Tag: data protection

Legal analysis of individual’s situation is not their personal data, says Advocate General

Posted on | by Robin Hopkins

YS, M and S were three people who applied for lawful residence in the Netherlands. The latter two had their applications granted, but YS’ was refused. All three wanted to see a minute drafted by an official of the relevant authority in the Netherlands containing internal legal analysis on whether to grant them residence status. They made subject access requests under Dutch data protection law, the relevant provisions of which implement Article 12 of Directive 95/46/EC. They were given some of the contents of the minutes, but the legal analysis was withheld. This was challenged before the Dutch courts. Questions were referred to the CJEU on the application of data protection law to such information. In Joined Cases C‑141/12 and C‑372/12, Advocate General Sharpston has given her opinion, which the CJEU will consider before giving its judgment next year. Here are some important points from the AG’s opinion.

The definition of personal data

The minutes in question contained inter alia: the name, date of birth, nationality, sex, ethnicity, religion and language of the applicant; information about the procedural history; information about declarations made by the applicant and documents submitted; the applicable legal provisions and an assessment of the relevant information in the light of the applicable law.

Apart from the latter – the legal advice – the AG’s view is that this information does come within the meaning of personal data under the Directive. She said this:

“44. In general, ‘personal data’ is a broad concept. The Court has held that the term covers, for example, ‘the name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies’, his address, his daily work periods, rest periods and corresponding breaks and intervals, monies paid by certain bodies and the recipients, amounts of earned or unearned incomes and assets of natural persons.

45. The actual content of that information appears to be of no consequence as long as it relates to an identified or identifiable natural person. It can be understood to relate to any facts regarding that person’s private life and possibly, where relevant, his professional life (which might involve a more public aspect of that private life). It may be available in written form or be contained in, for example, a sound or image.”

The suggestion in the final paragraph is that the information need not have a substantial bearing on the individual’s privacy in order to constitute their personal data.

The AG also observed that “Directive 95/46 does not establish a right of access to any or every document or file in which personal data are listed or used” (paragraph 71). This resonates with the UK’s long-established Durant ‘notions of assistance’.

Legal analysis is not personal data

AG Sharpston’s view, however, was that the legal analysis of the individuals’ situations did not constitute their personal data. Her reasoning – complete with illustrative examples – is as follows:

“55. I am not convinced that the phrase ‘any information relating to an identified or identifiable natural person’ in Directive 95/46 should be read so widely as to cover all of the communicable content in which factual elements relating to a data subject are embedded.

56. In my opinion, only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not.

57. In that context, I do not find it helpful to distinguish between ‘objective’ facts and ‘subjective’ analysis. Facts can be expressed in different forms, some of which will result from assessing whatever is identifiable. For example, a person’s weight might be expressed objectively in kilos or in subjective terms such as ‘underweight’ or ‘obese’. Thus, I do not exclude the possibility that assessments and opinions may sometimes fall to be classified as data.

58. However, the steps of reasoning by which the conclusion is reached that a person is ‘underweight’ or ‘obese’ are not facts, any more than legal analysis is.”

Interestingly, her conclusion did touch upon the underlying connection between personal data and privacy. At paragraph 60, she observed that “… legal analysis as such does not fall within the sphere of an individual’s right to privacy. There is therefore no reason to assume that that individual is himself uniquely qualified to verify and rectify it and ask that it be erased or blocked. Rather, it is for an independent judicial authority to review the decision for which that legal analysis was prepared.”

In any event, legal analysis does not amount to “processing” for data protection purposes

The AG considered that legal analysis such as this was neither ‘automatic’ nor part of a ‘relevant filing system’. “Rather, it is a process controlled entirely by individual human intervention through which personal data (in so far as they are relevant to the legal analysis) are assessed, classified in legal terms and subjected to the application of the law, and by which a decision is taken on a question of law. Furthermore, that process is neither automatic nor directed at filing data” (paragraph 63).

Entitlement to data, but not in a set form

The AG also says that what matters is that individuals are provided with their data – data controllers are not, under the Directive, required to provide it in any particular form. For example, they can extract or transcribe rather than photocopy the relevant minute:

“74. Directive 95/46 does not require personal data covered by the right of access to be made available in the material form in which they exist or were initially recorded. In that regard, I consider that a Member State has a considerable margin of discretion to determine, based on the individual circumstances in case, the form in which to make personal data accessible.

75. In making that assessment, a Member State should take account of, in particular: (i) the material form(s) in which that information exists and can be made available to the data subject, (ii) the type of personal data and (iii) the objectives of the right of access.”

