Do Young Thugs have Human Rights? The Supreme Court has a Riot

Following a period of considered reflection, or laziness depending on one’s view, it is worth noting the decision of the Supreme Court in In the matter of an application by JR38 for Judicial Review [2015] UKSC 42. The case is all about Article 8 ECHR, and is of particular interest because of the dispute about the breadth of the correct test for the engagement of Article 8. The context is also one which will be familiar to English data protection and privacy lawyers: the publication by the police of photographs seeking to identify a suspect. If anyone remembers that famous picture of a youth in a hoodie pointing his fingers like a gun behind an awkward looking David Cameron, JR38 is basically that, but with Molotov cocktails and a sprinkling of sectarian hatred.

In JR38, the suspect in question was a 14-year-old child whose photograph was published by the PSNI as someone involved in rioting in an area of Derry in 2010 which had particular sectarian tensions. The judgment of Lord Kerr makes clear that JR38 has by no means been a well-behaved young man before or since the riots of 2010. Moreover, and amusingly, it is apparent that he and his father failed to correctly identify his own appearance in pictures published, and originally sued on the basis of images which did not show JR38 at all. However, a correct image was eventually alighted upon.

The judgments contain a lengthy and detailed discussion of the domestic and Strasbourg case law on the engagement of Article 8, but there was a 3-2 split in the Court as to the correct approach. Lords Toulson and Clarke (with both of whom Lord Hodge agreed) considered that the overwhelming approach of the existing domestic law was to apply the touchstone of the reasonable/legitimate expectation of privacy test: see Lord Toulson at [87]-[88]. The test (originating, of course, in Campbell) focuses on “the sensibilities of a reasonable person in the position of the person who is the subject of the conduct complained about…If there could be no reasonable expectation of privacy, or legitimate expectation of protection, it is hard to see how there could nevertheless be a lack of respect for their article 8 rights”. The warning in Campbell not to bleed justification matters into the engagement analysis was stressed.

The difference between the majority and minority of Lord Kerr (with whom Lord Wilson agreed) was explained by Lord Clarke at [105]. Does the reasonable expectation of privacy test provide the only touchstone? The majority thought that it did, it being the only test set out clearly in the cases, and it being a broad objective concept to be applied in all the circumstances of the case and having regard to the underlying values involved, unconcerned with the subjective expectation of the individual, be they child or adult (see at [98] per Lord Toulson and [109] per Lord Clarke).

In essence, the majority did not consider this context to be one which Article 8 was designed to protect. The identification of a suspect was not within the scope of personal autonomy, although publication of the same picture for a different purpose, other than identification, might be: at [98] (and at [112] where Lord Clarke did not consider the mere fact of criminal activity took the matter outside Article 8). Historic or re-published photos may alter the situation: at [101].

By contrast, Lord Kerr took a broader view, holding that the reasonable expectation of privacy test might be the ‘rule of thumb’, but could not be an inflexible, wholly determinative test. The scope of Article 8 was much broader and was contextual, requiring consideration of factors such as: age, consent, stigmatisation, the context of the photographed activity and the use of the image. Reasonable expectation of privacy failed, in his view, to allow for these factors to be considered: at [56]. Rather than shoehorning such factors into the test, they should bear on the issue in a free-standing footing: at [61]. The focus must be on the publication – i.e. the infringement – rather than the activity the photo displays. For Lord Kerr, the fact that JR38 was a child, taken with the potential effect publication might have on the life of the child, was more than sufficient to engage Article 8 (in the way that it might not for an adult): at [65]-[66].

The debate is an interesting one, but there is a very strong chance that the flexibility of the majority orthodox approach is likely to mean very little difference in substance between the two. It will, however, be worth emphasising the importance of context, particularly in child cases under Article 8.

The Court was, however, unanimous in agreeing that publication was justified in any event; rioters had to be identified (and other methods had been tried internally first), with the peril in which inter-community harmony was placed being particularly important in the fair balance.

Where, readers of this blog might ask, was the DPA in all this namby-pamby human rights discussion? Why is there no mention of schedules and data protection principles and all the other black letter statutory stuff that so gets the blood pumping? Well, it was mentioned, at [70], by Lord Kerr who considered that compliance with the DPA would mean that the limb of proportionality which requires the act to be in accordance with the law would be met. In very brief reasoning, Lord Kerr concluded that this type of case was within section 29 because publication was processing for the purposes of prevention and detection of crime, and that the relevant condition met in both Schedule 2 and 3 (because he agreed it was clearly sensitive personal data) was that of the processing being necessary for the administration of justice. Unfortunately, there was no analysis of the way in which it was necessary for the administration of justice, or the extent to which this is the same as the prevention and detection of crime. Nor is it quite the same reasoning as adopted by Lord Woolf CJ in the well-known ‘naming and shaming’ case of R (Ellis) v Chief Constable of Essex Police [2003] EWHC 1321 (Admin), which, at [29], appeared to apply the conditions in Schedules 2 and 3 whereby processing was necessary for the performance of functions by or under any enactment (without further specification). Where the Supreme Court speaks, we follow, but it might have been helpful to detail this aspect a little more, although it is another example of a case in which Article 8 is presumed to do all of the work and the DPA be raced through in a paragraph to avoid having to think about it too much. That Article 8 and the DPA are ensured to be pulling in the same direction is, however, a relief to us all.

