Compensation for mere distress – news from across the pond

Posted on | by Anya Proops KC

Readers of this blog will doubtless be well aware of the recent landmark judgment of the Court of Appeal in Vidal-Hall & Ors v Google, where it was held that compensation is available for mere distress caused by  breach of data protection legislation. Interestingly, it is being reported today that the US Supreme Court will in due course be deciding a case on a similar issue, namely whether compensation is available where websites publish inaccurate data concerning individuals but the inaccuracy in the data causes no pecuniary loss. It appears that the issue will be considered by the Court in the context of a class action brought against an internet search engine that compiles publicly available data on people and lets subscribers view that information online – see further AP’s report on the case here. See also the Amicus Brief filed by Ebay, Facebook, Yahoo and Google in support of the appeal being brought by the ISE. That Brief, which rests heavily on in terrorem arguments, asserts not least that:

“Amici are concerned that this decision will substantially and improperly lower the bar for invoking the jurisdiction of federal courts, inviting abusive and costly litigation, including class actions seeking millions or even billions of dollars in statutory damages under FCRA [Fair Credit Reporting Act] and similar statutes. Amici are members of a rapidly growing and transforming technology industry that provides services to hundreds of millions of individuals each day. Users of amici’s services routinely conduct financial transactions, share information and content, and interact with people all over the world on platforms offered by amici. The services amici provide, the information they collect, and the interactions they facilitate arguably could be subject to laws that contain private rights of action and allow for statutory damages”

Of course, in the UK we have yet to see any comparable group litigation emerging in response to inaccurate data processed by data controllers. However, in the wake of Vidal-Hall, it can only be a matter of time before such cases are brought before the English Courts.

Anya Proops

Searching questions in the CJEU: the East Sussex County Council case

Posted on | by Timothy Pitt-Payne KC

When local authorities provide property search information, can they charge for doing so? On what legal basis? How should such charges be calculated?

A Panopticon post from February 2014 by Robin Hopkins explains the background. To summarise, at one time it was widely believed that the Local Authorities (England)(Charges for Property Searches) Regulations 2008 (“CPSR”) applied, allowing local authorities to charge by reference to staff costs, overheads, and the cost of maintaining information systems.   More recently, it has been recognised that such requests will largely fall within the Environmental Information Regulations 2004 (“EIR”). EIR regulation 8 allows reasonable charges to be imposed for making environmental information available, save that no charge may be imposed for permitting access to public registers or for examining the requested information in situ.

In East Sussex County Council v Information Commissioner and others the applicant requested answers to the questions in CON29, the Law Society’s standard property search form. The Council imposed a fixed charge (based on the CPSR approach) that took account of disbursements, staff time, overheads, office costs, and information system costs. The First Tier Tribunal had to determine whether the charge was permissible under EIR regulation 8. It referred a number of questions to the CJEU for a preliminary ruling on the construction of Directive 2003/4 (“the Directive), to which the EIR give effect.

The case has now been heard in the CJEU, and Advocate General Sharpston issued her opinion on 16th April 2015.

The case turns on the construction of Articles 5 and 6 of the Directive. Article 5(1) requires that access to any public registers or lists of environmental information, and examination in situ of such information, shall be free of charge. Article 5(2) then allows public authorities to charge for supplying environmental information on request, provided that the charge does not exceed a reasonable amount. By Article 6, Member States must provide for administrative and judicial review of public authorities’ decisions relating to access to environmental information.

The first question addressed is what is meant by “supplying” environmental information in Article 5(2). Advocate General Sharpston states that this means providing access on request, by giving such information to an applicant in the format that he specifies, in circumstances other than those set out in Article 5(1).

What constitutes a “reasonable amount” within Article 5(2)? Advocate General Sharpston refers to this term as having an autonomous EU law meaning. She sets out, in some detail, what this means in practice. She identifies four requirements. First, a reasonable charge is one that is set on the basis of objective factors that are known and capable of review by a third party. Secondly, the charge must be calculated regardless of the requester’s identity or purpose. Thirdly, the charge must be set at a level that does not dissuade people from seeking access or restrict their right of access. Fourthly, the charge must be appropriate to the reason why Member States are allowed to make this charge (that is, that a member of the public has made a request for the supply of environmental information), and must be directly correlated to the act of supplying the information.

