I have just had my attention drawn to this interesting article from the Japan Times about how the right to be forgotten is beginning to gain traction in Japan. Just goes to show that Europe is not the only environment within which this highly controversial right can potentially gain a foothold.
Anya Proops
Just two short but important pieces of news. First, I can now confirm that Google has applied for permission to appeal to the Supreme Court in respect of the Court of Appeal’s landmark judgment in Vidal-Hall v Google. The SC’s judgment on the application is awaited. Second, it would appear that the case of CG v Facebook which I blogged about earlier this year (see here) is also currently on appeal in Northern Ireland, with a cross-appeal being brought by CG on the question of whether the court erred when it concluded that Facebook fell outside the territorial scope of the DPA 1998. For further news on these important cases, watch this space.
Anya Proops
On a day when the country goes to the polls (or, if you a UKIP supporter, to the Poles), it is nice to be able remind people of the more important things in life than mere democratic-right exercising. The chief of these is, surely, developments under the Data Protection Act 1998. Happily, Panopticon can assist, with a quick note on an ex tempore judgment of HHJ Seymour QC in Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & 6 others (QBD, 5 May 2015). There is no transcript yet available, but a headnote is now reported on Lawtel, and this summary is taken from that.
Unfortunately, without the full reasoning, one does not get the sense of what looks likely to have been a more involved argument than the bare findings relate. The case concerned an SAR made to a company, which the Claimant asserted had been an SAR to both the company and the six individual directors of that company, all of whom were data controllers. Only the company had responded, with 400 pages of documents. One might have thought the argument that directors were also data controllers would face significant difficulties in the light of Southern Pacific Personal Loans [2013] EWHC 2485 (Admin) (see here). However, Judge Seymour QC appears to have resolved the matter on the facts: the Claimant’s statements had been that he believed only the company was the data controller, he had only paid one £10 fee and the proper construction of the SAR was that it was only made to the company. The claims were accordingly struck out against the individuals.
However, even had they not been, the Judge indicated that the individuals would most likely have been able to rely upon the domestic purposes exemption in section 36 DPA, and that he would have refused relief in his discretion to require them to search their personal email accounts in order to prove the application of section 36. That is quite an interesting little comment on the extent of section 36, and its interaction with ‘personal’ emails, and it will be useful to see the full reasoning in due course.
The case also contained a reminder that just because someone pleads section 13, even after Vidal-Hall, it is no guarantee of damages. The Judge considered that there was no indication of any identifiable class of damage, and the Claimant had not bothered to try and quantify his claim. As a result, it was difficult to contemplate that he would be able to demonstrate having suffered damage or distress. The company itself had adequately complied with its obligations (although the headnote does not explain what adequate compliance consists of, or how it fits with the language of section 7) and no further order was required. The section 13 claim was transferred to the County Court.
No pretence that Ittihadieh is going to blow your mind over your cornflakes (other breakfast comestibles are available), but there are a couple of little nuggets of interest and it will be worth keeping an eye out for the full transcript as and when it hits the shelves. We DP lawyers are not yet so overwhelmed by jurisprudence that we can afford to look a section 7(9) judgment in the mouth. And with that allusion to Ancient Greece, it falls only to this blog to remind you all of your civic duty to grasp what the Prime Minister so unnervingly insists on referring to as the “stubby pencil” and vote.
Robin Hopkins (who he?) appeared for the seven defendants.
Christopher Knight
I have today been speaking at the IAPP conference at A&O alongside David Smith (UK Deputy Information Commissioner), Bruno Gencarelli (European Commission, Head of Data Protection Unit) and Wojciech Wiewiórowski (Assistant European Data Protection Supervisor). The conference yielded a number of really interesting insights, a number of which I highlight below.
