Googling Orgies – Thrashing out the Liability of Search Engines

Posted on | by Christopher Knight

Back in 2008, the late lamented News of the World published an article under the headline “F1 boss has sick Nazi orgy with 5 hookers”. It had obtained footage of an orgy involving Max Mosley and five ladies of dubious virtue, all of whom were undoubtedly (despite the News of the World having blocked out their faces) not Mrs Mosley. The breach of privacy proceedings before Eady J (Mosley v News Group Newspapers Ltd [2008] EWHC 687 (QB)) established that the ‘Nazi’ allegation was unfounded and unfair, that the footage was filmed by a camera secreted in “such clothing as [one of the prostitutes] was wearing” (at [5]), and also the more genteel fact that even S&M ‘prison-themed’ orgies stop for a tea break (at [4]), rather like a pleasant afternoon’s cricket, but with a rather different thwack of willow on leather.

Since that time, Mr Mosley’s desire to protect his privacy and allow the public to forget his penchant for themed tea breaks has led him to bring or fund ever more litigation, whilst simultaneously managing to remind as many people as possible of the original incident. His latest trip to the High Court concerns the inevitable fact of the internet age that the photographs and footage obtained and published by the News of the World remain readily available for those in possession of a keyboard and a strong enough constitution. They may not be on a scale of popularity as last year’s iCloud hacks, but they can be found.

Alighting upon the ruling of the CJEU in Google Spain that a search engine is a data controller for the purposes of the Data Protection Directive (95/46/EC) (on which see the analysis here), Mr Mosley claimed that Google was obliged, under section 10 of the Data Protection Act 1998, to prevent processing of his personal data where he served a notice requesting it to do so, in particular by not blocking access to the images and footage which constitute his personal data. He also alleged misuse of private information. Google denied both claims and sought to strike them out. The misuse of private information claim being (or soon to be) withdrawn, Mitting J declined to strike out the DPA claim: Mosley v Google Inc [2015] EWHC 59 (QB). He has, however, stayed the claim for damages under section 13 pending the Court of Appeal’s decision in Vidal-Hall v Google (on which see the analysis here).

Google ran a cunning defence to what, post-Google Spain, might be said to be a strong claim on the part of a data subject. It relied on Directive 2000/31/EC, the E-Commerce Directive. Article 13 protects internet service providers from liability for the cached storage of information, providing they do not modify the information. Mitting J was content to find that by storing the images as thumbnails, Google was not thereby modifying the information in any relevant sense: at [41]. Article 15 of the E-Commerce Directive also prohibits the imposition of a general obligation on internet service providers to monitor the information they transmit or store.

The problem for Mitting J was how to resolve the interaction between the E-Commerce Directive and the Data Protection Directive; the latter of which gives a data subject rights which apparently extend to cached information held by internet service providers which the former of which apparently absolves them of legal responsibility for. It was pointed out that recital (14) and article 1.5(b) of the E-Commerce Directive appeared to make that instrument subject to the Data Protection Directive. It was also noted that Google’s argument did not sit very comfortably with the judgment (or at least the effect of the judgment) of the CJEU in Google Spain.

Mitting J indicated that there were only two possible answers: either the Data Protection Directive formed a comprehensive code, or the two must be read in harmony and given full effect to: at [45]. His “provisional preference is for the second one”: at [46]. Unfortunately, the judgment does not then go on to consider why that is so, or more importantly, how both Directives can be read in harmony and given full effect to. Of course, on a strike out application provisional views are inevitable, but it leaves rather a lot of legal work for the trial judge, and one might think that it would be difficult to resolve the interaction without a reference to the CJEU. What, for example, is the point of absolving Google of liability for cached information if that does not apply to any personal data claims, which will be a good way of re-framing libel/privacy claims to get around Article 13?

The Court also doubted that Google’s technology really meant that it would have to engage in active monitoring, contrary to Article 15, because they may be able to do so without “disproportionate effort or expense”: at [54]. That too was something for the trial judge to consider.

So, while the judgment of Mitting J is an interesting interlude in the ongoing Mosley litigation saga, the final word certainly awaits a full trial (and/or any appeal by Google), and possibly a reference. All the judgment decides is that Mr Mosley’s claim is not so hopeless it should not go to trial. Headlines reading ‘Google Takes a Beating (with a break for tea)’ would be premature. But the indications given by Mitting J are not favourable to Google, and it may well be that the footage of Mr Mosley will not be long for the internet.