Christopher Knight

Austria will not host Europe vs Facebook showdown

As illustrated by Anya Proops’ recent post on a Hungarian case currently before the CJEU, the territorial jurisdiction of European data protection law can raise difficult questions.

Such questions have bitten hard in the Europe vs Facebook litigation. Max Schrems, an Austrian law graduate, is spearheading a massive class action in which some 25,000 Facebook users allege numerous data protection violations by the social media giant. Those include: unlawful obtaining of personal data (including via plug-ins and “like” buttons); invalid consent to Facebook’s processing of users’ personal data; use of personal data for impermissible purposes, including the unlawful analysing of data/profiling of users (“the Defendant analyses the data available on every user and tries to explore users’ interests, preferences and circumstances…”); unlawful sharing of personal data with third parties and third-party applications. The details of the claim are here.

Importantly, however, the claim is against Facebook Ireland Ltd, a subsidiary of the Californian-based Facebook Inc. The class action has been brought in Austria.

Facebook challenged the Austrian court’s jurisdiction. Last week, it received a judgment in its favour from the Viennese Regional Civil Court. The Court said it lacks jurisdiction in part because Mr Schrems is not deemed to be a ‘consumer’ of Facebook’s services. In part also, it lacks jurisdiction because Austria is not the right place to be bringing the claim. Facebook argued that the claim should be brought either in Ireland or in California, and the Court agreed.

Mr Schrems has announced his intention to appeal. In the meantime, the Austrian decision will continue to raise both eyebrows and questions, particularly given that a number of other judgments in recent years have seen European courts accepting jurisdiction to hear claims against social media companies (such as Google: see Vidal-Hall, for example) based elsewhere.

The Austrian decision also highlights the difficulties of the ‘one-stop shop’ principle which remains part of the draft Data Protection Regulation (albeit in more nuanced and complicated formulation than had earlier been proposed). In short, why should an Austrian user have to sue in Ireland?

Panopticon will report on any developments in this case in due course. It will also report on the other strand of Mr Schrems’ privacy campaign, namely his challenge to the lawfulness of the Safe Harbour regime for the transferring of personal data to the USA. That challenge has been heard by the CJEU, and the Advocate General’s opinion is imminent. The case will have major implications for those whose business involves transatlantic data transfers.

Robin Hopkins @hopkinsrobin

Forget me knot…BBC publishes list of ‘forgotten’ stories

Since the CJEU’s controversial decision in Google Spain, the debates have raged about how the so-called right to be forgotten should cash out in the online world. Particular concerns have been expressed by the media that the judgment rides roughshod over Article 10 rights, including not least the Article 10 rights of the website authors whose stories are being deindexed. Now it seems the BBC is seeking to reassert its Article 10 rights by publishing a list of all the stories which have been deindexed by Google thus far – see here.

The BBC’s position is that the publication of the list does not seek to frustrate the Court’s judgment, because it will not ‘make the stories more findable for anyone looking for a name’. What it will do, according to the BBC, is enable a ‘meaningful debate’ about the right to be forgotten to take place. This is a bold step coming from one of the world’s most respected media organisations. It will doubtless provoke a copycat reaction from other media organisations which regard the CJEU’s judgment in Google Spain as an affront to their Article 10 rights. What is interesting about this new approach is that it does very clearly allow the wider public to examine how the right to be forgotten is in practice being weighed against the fundamental right to free expression. No doubt the BBC’s actions will attract criticism from those individuals who had hoped that their requests to be forgotten would result in the relevant links sinking for all time into the soup of online forgetfulness. It remains to be seen how the Information Commissioner will respond to this important and provocative development.

Anya Proops

New A-G’s opinion on territorial application of Data Protection Directive

The transnational nature of many modern commercial enterprises can create significant difficulties when it comes to the application of domestic data protection legislation within the EU. Questions can often arise as to whether the enterprise has the necessary territorial presence in order to enable the domestic legislation to apply. These questions can be particularly difficult to resolve where the enterprise in question comprises an online business which has ethereal tentacles stretching into multiple jurisdictions. Of course, we have now all just about got to grips with the interesting intellectual gymnastics embarked upon by the CJEU in Google Spain. Now the issue of the territorial application of data protection legislation has resurfaced in a case concerning a spat between a Slovakian company operating a property-dealing website (W) and various disgruntled Hungarians who sought to sell their properties through the site: Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (Case 230/14).