First and perhaps most importantly, Mr Gencarelli made clear that, so far as the draft General Data Protection Regulation was concerned, the firm expectation within Europe was that the GDPR would be agreed by the end of this year. This is obviously important given that the apparently endless European wranglings over the shape of the GDPR had led some to question whether the GDPR would be finalised within the foreseeable future. Mr Gencarelli also pointed out that we could expect that, over the ensuing two year transition period, the GDPR principles would be further refined and developed, as the European Commission engaged in a trilogue with the European Data Protection Authorities and industry bodies. This inevitably suggests that the conclusion of the formal negotiations over the GDPR will not in any sense bring the process of developing European data protection principles to an end.
Mr Gencarelli also highlighted the significant impact which the EU Charter had had on the legal approach to data protection. As he put it, the fact that data protection rights were given specific protection under the Charter meant that data protection rights now had a greater legal resonance and significance than was previously the case. Notably, Mr Gencarelli’s observations on this issue obviously chime closely with the approach to the application of Charter rights adopted by the Court of Appeal in its recent judgment in Vidal-Hall v Google.
Mr Wiewiórowski also provided some fascinating insights into the European perspective on data protection. He reflected in particular upon the role being played by the CJEU in terms of pushing the privacy agenda within Europe under the existing Directive. Mr Wiewiórowski made clear that, in his view, this was a judicial trend which was itself born out of discussions on the new privacy-preoccupied agenda embodied in the Commission’s proposals for the GDPR. Thus, in effect, the EU judiciary was working in a highly dialectical relationship with the EU legislature to produce a new cultural approach to privacy rights within Europe.
Mr Wiewiórowski also made the interesting point that developments in the UK data protection jurisprudence had a disproportionately large impact on the development of data protection law within Europe as a whole. As he observed, this was not because UK lawyers and judges were seen as being cleverer than their European counterparts. Rather it was simply a product of the somewhat prosaic fact that UK judgments are in English, with the result that they are more readily comprehensible to our EU colleagues. Thus, he suggested that the Court of Appeal’s judgment in Vidal-Hall was now being discussed very widely within Europe, particularly because it was a judgment which could be accessed and understood by practitioners across the European piste.
Mr Wiewiórowski also made some very interesting observations about the approach taken within the GDPR to the ‘journalistic exemption’. As many readers of this blog will know, there is currently a debate going on within Europe as to whether the approach to the exemption proposed by the Council of Europe gives enough protection to classic journalistic freedoms. This debate has arisen particularly because the Council’s proposed text removes any reference to journalism per se. This has prompted many within the media to raise concerns that Europe is unacceptably seeking to dilute protection for journalists in a way that fundamentally offends against Article 10 of the European Convention on Human Rights and Article 11 of the EU Charter. Mr Wiewiórowski expressed the view that the scope of the journalistic exemption was perhaps one of the most challenging issues to arise under the draft GDPR and he was not at all confident that this issue would be satisfactorily resolved by the time the GDPR was finalised. These are obviously really important observations, not least because they suggest that existing questions as to how data protection rights are to be reconciled with Article 10 rights are unlikely to be finally resolved merely as a result of the enactment of the GDPR.
In terms of the domestic regulatory perspective, David Smith’s presentation very helpfully illuminated how the ICO was approaching the right to be forgotten regime.
On this regime, Mr Smith made clear that, since Google Spain was decided, the ICO had received approximately 200 complaints from data subjects in response to refusals by Google to delete particular links. Of those 200 complaints, roughly 150 had been decided in Google’s favour, with the remaining 50 being decided in favour of the data subjects. Mr Smith indicated that the ICO was now engaged in discussions with Google about this latter set of cases.
Mr Smith also made clear that the ICO had been impressed with Google’s overall approach to the right to be forgotten regime and that there were generally no significant differences of approach between the ICO and Google in terms of how the regime was to be applied. He did however indicate that one area of disagreement was as to whether Google should be notifying publishers when they receive requests from individual applicants. Google’s position on this issue is that typically publishers should be notified. By way of contrast, the ICO’s position is that notification should take place only in exceptional cases. Obviously, this divergence of view takes us back to the important and, as yet, unresolved question as to how data protection rights should be reconciled with Article 10 freedom of expression rights. Clearly as matters currently stand, Google is preferring a more pro-Article 10 approach than the ICO. Query whether Google will continue to adopt such a stance in future.
