Panopticon – Page 99 – Information law blog, from 11 KBW

Charges under Reg 8 EIR: a Power Cut for Public Authorities

Posted on 23rd March 2013 | by Christopher Knight

In Kirklees Council v IC & Pali Ltd [2011] UKUT 104 (AAC) the Upper Tribunal held, in the context of property search information, that reg 8(2) EIR precluded an authority from charging for allowing applicants to inspect information in situ and that a charge was only permissible if copy documents were provided to the applicant or the information was accessed other than by means of in situ inspection. The First-tier Tribunal has revisited the application of the charging rule in reg 8 EIR, again in the context of property search information, in Leeds City Council v IC & APPS Claimants (EA/2012/0020-21) (judgment of 22 March 2013).

The requestors had requested all the information the Council held which would enable them to complete and answer the questions in the relevant property search form issued by the Law Society (the CON29R form). Some of this information was made available by enabling free public inspection, but not all of it. The Council charged, under reg 8(1), the requestors £22.50 for the fulfillment of their request. This was the same sum that the Council charged for completion of the CON29R form (although the request had been for the raw data and not for the Council to complete the form itself) and the costs were calculated on the basis of staff time etc, rather than solely on the costs of disbursements (such as photocopying). The primary question for the FTT was whether the non-disbursement costs could properly be the subject of a charge under reg 8 EIR.

The FTT held that they could not. There was no authority directly on the point – Kirklees not having had to decide this issue – and the FTT had primarily to decide the issue by reference to the principles underlying the Aarhus Convention, the Directive and the EIR. It considered that the Implementation Guidance to the Convention to be of assistance because it referred only charges within the disbursement category: at [52]-[53]. As to the Directive, the FTT found the judgment of the ECJ in Case C-217/97 Commission v Germany [1999] ECR I-5087 to be helpful, finding that the meaning of the judgment was clear: “The costs that can be imposed relate to the act of supplying information in order to comply with a request, not to the act of identifying or retrieving or collating the relevant material in the first place”: at [76]. The public authority is not, following Kirklees, entitled to charge for its evaluative and collation work so that it benefits from a failure to put in place proper systems to permit EIR requests to be dealt with by free public inspection: at [78].

Unsurprisingly, given the purpose of and recitals to the Directive, the FTT accepted that any approach to the interpretation of charges must be narrow to be consistent with the aim of increasing public access to environmental information. Any interpretation which permitted charges to include more than disbursement costs would have “significant adverse consequences” to that access. A public authority may not charge “for the cost of administrative tasks or administrative acts which may include, but are not necessarily limited to, the spent by staff in locating, retrieving or redacting the information requested”: at [96]-[99].

The FTT’s conclusion on that issue resolved the appeal against the Council, but it went on to indicate its view as to the reasonableness of the charge imposed by the Council in any event. It considered that £22.50 was not a reasonable charge within the meaning of reg 8(3) EIR. In particular, the Council had automatically completed the CON29R form itself and charged the standard rate rather than answering the specific request for the raw data, as well as providing data at a charge which was already available for free. The charge was calculated by reference to matters which should not have been taken into account: “the nature of the information, the motives and assumed means of the applicants, the use to which the information would be put, and the fact that no objections had been received to the CON29R fee”: at [102](ii). Various of the other factors the FTT considered at [102] may be of assistance in other disputes over the reasonableness of the charge, although if the charge remains limited to disbursements such challenges may be relatively rare. The Council was also criticised for a failure to comply with reg 8(8) in that it had not published a schedule of charges, or the basis for their calculation, which could be scrutinised for fairness and reasonableness and as a result lost the entitlement to levy a charge under reg 8(1): at [118]-[119].

The case provides some helpful clarity to an area of some practical importance to public authorities, and is of considerable utility to those requesting environmental information. It remains to be seen whether it triggers a rash of complaints to the Commissioner about the reasonableness of the copying and postage charges levied under reg 8(1) (although they must, of course, be published in advance under reg 8(8)), but there is no doubt that the judgment in Leeds should prompt all public authorities to examine their information systems and charging structures to ensure that they are genuinely restricting themselves to charging for disbursements.

Anya Proops appeared for the Information Commissioner.

Christopher Knight

Privacy, Protests and Policing

Posted on 20th March 2013 | by Timothy Pitt-Payne KC

In Catt v ACPO and others; T v Commissioner of Police of the Metropolis and another [2013] EWCA Civ 192, the Court of Appeal considered two appeals regarding the powers of the police to collect and retain personal information about members of the public. Both cases turned on the application of Article 8 of the Convention; in both, the Court held that there had been an interference with the Article 8(1) right to respect for private life, and that the interference was not justified under Article 8(2).