You can read about the background to the Weltimmo case here. In short, the core question which arose in Weltimmo was whether the Hungarian Data Protection Authority (HDPA) had jurisdiction to fine W in circumstances where:

(a) W had its registered seat in Slovakia;

(b) one of W’s owners was a Hungarian living in Hungary who had legally represented W before the HDPA;

(c) W had received personal data from individuals in Hungary who wished to advertise their Hungarian properties on W’s website and

(d) W had apparently then gone on to misuse the personal data it had received.

The Hungarian Kúria court was unsure as to how to answer this question. This was because it was unclear as to the legal effects of two Articles of Directive 95/46/EC: Article 4 (concerning the territorial scope of domestic data protection laws) and Article 28 (concerning the role of the domestic supervisory authority). Accordingly, the court referred a number of questions to the CJEU, all of which were essentially focused on identifying the territorial reach of the domestic data protection laws and domestic supervisory authorities under the Directive (you can find the questions here). Advocate-General Cruz Villalón (yes he of Digital Ireland fame) has now given his opinion on these questions: see here. Rather frustratingly however, the opinion is not currently available in English. It is available in French and a host of other European languages (including for the multi-lingual amongst you Bulgarian and Czech). My admittedly rather untutored take on the French language version is that it contains the following key conclusions (see in particular paragraph 72):

– The effects of Articles 4 and 28 are that a supervisory authority in Member State X cannot assert jurisdiction over a data controller which is not ‘established’ in Member State X. Instead, that supervisory authority only has jurisdiction in respect of data controllers which are ‘established’ within its own territory (i.e. within Member State X).

– When considering the extent to which a data controller is ‘established’ in Member State X, the focus should be on the de facto, rather than the de jure, position. The crucial question is: from where, in a physical, logistical sense, does the data controller operate the business in question? Answering this question is likely to require a focus on where the business’ human and technical resources are located.

– The data controller may be established in a number of different Member States, provided that its operations in those Member States have the necessary quality of stability.

– Factors such as where the data has been downloaded, the nationality of the injured parties, the domicile of the owners of the company responsible for processing the data or the fact that the service provided is directed at the territory of another Member State are not directly relevant or decisive. They may however be indirectly relevant insofar as they may shed light on the question of where the data controller is established.

It remains to be seen whether the CJEU will follow the Advocate-General’s opinion. If it does, then that will reaffirm the essentially fragmented, patchwork nature of the protections afforded under the current Directive. Of course, if and when the draft General Data Protection Regulation becomes law, this patchwork of protections will give way to a more unified approach, as the era of the one-stop shop will be upon us.

Anya Proops

Comment is (not) free – E-Commerce back in the limelight

Last month I posted about the settlement of the Max Mosley litigation against Google (see my post here). Had that case been fought to its conclusion, we would at the very least have had the pleasure of gaining greater insight into the weird and wonderful world of the E-commerce legislation. However, sadly that was not to be. The good news is that E-Commerce cases now appear to be like buses. No sooner has one case settled, than another one comes motoring down the litigation highway. This time E-Commerce principles have surfaced, not in the context of a right to be forgotten case, but rather in the context of a Strasbourg case concerning the application of Article 10 rights.

The case in question, Delfi AS v Estonia (Case no. 64569/09), concerned an Estonian internet news portal called Delfi. In common with many internet news organisations, Delfi permits readers to write comments about the online stories which they publish. In 2006, Delfi published a story concerning the alleged destruction of certain Estonian ice roads by a particular company (S). The story, which was itself legally unobjectionable, attracted lots of reader comments, including comments which were very attacking of S’s majority shareholder (L). The comments in question were not only defamatory but also amounted to hate speech and an incitement to violence against L, all of which is unlawful under Estonian law. Upon complaint by L, Delfi immediately removed the comments (this was some six weeks after they had first been posted). However, L was not happy with this retrospective deletion of the comments. He brought a claim for damages against Delfi on the basis that Delfi had acted unlawfully by publishing the comments on the site. L eventually won his case in the domestic court and was awarded 320 Euros in compensation.

Delfi then took the case to the Strasbourg court. It alleged that the domestic court’s findings breached its Article 10 right to freedom of expression. A core plank of Delfi’s case was that it had to be treated as a mere intermediary under EU E-Commerce legislation, with the result that it was not liable in respect of the comments. Delfi contended that any other approach to the application of the E-Commerce principles would result in an undue interference with its Article 10 rights. The Strasbourg court rejected Delfi’s case. It held that Delfi was not acting merely as an intermediary in connection with the comments. This was particularly given that:

  • Delfi had comprehensive powers of editorial control over the comments once they had been posted;
  • moreover, Delfi positively encouraged the posting of comments on the basis that this would increase its potential to accrue advertising revenue.

