Some results may have been removed under data protection law in Europe. Learn more.

Posted on | by Robin Hopkins

This is the message that now regularly greets those using Google to search for information on named individuals. It relates, of course, to the CJEU’s troublesome Google Spain judgment of 13 May 2014.

I certainly wish to learn more.

So I take Google up on its educational offer and click through to its FAQ page, where the folks at Google tell me inter alia that “Since this ruling was published on 13 May 2014, we’ve been working around the clock to comply. This is a complicated process because we need to assess each individual request and balance the rights of the individual to control his or her personal data with the public’s right to know and distribute information”.

The same page also leads me to the form on which I can ask Google to remove from its search results certain URLs about me. I need to fill in gaps like this: “This URL is about me because… This page should not be included as a search result because…” 

This is indeed helpful in terms of process, but I want to understand more about the substance of decision-making. How does (and/or should) Google determine whether or not to accede to my request? Perhaps understandably (as Google remarks, this is a complicated business on which the dust is yet to settle), Google doesn’t tell me much about that just yet.

So I look to the obvious source – the CJEU’s judgment itself – for guidance. Here I learn that I can in principle ask that “inadequate, irrelevant or no longer relevant” information about me not be returned through a Google search. I also get some broad – and quite startling – rules of thumb, for example at paragraph 81, which tells me this:

“In the light of the potential seriousness of that interference, it is clear that it cannot be justified by merely the economic interest which the operator of such an engine has in that processing. However, inasmuch as the removal of links from the list of results could, depending on the information at issue, have effects upon the legitimate interest of internet users potentially interested in having access to that information, in situations such as that at issue in the main proceedings a fair balance should be sought in particular between that interest and the data subject’s fundamental rights under Articles 7 and 8 of the Charter. Whilst it is true that the data subject’s rights protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.”

So it seems that, in general (and subject to the sensitivity of the information and my prominence in public life), my privacy rights trump Google’s economic rights and other people’s rights to find information about me in this way. So the CJEU has provided some firm steers on points of principle.

But still I wish to learn more about how these principles will play out in practice. Media reports in recent weeks have told us about the volume of ‘right to be forgotten’ requests received by Google.

The picture this week has moved on from volumes to particulars. In the past few days, we have begun to learn how Google’s decisions filter back to journalists responsible for the content on some of the URLs which objectors pasted into the forms they sent to Google. We learn that journalists and media organisations, for example, are now being sent messages like this:

“Notice of removal from Google Search: we regret to inform you that we are no longer able to show the following pages from your website in response to certain searches on European versions of Google.”

Unsurprisingly, some of those journalists find this puzzling and/or objectionable. Concerns have been ventilated in the last day or two, most notably by the BBC’s Robert Peston (who feels that, through teething problems with the new procedures, he has been ‘cast into oblivion’) and The Guardian’s James Ball (who neatly illustrates some of the oddities of the new regime). See also The Washington Post’s roundup of UK media coverage.

That coverage suggests that the Google Spain ruling – which made no overt mention of free expression rights under Article 10 ECHR – has started to bite into the media’s freedom. The Guardian’s Chris Moran, however, has today posted an invaluable piece clarifying some misconceptions about the right to be forgotten. Academic commentators such as Paul Bernal have also offered shrewd insights into the fallout from Google Spain.

So, by following the trail from Google’s pithy new message, I am able to learn a fair amount about the tenor of this post-Google Spain world.

Inevitably, however, given my line of work, I am interested in the harder edges of enforcement and litigation: in particular, if someone objects to the outcome of a ‘please forget me’ request to Google, what exactly can they do about it?

On such questions, it is too early to tell. Google says on its FAQ page that “we look forward to working closely with data protection authorities and others over the coming months as we refine our approach”. For its part, the ICO tells us that it and its EU counterparts are working hard on figuring this out. Its newsletter from today says for example that:

“The ICO and its European counterparts on the Article 29 Working Party are working on guidelines to help data protection authorities respond to complaints about the removal of personal information from search engine results… The recommendations aim to ensure a consistent approach by European data protection authorities in response to complaints when takedown requests are refused by the search engine provider.”