What can such a charge include? It must be based on the costs actually incurred in connection with the act of supplying information in response to a specific request. Hence the charge cannot include database costs, or overheads such as heating, lighting, or internal services. However it can include the costs of staff time spent on searching for and producing the information requested, and the cost of producing it in the form requested.

It is permissible for national law to provide that a public authority must satisfy itself that a charge levied meets the reasonableness standard. However, Article 6(1) and (2) of Directive 2003/4 requires a Member State to ensure that there can be both administrative and judicial review of whether the public authority’s decision conforms with the autonomous EU law meaning of what is reasonable.

While the issue of search costs for property search information may not set the pulse racing, it is of real importance both for companies carrying on business in this area and for cash-strapped local authorities keen to recover whatever costs they can. It remains to be seen, of course, whether the CJEU will adopt the Advocate General’s opinion.

11KBW’s Anya Proops acted for the Information Commissioner in the proceedings before the CJEU.

The Secret(-ish) Diary of Andrew Lansley (aged 58 1/4)

Posted on | by Christopher Knight

Every election, the House of Commons loses some of its most popular and well-respected Members. This year, it is also losing Andrew Lansley, whose reforms whilst Secretary of State for Health have bought such unwavering support from all parts of the political spectrum. Happily, Mr Lansley kept a diary of his momentous period in office. Unhappily, a FOIA request was only made for his Ministerial diary, which records the Secretary of State’s meetings etc, a redacted version of which was released in response to the request. The ICO ordered most of the withheld information to be released, and that was broadly echoed by the First-tier Tribunal in Department of Health v ICO (EA/2013/0087), on which see here, in rejecting reliance on s35(1)(a), (b) and (d) FOIA.

The DoH appealed, and Charles J has now handed down judgment in Department of Health v ICO & Lewis [2015] UKUT 159 (AAC). The appeal was dismissed. There are a number of points of interest in the judgment, not least:

  • There is a strong public interest in the press and public having the right, subject to appropriate safeguards, to require public authorities to provide information about their activities: at [10]-[12].
  • It is unusual to see a judge refer to his own experience as Treasury Counsel in the development of the law (on public interest immunity): at [18].
  • Disclosure under FOIA should be approached on a contents, specific information, basis and not a class basis: at [19]-[21].
  • It is right to avoid suggestions of inherent weight (on which see my post here): at [22]-[24].
  • A contents based assessment must show that the actual information is an example of the type of information within the class description of an exemption and why the manner in which disclosure of its contents will cause or give rise to risk of actual harm to the public interest, and evidence which does not address this is flawed: at [29]-[30].
  • Although generic reasons in support of the public interest may be inevitable, and are not irrelevant, attempts should be made (particularly by the ICO) to identify specific public interests engaged in support of disclosure: at [35]-[38].
  • Oral evidence can be useful, particularly where it tests credibility rather than reasoning, but the FTT should ask in each case whether it is needed, why it is needed, what limitations should be placed on it and whether other parties should also give evidence: at [41]-[42], [45].
  • Senior civil servants may be taking a line that there should be transparency but only on departmental terms, and their evidence often warrants a ‘Mandy Rice Davies’ sidenote (i.e. he would say that, wouldn’t he): at [48].
  • A high degree of deference to either side is very unlikely to be appropriate when assessing the public interest balance; a thorough and critical analysis of the competing reasoning and analysis should be carried out. A judicious recognition of the extent of Government expertise (and Tribunal lack thereof) is appropriate, and proper weight should be given to the views of those who work in the field, but that does not equate to an approach whereby in an unusual case the FTT should accept the Departmental view unless it is irrational: at [57], [59]-[61], [63]-[67].
  • The FTT had rightly identified very considerable flaws in the Department’s evidence, such that a risk of harm could not be accepted: at [73]-[79], [81]-[82].
  • Charles J’s further reasons on matters not addressed by the witnesses pose clear difficulties for future attempts on the part of (particularly) Government witnesses to assert risk of harm from disclosure without specific evidence: at [80].
  • When considering whether information is held under s3(2)(a) FOIA (“otherwise than on behalf of another person”), the intention of Parliament in promoting the purpose of FOIA (first bullet above) means that University of Newcastle upon Tyne v ICO & BUAV [2011] UKUT 185 (AAC) is correct (see here) and that a predominant purpose approach between different types of information is incorrect: at [106].
  • Non-Ministerial appointments in the diary were supplied by the Minister to avoid clashes etc, and must be considered as part of the diary as a whole. There was a sufficiently direct connection between the content and the reason why the information was recorded by the Department for it to be held. Whether or not it remained held under FOIA might depend on whether it was still said to be exempt under FOIA (for non-s40 reasons). The diary remained held: at [114], [117], [119]-[121].

