Kennedy reaches the Supreme Court

The most eagerly awaited Information Law hearing of 2013 starts today.  The Supreme Court will be considering the appeal against the decision of the Court of Appeal in Kennedy v Charity Commission and others [2012] EWCA Civ 317.  The case raises the issue of whether Article 10 of the European Convention on Human Rights confers a right of access to information held by public authorities.  It also requires the Court to construe section 32(2) of the Freedom of Information Act 2000 (an absolute exemption applicable to information held for the purpose of an inquiry).  The Supreme Court is being asked to reconsider aspects of its judgment in BBC v Sugar (No 2) and as a result the appeal has been listed before a panel of seven Justices.

For details of the extensive 11KBW involvement in the hearing, see here.
Timothy Pitt-Payne QC

Two new Upper Tribunal decisions: commercial confidentiality, ministerial communications

The Upper Tribunal has issued two decisions on information rights matters this week. Both are by Upper Tribunal Judge David Williams, and both include substantive treatments of some of the issues that arise most commonly in information rights litigation.

Natural Resources Wales and SI Green (UK) Ltd v Information Commissioner and Friends of the Earth Swansea [2013] UKUT 0473 (AAC) saw the Upper Tribunal overturn a First-Tier decision on commercial confidentiality under the Environmental Information Regulations 2004, concerning the operation of a landfill site near Swansea. I was not involved in the First-Tier Tribunal proceedings, but blogged on the decision here. The Upper Tribunal’s decision is here. It found that, contrary to the approach of the First-Tier Tribunal, regulation 12(5)(e) EIR (confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest) is not the same as section 41(1) of FOIA (actionable breach of confidence).

In Judge Williams’ second judgment published this week, he upheld the First-Tier Tribunal’s decision in Cabinet Office v IC and Gavin Aitchison (EA/2011/0263). Anya blogged on the First-Tier Tribunal decision here. In essence, it concerned the takeover of Rowntree by Nestlé in 1988 and what, if anything, ministers in the Thatcher government had said to each other about it. Questions also arose about the relevance of the reduction of the ‘Twenty-Year Rule’ for historical records to a ‘Ten-Year Rule’. The relevant exemptions were sections 35(1)(a) and (b) (formulation or development of government policy; Ministerial communications). The Tribunal found the public interest to favour disclosure (and, as regards one part of the request, confirming or denying whether any information was held relating to Cabinet discussions on the topic). The Upper Tribunal agreed. See here: Cab Off Aitchison GIA 4281 2012-00, and also the coverage by the requester (a journalist at the York newspaper The Press) here.

Given my involvement in both cases, I don’t offer any analysis on Panopticon today. Instead, I offer them as weekend reading for enthusiasts. You’re welcome.

Robin Hopkins

Facebook fan pages: data protection buck stops with Facebook, not page owners

In Re Facebook, VG, Nos. 8 A 37/12, 8 A 14/12, 8 A 218/11, 10/9/13 the Schleswig-Holstein Administrative Court has allowed Facebook’s appeals against rulings of the regional data protection authority (the ULD), Thilo Weichert.

The case involved a number of companies’ use of Facebook fan pages. The ULD’s view was that Facebook breached German privacy law, including through its use of cookies, facial recognition and other data processing. He considered that, by using Facebook fan pages, the companies were facilitating Facebook’s violations by processing users’ personal data on those pages. He ordered them to shut down the fan pages or face fines of up to €50,000.

The appellant companies argued that they could not be held responsible for data protection violations (if any) allegedly committed by Facebook, as they had no control over how that data on the pages was processed and used by the social networking site. The Administrative Court agreed.

The case raises interesting questions about where the buck stops in terms of data processing – both in terms of who controls the processing, and in terms of where they are based. Facebook is based in Ireland, without a substantive operational presence in Germany. Earlier this year, the Administrative Court found – again against the Schleswig-Holstein ULD’s ruling – that Facebook’s ‘real names’ policy (i.e. a ban on pseudonymised profiles) was a matter for Irish rather than German law.

The ULD is unlikely to be impressed by the latest judgment, given that he is reported as having said in 2011 that:

“We see a much bigger privacy issue behind the Facebook case: the main business model of Google, Apple, Amazon and others is based on privacy law infringements. This is the reason why Facebook and all the other global internet players are so reluctant in complying with privacy law: they would lose their main profit resource.”