In this respect, the comments on the Delfi site were, in the court’s view, to be contrasted with: ‘other fora on the Internet where third-party comments can be disseminated, for example an Internet discussion forum or a bulletin board where users can freely set out their ideas on any topics without the discussion being channelled by any input from the forum’s manager; or a social media platform where the platform provider does not offer any content and where the content provider may be a private person running the website or a blog as a hobby’ (§116).

The court went on to hold that whilst Delfi could not be expected to pre-vet comments prior to their publication, its obligations as online publisher of the comments were such that it should immediately and of its own motion detect and remove unlawful content (i.e. without waiting for a complaint to be brought). The court held that such an approach to the management of the comments constituted a justified interference with Delfi’s Article 10 rights.

This is an important judgment for a number of reasons.

  • First, it suggests that the defences available to online intermediaries under the E-Commerce legislation are to be narrowly construed. In short, the greater the degree of editorial control over and entrepreneurial interest in the data in question, the more likely it is that the court will find that the defences are not available.
  • Second, it suggests that, when it comes to the publication of data online, Article 10 cannot be treated as an all-purpose get out of jail free card. Instead, as with speech expressed through traditional media, Article 10 rights must be balanced against other affected rights (although note paragraph 113 where the court alluded to the need to adopt a ‘differentiated’ and ‘graduated’ approach to the enforcement of rights as against internet service providers, as opposed to traditional publishers).
  • Third, it suggests that, in this post Google-Spain world, the CJEU is not alone in its desire to create strong controls around the ways in which data is managed online, particularly where there is a profit-making element to the data processing scheme.

So put simply, online comment is not free, at least not for those media organisations which seek to profit from facilitating free expression within the online environment.

Anya Proops

Freedom of Information in Scotland

The Scottish Government has initiated a Consultation on further extension of coverage of the Freedom of Information (Scotland) Act 2002 (“FoIS”) to more organisations, specifically contractors who run privately managed prisons, providers of secure accommodation for children, grant-aided schools and independent special schools.

FoIS provides a statutory right of access to information held by Scottish public authorities. These range from the Scottish Parliament and Government, to local authorities, NHS boards, higher and further education bodies, doctors and dental practitioners. However, the provisions of FoIS can be extended to bodies that carry out functions of a public nature or which provide, under a contract with a Scottish public authority, a service which is a function of that authority. This can be done by making an Order under s5 of FoIS, which designates those bodies as a Scottish public authority for the purposes of FoIS. They are then subject to the full requirements of FoIS. They would also automatically become subject to the requirements of the Environmental Information (Scotland) Regulations 2004. In accordance with s7(3) of FoIS, bodies proposed for coverage would be covered only in respect of the information they hold about specified public functions or services. Their duties under FoIS would therefore be limited to those functions or services as set out in the Order.

The Scottish Government brought forward Scotland’s first Order under s5(1) of FoIS in September 2013. Following consideration by the Parliament the Order came into effect on 1 April 2014. The Order extended coverage of FoIS to certain trusts which have been created by local authorities to deliver sporting, cultural and leisure facilities and/or activities on behalf of the local authority(ies).

The Scottish Government are now consulting on options for further extension of coverage. They are proposing to lay an Order in the Scottish Parliament in Autumn 2015. Subject to the Scottish Parliament supporting the Order, they would expect the bodies covered to become subject to FoIS and the EIR from Spring 2016. In addition to the organisations discussed in the Consultation Paper, suggestions are sought as to what other bodies – whether individually or collectively – should be considered in any future consultation.

In the previous consultation in 2010 the Scottish Government adopted a factor-based approach in determining the extent to which a function of an organisation could be described as being ‘of a public nature’. They continue to believe that a factor-based approach is appropriate, and that a range of factors should be considered in assessing the ‘public nature’ of particular functions undertaken by certain organisations.

The Consultation Paper notes that the Scottish Information Commissioner has called for the extension of FoIS coverage to social housing owned by RSLs. For a number of reasons, the Scottish Government are not currently persuaded of the merits of extending coverage to housing associations.

The Scottish Government do, however, consider that a number of factors apply in relation to the functions undertaken, or services provided, by those various organisations highlighted in the Consultation Paper. In particular, there is a focus on organisations who, for the purposes of s5 of FoIS, undertake functions of a public nature or provide a service that is a function of a public authority(ies) relating to security, care and education.

The organisations considered for inclusion at this stage are:

  • contractors who run privately-managed prisons
  • providers of secure accommodation for children
  • grant-aided schools
  • independent special schools

With all these groups it is envisaged that any Order would provide a ‘class description’ in respect of the particular function undertaken or service provided. Given the potential for contractors or service providers to change over a period of time, a ‘class description’ gives more flexibility than listing specific bodies or contractors in the Order.

James Goudie QC