The judgment is a lengthy one, but contains more nuggets than a KFC bargain bucket (other purveyors of fried chicken are available). Our very own secret blend of eleven herbs and spices, Robin Hopkins, appeared for the ICO.

Christopher Knight

Evans Vetos Badger Trust?

Posted on | by Christopher Knight

The world is full of obvious things which nobody by any chance ever observes.” Sherlock Holmes, The Hound of the Baskervilles.

What else can there possibly be to say about Evans not covered in Robin’s excellent post from Thursday? One can contemplate the possible amendments the Government might make (how much clearer could Parliament have made the purpose of section 53), and what other changes might be made at the same time, especially in the light of the PM referring to FOIA as one of the “buggerations” of Government in the Times magazine yesterday. One can analyse the dissenting judgments, which is certainly worthy of time. One can remark again on the constitutional importance of the Supreme Court emphasising the rule of law.

Most information law practitioners probably think there isn’t really anything in Evans that is going to be very relevant to their daily lives. Even central Government FOIA officers have onlyseen seven vetos in ten years, so Evans isn’t going to make much of a practical difference.

But. Almost in passing, there is one passage in the judgment of Lord Neuberger (if not the majority judgment, at least the leading judgment) which is worthy of notice.

As has been previously pointed out on this blog, the Upper Tribunal in Defra v ICO & the Badger Trust [2014] UKUT 526 (AAC) set the cat amongst the FOIA pigeons (if that is not too much of a mixture of animal metaphors) by suggesting at [44]-[48] that it was an open question whether the public interest balance was to be assessed at the time of the request/response or afresh at the time of the Tribunal hearing. That baton is now being taken up in the  latest round of the interminable APPGER litigation.

However, it is possible that the Supreme Court has beaten them to it. The time of the assessment of the balancing exercise was a point of some relevance to the reasoning of Lord Neuberger, because a (powerful) objection to the reasoning of the Court of Appeal (including from me) was that the two permitted exceptional categories, particularly the reliance on fresh evidence, did not leave much room for application of the veto where the public interest was adjudged at or around the time of the request. Lord Neuberger, unlike the Court of Appeal, sought to address the point. In doing so, he noted at [72] that:

It is common ground, in the light of the language of sections 50(1), 50(4) and 58(1), which all focus on the correctness of the original refusal by the public authority, that the Commissioner, and, on any appeal, any tribunal or court, have to assess the correctness of the public authority’s refusal to disclose as at the date of that refusal.”

As the text sets out, no contrary point was argued, but Lord Neuberger does not express any dissent about it and sets out the legal basis for it in the statutory language. Moreover, he went to reiterate the point, and the exceptions to it, at [72]:

However, although the question whether to uphold or overturn (under section 50 or sections 57 or 58) a refusal by a public authority must be determined as at the date of the original refusal, facts and matters and even grounds of exemption may, subject to the control of the Commissioner or the tribunal, be admissible even though they were not in the mind of the indivdual responsible for the refusal or communicated at the time of the refusal to disclose (i) if they existed at the date of the refusal, or (ii) if they did not exist at that date, but only in so far as they throw light on the grounds now given for refusal“.

It is difficult to see how the obiter musings of the Upper Tribunal in Badger Trust can withstand this, fairly prolonged, piece of Supreme Court reasoning. Arguments may be made that it was common ground, and possibly that was obiter itself, but it will self-evidently persusive that such experienced and eminent counsel agreed such a standpoint, and that the leading judgment relies upon it.

Perhaps the debate door is shut only shortly after being opened? Perhaps Evans has something to say to FOIA lawyers outside the scope of the veto power after all? Perhaps, perhaps, perhaps…

Christopher Knight

PS A prize (kudos only though) for the first person to spot the link between opening and closing of this post.