The retention of personal information by the police has given rise to extensive litigation in recent years: see e.g. Chief Constable of Humberside and others v Information Commissioner [2009] EWCA Civ 1079 (retention of conviction information on police national computer); and S and Marper v UK [2008] ECHR 1581 (operation of national DNA dabatase). Although the Humberside case concerned the Data Protection Act 1998, since it arose out of enforcement action taken by the Information Commissioner under that Act, most of the cases have turned on the application of Article 8. A recurring issue, and one on which the Catt case is especially important, is whether and in what circumstances the recording and retention of information about events taking place in public will constitute an interference with the Article 8 right to respect for private life.

The first appeal concerned Mr. John Catt, described in the judgment of the Court as someone who “over a long lifetime has been an ardent and frequent protestor against what he sees as a variety of forms of injustice”. He had attended public demonstrations organised by “Smash EDO”, a group campaigning against a weapons manufacturer operating on the outskirts of Brighton. Some of the core supporters of Smash EDO were prone to violence and criminal behaviour, but Mr. Catt had not been convicted of criminal conduct of any kind in connection with any demonstration that he had attended. Personal information about Mr. Catt was held on the National Domestic Extremism Database, mostly consisting of reports by police officers attending Smash EDO demonstrations. Mr. Catt had not been the specific target of observations, but was referred to incidentally in descriptions of what the police at the scene had observed. It appeared that this information was to be retained indefinitely.

In judicial review proceedings, Mr. Catt contended that the continued retention of this information about him constituted an unjustified interference with his Article 8 rights. His claim was rejected by the Divisional Court.

The second appellant, referred to as Ms T, was served with a police warning letter following an allegation that she had directed a single homophobic insult against the friend of a neighbour. She denied the allegation; in judicial review proceedings based on an alleged infringement of her Article 8 rights, she sought an order that the police should destroy their copy of the warning letter and remove from their records all references to the decision to serve it. Again, her claim failed at first instance. Before the appeal hearing the police reviewed the information and decided to expunge it, but the Court of Appeal nevertheless heard and determined the appeal because of the importance of the issues raised.

The judgment in Catt begins with a survey of recent developments in relation to Article 8. This part of the judgment is likely to become an important reference point in any future cases about the retention and use of police information.

As to the circumstances in which there would be an interference with the Article 8(1) right, the Court began by referring to the observation of Lord Nicholls in Campbell v MGN Ltd [2004] UKHL 22, that the touchstone of private life is whether in respect of the disclosed facts the person in question had a reasonable expectation of privacy. However, recent cases showed that the position was more complex. Even information of a public nature could become private over the course of time, as memories faded. Moreover, the storage and use of personal information gathered from open sources could nevertheless involve an interference with private life.

In relation to justification under Article 8(2), the Court reiterated the three well-known requirements that the conduct in question must be in accordance with the law; carried out in pursuit of a legitimate aim; and proportionate to the aim sought to be achieved. The issue of “legitimate aim” did not cause any difficulty in the present cases: the police were acting to prevent disorder and crime, and protect the rights and freedoms of others. In cases about the collection and retention of personal information about private individuals, the issues of legality and proportionality were closely related. As to proportionality, the overriding principle was that there should be a fair balance between the personal interest of the claimant in maintaining respect for his public life, and the pursuit of a legitimate aim in the interests of the public at large. The Court needed to pay careful attention to the nature of the information in question, the circumstances in which it could be obtained, the ways in which it could be processed and by whom, the period of retention, and the arrangements for its destruction.

Applying these principles to Mr. Catt’s case, the first issue was whether there was any interference with his right under Article 8(1). The Divisional Court had held that there was not: none of those attending the Smash EDO demonstrations can have had a reasonable expectation of privacy, since it was of the essence of such activity that it was of a public nature. The Court of Appeal took a different approach, focusing on the collection and retention of data about Mr. Catt rather than on the public nature of his activities at the demonstrations themselves. The processing and retention of even publicly available information could constitute a interference with Article 8 rights, especially when the information was subjected to systematic processing and entered on a database that was searchable by reference to specific individuals.

Turning to the issue of justification under Article 8(2), the Court focused on the issue of proportionality. It accepted that the police needed to obtain a better understanding of how Smash EDO was organised, so as to anticipate its future conduct and tactics. However, the Court did not consider that the information held about Mr. Catt was of sufficient value to justify its retention. It commented that the police appeared to be recording the names of any persons they could identify at Smash EDO demonstrations, regardless of the nature of their participation. The retention of Mr. Catt’s information on the database was therefore an unjustified interference with his Article 8 rights, and hence was unlawful.