So for the moment, there remain lots of unanswered questions. For example, the tone of the CJEU’s judgment is that DPA rights will generally defeat economic rights and the public’s information rights. But what about a contest between two individuals’ DPA rights?

Suppose, for example, that I am an investigative journalist with substantial reputational and career investment in articles about a particular individual who then persuades Google to ensure that my articles do not surface in EU Google searches for his name? Those articles also contain my name, work and opinions, i.e. they also contain my personal data. In acceding to the ‘please forget me’ request without seeking my input, could Google be said to have processed my personal data unfairly, whittling away my online personal and professional output (at least to the extent that the relevant EU Google searches are curtailed)? Could this be said to cause me damage or distress? If so, can I plausibly issue a notice under s. 10 of the DPA, seek damages under s. 13, or ask the ICO to take enforcement action under s. 40?

The same questions could arise, for example, if my personal backstory is heavily entwined with that of another person who persuades Google to remove from its EU search results articles discussing both of us – that may be beneficial for the requester, but detrimental to me in terms of the adequacy of personal data about me which Google makes available to the interested searcher.

So: some results may have been removed under data protection law in Europe, and I do indeed wish to learn more. But I will have to wait.

Robin Hopkins @hopkinsrobin

GCHQ’s internet surveillance – privacy and free expression join forces

Posted on | by Robin Hopkins

A year ago, I blogged about Privacy International’s legal challenge – alongside Liberty – against GCHQ, the Security Services and others concerning the Prism/Tempora programmes which came to public attention following Edward Snowden’s whistleblowing. That case is now before the Investigatory Powers Tribunal. It will be heard for 5 days, commencing on 14 July.

Privacy International has also brought a second claim against GCHQ: in May 2014, it issued proceedings concerning the use of ‘hacking’ tools and software by intelligence services.

It has been announced this week that Privacy International is party to a third challenge which has been filed with the Investigatory Powers Tribunal. This time, the claim is being brought alongside 7 internet service providers: GreenNet (UK), Chaos Computer Club (Germany); GreenHost (Netherlands); Jimbonet (Korea), Mango (Zimbabwe), May First/People Link (US) and Riseup (US).

The claim is interesting on a number of fronts. One is the interplay between global reach (see the diversity of the claimants’ homes) and this specific legal jurisdiction (the target is GCHQ and the jurisdiction is the UK – as opposed, for example, to bringing claims in the US). Another is that it sees private companies – and therefore Article 1 Protocol 1 ECHR issues about property, business goodwill and the like – surfacing in the UK’s internet surveillance debate.

Also, the privacy rights not only of ‘ordinary’ citizens (network users) but also specifically those of the claimants’ employees are being raised.

Finally, this claim sees the right to free expression under Article 10 ECHR – conspicuously absent, for example, in the Google Spain judgment – flexing its muscle in the surveillance context. Privacy and free expression rights are so often in tension, but here they make common cause.

The claims are as follows (quoting from the claimants’ press releases):

(1) By interfering with network assets and computers belonging to the network providers, GCHQ has contravened the UK Computer Misuse Act and Article 1 of the First Additional Protocol (A1AP) of the European Convention of Human Rights (ECHR), which guarantees the individual’s peaceful enjoyment of their possessions

(2) Conducting surveillance of the network providers’ employees is in contravention of Article 8 ECHR (the right to privacy) and Article 10 ECHR (freedom of expression)

(3) Surveillance of the network providers’ users that is made possible by exploitation of their internet infrastructure, is in contravention of Arts. 8 and 10 ECHR; and

(4) By diluting the network providers’ goodwill and relationship with their users, GCHQ has contravened A1AP ECHR.

Robin Hopkins @hopkinsrobin

More on Spamalot

Posted on | by Anya Proops KC

Following on from my post earlier today on Niebel, readers may like to note that Jon Baines’s excellent blog, Information Rights and Wrongs has an interesting and detailed analysis of the Mansfield v John Lewis case – see here. The article suggests that Mr Mansfield’s damages may have garnered him the princely sum of £10!