Google and the DPA – RIP section 13(2)

Posted on | by Christopher Knight

Well, isn’t this an exciting week (and I don’t mean Zayn leaving One Direction)? First, Evans and now Vidal-Hall. We only need Dransfield to appear before Easter and there will be a full red bus analogy. Robin opened yesterday’s analysis of Evans by remarking on the sexiness of FOIA. If there is one thing you learn quickly as an information law practitioner, it is not to engage in a sexiness battle with Robin Hopkins. But high-profile though Evans is, the judgment in Vidal-Hall will be of far wider significance to anyone having to actually work in the field, rather than simply tuning every now and then to see the Supreme Court say something constitutional against a FOIA background. Vidal-Hall might not be the immediate head-turner, but it is probably going to be the life-changer for most of us. So, while still in the ‘friend zone’ with the Court of Appeal, before it all gets serious, it is important to explain what Vidal-Hall v Google [2015] EWCA Civ 311 does.

The Context

The claims concern the collection by Google of information about the internet usage of Apple Safari using, by cookies. This is known as “browser generated information” or “BGI”. Not surprisingly, it is used by Google to more effectively target advertising at the user. Anyone who has experienced this sort of thing will know how bizarre it can sometimes get – the sudden appearance of adverts for maternity clothes which would appear on my computer followed eerily quickly from my having to research pregnancy information for a discrimination case I was doing. Apple Safari users had not given their consent to the collection of BGI. The Claimants brought claims for misuse of private information, breach of confidence and breach of the DPA, seeking damages under section 13. There is yet to be full trial; the current proceedings arise because of the need to serve out of the jurisdiction on Google.

The Issues

These were helpfully set out in the joint judgment of Lord Dyson MR and Sharp LJ (with whom Macfarlane LJ agreed) at [13]. (1) whether misuse of private info is a tort, (2) whether damages are recoverable under the DPA for mere distress, (3) whether there was a serious issue to be tried that the browser generated data was personal data and (4) whether permission to serve out should have been refused on Jameel principles (i.e. whether there was a real and substantial cause of action).

Issues (1) and (4) are less important to readers of this blog, and need only mention them briefly (#spoilers!). Following a lengthy recitation of the development of the case law, the Court held that the time had come to talk not of cabbages and kings, but of the tort of misuse of private information, rather than being an equitable action for breach of confidence: at [43], [50]-[51]. This allowed service out under the tort gateway in PD6B. The comment of the Court on issue (4) is worth noting, because it held that although claims for breach of the DPA would involve “relatively modest” sums in damages, that did not mean the claim was not worth the candle. On the contrary, “the damages may be small, but the issues of principle are large”: at [139].

Damages under Section 13 DPA

Issue (2) is the fun stuff for DP lawyers. As we all know, Johnson v MDU [2007] EWCA Civ 262 has long cast a baleful glare over the argument that one can recover section 13 damages for distress alone. The Court of Appeal have held such comments to be obiter and not binding on them: at [68]. The word ‘damage’ in Art 23 of the Directive had to be given an autonomous EU law meaning: at [72]. It also had to be construed widely having regard to the underlying aims of the legislation: the legislation was primarily designed to protect privacy not economic rights and it would be strange if data subjects could not recover compensation for an invasion of their privacy rights merely because they had not suffered pecuniary loss, especially given Article 8 ECHR does not impose such a bar: at [76]-[79]. However, it is not necessary to establish whether there has also been a breach of Article 8; the Directive is not so restricted (although something which does not breach Article 8 is unlikely to be serious enough to have caused distress): at [82].

What then to do about section 13(2) which squarely bars recovery for distress alone and is incompatible with that reading of Article 23? The Court held it could not be ‘read down’ under the Marleasing principle; Parliament had intended section 13(2) to impose this higher test, although there was nothing to suggest why it had done so: at [90]-[93]. The alternative was striking it down on the basis that it conflicted with Articles 7 and 8 of the EU Charter of Fundamental Rights, which the Court of Appeal accepted. In this case, privacy and DP rights were enshrined as fundamental rights in the Charter; breach of DP rights meant that EU law rights were engaged; Article 47 of the Charter requires an effective remedy in respect of the breach; Article 47 itself had horizontal direct effect (as per the court’s conclusion in Benkharbouche v Embassy of Sudan [2015] EWCA Civ 33); the Court was compelled to disapply any domestic provision which offended against the relevant EU law requirement (in this case Article 23); and there could be no objections to any such disapplication in the present case e.g. on the ground that the Court was effectively recalibrating the legislative scheme: at [95]-[98], [105].