If the legal analysis is personal data, then the exemptions do not apply

Under the Directive, Article 12 provides the subject access right. Article 13 provides exemptions. The AG’s view was that if, contrary to her opinion, the legal analysis is found to be personal data, then exemptions from the duty to communicate that data would not be available. Of particular interest was her view concerning the exemption under Article 13(1)(g) for the “protection of the data subject or of the rights and freedoms of others”. Her view is that (paragraph 84):

“the protection of rights and freedoms of others (that is, other than the data subject) cannot be read as including rights and freedoms of the authority processing personal data. If a legal analysis is to be categorised as personal data, that must be because it is related to the private interests of an identified or identifiable person. Whilst the public interest in protecting internal advice in order to safeguard the administration’s ability to exercise its functions may indeed compete with the public interest in transparency, access to such advice cannot be restricted on the basis of the first of those two interests, because access covers only what falls within the private interest.”

If the Court agrees with the AG’s view, the case will be an important addition to case law offering guidance on the limits of personal data. It would also appear to limit, at least as regards the exemption outlined above, the data controller’s ability to rely on its own interests or on public interests to refuse subject access requests. That said, there is of course the exemption under Article 9 of the Directive for freedom of expression.

Robin Hopkins @hopkinsrobin

Facebook fan pages: data protection buck stops with Facebook, not page owners

Posted on | by Robin Hopkins

In Re Facebook, VG, Nos. 8 A 37/12, 8 A 14/12, 8 A 218/11, 10/9/13 the Schleswig-Holstein Administrative Court has allowed Facebook’s appeals against rulings of the regional data protection authority (the ULD), Thilo Weichert.

The case involved a number of companies’ use of Facebook fan pages. The ULD’s view was that Facebook breached German privacy law, including through its use of cookies, facial recognition and other data processing. He considered that, by using Facebook fan pages, the companies were facilitating Facebook’s violations by processing users’ personal data on those pages. He ordered them to shut down the fan pages or face fines of up to €50,000.

The appellant companies argued that they could not be held responsible for data protection violations (if any) allegedly committed by Facebook, as they had no control over how that data on the pages was processed and used by the social networking site. The Administrative Court agreed.

The case raises interesting questions about where the buck stops in terms of data processing – both in terms of who controls the processing, and in terms of where they are based. Facebook is based in Ireland, without a substantive operational presence in Germany. Earlier this year, the Administrative Court found – again against the Schleswig-Holstein ULD’s ruling – that Facebook’s ‘real names’ policy (i.e. a ban on pseudonymised profiles) was a matter for Irish rather than German law.

The ULD is unlikely to be impressed by the latest judgment, given that he is reported as having said in 2011 that:

“We see a much bigger privacy issue behind the Facebook case: the main business model of Google, Apple, Amazon and others is based on privacy law infringements. This is the reason why Facebook and all the other global internet players are so reluctant in complying with privacy law: they would lose their main profit resource.”

For more on this story, see links here and here.

Robin Hopkins

Fingerprints requirement for passport does not infringe data protection rights

Posted on | by Robin Hopkins

Mr Schwarz applied to his regional authority, the city of Bochum, for a passport. He was required to submit a photograph and fingerprints. He did not like the fingerprint part. He considered it unduly invasive. He refused. So Bochum refused to give him a passport. He asked the court to order it to give him one. The court referred to the Court of Justice of the European Union questions about whether the requirement to submit fingerprints in addition to photographs complied with the Data Protection Directive 95/46/EC.

Last week, the Fourth Chamber of the CJEU gave its judgment: the requirement is data protection-compliant.

The requirement had a legal basis, namely Article 1(2) of Council Regulation 2252/2004, which set down minimum security standards for identity-confirmation purposes in passports.

This pursued a legitimate aim, namely preventing illegal entry into the EU.

Moreover, while the requirements entailed the processing of personal data and an interference with privacy rights, the ‘minimum security standards’ rules continued to “respect the essence” of the individual’s right to privacy.

The fingerprint requirement was proportionate because while the underlying technology is not 100% successful in fraud-detection terms, it works well enough. The only real alternative as an identity-verifier is an iris scan, which is no less intrusive and is technologically less robust. The taking of fingerprints is not very intrusive or intimate – it is comparable to having a photograph taken for official purposes, which people don’t tend to complain about when it comes to passports.

Importantly, the underlying Regulation provided that the fingerprints could only be used for identity-verification purposes and that there would be no central database of fingerprints (instead, each set is stored only in the passport).

This is all common-sense stuff in terms of data protection compliance. Data controllers take heart!