As to the second case, that of Ms T, the Court held that the action of the police in issuing the warning letter did not in itself amount to an interference with her Article 8(1) rights, but that the retention in police records of a copy of the letter, and information describing the circumstances in which it had been issued, did constitute an interference. While the retention of this information for a short period was justified, it was hard to see how retention for more than a year or so could be of any value. If the information had not been destroyed before the appeal hearing, then its continued retention woud have been disproportionate.

The message from both cases is that, even where events take place in public, the recording and retention of information about them can interfere with the right to respect for private life. The Court is especially concerned with the sitation where information is retained indefinitely on databases where it is searchable by reference to individual names. In relation to justification, the cases suggest that the Court will scrutinise closely both the precise nature of the information retained, and its value for policing purposes. The analysis in Catt will be an essential starting-point in any future consideration of how Article 8 applies to police use of information.

Court of Appeal rules on damages for frustration at DPA breach

Posted on 18th March 2013 | by Robin Hopkins

On a day in which the remedying of privacy breaches of the kind considered by Leveson LJ dominated parliamentary debate, the Court of Appeal (Arden LJ, Lloyd LJ and Ryder J) delivered an interesting judgment on remedies for privacy breaches of the data protection variety.

Halliday v Creation Consumer Finance concerned Mr H’s appeal against a damages award to him under s. 13 of the Data Protection Act 1998. He had obtained default judgment against CCF for its breach of the DPA: it had accidentally and temporarily passed to a credit reference agency incorrect information about his allegedly having an unpaid debt of £1500 (Mr H and CCF had in fact resolved their dispute by that point). The judge at first instance awarded Mr H nominal damages of no fixed amount, but was not satisfied that there was evidence of reputational harm or prejudice to Mr H’s credit position. Mr H therefore received nothing in the way of substantial damages.

His appeal has been allowed. Nominal damages were set at £1 – as Panopticon understands it, this appears to have sufficed as ‘damage’ for s. 13(1) purposes, thereby entitling Mr H to compensation for distress under s. 13(2). He was awarded £750 in recognition of his distress and frustration at CCF’s wrongful processing, but there was no cogent evidence of him having suffered injury to feelings at the time, and CCF’s breach was a technical error rather than an intentional mis-statement. Hence the somewhat insubstantial sum by way of substantial damages.

Mr H sought to rely on Article 24 of Directive 95/46/EC which provides that member states must provide for sanctions where data protection rights have been infringed, but the Court of Appeal held that he could not seek direct enforcement of that provision in private proceedings, and that it was not the function of the civil courts to impose sanctions on data controllers – rather, their function under s. 13 of the DPA was to compensate data subjects.

It is understood that this judgment was delivered ex tempore, with a written judgment to follow, along with more Panopticon analysis.

Robin Hopkins

Privacy and data protection developments in 2013: Google, Facebook, Leveson and more

Posted on 11th March 2013 | by Robin Hopkins

Data protection law was designed to be a fundamental and concrete dimension of the individual’s right to privacy, the primary safeguard against misuse of personal information. Given those ambitions, it is surprisingly rarely litigated in the UK. It also attracts criticism as imposing burdensome bureaucracy but delivering little in the way of tangible protection in a digital age. Arguably then, data protection law has tended to punch below its weight. There are a number of reasons for this.

One is that Directive 95/46/EC, the bedrock of data protection laws in the European Union, is the product of a largely pre-digital world; its drafters can scarcely have imagined the ubiquity of Google, Twitter, Facebook and the like.

Another is that in the UK, the evolution of Article 8 ECHR and common law privacy and breach of confidence actions has tended to deprive the Data Protection Act 1998 of the oxygen of litigation – before the House of Lords in Campbell v MGN [2004] UKHL 22, for example, it was agreed that the DPA cause of action “added nothing” to the supermodel’s breach of confidence claim (para. 130).

A further factor is that the DPA 1998 has historically lacked teeth: a court’s discretion to enforce subject access rights under s. 7(9) is “general and untrammelled” (Durant v FSA [2003] EWCA Civ 1746 at para. 74); damages under s. 13 can only be awarded if financial loss has been incurred, and the Information Commissioner has, until recently, lacked robust enforcement powers.

This landscape is, however, undergoing very significant changes which (one hopes) will improve data protection’s fitness for purpose and amplify its contribution to privacy law. Here is an overview of some of the more notable developments so far in 2013.

