OE had their information. When OE complained that only these three could establish a case and such a small number did not warrant enforcement action, the Tribunal dismissed this: the ICO was entitled to rely on the full 4600 and in any event would have been entitled to basis a Notice on just three individuals where their cases showed unlawful processes of obtaining data.
The legal point of interest was around the approach to consent under PECR. The Tribunal made clear that consent has to be provided to the sender: thus businesses harvesting lists acquired from third parties will not have consent to text the recipient. Here, OE appeared to have acquired the numbers from Thomas Cook customers who had made the mistake of filling in a survey, which told them that their details might be shared but did not say that OE might text them. How, asked the Tribunal, could this constitute OE fairly obtaining the data in DP terms? The customer has not solicited contact from OE, and contact is therefore in breach of PECR. The Tribunal put the point this way at [86]:
“when consent was obtained by Thomas Cook or whomever, it was not stipulated (or at least it has not been shown to have been stipulated) that the personal data would be processed by OE. Neither was the marketing of specific types of product stipulated. In my opinion it should say something about the products to be marketed if they are different from the business of, for example, Thomas Cook. This falls under the “to guarantee fair processing” category. If the data subject doesn’t know what other products might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others?”
Worth a read for the discussion around the consent provisions, Optical Express now joins something of a line of Tribunal decisions roundly condemning spammers, and giving the ICO considerable latitude in how to present its case. This was not, of course, a monetary penalty notice case (doubtless because at the time the Niebel decision effectively barred such an MPN), but MPNs will doubtless follow in the event of future breaches.
It is always a good idea to ensure full and unambiguous consent where PECR is concerned. And if that means putting your glasses on to do so, so be it.
Robin Hopkins appeared for the ICO.
Christopher Knight
Operation Motorman: Latin, Leveson and Personal Data
We here at Panopticon like to adopt an occasionally light-hearted look at information law developments. Not a ‘sideways look’ you will note, because we aren’t running a smug Radio 4 panel show, but a more gentle touch of humour as a coping mechanism with what can on occasion be a dry topic. So it is with considerable pleasure that we can say that the Upper Tribunal – or at least that part of it that is formed by Judge Wikeley – has followed suit.
In Information Commissioner v Colenso-Dunne [2015] UKUT 471 (AAC), the UT was considering an appeal by the ICO concerning an order of the FTT that it disclose names of journalists that the ICO had seized during a raid on the home of Steve Whittamore in 2003. The raid was known as Operation Motorman, and it is generally supposed that Mr Whittamore, a private investigator, had a list of journalist who used his morally and legally dubious services.
Within the first two paragraphs of his judgment on appeal, Judge Wikeley manages to get in some latin (quis custodiet ipsos custodies?), a Boris Johnson reference and a hat-tip to “some of the more outlandish conspiracy theories that abound on the internet” concerning the ICO, the latter of which in particular suggests that his previous experience of section 14 FOIA cases has left something of an aftertaste… There is also a reference at [26] to a “Grand Tour” with one Mr R Hopkins of the phone-hacking saga, which sounds rather like one of those dubious looking budget cruise holidays advertised on inserts in newspaper magazines which fall out when least expected.
However, more importantly, the ICO argued that the list of names should not released because they were sensitive personal data (because they were information as to the alleged commission of a criminal offence, which was the Commissioner’s evidence to the Leveson Inquiry) and that the ICO had no lawful authority to disclose the names under section 59 of the DPA. Mr Colenso-Dunne argued that the names showed only “a cavalier attitude owards the privacy of those individuals who were the subjects of the inquiries to Mr Whittamore” rather than criminal conduct (not a stance naturally adopted by all Hacked Off members), and that the public interest in disclosure was overwhelming.
The sensitive personal data point was the critical one, because the parties agreed that no Schedule 3 condition applied, and it had to be protected much more carefully. The UT rejected an Orwellian submission that some sensitive personal data were more equal than others because s.2(g) didn’t appear in the Directive, because the commission of criminal offences was selected by Parliament and is just as much part of a life-story as any other category. However, the application of it was fact-specific. The FTT was entitled to find that even if the investigator committed criminal offences, the list of names did not show an instruction to do so or Nelsonian blindness to that effect. Nor was the UT persuaded that release of the list in context would mean that the public would assume the journalists had committed a criminal offence; data controllers are not required to conduct a search of the public domain to see whether anything else could be combined with the data to transform its sensitivity; it has to be apparent from its immediate context: at [45]. The FTT was entitled to find that the data was not sensitive.