Robin Hopkins

Refusal to destroy part of a ‘life story’ justified under Article 8(2) ECHR

Posted on | by Robin Hopkins

The High Court of Justice (Northern Ireland) has today given judgment In the matter of JR60’s application for judicial review [2013] NIQB 93. The applicant sought to challenge the right of the two Social Care Trusts to keep and use various records generated when she was a resident of children’s homes and a training school between the years 1978-1991.

In most cases of challenges to the retention of records, the applicant seeks to expunge information which suggests they have done wrong. This application is interesting because it focused (though not exclusively) on what the applicant had suffered, as opposed to what she had done. In short, she wished to erase from the record a part of her life story which was painful for her to recall. The application failed: there were weightier reasons for retaining those records, and in any event whatever her current wish to forget matters of such import, she might come to change her mind.

The applicant was described as having had a very difficult childhood, to which those records relate. It was not known who her father was. She had grown up to achieve impressive qualifications. Horner J described her as having “survived the most adverse conditions imaginable and triumphed through the force of her will. By any objective measurement she is a success”.

She wished to move on, and to have the records about her childhood expunged. The Trusts refused; their policy was to retain such information for a 75-year period. The applicant challenged this refusal on Article 8 ECHR grounds. Horner J readily agreed that the retention of such information interfered with her rights under Article 8, but dismissed her application on the grounds that the interference was justified.

The applicant had argued that (i) she did not intend to make any claim for ill-treatment or abuse while she was in care, (ii) she did not want to retrieve information about her life story, (iii) she did not want the records to be used to carry out checks on her, as persons who were not in care would not be burdened by such records in respect of their early lives, and (iv) she did not want others, including her own child, to be able to access these records.

In response to the applicant’s assertion that she did not want and did not envisage wanting access to her records, Horner J said this at paragraph 19:

“Even if the applicant does not want to know at present what is in her records, it does not follow that she may not want to find out in the future what they contain for all sorts of reasons. She may, following the birth of a grandchild, be interested in her personal history for that grandchild’s sake. She may want to find out about her genetic inheritance because she may discover, for example, that she, or her off-spring, is genetically predisposed to a certain illness whether mental or physical. She may want to know whether or not this has been passed down through her mother’s side or her father’s side. There may be other reasons about which it is unnecessary to speculate that will make her want to seek out her lost siblings. There are any number of reasons why she may change her mind in the future about accessing her care records. Of course, if the records are destroyed then the opportunity to consider them is lost forever.”

The Trusts argued that they needed to retain such records for the purposes of their own accountability, any background checks on the applicant or related individuals which may become necessary, for the purposes of (hypothetical) public interest issues such as inquiries, and for responding to subject access requests under the Data Protection Act 1998. Horner J observed that the “right for an individual to be able to establish details of his or her identity applies not just to the Looked After Child but also, inter alia, to that child’s offspring”.

In the circumstances, the application failed; the Trusts’ interference with the applicant’s Article 8 rights was justified.

Horner J added a short concluding observation about the DPA (paragraph 29):

“It is significant that no challenge has been made to the Trust’s storage of personal information of the applicant on the basis that such storage constitutes a breach of the Data Protection Act 1998. This act strengthens the safeguards under the 1984 Act which it replaced. The Act protects “personal data which is data relating to a living individual who can be identified from data whether taken alone or read with other information which is the possession (or is likely to come into possession) of the data controller: see 12-63 of Clayton and Tomlinson on The Law of Human Rights (2nd Edition). It will be noted that “personal” has been interpreted as almost meaning the same as “private”: see Durant v Financial Services Authority [2004] FSR 28 at paragraph [4].”

Robin Hopkins

Anonymity: publication and open justice

Posted on | by Robin Hopkins

The tension between transparency and individual privacy is part of what makes information rights such a fascinating and important area. When it comes to high-public interest issues involving particular individuals, prevailing wisdom has tended to be something like this: say as much as possible on an open basis, but redact and anonymise so as to protect the identity of the individuals involved. Increasingly, however, transparency is outmuscling privacy. See for example my post about the Tribunal’s order of disclosure, in the FOIA context, of the details of the compensation package of a Chief Executive of an NHS Trust (the case of Dicker v IC (EA/2012/0250).

The recent Care Quality Commission debate is the highest-profile recent illustration: the health regulator published a consultant’s report into failings regarding the deaths of babies at Furness General Hospital, but withheld the names of the individuals being criticised (including for alleged ‘cover-ups’), relying on the Data Protection Act 1998. The anonymisation was not endorsed by the Information Commissioner, and attracted widespread criticism in media and political circles. Transparency pressures held sway.