The draft Data Protection Regulation

The most fundamental feature of this landscape is of course EU law. The draft DP Regulation, paired with a draft Directive tailored to the crime and security contexts, was leaked in December 2011 and published in January 2012 (see Panopticon’s analysis here). The draft Regulation, unlike its predecessor would be directly effective and therefore not dependent on implementation through member states’ domestic legislation. Its overarching aim is harmonisation of data protection standards across the EU: it includes a mechanism for achieving consistency, and a ‘one-stop shop’ regulatory approach (i.e. multinationals are answerable only to their ‘home’ data protection authority). It also tweaks the law on international data transfers, proposes that most organisations have designated data protection officers, offers individuals a ‘right to be forgotten’ and proposes eye-watering monetary penalties for data protection breaches.

Negotiations on that draft Regulation are in full swing: the European Parliament and the Council of the European Union’s DAPIX (Data Protection and Information Exchange) subgroup working on their recommendations separately before coming together to approve the final text (for more detail on the process, see the ICO’s outline here).

What changes, if any, should be made to the draft before it is finalised? That rather depends on who you ask.

In January 2013, the UK government set out its views on the draft Regulation. It did so in the form of its response to the recommendations of the Justice Select Committee following the latter’s examination of the draft Regulation. This is effectively the government’s current negotiation stance at the EU table. It opposes direct effect (i.e. it wants a directive rather than a regulation), thinks the ‘right to be forgotten’ as drafted is misconceived, favours charging for subject access requests and opposes the mandatory data protection officer requirement. The government considers that promoters of the draft have substantially overestimated the savings which the draft would deliver to business. The government also “believes that the supervisory authorities should have more discretion in the imposition of fines and that the proposed removal of discretion, combined with the higher levels of fines, could create an overly risk-averse environment for data controllers”. For more on its stance, see here.

The ICO has also has significant concerns. It opposes the two-stream approach (a mainstream Regulation and a crime-focused Directive) and seeks clarity on psedonymised data and non-obvious identifiers such as logs of IP addresses. It thinks the EU needs to be realistic about a ‘right to be forgotten’ and about its power over non-EU data controllers. It considers the current proposal to be “too prescriptive in terms of its administrative detail” and unduly burdensome for small and medium-sized enterprises in particular.

Interestingly, while the ICO favours consistency in terms of sanctions, it cautions against total harmonisation on all fronts: “Different Member States have different legal traditions. What is allowed by law is not spelled out in the UK in the way that it is in some other countries’ legal systems. The proposed legislation needs to reflect this, particularly in relation to the concept of ‘legitimate interests’.” For more on the ICO’s current thinking, see here.

Those then are the most influential UK perspectives. At an EU level, the European Parliament’s report on the draft Regulation is more wholeheartedly supportive. The European Parliament’s Industry Committee is somewhat more business-friendly in its focus, emphasising the importance of EU-wide consistency and a ‘one-stop shop’. Its message is clear: business needs certainty on data protection requirements. It also urges further exemptions from data protection duties for small and medium-sized enterprises “which are the backbone of Europe’s economy”. The Industry Committee’s views are available here.

Negotiations continue, the aim being to finalise the text by mid-2013. The European Parliament is likely to press for the final text to resemble the draft very closely. On the other hand, Ireland holds the Presidency of the Commission and of DAPIX – until mid-2013. Its perspective is probably closer to the UK ICO’s in tenor. There are good prospects of at least some of their views to be reflected in the final draft.

A number of the themes of the draft Regulation and the current negotiations are already surfacing in litigation, as explained below.

The Leveson Report

Data protection legislation in the UK will be affected not only by EU developments but by domestic ones too.

In recent weeks, debate about Leveson LJ’s report on the culture, practices and ethics of the press has tended to focus on the Defamation Bill which is currently scraping its way through Parliament. In particular, the debate concerns the merits of an apparently-Leveson inspired amendment tabled by Lord Puttnam which, some argue, threatens to derail this legislative overhaul of libel law in the UK (for one angle on this issue, see David Allen Green’s piece in the New Statesman here).

The Leveson Report also included a number of recommendations for changes to the DPA 1998 (see Panopticon’s posts here and here). These included overhauling and expanding the reach of the ICO and allowing courts to award damages even where no financial loss has been suffered (arguably a befitting change to a regime concerned at heart with personal privacy).