Christopher Knight

Information Law Conference 2015

Posted on | by Panopticon Blog

Join us at 11KBW’s Annual Information Law Conference on 19th March 2015.  As well as providing an over-view of the key developments in the field of information law, the conference will cover a range of topical issues including: whether the law governing State surveillance is fit for purpose, the relationship between data protection and the media and whether, at 10 years old, FOIA should be seen a boon to or a burden on society. Keynote speaker to be confirmed.

Click here to download the Information Conference Programme.

Venue and Booking information

Venue The Royal College of Surgeons of England, 35 – 43 Lincoln Inn Fields, London WC2A 3PE

Cost £99 + VAT (20%) = £118.80 to attend half day plus lunch; £150 + VAT (20%) = £180.00 to attend full day

EARLY BIRD DISCOUNT – 10% off if you book before 27th February 2015 on both half and full day places.

To Book To book your place on this conference please email RSVP@11kbw.com stating if you would to attend full or half day, the delegate name, firm, email address and any purchase order details you may require. You will be then sent a confirmation email of your place and invoiced. We do not have the facilities to accept payments by credit or debit cards.

CPD accredited with SRA and BSB: 4.5 hours

Data protection: three developments to watch

Posted on | by Robin Hopkins

Panopticon likes data protection, and it likes to keep its eye on things. Here are three key developments in the evolution of data protection law which, in Panopticon’s eyes, are particularly worth watching.

The right to be forgotten: battle lines drawn

First, the major data protection development of 2014 was the CJEU’s ‘right to be forgotten’ judgment in the Google Spain case. Late last year, we received detailed guidance from the EU’s authoritative Article 29 Working Party on how that judgment should be implemented: see here.

In the view of many commentators, the Google Spain judgment was imbalanced. It gave privacy rights (in their data protection guise) undue dominance over other rights, such as rights to freedom of expression. It was clear, however, that not all requests to be ‘forgotten’ would be complied with (as envisaged by the IC, Chris Graham, in an interview last summer) and that complaints would ensue.

Step up Max Moseley. The BBC reported yesterday that he has commenced High Court litigation against Google. He wants certain infamous photographs from his past to be made entirely unavailable through Google. Google says it will remove specified URLs, but won’t act so as to ensure that those photographs are entirely unobtainable through Google. According to the BBC article, this is principally because Mr Moseley no longer has a reasonable expectation of privacy with respect to those photographs.

The case has the potential to be a very interesting test of the boundaries of privacy rights under the DPA in a post-Google Spain world.

Damages under the DPA

Second, staying with Google, the Court of Appeal will continue its consideration of the appeal in Vidal-Hall and Others v Google Inc [2014] EWHC 13 (QB) in February. The case is about objections against personal data gathered through Apple’s Safari browser. Among the important issues raised by this case is whether, in order to be awarded compensation for a DPA breach, one has to establish financial loss (as has commonly been assumed). If the answer is no, this could potentially lead to a surge in DPA litigation.

The General Data Protection Regulation: where are we?

I did a blog post last January with this title. A year on, the answer still seems to be that we are some way off agreement on what the new data protection law will be.

The latest text of the draft Regulation is available here – with thanks to Chris Pounder at Amberhawk. As Chris notes in this blog post, the remaining disagreements about the final text are legion.

Also, Jan Philipp Albrecht, the vice-chairman of the Parliament’s civil liberties committee, has reportedly suggested that the process of reaching agreement may even drag on into 2016.

Perhaps I will do another blog post in January 2016 asking the same ‘where are we?’ question.

Robin Hopkins @hopkinsrobin

How to apply the DPA

Posted on | by Robin Hopkins

Section 40 of FOIA is where the Freedom of Information Act (mantra: disclose, please) intersects with the Data Protection Act 1998 (mantra: be careful how you process/disclose, please).

When it comes to requests for the disclosure of personal data under FOIA, the DPA condition most commonly relied upon to justify showing the world the personal data of a living individual is condition 6(1) from Schedule 2:

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

That condition has multiple elements. What do they mean, and how do they mesh together? In Goldsmith International Business School v IC and Home Office (GIA/1643/2014), the Upper Tribunal (Judge Wikeley) has given its view. See here Goldsmiths. This comes in the form of its endorsement of the following 8 propositions (submitted by the ICO, represented by 11KBW’s Chris Knight).

Proposition 1: Condition 6(1) of Schedule 2 to the DPA requires three questions to be asked:

(i) Is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?