Criminal records scheme incompatible with Convention rights – Supreme Court judgment

Posted on | by Anya Proops KC

As readers of this blog will know, the application of the Government’s criminal records scheme has been subject to extensive litigation of late (see further not least my post on an appeal involving a teacher and my post on an appeal involving a taxi-driver). Perhaps most importantly, in the case of T & Anor v Secretary of State for the Home Department, questions have been raised about whether the scheme as a whole is compatible with Convention rights and, in particular, the Article 8 right to privacy. Last year, the Court of Appeal concluded that the scheme was incompatible (see further Christopher Knight’s analysis of the Court’s judgment here). In a judgment given yesterday, the majority of the Supreme Court has agreed with that conclusion (Lord Wilson dissenting). The judgment will no doubt be subject to further analysis on Panopticon over the next few days. However, in short, the Supreme Court held that:

(a)    warnings and cautions given to the appellants by the police engaged their Article 8 right to privacy

(b)    the disclosure of those warnings and cautions in enhanced criminal records certificates (ECRCs) issued under the scheme amounted to an interference with the appellants’ right to privacy,  particularly as it affected their ability to enter a particular chosen field of endeavour, for example their ability to secure particular jobs and

(c)    the interference could not be justified under Article 8(2), particularly because the indiscriminate manner in which such information was provided under the scheme was not ‘in accordance with law’ for the purposes of Article 8(2), was not ‘necessary in a democratic society’ and was not otherwise proportionate.

On the latter point, the majority of the Supreme Court was clearly concerned about the fact that, in the context of ECRCs, warnings and cautions could be included in the relevant certificate irrespective of the nature of the offence, how the case had been disposed of, the time which had elapsed since the offence took place, the relevance of the data to the employment sought and the absence of any mechanism for independent review of a decision to disclose data. The majority of the Supreme Court evidently regarded the case of T as perfectly illustrative of the dangers inherent in such an indiscriminate scheme. In T, an ECRC was issued in respect of T containing information concerning police warnings which T had received when he was 11, in connection with the theft of bicycles. In the majority’s view, it was entirely unnecessary for such information to be disclosed when T applied, aged 17, for a job which involved working with children and also when he applied, aged 19, to attend university. The majority also refused the appeal against the Court of Appeal’s declaration of incompatibility in respect of the relevant primary legislation, namely the Police Act 1997.

What we see with this judgment, as with many judgments concerning the application of Convention rights, is a reluctant to favour blanket, administratively convenient solutions over more nuanced individual-centred schemes.

11KBW’s Jason Coppel QC acted for the Secretary of State. Tim Pitt-Payne QC appeared on behalf of Liberty.

Anya Proops

Victory for Spamalot – Niebel in the Upper Tribunal

Posted on | by Anya Proops KC

The spamming industry is a decidedly irritating but sadly almost unavoidable feature of our networked world. There is no question but that spamming (i.e. the sending of unsolicited direct marketing electronic communications) constitutes an unlawful invasion of our privacy (see further regs 22-23 of the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (PECR), implemented under EU Directive 2002/21/EC). The question is what can be done to stop it, particularly given that individual citizens will typically not want to waste their time litigating over the odd spam email or text?

Well one way to address this problem would be to have an effective penalties regime in place, one that effectively kicked the spammers where it hurts by subjecting them to substantial financial penalties. No surprise then that, in 2009, the EU Directive which prohibits spamming was amended so as to require Member States to ensure that they had in place penalties regimes which were ‘effective proportionate and dissuasive’ (see Article 15a of the Directive). This provision in turn led to amendments to PECR which resulted in the monetary penalty regime provided for under s. 55A of the Data Protection Act 1998 being effectively incorporated into PECR. Readers of this blog will be aware of recent litigation over the application of s. 55A in the context of cases involving breaches of the DPA (see further the current leading case on this issue Central London Community Healthcare NHS Trust v Information Commissioner [2014] 1 Info LR 51, which you can read about here). But is the DPA monetary penalty regime really fit for purpose when it comes to dealing with spamming activities which are prohibited by PECR? If the recent decision by the Upper Tribunal in the case of Information Commissioner v Niebel is anything to go by, the answer to that question must be a resounding no.

