Author Archives: Jon Baines

Drones and freedom of expression

Article 10 of the European Convention on Human Rights provides that everyone has the (qualified) right to freedom of expression, which includes the freedom to receive and impart information. And section 12(4) of the Human Rights Act 1998 requires a court: i) to have regard to the importance of freedom of expression, when considering whether to grant any relief which, if granted, might affect the exercise of the right to freedom of expression, and ii) where the proceedings relate to material which appears to the court, to be journalistic, literary or artistic material (or to conduct connected with such material), to have regard to the extent to which the material has, or is about to, become available to the public, or the extent to which it is, or would be, in the public interest for the material to be published.

In a recent case in the High Court – sitting in Manchester – an application for an interim injunction was granted against one named and a number of unknown respondents preventing them from entering the site of the former St Joseph’s seminary in Up Holland, but also preventing the flying of drones over the site. There is already a large amount of footage taken previously by such drones on the various online video-sharing sites, and some of them are fascinating and informative. The future of the site is evidently a matter of significant local interest.

The concerns of the applicants for the injunction are compelling: there have been numerous incidents of trespass on the site, and it is in a very dangerous condition.

The only published judgment I have been able to find is on the website of the chambers of the barrister representing the applicant. It appears to be a transcript of an ex tempore judgment. The judge notes that section 76 of the Civil Aviation Act 1982 provides that

No action shall lie in respect of trespass or in respect of nuisance, by reason only of the flight of an aircraft over any property at a height above the ground which, having regard to wind, weather and all the circumstances of the case is reasonable

A piece on the website of the solicitors acting for the applicants indicates that the judge proceeded on the assumption that section 76 applied to drones and that the drone operator had complied with the requirements of the Air Navigation Order 2016. He then said that either i) section 76 did not apply, because the flight involved the taking of footage for its presumed purpose of encouraging trespass (and presumably therefore it was not “by reason of the flight only” for section 76 purposes), or, ii) if section 76 did apply, then the height of the drones could not be reasonable, because of the taking of the footage.

However, nowhere in the judgment is there any indication that the judge has had regard to the court’s duties under section 12 of the Human Rights Act. It strikes me that there are clear freedom of expression issues raised. A large number of people are interested in general in abandoned buildings, and there is an enormous amount of online attention to this subject, and, more locally, there is clearly notable interest in the fate of a grade 2 listed building: the drone footage must, surely, play a part in meeting this public interest.

So it strikes me that it was incumbent on the court to conduct the balancing exercise inherent in Article 10, which provides that the exercise of freedom of expression may be

subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial disorder or crime [and] for the protection of health…

The respondents in this case did not attend the hearing but the judge was satisfied that notice had been given to them (although the judgment does not explain how notice was given to the persons unknown). Perhaps, though, if they had attended, and been represented, their counsel might have drawn the court’s attention to its section 12 duty.

In a letter to The Times in 1987 (quoted here), Lord Scarman deprecated a decision of the House of Lords, and commented that

their Lordships have, with great respect, overlooked the more fundamental law providing the right of the public to access to information … and the public right of free speech…Old ingrained habits die hard. We are not yet able to abandon the traditional emphasis of our law on private rights …

Might he have found himself writing a similar letter today?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Subject access: recipients, and motive

A very significant subject access judgment has been handed down in the High Court. Key rulings have been made to the effect that 1) requesters are entitled, in principle, to be informed of the identities of the recipients of their personal data (not just the categories of recipient), and 2) the subject access regime has a “specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides”.

The underlying details of the case are interesting and alarming in themselves. A director of a gardening company (Mr Cameron) had covertly recorded threatening calls made by a wealthy homeowner working in the property investment industry (Mr Harrison) with whom the company was coming into dispute, and subsequently circulated the recordings to a limited number of unnamed family members and others.

The recordings found their way to a wider circle of people, including some of Mr Harrison’s peers and competitors in the property investment sector. Mr Harrison contended that the circulation of the recordings had caused his own company to lose out on a significant property acquisition. Accordingly, he made subject access requests, under Article 15 of the UK GDPR, both to Mr Cameron and to Mr Cameron’s company (“ACL”). Those requests were rejected on the grounds that i) Mr Cameron, when circulating the recordings, was processing Mr Harrison’s personal data in a “purely personal and household” context, and so the processing was out of scope of the UK GDPR, ii) Mr Cameron was not personally a controller under the UK GDPR, iii) ACL could rely on the exemption to disclosure where it would involve disclosing information relating to another individual who did not consent to disclosure, and where – in the absence of such consent – it was not reasonable in the circumstances to disclose (see Article 15(4) UK GDPR and paragraph 16 of Schedule 2 to the Data Protection Act 2018).