Notably, Mr Smith also made clear that the ICO’s view was that google.com should be treated as caught by the CJEU’s judgment in Google Spain. Again this is an important point. As matters currently stand, Google’s position is that google.com is not caught by the judgment. This has the result that users within Europe can potentially avoid all the amnesiac effects of the Google Spain judgment simply by setting their default browsers to google.com. Evidently the ICO regards this as an illegitimate loophole which Google should now look to close.
In terms of the wider question of whether the CJEU’s judgment in Google Spain had had a damaging effect on the internet as a whole, Mr Smith made clear that in his view that this was not the case. He pointed out that Google had now delivered important results for data subjects in hundreds of thousands of cases. By way of contrast, he said the ICO had received only a handful of complaints about deletion. Mr Smith pointed out that obviously the introduction of the right to be forgotten regime had not resulted in the internet grinding to a halt, and that it had not sounded the death-knell of Article 10 rights. Instead, what it had done in his view was deliver real tangible results for data subjects in a wide range of cases. As Mr Smith put it, what the judgment in Google Spain had achieved was the practical recognition within the online world of important human values, including values relating to the autonomy of the individual and the need for forgiveness.
Additionally Mr Smith made clear that, whereas once the ICO’s voice may not have been seen as an important voice in litigation on data protection issues, now the ICO was increasingly being recognised by the courts as an important contributor in legal debates on those issues. He used the ICO’s involvement in the recent case of Vidal-Hall as an illustration of this important development. As Mr Smith put it the effect of these developments was that the ICO could now be more active and assertive when it came to litigation on key data protection issues.
Finally, it is worth pointing out that Mr Smith, Mr Gencarelli and Mr Wiewiórowski all agreed that, so far as the concept of ‘personal data’ was concerned, the GDPR did not expand the existing definition. Instead, all it did was clarify the existing law, as adopted in the Directive. Notably, this is consistent with the approach taken to the definition by the ICO in the case of Vidal-Hall.
So much food for thought emerging from the conference. Incidentally, those who are interested in future IAPP events may like to note that the IAPP is holding its European Data Protection Congress in Brussels in December 2015. No doubt the congress will offer an important opportunity to debate some of the issues referred to above.
Anya Proops
It has been said in the recent past that FOIA is sexy. We at 11KBW know all too well how difficult it can be to maintain a constant level of supreme attractiveness. Like all sexy beasts, even FOIA can have a day on which even its own mother would struggle would struggle to describe it as worthy of a second glance. The decision of the Court of Appeal in The Independent Parliamentary Standards Authority v ICO & Leapman [2015] EWCA Civ 388 might be thought to be one of FOIA’s off-days.
For those avid readers who remember my post on the Upper Tribunal decision (here for those hard of sleeping), the issues will be vividly recalled. For everyone else, a short recitation may be useful.
Section 1 FOIA gives us a right to request information from listed public authorities, but what does “information” mean? Information is defined by section 84 of FOIA (“‘information’ (subject to sections 51(8) and 75(2)) means information recorded in any form”). This somewhat opaque definition has generally been treated as meaning that a request is for information. It is not for copies of documents. If the public authority wants to type out the document in a different format, they can, so long as the information contained within that document is provided.
Mr Leapman had made a request to IPSA for receipts and invoices provided by particular MPs in support of their expenses claims. IPSA provided him with transcribed versions of those receipts and invoices. Mr Leapman was not satisfied; he wanted the originals. The ICO agreed, as did the FTT and the UT on appeal. IPSA appealed to the Court of Appeal. Mr Leapman, formerly of the Daily Telegraph, did not participate in the Court of Appeal, doubtless being otherwise engaged in his detention at Her Majesty’s pleasure for offences of rape and downloading child abuse images.