And thus, section 13(2) was no more. May it rest in peace. It has run down the curtain and joined the bleedin’ choir invisible.

What this means, of course, is a potential flood of DP litigation. All of a sudden, it will be worth bringing a claim for ‘mere’ distress even without pecuniary loss, and there can be no doubt many will do so. Every breach of the DPA now risks an affected data subject seeking damages. Those sums will invariably be small (no suggestion from the Court of Appeal that Article 23 requires a lot of money), and perhaps not every case will involve distress, but it will invariably be worth a try for the data subject. Legal costs defending such claims will increase. Any data controllers who were waiting for the new Regulation with its mega-fines before putting their house in order had better change their plans…

Was BGI Personal Data

For the DP geeks, much fun was still to be had with Issue (3). Google cannot identify a particular user by name; it only identifies particular browsers. If I search for nasal hair clippers on my Safari browser, Google wouldn’t recognise me walking down the street, no matter how hirsute my proboscis. The Court of Appeal did not need to determine the issue, it held only that there was a serious issue to be tried. Two main arguments were run. First, whether the BGI looked at in isolation was personal data (under section 1(1)(a) DPA); and secondly, whether the BGI was personal data when taken together with gmail account data held by Google (application of limb (b)).

On the first limb, the Court held that it was clearly arguable that the BGI was personal data. This was supported by the terms of the Directive, an Article 29 WP Opinion and the CJEU’s judgment in Lindqvist. The fact that the BGI data does not name the individual is immaterial: it clearly singles them out, individuates them and therefore directly identifies them: at [115] (see more detail at [116]-[121]).

On the second limb, it was also clearly arguable that the BGI was personal data. Google had argued that in practice G had no intention of amalgamating them, therefore there was no prospect of identification. The Court rejected this argument both on linguistic grounds (having regard to the wording of the definition of personal data, which does not require identification to actually occur) and on purposive grounds (having regard to the underlying purpose of the legislation): at [122]-[125].

A third route of identification, by which enable individual users could be identified by third parties who access the user’s device and then learn something about the user by virtue of the targeted advertising, the Court concluded it was a difficult question and the judge was not plainly wrong on the issue, and so it should be left for trial: at [126]-[133].

It will be interesting to see whether the trial happens. If it does, there could be some valuable judicial discussion on the nature of the identification question. For now, much is left as arguable.

Conclusion

The Court of Appeal’s judgment in Vidal-Hall is going to have massive consequences for DP in the UK. The disapplication of section 13(2) is probably the most important practical development since Durant, and arguably more so than that. Google are proposing to seek permission to appeal to the Supreme Court, and given the nature of the issues they may well get it on Issues (1) and (2) at least. In meantime, the Court’s judgment will repay careful reading. And data controllers should start looking very anxiously over their shoulders. The death of their main shield in section 13(2) leaves them vulnerable, exposed and liable to death by a thousand small claims.

Anya Proops and Julian Milford appeared for the ICO, intervening in the Court of Appeal.

Christopher Knight

PS No judicial exclamation marks to be found in Vidal-Hall. Very restrained.

Why Evans gets the spiders

Posted on | by Robin Hopkins

I told you FOI was sexy.

The Supreme Court’s judgment in R (Evans) v Attorney General [2015] UKSC 21 has received vast amounts of media coverage – more in a single day than everything else about FOI has received in ten years, I reckon. No need to explain what the case was about – the upshot is that Rob Evans gets Prince Charles’ ‘black spider’ letters. Here’s why.

In other words, this post summarises why the judgment went Evans’ way 5:2 on the FOIA veto and 6:1 on the EIR veto. I leave aside the trenchant dissenting judgments (Lord Wilson on both FOIA and the EIRs; Lord Hughes on FOIA only), which merit a post in their own right.