As to the balancing exercise under condition 6(1) of Schedule 2, the UT held that the FTT had considered that any reputational damage to journalists was justified in that they would be subject to legitimate criticism for their use of Mr Whittamore. Perhaps worryingly, one only gets the reputational rights one deserves: at [55] (although it is not quite clear in whose eyes these just deserts are to be judged: quis custodiet ipos custards?). The fact that Leveson declined to name the journalists was not determinative, and nor was the fact that the FTT had not followed the precise taxonomy set out in Goldsmith (on which see here and which, for reasons unfathomable, still appears not to have become known as the ‘Knight Principles’). Essentially, the UT was wholly unpersuaded that the FTT’s balancing exercise that the public interest in disclosure and furthering the debate over the ICO’s own role had erred in any way, noting that not all of the 305 names were ordered to be disclosed following the careful analytical exercise undertaken by the FTT.
Judge Wikeley noted that the ICO had been correct to drop an argument that a higher standard of public interest was required to meet the section 59 DPA test, and thus avoid the application of s.44 FOIA. No truck was had with a steps discretion argument – very much in vogue at the moment, although not yet in Vogue – not least because it had not been raised below. Subject to any appeal, the names ordered to be disclosed by the FTT will now have to be disclosed by the ICO. The fall-out from Leveson is not over yet.
Robin Hopkins appeared for the ICO in his capacity as lead tour guide.
Christopher Knight
Refusing a subject access request: proportionality, anxious scrutiny and judicial discretion
Zaw Lin and Wai Phyo v Commissioner of Police for the Metropolis [2015] EWHC 2484 (QB), a judgment of Green J handed down today, is an interesting – if somewhat fact-specific – contribution to the burgeoning body of case law on how subject access requests (SARs) made under the Data Protection Act 1998 (DPA) should be approached, both by data controllers and by courts.
The Claimants are on trial in Thailand for the murder in September 2014 of British tourists Hannah Witheridge and David Miller. They could face the death penalty if convicted.
Under the Police Act 1996, and following high-level discussions (including at Prime Ministerial level), it was agreed that the Metropolitan Police Service (MPS) would send an officer to observe and review – but not assist with – the Thai police investigation. The MPS compiled a detailed Report. They agreed to keep this confidential, except that it could be summarised verbally to the families of the victims so as to reassure about the state of the investigation and proceedings. The Report has never been provided to the families or the Thai authorities.
The Claimants made SARs, seeking disclosure of the MPS’ Report. Green J summarised their objectives as follows (para 29):
“The Claimants have endeavoured to clothe their arguments in the somewhat technical language of the DPA. It seems to me that the bottom line of these arguments, stripped bare of technical garb, can be put in two ways. First, the views of the MPS carry weight. Scotland Yard has an international reputation. If the Report is seen as favourable to the prosecution and contains material supportive of the RTP [Royal Thai Police] investigation (which is in effect how the Claimants say it has been presented in public by the families) then they should have the right to see the personal data so they can correct any misapprehensions. Secondly, that in any event they should be able to use any personal data which is favourable to their defence.”
The Claimants were entitled to request disclosure of at least some of the contents of the Report, though Green J estimated that only a small percentage of its contents constituted their personal data (para 25).
The MPS refused the SARs, relying on the exemption for crime and taxation under section 29 DPA.
In determining the claim under section 7(9) DPA, Green J considered arguments as to the applicability (or not) of Directive 95/46/EC (which contains exceptions for criminal matters: see Articles 3 and 13) and the European Convention on Human Rights. His view was that not much turned on these points here (para 49). At common law, the court’s scrutiny must always be fact- and context-specific. In a life-and-death context, anxious scrutiny would be applied to a data controller’s refusal. See para 69:
“… when construing the DPA 1998 (whether through common law or European eyes) decision makers and courts must have regard to all relevant fundamental rights that arise when balancing the interest of the State and those of the individual. There are no artificial limits to be placed on the exercise.”