For more on this story, see links here and here.

Robin Hopkins

Data protection reform in the EU

In 1913, Parliament was debating the Welsh Church Disestablishment Bill.  F. E. Smith described it as “a Bill which has shocked the conscience of every Christian community in Europe”.  This prompted a stinging rebuke from G.K. Chesterton: was it remotely plausible that, say, Breton fishermen or Russian peasants had the slightest interest in any of this?

“Do they, fasting, trembling, bleeding,
Wait the news from this our city?
Groaning, ‘That’s the Second Reading!’
Hissing ‘There is still Committee!’
If the voice of Cecil falters,
If McKenna’s point has pith,
Do they tremble for their altars?
Do they, Smith?”

A hundred years later, the European Parliament is debating data protection reform.  To suggest that every citizen of the Union is hanging on the words of Jan-Philipp Albrecht or Viviane Reding would invite Chestertonian derision.  But there must be a number of businesses that are trembling (if not perhaps fasting or bleeding, as yet) at talk of fines of up to 100 million Euros (or 5% of global turnover, whichever is the greater) for breach of the new requirements.  And the level of interest among ordinary citizens, at any rate in some countries in the EU, should not be underestimated.

The above reflections are prompted by the news that the LIBE Committee of the European Parliament has adopted an agreed position on the proposed new Regulation and Directive.  This gives a mandate for the rapporteurs – MEPs Jan-Philipp Albrecht and Dimitrios Droutsas – to negotiate with the EU Council on Parliament’s behalf.

The full text of the proposed version of the legislation approved by the LIBE Committee has not been made public.  However, this press release from the Commission indicates that there are some important differences between the Commission’s original proposal in January 2012 and the text being put forward by the LIBE Committee.  Notably, the Committee is proposing maximum sanctions of 100 million euros or up to 5% of annual worldwide turnover, as compared with 1 million euros or up to 2% of annual worldwide turnover.

The Committee also wishes to strengthen the territorial scope of the reforms.  The Commission’s original proposal was that in specified circumstances the Regulation should apply to the processing of personal data of data subjects residing in the Union by a controller not established in the Union.  The Committee is proposing that the Regulation should apply to such processing by a controller or processor not established in the Union.

The Commission’s proposal was that this extra-territorial reach of the Regulation should apply where the processing activities were related to the offering of goods and services to data subjects in the Union, or to the monitoring of their behaviour.  The Committee is proposing that the Regulation should apply to the offering of goods or services to data subjects in the Union irrespective of whether a payment of the data subject is required.  So, on the Committee’s text, a social networking site established outside the EU would be caught if it offered membership to individuals in the Union, even if membership was free.  The Committee also proposes that the Regulation should apply to the monitoring of such subjects (not just to the monitoring of their behaviour).

The Committee’s text also would prohibit disclosure outside the EU of personal data processed in the EU, where such disclosure was ordered by a non-EU court or tribunal, unless the transfer was authorised in advance by the relevant EU national data protection authority.  So, it would appear, if a US court ordered disclosure of personal data about UK citizens, then a US company that complied with that order without the prior authorisation of the ICO would be in breach of the Regulation and could be fined.

Media and online comment (see e.g. here and here) has suggested that the European Parliament’s current approach – strengthening the protection for data subjects, in particular in relation to international transfers – is partly a reaction to the revelations by Edward Snowden about the disclosure of personal information to the NSA.

The next step will be for the Council to decide on its position.  There will be a Council discussion between heads of state and government on 24th – 25th October, relating to the digital single market, followed by a meeting of Justice Ministers on data protection reform on 4th – 5th December.  There will then be a “trilogue” between Parliament, the Council, and the Commission.  The President of the European Commission has called for a final text to be agreed before the European Parliamentary elections in May 2014 – though it seems likely that there will be a further 2 years or so before the new legislation comes into effect.

Timothy Pitt-Payne
Fingerprints requirement for passport does not infringe data protection rights

Mr Schwarz applied to his regional authority, the city of Bochum, for a passport. He was required to submit a photograph and fingerprints. He did not like the fingerprint part. He considered it unduly invasive. He refused. So Bochum refused to give him a passport. He asked the court to order it to give him one. The court referred to the Court of Justice of the European Union questions about whether the requirement to submit fingerprints in addition to photographs complied with the Data Protection Directive 95/46/EC.