In a lengthy judgment (dealing mostly with the facts and evidence) Mrs Justice Steyn held that Mr Cameron’s processing was not for purely personal and household reasons: he was clearly acting as a director of ACL in making the recordings and circulating them. However, she agreed that he was not a controller – he was acting in his capacity as a director, and – following Ittihadieh and In re Southern Pacific Loans – a director processing data in the course of their duties for their company is not a controller; the company is.

A crucial part of the judgment, in terms of wider relevance, is on the interpretation of Article 15(1)(c) of the UK GDPR. This provides that a data subject should be given information on “the recipients or categories of recipient” to whom personal data have been or will be disclosed. Many practitioners, and lawyers, have taken this to be an option available to the controller (i.e. the controller can decide whether to provide information on the specific recipient or just on categories thereof). Not so, said Steyn J, agreeing with the CJEU in the Austrian Post case (which, as a post-Brexit case, wasn’t binding on her, but to which she could have regard, so far as it was relevant to the issues (see section 6(2) of the EU (Withdrawal) Act 2018)): the choice lies with the data subject, and, if the data subject chooses to receive information on individual recipients, he or she is entitled, in principle, to that information (unless it would be impossible or manifestly excessive to do so).

Notwithstanding this, Mr Harrison was not entitled in this case to have the identities. Mr Harrison had previously sent subject access requests individually to at least 23 employees of ACL and ACL, and he had an intention to pursue further legal options other than under the UK GDPR, if he was to identify potential claimants. ACL believed that disclosing identities of recipients of the recordings would put them at “significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation”. The judge agreed that it was “not unreasonable for the Defendants to give significant weight to [Mr Harrison’s] sustained and menacing behaviour in considering whether to protect or disclose the identities of friends, colleagues and family members”. The fact that “hostile litigation”, against the third parties to whom the recordings were disclosed, was being contemplated was a relevant factor to take into account when balancing their interests with Mr Harrison’s access rights, under paragraph 16 of Schedule 2. The judge held that

[Although there] is no general principle that the interests of the request should be treated as devalued by reason of a motive to obtain information to assist the requester in litigation…as Farbey J observed in X v Transcription Agency…the SAR regime “has a specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her ‘personal data’ unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides“…[and so] it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation going beyond the exercise of rights under the UK GDPR and the DPA 2018

So, the perennial question of the extent to which a requester’s motive is relevant when responding to a subject access request rears its head again. Steyn J’s analysis is compelling, and so it certainly appears that – at the very least when it comes to the balancing test implied by paragraph 16 of Schedule 2 – the motive is capable of being taken into account.


The demise of portmanteau data breach claims

Many defendants in data protection proceedings will have experienced claims which also plead a misuse of private information (MPI). Often, on the face of things, the latter appears to add nothing to the data protection claim, but there can be procedural and costs/other financial implications. Importantly, where claimants have secured after-the-event (ATE) insurance, premiums can be recovered from losing defendants (as there is an exception for certain claims, including MPI ones, to the general rule introduced by the Legal Aid, Sentencing and Punishment of Offenders Act 2012, by which ATE premiums became generally irrecoverable between parties). This can be perceived as a factor which might impel defendants to settle otherwise weak claims.

The practice of bundling data protection and MPI claims (sometimes with a bonus breach of confidence claim) in “data breach” proceedings was struck a blow in 2021, when Mr Justice Saini, in Warren v DSG, held that, as both MPI and breach of confidence require there to have been a “use”, a “positive action”, they do not impose a data security obligation on a defendant, or create liability where the defendant was, instead, alleged to have failed to do something.

This inevitably led to a drop in claims pleading MPI (and breach of confidence) in data security cases, but not a complete stop: after all – I imagine some claimant lawyers thought – a claim can still be pleaded as an MPI claim, even if it might not look like one (following Warren v DSG).

However, in a costs judgment from September last year, but only recently published, Deputy Costs Judge Roy held that a “spurious” (as opposed to a “genuine”) MPI claim (in Saini J’s characterisation “an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”) can’t avail itself of the ATE premium irrecoverability exception. (The claim was against Equiniti, but seems to be separate to the recent attempted group litigation against the same defendant.)

I suspect the story is not entirely over. Claimants will quite possibly say “yes, spurious MPI claims can’t be shoehorned into data protection claims, but this one – Judge – is not spurious on the facts”. Nonetheless, the days of portmanteau data breach claims seem to be disappearing into the past.