Green J expressed his discomfort about the application of section 15(2) DPA, which allows the court – but not the data subject – to view the withheld information. This, together with the prospect of a closed session, raised concerns as to natural and open justice. Given the expedited nature of the case before him, it was not appropriate to appoint a special advocate, but that may need to be considered in future cases where the stakes are very high. Green J proceeded by asking questions and hearing submissions on an open basis in a sufficiently generic and abstract way.
In expressing those procedural misgivings, Green J has touched on an important aspect of DPA litigation which has received little attention to date.
He also took a narrower view of the breadth of his discretion under section 7(9) DPA than has often been assumed. At para 98, he said this of the ‘general and untrammelled’ nature of that judicial discretion:
“If Parliament had intended to confer such a broad residual discretion on the court then, in my view, it would have used far more specific language in section 7(9) than in fact it did. In any event I do not understand the observations in the authorities referred to above to suggest that if I find that the MPS has erred that I should simply make up and then apply whatever test I see fit. If I find an error on the part of the MPS such that I must form my own view then I should do in accordance with the principles set out in the DPA 1998 and taking account of the relevant background principles in the Directive and the Convention. My discretion is unfettered by the decision that has gone before, and which I find unlawful, but I cannot depart from Parliament’s intent.”
Such an approach to section 7(9) could make a material difference to litigation concerning SARs.
Green J then set out and determined the issues before him as follows:
Issue I: Who has the burden of proof of proving both the right to invoke the exemption? What is the standard of proof?
Following R (Lord) v Secretary of State of the Home Department [2003] EWHC 2073 (Admin), the answer is that the data controller bears the burden. “The burden of proof is thus upon the MPS in this case to show its entitlement to refuse access and it must do this with significant and weighty grounds and evidence” (para 85).
Issue II: Was the personal data in the MPS report “processed” for purposes of (a) the prevention or detection of crime or (b) the apprehension or prosecution of offenders?
Green J’s answer was yes. Although the purposes behind the Report differed from the usual policing context, there should be no artificially narrow interpretation of the ‘prevention and detection of crime/apprehension or prosecution of offenders’.
Issue III: Would granting access be likely to prejudice any of those purposes?
This required a balancing exercise to be performed between the individual’s right to access and the interests being pursued by the data controller in refusing disclosure. This called for a “classic proportionality balancing exercise to be performed” (para 78).
Here, the starting point was the Claimant’s prima facie right to the personal data. This was bolstered by the life-and-death context of the present case.
The MPS’ refusal, however, pursued legitimate and weighty objectives. In assessing those objectives, it was relevant to consider what precedent would be set by disclosure: the “focus of attention was not just on the facts of the instant case but could also take account of the impact on other cases” (as per Lord).
On that basis, and in light of the evidence, the MPS’ ‘chilling effect’ argument was powerful. See para 107:
“… I accept their judgment and opinion as to the risks that release of the Report would give rise to and in particular, their position on: the considerable benefit to the public interest (in relation to crime enforcement and public security) generally in the MPS (and other relevant police authorities) being able to engage with foreign authorities; the high importance that is attached by foreign authorities to confidentiality; and the risk that not being able to give strong assurances as to confidentiality would pose to the ability of the MPS and others to enter into meaningful working relationship with such overseas authorities.”
It was also important to avoid any potential interference with a criminal trial in a foreign country.
The Claimants’ SARs were not made for any improper purposes, i.e. for purposes other than those which Directive 95/46/EC sought to further. In that respect, the present case was wholly unlike Durant.
The balancing exercise, however, favoured the MPS. Having considered each item of personal data, Green J said his “ultimate conclusion is that there is nothing in the personal data which would be of any real value to the Claimants” (para 125). He expressed his unease with both the procedure and the outcome. Permission to appeal was granted, though Panopticon understands that an appeal is not being pursued by the Claimants.
Anya Proops and Christopher Knight acted for the Defendant.
Robin Hopkins @hopkinsrobin
Privacy and data protection – summer roundup
August tends to be a quiet month for lawyers. There has, however, been little by way of a summer break in privacy and data protection developments. Here are some August highlights.