The background to the Niebel case is as follows. Mr Niebel had sent out unsolicited text messages on an industrial scale. The texts sought out potential claimants in respect of misselling of PPI loans. The Information Commissioner, who had received hundreds of complaints about the texts, went on to issue Mr Niebel with a monetary penalty of £300,000. So far so unsurprising you might say. However, Mr Niebel has since managed to persuade the First-Tier Tribunal (FTT) to quash the penalty in its entirety (see its decision here) and now the Upper Tribunal (UT) has decided that the penalty should be left firmly quashed (see the UT’s decision here).

So how has Mr Niebel been able to avoid any penalty despite the patently unlawful nature of his activities? To answer that question one first has to understand the ostensibly high threshold which must be cleared if the power to impose a penalty is to be engaged. In short, the legislation only permits a penalty to be issued if there is ‘a serious contravention’ of the legislation (s. 55A(1)(a) and that contravention was ‘of a kind likely to cause substantial damage or substantial distress’ (s. 55A(1)(b) – there is also a knowledge requirement (s. 55A(1)(c)) however that requirement will typically be made out in the case of unlawful spammers). But can it really be said that the sending of relatively anodyne spam text message is ‘of a kind likely to cause recipients substantial damage or substantial distress’? Both the FTT and the UT have now firmly answered this question in the negative.

In the course of its decision, the UT considered the following arguments advanced by the Commissioner.

–        First, when deciding whether the contravention was ‘of a kind’ likely to cause substantial damage or substantial distress, it was possible to take into account not only the scale of the particular texts in issue but also the scale of Mr Niebel’s overall spamming operation. This was an important argument in the context of the appeal because, whilst there was no doubt that over time Mr Niebel had sent out hundreds of thousands of unsolicited communications, the Commissioner had identified ‘the contravention’ as relating only to 286 text messages in respect of which he had received complaints. (He had accepted that some 125 other complaints could not be taken into account as they related to communications sent prior to the coming into force of the penalties regime). The issue was therefore whether the wider context could be taken into account when deciding whether the contravention was ‘of a kind’ likely to cause substantial damage or substantial distress.

–        Second, the word ‘substantial’ in this context must be construed as meaning merely that the damage or distress was more than trivial. This is because the penalties regime was plainly intended to bite on unlawful spammers who caused low level damage or mere irritation, and such individuals would not be caught by the legislation if the word ‘substantial’ was construed as carrying any greater weight.

–        Third, the FTT had otherwise erred when it concluded that the 286 texts in issue were not of a kind likely to cause substantial damage or substantial distress.

On the first argument, the UT accepted that the scale of the contravention could be taken into account when deciding whether it was of a kind likely to cause substantial damage or substantial distress. However, it rejected the argument that Mr Niebel’s wider spamming activities were relevant to the analysis. The UT concluded that activities these did not form part of the ‘contravention’ relied upon by the Commissioner and were not therefore relevant to the analysis when it came to deciding whether s. 55A was engaged (para. 38).

On the second argument, the UT accepted Mr Niebel’s argument that it was not appropriate to try and deconstruct the meaning of the word ‘substantial’ and that the FTT had not erred when it had concluded simply that the question whether the substantial element was made out was ‘ultimately a question of fact and degree’ (paras. 42-51).

On the third argument, the UT held that the FTT’s decision that the 286 texts in issue were not of a kind to cause substantial damage was ‘simply unassailable’. The FTT had been entitled to conclude that the mere fact that recipients might have felt obliged to send ‘STOP’ messages to Mr Niebel did not amount to ‘substantial damage’ (para. 54). On the question of substantial distress, the FTT had been right to conclude that not all injury to feelings would amount to ‘distress’ and that irritation or frustration was not the same as distress. It concluded that there was nothing in the recent judgments in Halliday v Creation Consumer Finance or Vidal-Hall v Google which required a different result. Moreover, the UT was not prepared to accept that the FTT had failed to take into account evidence before it arguably suggesting that individual complainants were in fact substantially distressed by the messages. In the UT’s view the FTT had plainly been mindful of this evidence when it reached its conclusions (paras. 67-73).