Richards LJ gave the only judgment and it is fair to say that while it is of practical importance, the issue does not stir the blood. Nonetheless, the Court remained awake long enough to dismiss the appeal on all grounds. On the main issue, Richards LJ agreed with the ICO. Information was to be construed broadly and there would be cases where it is necessary in practice to disclose the record itself in order to communicate the entirety of the information contained in it: at [36]. There was no collapse in the distinction between the record and the information contained within it. The request had not been for copies as opposed to the information, but rather for all the recorded information contained on the receipts/invoices. Without the copies themselves, there was an inevitable shortfall in the information provided: at [39]. Counsel for ISPA conceded that some presentational elements may reveal recorded information, and that, Richards LJ held, indicated that there was no clear line between presentational elements and recorded information, even if it was sometimes difficult to spot where the line was: at [43]. If something is on the face of the document it is more readily about the information itself, rather than the form of the record (whereas the weave of the paper would go only to the record): at [42]. What is important is that the material sought is informative in the sense that tells you something, which may be visual or linguistic: at [44]. The fact that such information may go to an assessment of genuineness is a factor (but not the only factor) in assessing whether it is relevantly informative, without infringing the motive-blind approach of FOIA: at [45].
IPSA also managed to achieve the seemingly challenging feat of advancing a ground even less enthralling than the meaning of information, namely the scope of the section 11 duty to communicate information by reasonably practicable means. Here Richards LJ indulged IPSA in dealing in full with an argument which failed at the first hurdle. Section 11 is not an aspect of the section 1 obligation on public authorities; it cannot cut down the twin duties in section 1 to confirm or deny, and to release subject to exemptions. Section 11 poses a separate, additional, duty where a preference as to the means of communication is specified: at [52]-[53]. Although unnecessary to do so, Richards LJ gave the tentative view that in the light of the informal nature of requests they should not be interpreted like contracts (something of a relief to all one would imagine), and their interpretation was a question of fact, or at least a mixed question of fact and law: at [58]. The only point on which IPSA made any ground was one of total irrelevance, namely that had the analysis got to section 11(2), the wording of “in all the circumstances” was appropriately broad enough to encompass the cost consequences of future compliance, rather than limited to the consequences of responding to the specific request.
So, three appeals later, we end at exactly the point we started; namely that the ICO’s DN was a model of sensible reasoning and common sense. Information includes visual aspects to a document which may be informative, even if they cannot be readily transcribed by a reluctant public authority. That does not mean FOIA is now a route of documentary disclosure, any more than the DPA is. But it does call for a holistic approach to the information in issue. It requires dealing with substance and appearance, taking the information as a whole and examining it carefully. Hang on… Maybe it is a little bit sexy after all.
Robin Hopkins appeared for the ICO.
Christopher Knight
Readers of this blog will doubtless be well aware of the recent landmark judgment of the Court of Appeal in Vidal-Hall & Ors v Google, where it was held that compensation is available for mere distress caused by breach of data protection legislation. Interestingly, it is being reported today that the US Supreme Court will in due course be deciding a case on a similar issue, namely whether compensation is available where websites publish inaccurate data concerning individuals but the inaccuracy in the data causes no pecuniary loss. It appears that the issue will be considered by the Court in the context of a class action brought against an internet search engine that compiles publicly available data on people and lets subscribers view that information online – see further AP’s report on the case here. See also the Amicus Brief filed by Ebay, Facebook, Yahoo and Google in support of the appeal being brought by the ISE. That Brief, which rests heavily on in terrorem arguments, asserts not least that:
“Amici are concerned that this decision will substantially and improperly lower the bar for invoking the jurisdiction of federal courts, inviting abusive and costly litigation, including class actions seeking millions or even billions of dollars in statutory damages under FCRA [Fair Credit Reporting Act] and similar statutes. Amici are members of a rapidly growing and transforming technology industry that provides services to hundreds of millions of individuals each day. Users of amici’s services routinely conduct financial transactions, share information and content, and interact with people all over the world on platforms offered by amici. The services amici provide, the information they collect, and the interactions they facilitate arguably could be subject to laws that contain private rights of action and allow for statutory damages”
Of course, in the UK we have yet to see any comparable group litigation emerging in response to inaccurate data processed by data controllers. However, in the wake of Vidal-Hall, it can only be a matter of time before such cases are brought before the English Courts.
Anya Proops