Privacy injunction: sexual affairs of sportsman (not philosophers)
Mrs Justice Laing’s August does not appear to have begun restfully. Following a telephone hearing on the afternoon of Saturday 1 August, she granted what became a widely-reported privacy injunction (lasting only until 5 August) restraining the publication of a story about an affair which a prominent sportsman had some years ago: see the judgment in AMC and KLJ v News Group Newspapers [2015] EWHC 2361 (QB).
As usual in such cases, Article 8 and Article 10 rights were relied upon to competing ends. There is no automatic favourite in such contests – an intense focus on the facts is required.
In this case, notwithstanding submissions about the extent to which the affected individuals ‘courted publicity’ or were not ‘private persons’ – there was a reasonable expectation of privacy about a secret sexual affair conducted years ago. The interference needed to be justified.
The right to free expression did not constitute adequate justification without more: “I cannot balance these two incommensurables [Articles 8 and 10] without asking why, and for what purposes, X and R seek to exercise their article 10 rights… The public interest here is, I remind myself, a contribution to a debate in the general interest”.
On the facts, there was insufficient public interest to justify that interference. The sportsman was not found to have hypocritically projected himself as ‘whiter than white’, and his alleged deceits and breaches of protocols in the coducting of his affair were not persuasive – especially years after the event. In any event, the sportsman was a role model for sportsmen or aspiring sportsmen: “he is not a role model for cooks, or for moral philosophers”. The latter point will no doubt be a weight off many a sporting shoulder.
Subject access requests: upcoming appeals
Subject access requests have traditionally received little attention in the courts. As with data protection matters more broadly, this is changing.
Holly Stout blogged earlier this month about the High Court’s judgment in Dawson-Damer and Ors v Taylor Wessing and Ors [2015] EWHC 2366 (Ch). The case concerned legal professional privilege, manual records and relevant filing systems, disproportionate searches and the court’s discretion under section 7(9) DPA. That case is on its way to the Court of Appeal.
So too is the case of Ittihadieh [2015] EWHC 1491 (QB), in which I appeared. That case concerned, among other issues, identification of relevant data controllers and the domestic purposes exemption. It too is on its way to the Court of Appeal.
Subject access requests: the burden of review and redaction
There has also been judgment this month in a County Court case in which I appeared for the Metropolitan Police Service. Mulcahy v MPS, a judgment of District Judge Langley in the Central London County Court, deals in part with the purposes behind a subject access request. It also deals with proportionality and burden, which – as Holly’s recent post discusses – has tended to be a vexed issue under the DPA (see Ezsias, Elliott, Dawson-Damer and the like).
Mulcahy deals with the proportionality of the burden imposed not so much by searching for information within the scope of a subject access request, but for reviewing (and, where necessary, redacting) that information before disclosure. This is an issue which commonly concerns data controllers. The judgment is available here: Mulcahy Judgment.
Privacy damages: Court of Appeal to hear Gulati appeal
May of 2015 saw Mr Justice Mann deliver a ground-breaking judgment on damages awards for privacy breaches: see Gulati & Ors v MGN Ltd [2015] EWHC 1482 (Ch), which concerned victims of phone-hacking (including Paul Gascoigne and Sadie Frost). The awards ranged between £85,000 and £260,250. The judgment and grounds of appeal against the levels of damages awards are explained in this post by Louise Turner of RPC.
Earlier this month, the Court of Appeal granted MGN permission to appeal. The appeal is likely to be expedited. It will not be long before there is a measure of certainty on quantum for privacy breaches.
ICO monetary penalties
Lastly, I turn to privacy-related financial sanctions of a different kind. August has seen the ICO issue two monetary penalty notices.
One was for £50,000 against ‘Stop the Calls’ (ironically, a company which markets devices for blocking unwanted marketing calls) for serious contraventions of regulation 21 of the Privacy and Electronic Regulations 2003 (direct marketing phone calls to persons who registered their opposition to such calls with the Telephone Preference Service).
Another was for £180,000 for a breach of the seventh data protection principle. It was made against The Money Shop following a burglary in which an unencrypted server containing customers’ personal information was stolen.
Robin Hopkins @hopkinsrobin