Last week, the Fourth Chamber of the CJEU gave its judgment: the requirement is data protection-compliant.

The requirement had a legal basis, namely Article 1(2) of Council Regulation 2252/2004, which set down minimum security standards for identity-confirmation purposes in passports.

This pursued a legitimate aim, namely preventing illegal entry into the EU.

Moreover, while the requirements entailed the processing of personal data and an interference with privacy rights, the ‘minimum security standards’ rules continued to “respect the essence” of the individual’s right to privacy.

The fingerprint requirement was proportionate because while the underlying technology is not 100% successful in fraud-detection terms, it works well enough. The only real alternative as an identity-verifier is an iris scan, which is no less intrusive and is technologically less robust. The taking of fingerprints is not very intrusive or intimate – it is comparable to having a photograph taken for official purposes, which people don’t tend to complain about when it comes to passports.

Importantly, the underlying Regulation provided that the fingerprints could only be used for identity-verification purposes and that there would be no central database of fingerprints (instead, each set is stored only in the passport).

This is all common-sense stuff in terms of data protection compliance. Data controllers take heart!

Robin Hopkins

Penalties, PECR and PPI

Niebel v Information Commissioner is the first Tribunal decision about penalties under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  Mr. Niebel successfully appealed against a penalty of £300,000.

The First-tier Tribunal stated that the material before them showed that Mr. Niebel and his company, Tetrus, had sent hundreds of thousands of unsolicited text messages seeking out potential claims for the mis-selling of PPI or for accidents.  There was no dispute that he had breached the requirements under PECR regulation 22, relating to the sending of text messages for direct marketing.  Until 26th May 2011 there was no power to impose penalties for such a breach, but with effect from that date the monetary penalty provisions in the Data Protection Act 1998 (sections 55A-E of the Act) had been extended to cover breaches of PECR.

In the present case, the monetary penalty notice was imposed on 26th November 2011, requiring payment of £300,000.  The Tribunal emphasised the importance of a clear statement in the notice identifying the contravention for which a penalty was imposed.  At the very least this should indicate the regulation contravened, the content of the contravention, and its scale, including roughly how many individual acts there were and how many people were affected.

In this case the Tribunal considered that the notice had failed clearly to identify the contravention.  The notice seemed to be confined to 411 cases, involving a total of 732 texts, in which the recipient had complained to the ICO.  However, some parts of the penalty notice referred to contravention on a much wider scale.

A further difficulty was that the ICO subsequently discovered that most of the 732 texts referred to had been sent before 26th May 2011 (the date when the power to issue penalties came into effect); and the ICO accepted that these earlier texts could not properly be taken into account.  The ICO therefore relied at the Tribunal hearing on 286 texts, not 732:  the number of affected individuals was not stated, but the Tribunal indicated (if the ratio of texts to complaints was consistent) that this would be about 160.

The appeal was brought on one short point.  It was argued that the contravention was not of a kind likely to cause substantial damage or substantial distress, since it was now described as relating to just 286 texts; therefore one of the statutory preconditions for a monetary penalty was not satisfied.

The Tribunal proceeded on the basis that the likelihood of damage and distress should be assessed by reference to the 286 texts now relied upon by the ICO as constituting the contravention, rather than by reference to other evidence showing very large numbers of unsolicited text messages.  On this basis, the requirement that the contravention was of a kind likely to cause substantial damage or substantial distress was not satisfied.  As far as damage was concerned, recipients might incur charges for replying “stop”, and there might be a small charge if texts were received abroad, but none of this was likely to cause substantial damage.  As to distress, the Tribunal considered that the effect of the contravention was likely to be widespread irritation rather than substantial distress.  The Tribunal allowed the appeal and cancelled the penalty notice.

The decision leaves open one very important question.  Would the sending of hundreds of thousands of unwanted marketing messages be likely to give rise to substantial damage or substantial distress?  Could one say that, in aggregate, the small costs imposed on a very large number of individuals amounted to substantial damage? Or that the irritation caused to such a large number constituted substantial distress? This issue will no doubt be of great importance in future appeals about monetary penalties under PECR.

Two of my colleagues appeared in this case:  James Cornwell for the ICO, and Robin Hopkins for the Appellant.  Neither of them, of course, bears any responsibility for the content of this blog post.

Timothy Pitt-Payne