How far can a legal fiction go?

When the Information Commissioner, as a public authority subject to the Freedom of Information Act 2000 (FOIA), is required to consider, as regulator, his own handling of a FOIA request, he enters into a legal fiction, whereby he separates himself into two, along these lines (taken from a decision notice):

This decision notice concerns a complaint made against the Information Commissioner (‘the Commissioner’). The Commissioner is both the regulator of FOIA and a public authority subject to FOIA. He’s therefore under a duty as regulator to make a formal determination of a complaint made against him as a public authority…In this notice the term ‘ICO’ is used to denote the ICO dealing with the request, and the term ‘Commissioner’ denotes the ICO dealing with the complaint.

It’s a legal fiction because the Information Commissioner is a corporation sole: every single function he has vests in him (and he has powers of delegation).

With this in mind, it is interesting to consider section 132(1) of the Data Protection Act 2018. This provides that

A person who is or has been the Commissioner, or a member of the Commissioner’s staff or an agent of the Commissioner, must not disclose information which— (a) has been obtained by, or provided to, the Commissioner in the course of, or for the purposes of, the discharging of the Commissioner’s functions, (b) relates to an identified or identifiable individual or business, and (c) is not available to the public from other sources at the time of the disclosure and has not previously been available to the public from other sources. (Unless the disclosure is made with lawful authority.)

When partaking in the legal fiction described above, can it be said that the Commissioner, or the Commissioner’s staff, have obtained, or been provided with, information, when the Commissioner is the person who holds the information? I think not. And if I’m right, that should mean that the Commissioner cannot rely on the exemption at section 44 of FOIA, on the grounds that there is a statutory bar on disclosure. But that’s what he does in response to this recent FOIA request. It will be interesting if the applicant asks for a decision notice.


EIR and sewage discharges: a shift in the ICO’s position

It’s interesting (and encouraging) to see that, in a notable shift of position, the Information Commissioner’s Office (ICO) is now ordering water companies to disclose data relating to allegedly unlawful discharges of dry spillage sewage.

Previously, the ICO had tended to agree with the companies’ arguments that disclosure would adversely affect investigations by Ofwat and the Environment Agency, and the information was, therefore, exempt from disclosure under regulation 12(5)(b) of the Environmental Information Regulations 2004 (EIR). Those arguments were rather forcefully undermined by a statement to the Public Accounts Committee by the CEO of Ofwat last November that

We do not think that the investigation itself is a good reason for companies not to provide data. They have some legal obligations to disclose information, and there is a process for working that through. That process does not involve Ofwat directly, but we would encourage companies to be open and transparent about their environmental performance.

Additionally, the ICO has taken note of the judgment of the Information Tribunal in the recent Lavelle case.

This Decision Notice neatly summarises the issues and the ICO’s new position.


Disastrous data protection advice in child protection proceedings

I am only going to link at the foot of this post to the recent judgment in the Family Court, as it is long, contains distressing and graphic references to alleged sexual offences and how a school and a local authority dealt with the allegations and only deals in passing with the issue I raise in this post. Please be aware of that.

However, the issue is of real importance.

The reason for referring to it is the extraordinary, and extraordinarily worrying, references in the judgment to a discussion a deputy head teacher had with the nine year old child in question. The judgment records the teacher’s evidence that, although

she took notes of the discussion she destroyed any notes that she had made. This appeared to be in accordance with a school-wide misunderstanding of data protection guidance. She fairly admitted that after a year she could only guess at those notes now

The judge stresses that she

“[does] not criticise GG – she was a caring and conscientious teacher who was doing her best and believed she was following advice and good practice. She lacked specialist training and some of the advice was unhelpful. I have carefully considered the problems with her record of this discussion, and I am mindful that these challenges add to the difficulty of appraising the reliability of what she recorded.”

[nb, this was said not solely in the context of the destruction of the notes]

The London Borough involved recognised, during the course of the proceedings, “the importance of addressing a wide range of gaps and concerns that emerged during the course of this hearing”, and the judge invited the parties to draw up an agreed list of issues for the Council to consider and provide a response to as a positive problem-solving exercise. Among these agreed issues was this

“Contemporaneous notes need to be taken when a child makes any allegation of physical, sexual or emotional abuse against a third party…. It needs to be made clear within the policy that contemporaneous notes ought to be kept and stored securely (electronically if possible). This includes any handwritten notes even if, only key words are noted down and later entered onto any electronic system. THIS DOES NOT INFRINGE GDPR.”