Perhaps the most telling line in the judgment is to be found in paragraph 65 where the UT, having noted that the Commissioner had probably done all he could to draw Mr Niebel into the cross-hairs of the legislation, went on to conclude that the most profitable course would be for ‘the statutory test to be revisited with a view to making it better fit the objectives of the 2002 Directive (as amended). So, for example, a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than “substantial damage or substantial distress”, might well have resulted in a different outcome. What cannot be doubted is that, absent a successful appeal against the UT’s decision, this legislation will need to be revisited so as to avoid a situation where the spammers end up laughing all the way to the bank whilst the penalties regime descends into obsolescence.

However, I should add that the picture is not altogether rosy for the spammers of this world. According to recent media reports, John Lewis has recently had to pay out damages to Roddy Mansfield, Sky News producer, after it sent him an unsolicited marketing email (see the Sky News report of the matter here – the report does not confirm the quantum of the damages). This rather raises the question of whether, in the face of an apparently deficient monetary penalty regime, the best cure for the disease of unlawful spamming might be to mount a group action.

The Niebel case was another 11KBW affair with Robin Hopkins acting for Mr Niebel and James Cornwell acting for the ICO.

Anya Proops

Fairness under the DPA: public interests can outweigh those of the data subject

Posted on | by Robin Hopkins

Suppose a departing employee was the subject of serious allegations which you never had the chance properly to investigate or determine. Should you mention these (unproven) allegations to a future employer? Difficult questions arise, in both ethical and legal terms. One aspect of the legal difficulty arises under data protection law: would it be fair to share that personal information with the prospective employer?

The difficulty is enhanced because fairness – so pivotal to data protection analysis – has had little or no legal treatment.

This week’s judgment of Mr Justice Cranston in AB v A Chief Constable [2014] EWHC 1965 (QB) is in that sense a rare thing – a judicial analysis of fairness.

AB was a senior police officer – specifically, a chief superintendent. He was given a final written warning in 2009 following a disciplinary investigation. Later, he was subject to further investigation for allegedly seeking to influence the police force’s appointment process in favour of an acquaintance of AB; this raised a number of serious questions, including about potential dishonesty, lack of integrity, and so on.

AB was on sick leave (including for reasons related to psychological health) for much of the period when that second investigation was unfolding. He was unhappy with how the Force was treating him. He got an alternative job offer from a regulator. He then resigned from the Force before the hearing concerning his alleged disciplinary offences. His resignation was accepted. The Force provided him with a standard reference, but the Chief Constable then took the view that – given the particular, unusual circumstances – he should provide the prospective employer with a second reference, explaining the allegations about AB.

The second reference was to say inter alia that:

“[AB’s] resignation letter pre-dated by some 13 days a gross misconduct hearing at which he was due to appear to face allegations of (i) lack of honesty and integrity (ii) discreditable conduct and (iii) abuse of authority in relation to a recruitment issue. It is right to record that he strenuously denied those allegations. In the light of his resignation the misconduct hearing has been stayed as it is not in the public interest to incur the cost of a hearing when the officer concerned has already resigned, albeit his final date of service post-dating the hearing.”

AB objected to the giving of the second reference and issued a section 10 notice under the Data Protection Act 1998. The lawfulness of the Force’s proposed second reference arose for consideration by Cranston J.

The first issue was this: was the Chief Constable legally obliged to provide a second reference explaining those concerns?

Cranston J held that, in terms of the common/private law duty of care (on the Hedley Byrne line of authority), the answer was no. As a matter of public law, however – and specifically by reference to the Police Conduct Regulations – the answer was yes: “the Chief Constable was obliged by his duty to act with honesty and integrity not to give a standard reference for the recipient because that was misleading. Something more was demanded. In this case the Chief Constable was prima facie under a duty to supply the Regulatory Body at the least with the information about disciplinary matters in the second reference.”