In a similar vein, the BBC has come under great pressure over the past week – particularly from Parliament’s Public Accounts Committee – to reveal the names of approximately 150 departing senior managers who received pay-offs averaging £164,000 in the past three years. As the Telegraph reports, the Committee is threatening to use parliamentary privilege to publish those names. The BBC admits that it “got things wrong” by overpaying in many cases (as confirmed by the National Audit Office), but is concerned to protect the DPA and privacy rights of the affected individuals, as well as to safeguard its own independence. The Committee says the public interest in transparency is compelling; Lord Patten, chair of the BBC Trust, says there will be “one hell of an argument” about this.

Such arguments become all the more thorny in the context of open justice disputes, of which there have been a number in recent weeks.

In the matter of Global Torch Ltd/Apex Global Management Ltd (The Guardian, The Financial Times and others intervening) [2013] EWCA Civ 819 involved competing petitions of unfair prejudice alleging misconduct in the affairs of a particular company. Two Saudi Arabian princes and one of their private advisers applied to have the interlocutory hearings held in private under CPR rule 39.2(3). The Court of Appeal agreed with the judge who dismissed those applications. It rejected the contention that the judge had elevated open justice above Article 8 ECHR rights as a matter of law. Rather, he noted that some general presumptions were valid (for example, open justice is likely to trump reputational damage) and applied those in the factual context of this case. Maurice Kay LJ said  (paragraph 34) that there was sometimes a “need for a degree of protection so as to avoid the full application of the open justice principle exposing a victim to the very detriment which his cause of action is designed to prevent… If such an approach were to be extended to a case such as the present one, it could equally be applied to countless commercial and other cases in which allegations of serious misconduct are made. That would result in a significant erosion of the open justice principle. It cannot be justified where adequate protection exists in the form of vindication of the innocent through the judicial process to trial”.

Open justice is of course fundamental not only to freedom of expression, but is also the default setting for fair trials. This is illustrated in the regulatory/disciplinary context by Miller v General Medical Council [2013] EWHC 1934 (Admin). The case involved a challenge to a decision by a Fitness to Practise Panel of the Council’s Medical Practitioners Tribunal Service that a fitness to practise hearing should take place in private because it considered that the complainant, a former patient of the claimant, was otherwise unlikely to give evidence. HHJ Pelling quashed the decision; there was insufficient evidence for the Panel’s conclusion about witness participation, and in any event the Panel “fell into error at the outset by not reminding itself sufficiently strongly or at all that the clear default position under Article 6 is that the hearing should be in public. It failed to remind itself that Article 6 creates or declares rights that are the rights of the Claimant and that it was for the GMC to prove both the need for any derogation from those rights and for a need to derogate to the extent claimed” (paragraph 20).

Robin Hopkins

Prism and Tempora: Privacy International commences legal action

Posted on | by Robin Hopkins

Panopticon has reported in recent weeks that, following the Edward Snowden/Prism disclosures, Liberty has brought legal proceedings against the UK’s security bodies. This week, Privacy International has announced that it too is bringing a claim in the Investigatory Powers Tribunal – concerning both the Prism and Tempora programmes. It summarises its claim in these terms:

“Firstly, for the failure to have a publicly accessible legal framework in which communications data of those located in the UK is accessed after obtained and passed on by the US National Security Agency through the Prism programme.  Secondly, for the indiscriminate interception and storing of huge amounts of data via tapping undersea fibre optic cables through the Tempora programme.”

Legal complaints on Prism-related transfers have been made elsewhere on data protection grounds also. A group of students who are members of a group called Europe vs. Facebook have filed complaints to the data protection authorities in Ireland (against Facebook and Apple), Luxembourg (against Skype and Microsoft) and Germany (against Yahoo).

European authorities have expressed concerns on these issues in their own right. For example, the Vice President of the European Commission, Viviane Reding, has written to the British Foreign Secretary, William Hague, about the Tempora programme, and has directed similar concerns at the US (including in a piece in the New York Times). The European Parliament has also announced that a panel of its Committee on Civil Liberties, Justice and Home Affairs will be convened to investigate the Prism-related surveillance of EU citizens. It says the panel will report by the end of 2013.

In terms of push-back within the US, it has been reported that Texas has introduced a bill strengthening the requirements for warrants to be obtained before any emails (as opposed to merely unread ones) can be disclosed to state and local law enforcement agencies.

Further complaints, litigation and potential legal challenges will doubtless arise concerning Prism, Tempora and the like.

Robin Hopkins