The thorniest of Leveson LJ’s DPA recommendations, however, concerned the wide-ranging ‘journalism exemption’ provided by s. 32. The ICO has begun work on a code of practice on the scope and meaning of this exemption. It has conducted a ‘framework consultation’, i.e. one seeking views on the questions to be addressed by the code, rather than the answers at this stage (further consultation will happen once a code has been drafted).

There is potential for this code to exert great influence: s. 32(3) says that in considering whether “the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with” any relevant code of practice – if it has been designated by order of the Secretary of State for this purpose. There is as yet no indication of an appetite for such designation, but it is hoped that, the wiser the code, the stronger the impetus to designate it.

The ICO’s framework consultation closes on 15 March. Watch out for (and respond to) the full consultation in due course.

Google – confidentiality, informed consent and data-sharing

Google (the closest current thing to a real ‘panopticon’?) has been the subject of a flurry of important recent developments.

First, certain EU data protection bodies intend to take “repressive action” against some of Google’s personal data practices. These bodies include the French authority, CNIL (the Commission nationale de l’informatique et des libertés) and the Article 29 Working Party (an advisory body made of data protection representatives from member states). In October 2012, following an investigation led by CNIL, the Working Party raised what it saw as deficiencies in Google’s confidentiality rules. It recommended, for example, that Google provide users with clearer information on issues such as how personal data is shared across Google’s services, and on Google’s retention periods for personal data. Google was asked to respond within four months. CNIL has reported in recent weeks that Google did not respond. The next step is for the Working Party “to set up a working group, led by the CNIL, in order to coordinate their repressive action which should take place before summer”. It is not clear what type of “repressive action” is envisaged.

Google and the ‘right to be forgotten’

Second, Google is currently involved in litigation against the Spanish data protection authority in the Court of Justice of the EU. The case arises out of complaints made to that authority by a number of Spanish citizens whose names, when Googled, generated results linking them to false, inaccurate or out-of-date information (contrary to the data protection principles) – for example an old story mentioning a surgeon’s being charged with criminal negligence, without mentioning that he had been acquitted. The Spanish authority ordered Google to remove the offending entries. Google challenged this order, arguing that it was for the authors or publishers of those websites to remedy such matters. The case was referred to the CJEU by the Spanish courts. The questions referred are available here.

The CJEU considered the case at the end of February, with judgment expected in mid-2013. The case is obviously of enormous relevance to Google’s business model (at least as regards the EU). Also, while much has been made about the ‘right to be forgotten’ codified in the draft EU Regulation (see above), this Google case is effectively about whether that right exists under the current law. For a Google perspective on these issues, see this blog post.

Another development closer to home touches on similar issues. The Court of Appeal gave judgment last month in Tamiz v Google [2013] EWCA Civ 68. Mr Tamiz complained to Google about comments on the ‘London Muslim’ blog (hosted by Google) which he contended were defamatory in nature. He asked Google to remove that blog. He also sought permission to serve proceedings on Google in California for defamation occurring between his request to Google and the taking down of the offending blog. Agreeing with Google, the Court of Appeal declined jurisdiction and permission to serve on Google in California.

Mr Tamiz’ case failed on the facts: given the small number of people who would have viewed this blog post in the relevant period, the extra-territorial proceedings ‘would not be worth the candle’.

The important points for present purposes, however, are these: the Court of Appeal held that there was an arguable case that Google was the ‘publisher’ of those statements for defamation purposes, and that it would not have an unassailable defence under s. 1 of the Defamation Act 1996. Google provided the blogging platform subject to conditions and had the power to block or remove content published in breach of those conditions. Following Mr Tamiz’s complaint, Google knew or ought to have known that it was causing or contributing to the ongoing publication of the offending material.

A ‘publisher’ for defamation purposes is not co-extensive with a ‘data controller’ for DPA purposes. Nonetheless, these issues in Tamiz resonate with those in the Google Spain case, and not just because of their ‘right to be forgotten’ subtext. Both cases raise this question: it is right to hold Google to account for its role in making false, inaccurate or misleading personal information available to members of the public? If it is, another question might also arise in due course: to what extent would Leveson-inspired amendments to the s. 32 DPA 1998 exemption (on which the ICO is consulting) affect service providers like Google?

Facebook, Google and jurisdiction

The Google Spain case also involves an important jurisdictional argument. Google’s headquarters are in California. It argued before the CJEU that Google Spain only sells advertising to the parent company, and that these complaints should therefore be considered under US data protection legislation. In other words, it argues, this is not a matter for EU data protection law at all. The Spanish authority argues that Google Spain’s ‘centre of gravity’ is in Spain: it links to Spanish websites, has a Spanish domain name and processes personal data about Spanish citizens and residents.

