WordPress + Bootstrap

So here’s the question: you’re an individual who wants to have certain links containing information about you deindexed by Google; Google has refused to accede to your request and, upon complaint to the ICO, the Commissioner has decided that your complaint is unfounded and so he refuses to take enforcement action against Google under s. 40 DPA 1998; can you nonetheless secure the result you seek in terms of getting your data forgotten by mounting a judicial review challenge to the ICO’s decision? Well if the recent decision by the Administrative Court in the case of R(Khashaba) v Information Commissioner (CO/2399/2015) is anything to go by, it seems that you’ll be facing a rather mountainous uphill struggle.

In Khashaba, Mr Khashaba had complained to the Commissioner about Google’s refusal to de-index certain articles which apparently contained information revealing that Mr Khashaba had failed in his legal attempts to get his gun licences reinstated and had also failed to obtain placement on the Register of Medical Specialists in Ireland. The Commissioner concluded that Google had acted lawfully under the DPA 1998 in refusing to de-index the articles in question. Mr Khashaba was evidently unhappy with this result. Accordingly, he brought a judicial review claim against the Commissioner in which he contended in essence that the Commissioner had erred: (a) when he concluded, in exercise of his assessment powers under s. 42, that Google had acted lawfully in refusing to de-index the articles and (b) by failing to take enforcement action against Google under s. 40. By way of an order dated 17 July 2015, Hickinbottom J dismissed Mr Khashaba’s application for permission to judicially review the Commissioner’s decision. His reasoning was based on the Commissioner’s summary grounds, upon which the court felt itself unable to improve:

– first, permission was refused on the ground that Mr Khashaba had an alternative remedy because it was open to him to bring proceedings against Google directly in connection with its refusal of his application to be forgotten;

– second, the Commissioner had a wide discretion under s. 42 as to the manner in which he conducts his assessment and as to his conclusions on breach. He also had a wide discretion when it came to the issue of enforcement under s. 40. There was no basis for concluding that the way in which the Commissioner had exercised his powers in response to Mr Khashaba’s complaint was unreasonable or otherwise disproportionate.

All of which tends to suggest that: (a) the courts are likely to be very slow in impugning a decision of the Commissioner that particular information should not be forgotten and (b) that, if you’re an applicant who wants your data to be forgotten, you may yet find that the regulatory route offers little by way of comfort in terms of securing the necessary amnesiac effect.

11KBW’s Christopher Knight represented the Commissioner.

Anya Proops

 

An important rule of Government is to outsource anything difficult or potentially controversial to an independent body which can then deliver a report to be ignored or implemented as required or the political mood dictate. The recent investigation into new runways at Heathrow was a good example, at least until it came up with an answer the Prime Minister didn’t entirely want to hear, and the Commission on a Bill of Rights was a superlative instance of a very learned study which achieved precisely nothing other than kicking a political football into the long grass.

Now it is the turn of the Freedom of Information Act 2000 to be undergone scrutiny by the Independent Commission on Freedom of Information. Snappy title. It is chaired by Lord Burns (former senior civil servant at HM Treasury) and contains such luminaries as Jack Straw, Lord Michael Howard, Lord Carlisle and Dame Patricia Hodgson (of Ofcom). Just in case anyone was suffering under the delusion that the Commission would be looking into widening the scope and application of FOIA, the terms of reference are set by the Cabinet Office as:

• whether there is an appropriate public interest balance between transparency, accountability and the need for sensitive information to have robust protection
• whether the operation of the Act adequately recognises the need for a ‘safe space’ for policy development and implementation and frank advice
• the balance between the need to maintain public access to information, the burden of the Act on public authorities and whether change is needed to moderate that while maintaining public access to information

One would not, however, wish readers to think that the Government were anything less than fully committed to revealing information. On the contrary, the written statement laid by the Minister, Lord Bridges, opens by saying “We are committed to being the most transparent government in the world.” Well, quite. “We fully support the Freedom of Information Act [could there be a ‘but’ coming?] but [ah yes, there it is] after more than a decade in operation it is time that the process is reviewed, to make sure it’s working effectively.” The new Commission has a webpage here and is to report by November, which gives the grass limited time to lengthen… The Commission won’t, of course, be able to do anything about the EIRs.

Responsibility for FOIA has also been transferred to the Cabinet Office, which at least gives Michael Gove one less constitutional headache to deal with.

Christopher Knight

Mr Brown became a well-known figure in litigation circles when he sought to unseal the Will of Princess Margaret in the belief that it might reveal information showing him to be her illegitimate son. In the course of his unsuccessful litigation, it was revealed that there existed what had been described orally during the court proceedings as a “Practice Direction in respect of the handling of Royal Wills” (although there is dispute over precisely what form this document takes and whether it is really a Practice Direction at all), produced by the-then President of the Family Division following liaison with the Royal Household.

Having failed to unseal the Will, Mr Brown requested a copy of the document from the Attorney General. He was refused, under section 37 FOIA. The First-tier Tribunal upheld that refusal (on which see Robin’s blog here). Mr Brown appealed to the Upper Tribunal on the grounds of inadequacy of the Tribunal’s reasons and a failure to properly apply the public interest test. He was refused permission, but then successfully judicially reviewed the Upper Tribunal for failure to grant him permission (on which, see my blog here).