(ii) Is the processing involved necessary for the purposes of those interests?

(iii) Is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

Proposition 2: The test of “necessity” under stage (ii) must be met before the balancing test under stage (iii) is applied.

Proposition 3: “Necessity” carries its ordinary English meaning, being more than desirable but less than indispensable or absolute necessity.

Proposition 4: Accordingly the test is one of “reasonable necessity”, reflecting the European jurisprudence on proportionality, although this may not add much to the ordinary English meaning of the term.

Proposition 5: The test of reasonable necessity itself involves the consideration of alternative measures, and so “a measure would not be necessary if the legitimate aim could be achieved by something less”; accordingly, the measure must be the “least restrictive” means of achieving the legitimate aim in question.

Proposition 6: Where no Article 8 privacy rights are in issue, the question posed under Proposition 1 can be resolved at the necessity stage, i.e. at stage (ii) of the three-part test.

Proposition 7: Where Article 8 privacy rights are in issue, the question posed under Proposition 1 can only be resolved after considering the excessive interference question posted by stage (iii).

The UT also added this proposition 8, confirming that the oft-cited cases on condition 6(1) were consistent with each other (proposition 8: The Supreme Court in South Lanarkshire did not purport to suggest a test which is any different to that adopted by the Information Tribunal in Corporate Officer).

Those who are called upon to apply condition 6(1) will no doubt take helpful practical guidance from that checklist of propositions.

Robin Hopkins @hopkinsrobin

Happy birthday FOIA: orthodoxy and liberalism

Posted on | by Robin Hopkins

With FOIA celebrating its tenth birthday this month, it is striking that one of its most taken-for-granted axioms has been called into question. The axiom is this: the relevant time is the time of the request, extending perhaps until the statutory time for compliance with the request. When you are assessing the public interest balance and the engagement of exemptions, that is the time you look to; you ignore later developments.

In Defra v IC and the Badger Trust (GI/79/2014), the requester (the Badger Trust) had requested information about Defra’s risk assessments for the proposed badger culling programme. The ICO ordered disclosure. Defra appealed. The case was transferred to the Upper Tribunal due to a witness anonymity issue. The Upper Tribunal dismissed Defra’s appeal. It was not persuaded by Defra’s evidence as to the public interest balance. The judgment is here DEFRA v ICO and Badger Trust – Judgment on Public Interest.

In its judgment, the UT pondered the question of the relevant time. It declined to rule, but stated that it considered this question to be an open one: see paragraphs 44-48. A central tenet of FOIA/EIR orthodoxy over the past decade has been called into question.

Another recent UT judgment is worthy of note as FOIA turns ten. It does not introduce uncertainty, but rather – from the point of view of FOIA’s fans – provides a heartening affirmation of the purpose of the legislation. The case is UCAS v IC and Lord Lucas [2014] UKUT 0557 (AAC): see here UCAS. It was about the extent to which FOIA applied to UCAS. The point I draw out here is this one, at paragraph 39 of the decision of Judge Wikeley:

“I agree with Mr Knight that the starting point in this exercise in statutory interpretation must be the principle that FOIA is a constitutionally important piece of legislation, the scope of which must be interpreted broadly. This much is plain from Sugar (No. 2) itself (see Lord Walker at [76] and Lord Mance at [110]), as well as from other decisions of the House of Lords and Supreme Court (see Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 at [4] per Lord Hope and Kennedy v Charity Commission [2014] UKSC 20 at [153] per Lord Sumption). This emphasis on a liberal construction is, to borrow a phrase from a different context of statutory interpretation, the golden thread which runs through the FOIA case law, whether in the rarefied atmosphere of the Supreme Court or on the judicial shop floor at the First-tier Tribunal.”

So then, happy birthday FOIA. Some of the assumptions of your youth may be in question, but your golden thread is strong. Somebody put that in a greeting card, please.

I appeared in the Badger Trust case. Chris Knight appeared in the UCAS case.

Robin Hopkins @hopkinsrobin

Campaigning journalism is still journalism: Global Witness and s.32 DPA

Posted on | by Peter Lockley

In an important development in the on-going saga of Steinmetz and others v Global Witness, the ICO has decided that the campaigning NGO is able to rely on the ‘journalism’ exemption under s.32 of the Data Protection Act 1998 (DPA).