Victory for Google on this point would significantly curtail the data protection rights of EU citizens in this context.

Also on jurisdictional matters, Facebook has won an important recent victory in Germany. Schleswig-Holstein’s Data Protection Commissioner had ruled that Facebook’s ‘real names policy’ (i.e. its policy against accounts in psuedonymous names only) was unfair and unlawful. The German administrative court granted Facebook’s application for the suspension of that order on the grounds that the issue should instead be considered by the Irish Data Protection Authority, since Facebook is Dublin-based.

Here then, is an example of ‘one-stop shop’ arguments surfacing under current EU law. The ‘one-stop shop’ principle is clearly very important to businesses. In the Facebook case, it would no doubt say that its ‘home’ regulator understands its business much better and is therefore best equipped to assess the lawfulness of its practices. The future of EU law, however, is as much about consistency across member states as about offering a ‘one-stop shop’. The tension between ‘home ground advantage’ and EU-wide consistency is one of the more interesting practical issues in the current data protection debate.

Enforcement and penalties issued by the ICO

One of the most striking developments in UK data protection law in recent years has been the ICO’s use of its enforcement and (relatively new) monetary penalty powers.

On the enforcement front, the Tribunal has upheld the ICO’s groundbreaking notice issued against Southampton City Council for imposing audio recording requirements in taxis (see Panopticon’s post here).

The issuing of monetary penalties has continued apace, with the ICO having issued in the region of 30 notices in the last two years. In 2013, two have been issued.

One (£150,000) was on the Nursing and Midwifery Council, for losing three unencrypted DVDs relating to a nurse’s misconduct hearing, which included evidence from two vulnerable children. The second (£250,000) was on a private sector firm, Sony Computer Entertainment Europe Limited, following the hacking of Sony’s PlayStation Network Platform in April 2011, which the ICO considered “compromise[ed] the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk.”

In the only decision of its kind to date, the First-Tier Tribunal upheld a monetary penalty notice issued against Central London Community Care NHS Trust for faxing patient details to the wrong number (see Panopticon’s post here). The First-Tier Tribunal refused the Trust permission to appeal against that decision.

Other penalty notices are being appealed to the Tribunal – these include the Scottish Borders notice (which the Tribunal will consider next week) and the Tetrus Telecoms notice, the first to be issued under the Privacy and Electronic Communications Regulations 2003.

It is only a matter of time before the Upper Tribunal or a higher court considers a monetary penalty notice case. At present, however, there is no binding case law. To that extent, the monetary penalty system is a somewhat uncertain business.

The question of EU-wide consistency raises more fundamental uncertainty, especially when one considers the mandatory fining regime proposed in the draft EU Regulation, with fines of up to €1,000,000 or 2% of the data controller’s global annual turnover.

By way of contrast, 13 administrative sanctions for data protection breaches were issued in France in 2012, the highest fine being €20,000. Enforcement in Germany happens at a regional level, with Schleswig-Holstein regarded as on the stricter end; overall however, few fines are issued in Germany. How the ‘one-stop shop’ principle, the consistency mechanism and the proposed new fining regime will be reconciled is at present anyone’s guess.

From a UK perspective, however, the only point of certainty as regards monetary penalty notices is that there will be no slowing down in the ICO’s consideration of such cases in the short- to medium-term.

It is of course too early to say whether the developments outlined above will elevate data protection law from a supporting to a leading role in protecting privacy. It is clear, however, that – love them or hate them – data protection duties are increasingly relevant and demanding.

Robin Hopkins

Upper Tribunal issues further decision in Prince Charles’ letters saga

Posted on 21st February 2013 | by Holly Stout

In the latest round of the legal and political boxing match that the Evans case has become, the Upper Tribunal (“UT”), chaired by Walker J, has decided that the government should release its “schedules and lists” of “advocacy correspondence” between Prince Charles and various government departments (see the judgment here).

The UT had previously determined, in September 2012 (see Robin Hopkins’ post) that the government should release the “advocacy correspondence” it had received from Prince Charles and which had been requested by Mr Evans as long ago as 2005. The UT had not, though, issued a substituted decision notice pursuant to that determination because it had sought the parties’ further submissions on the question of appropriate redactions to the correspondence in question.

Before any further submissions had been made, however, the Attorney General had issued a veto under s 53, which veto renders the UT’s determination in relation to the “advocacy correspondence” of no effect*. (See Christopher Knight’s previous post.)