FOIA and the ministerial veto

Three of the five JSCs who found that the Attorney General’s veto under FOIA was unlawful took the following view (that of Lord Neuberger).

The constitutional context and the restrictive view of section 53

“A statutory provision which entitles a member of the executive… to overrule a decision of the judiciary merely because he does not agree with it would not merely be unique in the laws of the United Kingdom. It would cut across two constitutional principles which are also fundamental components of the rule of law”, i.e. (i) that a court’s decisions are binding and cannot be ignored or set aside by anyone, and (ii) that the executive’s actions are reviewable by the court on citizens’ behalf. “Section 53, as interpreted by the Attorney General’s argument in this case, flouts the first principle and stands the second principle on its head” (paragraphs 51-52).

Therefore, if Parliament intends to permit the executive to override a judicial decision merely because it disagrees with that decision, it must ‘squarely confront what it is doing’ and make its intentions ‘crystal clear’. Section 53 FOIA is a long way from authorising such an override on the grounds of disagreement (paragraphs 56-58).

The upshot is that a minister cannot use section 53 to override a judicial decision simply on the grounds that, having considered the issue based on the same facts and arguments as the court or tribunal, he reaches a different view. In their context, and in light of the serious constitutional implications, the words “on reasonable grounds” in section 53 FOIA must be construed more restrictively: mere disagreement with the court/tribunal will not do.

The threshold is higher: a section 53 certificate will be lawful if there has been a material change in circumstances, or if facts or matters come to light at some point which (a) indicate that the judicial decision being overturned was seriously flawed, but (b) cannot give rise to an appeal against that decision. Such cases will be exceptional, but they are a real possibility, in Lord Neuberger’s judgment. Section 53 therefore retains some utility (see paragraphs 68, 77 and 78). Lord Kerr and Lord Reed agreed with Lord Neuberger’s restrictive view of section 53.

A less restrictive view of section 53

Lord Mance (with whom Lady Hale agreed) also found the Attorney General’s veto in this case to have been unlawful. He agreed that mere disagreement with the decision being overturned will not do. Lord Mance’s interpretation of section 53, however, is markedly less restrictive than that of Lord Neuberger: the accountable person is entitled under section 53 to reach a different view on the balancing of competing interests, even in the absence of the sorts of new considerations Lord Neuberger envisages, provided he gives properly explained and solid reasons against the background and law established by the judicial decision (see paragraphs 130-131).

There is thus more scope for a lawful veto on Lord Mance’s view – but his was not the majority view. Lord Neuberger’s more restrictive view commanded wider support. This makes a big difference to the future use of section 53.

What about First-Tier and ICO decisions?

Here are some further important implications addressed by Lord Neuberger.

This veto was against a decision of the Upper Tribunal, which is a court of record. Do the same stringent restrictions apply to an attempt to veto a decision of the First-Tier Tribunal? Answer: yes.

What about the ICO’s decisions? Is the threshold for a lawful veto equally high, or is it lower? Answer: it is lower, as the ICO’s evaluation can seldom be as exhaustive as that of a Tribunal. Nonetheless, the option to appeal to the Tribunal will be a relevant consideration: to use the section 53 power to achieve what you could also achieve by the more constitutionally appropriate route of an appeal may be an abuse of that power.

Those distinctions are important. Some section 53 certificates have been issued against First-Tier Tribunal decisions – the NHS risk register veto, for example. Others have been against ICO decisions – the High Speed 2 veto, for example. The Iraq war cabinet minutes have been the subject of two section 53 certificates – one against a Tribunal decision, the other against an ICO decision.

The EIRs and the ministerial veto

By comparison, the answer under the EIRs was relatively straightforward: Article 6 of Directive 2003/4/EC requires that refusals to disclose environmental information can be challenged before court whose decisions will be final. The ministerial veto provision does not square with that requirement. Environmental information cannot be the subject of the ministerial veto. These were the arguments advanced by Mr Evans, and by Tim Pitt-Payne on the ICO’s behalf. They were accepted by six of the seven JSCs.

So, a triumphant day for Rob Evans and The Guardian – and indeed for FOIA, the EIRs, transparency and the rule of law.

The outlook for the future use of section 53 is challenging, though there is nuance aplenty, even aside from the dissenting judgments.

Robin Hopkins @hopkinsrobin