Much happened subsequently. Having fought hard to prevent disclosure of the ‘Practice Direction’ the AG then released almost all of it to Mr Brown in advance of the substantive appeal hearing before the Upper Tribunal. The unreleased aspect was one paragraph, which was supplied to him in ‘gisted’ form. Nonetheless, Mr Brown sought disclosure of the outstanding paragraph. Perhaps not entirely surprisingly, Charles J in the Upper Tribunal has just refused to give him the final missing piece: Brown v ICO & Attorney General [2015] UKUT 393 (AAC).

The Upper Tribunal decision, in the light of the release by AG, had rather less work to do than it might have done, and the judgment will be of equivalent reduced wider interest. However, Charles J does roundly endorse the proposition that there is a very powerful public interest “against the creation of undisclosed principles and procedures to be applied by the court to an application to seal any will, and this is strengthened when participants in and the decision maker on that application (the court through initially or generally the President of the Family Division) and the normal guardian of the public interest (the Attorney General) have been involved in its creation on a confidential and undisclosed basis, and so in favour of the publication of the principles and procedure to be applied on any such application (particularly if initially or generally the application will be made in private)“. In other words, the AG was right to concede that the material should be disclosed. There was no further interest in the gisted paragraph also being revealed because the essential meaning had been conveyed.

Whether this brings Mr Brown’s campaign to an end is another matter, but whatever one might think of his view as to his parentage, his uncovering of a – to put it neutrally – highly unusual document agreed between the AG, the Royal Household and the President of the Family Division concerning court procedures is a worthy effort.

Robin Hopkins appeared for the ICO; Joanne Clement appeared for the Attorney General and Anya Proops appeared for Mr Brown at some of the earlier stages of proceedings.

Christopher Knight

The principle disadvantage, to the data protection lawyer, of the failure of Esperanto is that every now and then the CJEU hands down a judgment which is only available in French, and even Panopticon cannot blog every entry in Franglais. Such is the problem raised by the Opinion of the Advocate General (Cruz Villalon) in Case C-201/14 Bara v Presedintele Casei Nationala de Asigurari de Sanatate. Readers will have to forgive any failure to capture the nuances.

Bara is a reference from the Romanian courts and contains a number of questions, the majority of which concern the compatibility of national tax authority arrangements with Article 124 TFEU (which prohibits in most cases privileged access for public bodies to financial institutions). Those need not concern us, not least because the AG considered them to be inadmissible.

However, the fourth question referred was in the following terms: “May personal data be processed by authorities for which such data were not intended where such an operation gives rise, retroactively, to financial loss?” The context appears to be that people deriving their income from independent activities were called to pay their contributions to the National Fund for health insurance, following a tax notice issued by the Romanian health insurance fund. However, that tax notice was calculated on the basis of data on income provided National Tax Administration Agency under an internal administrative protocol. The complaint was that the transfer by the Tax Agency to the Health Insurance Fund of personal data, particularly related to income, was in breach of Directive 95/46/EC because no consent had been provided to the transfer, the data subjects had not been informed of the transfer and the transfer was not for the same purpose as the data was originally supplied.

The Advocate General answered the fourth question by saying that the Directive precludes national legislation which allows a public institution of a Member State to process personal data that has been supplied by another public institution, including the data relating to the income of the persons concerned, without the latter having been previously informed of this transmission or treatment. This was despite the fact that the AG recognised that the Romanian bodies had a legitimate interest in being able to properly tax self-employed persons; the informal protocol did not constitute a legislative measure setting out a relevant national exemption under Article 13. The AG stressed that the requirement of notification in Article 11 had not been complied with, and that the data subjects accordingly had been unable to object to the transfer. The data subjects had not given their unambiguous consent. Although Article 7(e) (necessary for the performance of a task) could apply to a transfer of income data, it had to be shown that it was strictly necessary for the realisation of the functions of the Health Insurance Fund. (This appears to be a higher test being imposed than the usual interpretation of necessary as ‘reasonably necessary’, as per the Supreme Court in South Lanarkshire). The AG did not consider that test met.

It remains, of course, to be seen whether the CJEU will take the same approach; but it seems fairly likely that Bara will produce a judgment which confirms the illegality of inter-institutional transfer of personal data without express consent or a carefully defined need which is prescribed by law. There is nothing ground-breaking in that conclusion, but it is an important reiteration of the need for data controllers anywhere in the EU to think carefully about the authorisation they have to hand over personal data to other bodies; informal agreements or policy documents are not sufficient without a legal underpinning (through the DPA) or consent of the data subject.

The forthcoming judgment in Case C-582/14, Breyer will also raise issues over consent in the context of IP information retained by websites, along with the vexed question of whether an IP address can constitute personal data when combined with other information available to a third party (issues similar to those raised in Vidal-Hall v Google, on which see here). When the final judgments in Bara and Breyer appear, so will the analysis of some intrepid blogger of this parish.

Christopher Knight