One might have thought that that would be the end of the matter so far as the UT was concerned. However, there was a second part of Mr Evans’ request which had not been ruled on substantively as part of the UT’s decision of September 2012. As well as requesting the actual correspondence, Mr Evans had requested lists and schedules of that correspondence. At the substantive hearing, Mr Evans had conceded that, if the UT found in his favour in relation to the actual correspondence there would be no need for it to go on to consider his “lists and schedules request” because he would, if in possession of that actual correspondence, be able to produce such lists and schedules himself.

Faced with the government’s veto annulling his victory with regards to the actual correspondence, Mr Evans applied to the UT inviting it now to rule on his “lists and schedules request”. The government, represented by Jonathan Swift QC and Julian Milford, argued that the UT had no power to reopen its previous decision, contending that the UT had in its September 2012 decision made a final determination that it was unnecessary to make a substantive ruling on the “lists and schedules request”. The Information Commissioner, represented by Tim Pitt-Payne QC, agreed with the government. All parties, including Mr Evans, agreed that the limited express powers that the UT has to review its own decisions did not apply in this case.

However, Mr Evans argued that none of this mattered: he said he was not asking the UT to review its decision, or to reopen it. He was simply asking the UT to decide a part of his appeal that it had not yet decided. The UT agreed.

It went on to find that, for the same reasons as it had considered the actual correspondence should be disclosed, the lists and schedules should be disclosed. The UT said that the only difference in terms of the balance of public interests so far as the lists and schedules were concerned was that both the public interest in disclosing the information and the public interest in maintaining the exemptions relied upon were less than with the actual correspondence. Overall, though, the balance was still the same and the lists and schedules should be disclosed.

We will now have to wait and see whether the government will deliver a further punch in the form of a second veto.

The government may not, however, have the last word since Mr Evans has commenced judicial review proceedings challenging the use of the veto in this case – proceedings which will be the first such challenge to the use of the veto.

Holly Stout

* There is a question mark about the effect of the veto in this case as the power of veto in s 53(2) is drafted by reference to a ‘decision notice’, but the UT had not in fact issued a substitute decision notice at the point that the veto was exercised. This is not a point that the UT needed to address in this decision, and it appears it will probably not be dealt with as part of the judicial review proceedings either.

Court of Appeal gives judgment on credit reference agencies and accuracy of personal data

Posted on 20th February 2013 | by Robin Hopkins

The fourth data protection principle requires that “personal data shall be accurate and, where necessary, kept up to date”. It does not, however “impose an absolute and unqualified obligation on [data controllers] to ensure the entire accuracy of the data they maintain. Questions of reasonableness arise in the application of the fourth principle, as paragraph 7 of Part II of Schedule I spells out.” This statement by Davis LJ (at para. 80) encapsulates the case of Smeaton v Equifax plc [2013] EWCA Civ 108, in which the Court of Appeal handed down judgment today.

Equifax is a well-known credit reference agency. Between 22 May 2002 and 17 July 2006 Equifax included in its credit file concerning the Respondent, Mr Smeaton, an entry to the effect that he was subject to a bankruptcy order. This was incorrect – that order had been rescinded in 2002.

He was subsequently declined a business loan, with serious detrimental consequences for that business. He brought a claim against Equifax for those business losses and “other losses and distress consequent upon his descent into a chaotic lifestyle”.

Initially, his cause of action was defamation. By the time of trial in 2011, it had become (a) a claim under s. 13 of the Data Protection Act 1998, and (b) a parallel common law tort claim.

The judge, HHJ Thornton QC (having substantially amended the first draft of his judgment following submissions at handing down), found that Equifax had breached the fourth data protection principle (as well as the first and the fifth, though he had heard no argument on these points), that it owed Mr Smeaton a parallel duty in tort and that he had suffered losses as a result of these breaches.

The Court of Appeal disagreed in strong terms, Tomlinson LJ saying this at para. 11 about the judge’s approach and conclusions – particularly on causation:

“In retrospect it is I think unfortunate that the judge attempted to resolve the causation issue in principle, divorced from the question what loss could actually be shown to have been caused by the asserted breaches of duty. I have little doubt that Mr Smeaton believes in all sincerity that a good number of the vicissitudes that have befallen him can be laid at the door of Equifax, but a close examination of the relationship between the losses alleged and the breaches of duty found by the judge would perhaps have introduced something in the way of a reality check. Had the judge looked at both issues together he might I think have had a better opportunity to assess the proposition in the round. As it is, the judge’s conclusion that the breaches of duty which he identified caused Mr Smeaton loss in that they prevented Ability Records from obtaining a loan in and after mid-2006 is in my view not just surprising but seriously aberrant. It is without any reliable foundation and completely unsupported, indeed contradicted, by the only evidence on which the judge could properly rely.”