Those final words resound, even if they shouldn’t need saying.

Prior to GDPR, there were certainly a multitude of misunderstandings about data protection, but the idea that personal data should not be recorded, or should be quickly destroyed, is one of the most pernicious of misunderstandings that seems to have emerged since GDPR – in part from terrible advice and training given by people who shouldn’t have ever been engaged to train the public sector. I implore those involved in training and advising in these complex areas of social care and education to consider the import and impact of the advice they give.

Finally, the importance and meaning of the first word of the third data protection principle is often overlooked. Yes, it’s the “data minimisation” principle, but personal data must still be adequate.

This is the judgment.


Dead as a dodo – the DPDI Bill is no more

I’ve written on the Mishcon de Reya website on the news that the Data Protection and Digital Information Bill will not now be enacted, following the calling of the general election on 4 July.

https://www.mishcon.com/news/the-end-of-the-data-protection-and-digital-information-bill


ICO applies public sector fine approach to charity

The Information Commissioner’s Office has fined the CENTRAL YOUNG MEN’S CHRISTIAN ASSOCIATION (YMCA) of London £7500.

The penalty notice is not published at the time of writing (nor anything else yet on the ICO website), although the fine is said to have already been paid, and the press release issued by the ICO says the fine was issued for “a data breach where emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable”.

The press release also says that the fine was reduced from an initially-recommended £300,000, “in line with the ICO’s public sector approach”. When I queried the rather obvious point that a charity is not a public authority, an ICO spokesman initially told me that “as Central YMCA is a charity that does a lot of good work, they engaged with us in good faith after the incident happened, recognised their mistake immediately and have made amends to their processing activities and they paid the fine in full straight away, we applied the spirit of the public sector approach to them even though they’re not strictly a public sector body”.

This led to a further follow-up query from me because as a matter of logic and timing, how could the fact that a controller “paid the fine in full straight away” be a mitigating factor in reducing the amount of the fine to be paid? The further response was “The point was that they engaged fully and subsequently paid the fine in full, thus confirming our position that they were engaging and taking the breach seriously. The calculation comes before the payment which has no bearing on the assessed amount.”

I’m not quite sure what to make of this. Can any controller which “does a lot of good work”, engages with the ICO in good faith and remedies processing activities also benefit from a 3900% decrease in fine from an originally-recommended sum? What does “a lot of good work” mean? Is it something only charities do? What about private companies with a strong ESG ethos, or who make significant charitable contributions?

[this post was originally published on my LinkedIn page.]


Douglas Adams and the EIR

[I tend to do a lot of my posting these days on LinkedIn, and less here. But the combination of LinkedIn’s poor search capability and my memory means I forget about some things I’ve written about that I’d quite like to remember. So I’m going to put some of them on this blog to remind me. This one is on a doozy of a Tribunal judgment.]

This Information Tribunal judgment about whether photographs of planning notices should be disclosed begins with a long quote from The Hitchhiker’s Guide to the Galaxy, and gets even more extraordinary as it goes on.

By the end of the judgment the judge has called the Information Commissioner’s Office’s decision a “pitiful failure to understand the scope and significance of material in the public domain and the role of data protection in protecting rights”, uses the term “bankruptcy” to describe the approach to the matter by both the ICO and Shropshire Council, and appears to have declared the Council’s handling of not just the individual planning application, but its planning policy as a whole unlawful (the judgment says, for instance that the council’s implementation of The Town and Country Planning (Development Management Procedure) (England) Order 2015 “failed to accord local residents their rights”).

This last point surely illustrates the Tribunal straying well beyond its jurisdiction, and it is difficult to see how it will escape having its judgment appealed. That’s actually a pity, because the underlying point in it is that the ICO’s approach failed to understand that data protection law has to be considered “in relation to its function in society and be balanced against other fundamental rights” (recital 4 GDPR) and failed to consider the Environmental Information Regulations’ context, whereby access to environmental information is one of the three pillars of the Aarhus Convention – the others being public participation in decision-making, and access to justice in environmental matters.

And even if the judgment gets appealed, I would hope the ICO acknowledges the key point that data protection rights don’t automatically trump all other rights.

https://www.bailii.org/uk/cases/UKFTT/GRC/2024/330.html


8000% in people affected by central government data breaches

Yes, you read that correctly. Here’s what we’ve just published on the Mishcon de Reya website:

https://www.mishcon.com/news/data-breach-crisis-in-central-government-time-for-ico-to-act