Note the qualifier ‘prima facie’: the upshot was that the duty was displaced if the provision of the second reference would breach the DPA. This raised a number of issues for the Court.

First, no information about AB’s health could be imparted: this was sensitive personal data, and the Chief Constable did not assert that a Schedule 3 DPA condition was met (as required under the First Data Protection Principle).

What about the information as to the disciplinary allegations AB faced? This was not sensitive personal data. Therefore, under the First Data Protection Principle, it could be disclosed if to do so would be (a) fair, (b) lawful, and (c) in accordance with a Schedule 2 condition.

The last two were unproblematic: given the prima facie public law duty to make the second reference here, it would lawful to do so and condition 3 from Schedule 2 would be met.

This left ‘fairness’, which Cranston J discussed in the following terms:

“There is no definition of fairness in the 1998 Act. The Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, to which the 1998 Act gives effect, contains a reference to protecting privacy rights, as recognised in article 8 of the European Convention on Human Rights and in general principles of EU law: recital 10. However, I cannot accept Mr Lock QC’s submission that the duty of fairness under the Directive and the 1998 Act is a duty to be fair primarily to the data subject. The rights to private and family life in Article 8 are subject to the countervailing public interests set out in Article 8(2). So it is here: assessing fairness involves a balancing of the interests of the data subject in non-disclosure against the public interest in disclosure.”

In conducting this balance between the interests of AB and those of others (including the public interests), Cranston J ultimately – on the particular facts – concluded that it would have been unfair to provide the second reference. There were strong fairness arguments in favour of disclosure – a see paragraph 78 (my emphasis):

“… The focus must be on fairness in the immediate decision to disclose the data [as opposed to a wider-ranging inquiry into the data subject’s conduct in the build-up to disclosure]. In this case the factors making it fair to disclose the information were the public interest in full and frank references, especially the duty of the police service properly to inform other police forces and other regulatory bodies of the person they are seeking to employ. To disclose the information in the second reference would patently have been fair to the Regulatory Body, so it could make a rounded assessment of the claimant, especially given his non-disclosure during the application process.”

However, the balance tipped in AB’s favour. This was partly because the Force’s policy – as well as the undertaken specifically given to AB – was to provide only a standard reference. But (see paragraph 79):

“… what in my view is determinative, and tips the balance of fairness in this case in favour of the claimant, is that he changed his position by resigning from the Force and requesting it to discontinue the disciplinary proceedings, before knowing that the Chief Constable intended to send the second reference. That second reference threatened the job which he had accepted with the Regulatory Body. It is unrealistic to think that the claimant could have taken steps to reverse his resignation in the few weeks before it would take effect. Deputy Chief Constable CD for one had indicated that he would not allow it. The reality was that the claimant was in an invidious position, where in reliance on what the Force through GH had said and done, he was deprived of the opportunity to reinstate the disciplinary proceedings and to fight the allegations against him. This substantive unfairness for the claimant was coupled with the procedural unfairness in the decision to send the second reference without giving him the opportunity to make representations against that course of action. Asking him to comment on its terms after the final decision to send the second reference was too little, too late.”

Therefore, because of unfairness in breach of the DPA and because of AB’s legitimate expectations, the second reference was not lawful.

While Cranston J rightly emphasised the highly fact-specific nature of his overall conclusion, aspects of his discussion of fairness will potentially be of wider application.

So too will his reminder (by way of quoting ICO guidance) that, when it comes to section 10 notices, “Although this [section 10] may give the impression that an individual can simply demand than an organisation stops processing personal data about them, or stops processing it in a particular way, the right is often overstated. In practice, it is much more limited”. Again, in other words, a balancing of interests and an assessment of the justification for the processing is required.

With the ‘right to be forgotten’ very much in vogue, that is a useful point to keep in mind.

Robin Hopkins @hopkinsrobin