Turning from the facts of the case and the question of causation to the approach to the fourth data protection principle in general, Tomlinson LJ said this at para. 44:

“The judge was also in my view wrong to regard the mere fact that the data had become inaccurate and remained accessible in its inaccurate form for a number of years as amounting to a “clearly established breach of the fourth principle” – judgment paragraph 106. Paragraph 7 of Part II provides that the fourth principle is not, in circumstances where the data accurately records [erroneous] information obtained by the data controller from the data subject or a third party, to be regarded as contravened if the data controller has, putting it broadly, taken reasonable steps to ensure the accuracy of the data. A conclusion as to contravention cannot in such a case be reached without first considering whether reasonable steps have been taken. As the facts of this case show, that may not always be a straightforward enquiry. Perhaps often it will and it may not therefore usually be difficult to establish a contravention. Once it is concluded that reasonable steps were not taken in this regard, a consumer may seek compensation under s.13. It will then be a defence for the data controller to show that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned. It may be that that enquiry is in substance no different from that required under paragraph 7 of Part II in the limited class of case to which that paragraph refers. However it should be noted that in cases not covered by paragraph 7 a contravention may be established without consideration of the reasonableness of the steps taken by the data controller. In such a case reasonableness would arise only if a defence were mounted under s.13(3).”

Tomlinson LJ then summarised the law and relevant legal guidance on credit reference agencies and bankruptcy proceedings. At para. 59, he concluded that:

“The judge’s approach begins with the observation, at paragraph 95 of the judgment, that erroneous or out of date data which remains on a consumer’s credit file can be particularly damaging. Of course this is true, and nothing I say in this judgment is intended to undermine the importance of the fourth data protection principle. But before deciding what is the ambit of the duty cast upon CRAs to ensure the accuracy of their data, it is necessary to put this important principle into context and to maintain a sense of proportion. In the context of lending, arrangements have been put in place to ensure that an applicant for credit should not suffer permanent damage as a result of inaccurate information appearing on his file. As recorded above these safeguards are set out in the Guide to Credit Scoring and are further explained in at least two other published documents…. The judge made no reference to these arrangements which are in my view relevant to the question how onerous a duty should be imposed upon a CRA to ensure that its data is accurate. I agree with Mr Handyside that in most cases of applications for credit failed on account of incorrect data the harm likely to be suffered is temporary inconvenience. It is possible that the judge overlooked this as a result of his flawed conclusion that it was inaccurate data, or more precisely the alleged breach of duty which gave rise thereto, which prevented Mr Smeaton / Ability Records from obtaining credit in and after July 2006.”

He continued at para 62:

“The judge ought in my view to have taken into account that these various publications demonstrate that both the methods by which CRAs collected and updated their data and the shortcomings in those methods were well-known to and understood by the Information Commissioner and the Insolvency Service.”

Tomlinson LJ also concluded (at paras. 67-68) that part of the judge’s conclusions on DPA breach “amounts to a conclusion that Equifax was in breach of the duty required of it under the DPA because it failed to attempt to persuade the Secretary of State and the Insolvency Service to initiate modifications to the legislative and regulatory framework and in particular failed to secure the reversal of the legislative choice made in 1986 no longer to require the automatic advertisement of annulments and rescissions. I do not consider that this is a realistic conclusion. Self-evidently it is not realistic to conclude that an exercise of this sort was either necessary or feasible in relation to a tiny number of cases where the consequences of inaccuracy could not normally be expected to be anything other than temporary inconvenience. A duty the content of which is to lobby for a change in the law must be very uncertain in its ambit and extent and in my view is implausible.”

Finally, not only had the judge erred in his approach to causation and the fourth data protection principle, he was also wrong to find that there was a parallel duty in common law: the House of Lords said in Customs and Excise Commissioners v Barclays Bank [2007] 181 that statutory duties cannot generate parallel common law ones, and on the raditional three-fold test of foreseeability, proximity and whether it is fair, just and reasonable to impose a duty, the answer here would also be ‘no’.

The judgment will be welcomed not only by credit reference agencies, but by all those data controllers whose particular circumstances mean that data inaccuracy is, best efforts notwithstanding, an occupational hazard.

For another blog post on this judgment, see Information Rights and Wrongs, where Jon Baines was quick off the mark.

Robin Hopkins

WordPress + Bootstrap