The decision has major implications for journalists working both within and outside the mainstream media, not least because it makes clear that those engaged in campaigning journalism can potentially pray in aid the s. 32 exemption. Importantly, it also confirms that the Article 10 right to freedom of expression remains a significant right within the data protection field, notwithstanding recent developments, including Leveson and Google Spain, which have tended to place privacy rights centre-stage (Panopticons passim, maybe even ad nauseam).

Loyal readers will be familiar with the background to the Global Witness case, for which see original post by Jason Coppel QC.

In brief: Global Witness is an NGO which reports and campaigns on natural resource related corruption around the world. Global Witness is one of a number of organisations which has been reporting on allegations that a particular company, BSG Resources Ltd (“BSGR”), secured a major mining concession in Guinea through corrupt means. A number of individuals who are all in some way connected with BSGR (including Benny Steinmetz, reported to be its founder) brought claims against Global Witness under the DPA. The claims included a claim under s. 7 (failure to respond to subject access requests); s. 10 (obligation to cease processing in response to a damage and distress notification); s. 13 (claim for compensation for breach of the data protection principles) and s. 14 (claim for rectification of inaccurate data). Significantly, Mr Steinmetz alleged, amongst other things, that because he was personally so closely connected to BSGR, any information about BSGR amounted to his own personal data. If successful, the claims would have the effect of preventing Global Witness from investigating or publishing further reports on the Guinea corruption controversy.

Global Witness’s primary line of defence in the High Court proceedings was that all of the claims were misconceived because it was protected by the ‘journalism’ exemption provided for by s. 32 of the DPA. After a procedural spat in March (Panopticon report here), Global Witness’s application for a stay of the claims under s. 32(4) DPA was allowed by the High Court. The matter was then passed to the ICO for a possible determination under s.45 DPA. (In summary, such a determination will be made if the ICO concludes, against the data controller, either: (a) that the data controller is not processing the personal data only for the purposes of journalism or (b) it is not processing the data with a view to future publication of journalistic material).

In fact, the ICO declined to make a determination under s. 45. Moreover, he decided that, with respect to the subject access requests made by the claimants, Global Witness had been entitled to rely on the exemption afforded under s. 32. With respect to the latter conclusion, the ICO held that there were four questions which fell to be considered:

(1) whether the personal data is processed only for journalism, art or literature (s.32(1))

When dealing with this question, the ICO referred to his recent guidance Data Protection and journalism: a guide for the media, in which he accepted that non-media organisations could rely on the s.32 exemption, provided that the specific data in question were processed solely with a view to publishing information, opinions or ideas for general public consumption (p.30). He went on to conclude that this requirement could be met even where the publication is part of a wider campaign, provided that the data is not also used directly for the organisation’s other purposes (e.g. research or selling services). The ICO was satisfied that this condition was met for the data in question.

(2) whether that processing is taking place with a view to publication of some material (s.32(1)(a))

It is apparent from the decision letter that Global Witness was able to point to articles it had already published on the Simandou controversy, and since the controversy was on-going, to show it intended to publish more such articles. The ICO was satisfied that, in the circumstances, this second question should be answered in the affirmative.

(3) whether the data controller has a reasonable belief that publication is in the public interest (s.32(1)(b))

The ICO emphasised that the question he had to ask himself was not whether, judged objectively, the publication was in the public interest, but rather whether Global Witness reasonably believed publication was in the public interest. In the circumstances of this case – small NGO shines a spotlight on activities of large multinational in one of the world’s poorest countries amid allegations of serious corruption – he readily accepted that Global Witness held such a belief, particularly as the data related to the data subjects’ professional activities, for which they in any event had a lower expectation of privacy than in relation to their private lives.

(4) whether the data controller has a reasonable belief that compliance is incompatible with journalism. (s.32(1)(c))

Again, the focus here was on Global Witness’ reasonable beliefs. The ICO accepted that Global Witness had reasonable concerns that complying with the subject access requests which had been made by the claimants would prejudice its journalistic activity in two ways:, first, by giving the data subjects advance warning of the nature and direction of Global Witness’ investigations, which could be used to thwarting effect and, second, by creating an environment in which the organisation’s sources might lose confidence in Global Witness’ ability to protect their identities.

The decision will no doubt substantially reassure campaigning and investigative journalists everywhere. Unsurprisingly, it has been widely reported in the media (see e.g. Guardian article, Times article and FT article here). Notably, the FT reports that the claimants are asserting that they intend to challenge the decision. We will have to wait until the New Year to discover whether these assertions translate into action and, if they do translate into action, what form that action will take.

Anya Proops of 11KBW acts for Global Witness.

Peter Lockley