Category Archives: Data Protection

November 19, 2024 · 5:15 am

Can directors and trustees of charities be controllers?

[reposted from LinkedIn]

Savva v Leather Inside Out & Ors [2024] EWHC 2867 (KB), Sam Jacobs of Doughty Street Chambers, instructed by Forsters LLP for the defendants (the applicant in the instant application)

Is it the case that a director or trustee of a charity (which is a controller) cannot be a controller? That, in effect, was one of the grounds of an application by two defendants to strike out and grant summary judgment in a claim arising from alleged failures to comply with subject access requests.

The claim arises from a dispute between the claimant, a former prisoner, employed by a subsidiary of a charity (“Leather Inside Out” – currently in administration), and the charity itself. The claim is advanced against the charity, but also against the charity’s founder and two trustees, who are said on the claim form to be controllers of the claimant’s data, in addition to, or jointly with, the charity.

In a solid judgment, Deputy Master Alleyne refused to accept that such natural persons were not capable of being a controller: the term is given a broad definition in Article 4(7) UK GDPR, and “includes a natural or legal person, public authority, agency or other body and that there may be joint controllers. On plain reading of the provisions, it is incorrect to suggest that an allegation of joint controllers is, per se, not a legally recognisable claim” (re Southern Pacific Loans applied).

However, on the specific facts of this case, the pleading of the claimant (the respondent to the strike out application) failed “to allege any decisions or acts in respect of personal data which were outside the authority of the trustees as agents for [the charity]…the Respondent’s submissions demonstrated he wrongly conflated the immutable fact that a legal person must have a natural person through whom its decisions are carried into effect, with his case that the natural person must be assuming the defined status of data controller in their personal capacity”. That was not the case here – the founder and the trustees had not acted other than as agents for the charity.

Accordingly, the strike out application succeeded (notably, though, there Deputy Master said he had reached his conclusion
“not without some caution”).

Assuming the claim goes forward to trial, therefore, it can only be advanced against the charity, as sole controller.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under charities, controller, Data Protection, judgments, subject access, UK GDPR

Tagged as , ,

November 1, 2024 · 5:44 am

Dismissed FE teacher’s data protection, MOPI, HRA claims fail

[reposted from LinkedIn]

Claims in misuse of private information, data protection and for breach of the Human Rights Act, by a dismissed further education teacher against Tameside College and three employees are struck out/subject to summary judgment for the defendant.

The claimant was initially suspended after evidence came to light that he had been dismissed from previous roles. The College’s investigation involved the sending of reference requests to two previous employers, and was also informed by disclosures of Facebook and WhatsApp messages which revealed the teacher had, contrary to instruction, communicated with students on social media whilst suspended, and “sent a threatening message to a WhatsApp Group chat comprising members of staff”.

The deputy master found that in relation to the misuse of private information claims, although the claimant had a reasonable expectation of privacy in the social media messages, “those expectations were greatly outweighed by the need to investigate those messages for the purposes of the disciplinary process”. These were subject to summary judgment for the defendant.

The data protection and human rights claims against individual employees were bound to fail, as they were neither data controllers nor public authorities.

As to the data protection claim against the college, a previous determination by the ICO that the sending of the reference requests was not fair and transparent, because it was contrary to the claimant’s expectations, was wrong: it was “plain that it ought to have been well within the Claimant’s reasonable expectation that, in order to investigate whether he had failed to disclose the fact of his dismissal from those two institutions, each would be contacted and asked about it.”

The college’s processing was lawful under Article 6(1)(b) and (c) of the UK GDPR: “The processing was necessary for the purposes of the contract of employment between the [college] and the Claimant and for the performance of the [college’s] obligations to its other staff, and to safeguard and promote the welfare of its students.” The various safeguarding legal duties and obligations on the college established a clear legal basis for the processing.

Similarly, the human rights claims against the college, which included complaints of unlawful monitoring and surveillance, were bound to fail: “There is no real prospect of establishing a breach of Article 8 for the same reasons that there is no real prospect of establishing misuse of private information. The alleged breaches of Articles 10 and 11 appear to relate to the College’s instructions to the Claimant not to communicate with other staff except with permission. The instruction was plainly a reasonable one made for a legitimate purpose.”

Accordingly, the data protection and Human Rights Act claims were struck out.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, employment, Further education, human rights, Information Commissioner, judgments, LinkedIn Post, misuse of private information

Tagged as , ,

October 30, 2024 · 6:09 am

Pacini & Geyer v Dow Jones – at the interface between libel and data protection

[reposted from LinkedIn]

This is an important judgment on preliminary issues (the second preliminary issues judgment in the case – the first was on an unsuccessful strike out application by the defendants) in a data protection claim brought by two businessmen against Dow Jones, in relation to articles in the Wall Street Journal in 2017 and 2018. The claim is for damages and for erasure of personal data which is said to be inaccurate.

It is believed to be the first time in a data protection claim that a court has been required to determine the meaning of personal data as a preliminary issue in an accuracy claim.

Determination of meaning is, of course, something that is common in defamation claims. The judgment is a fascinating, but complex, analysis of the parallels between determining the meaning of personal data in a publication and determining the meaning of allegedly defamatory statements in a publication. Although the judge is wary of importing rules of defamation law, such as the “single meaning rule” and “repetition rule” a key part of the discussion is taken up by them.

The single meaning rule, whereby “the court must identify the single meaning of a publication by reference to the response of the ordinary reader to the entire publication” (NT 1 & NT 2 v Google LLC [2018] EWHC 799 (QB)) is potentially problematic in a data protection claim such as this where the claimants argue that it is not the ordinary reader they are concerned about, but a reader who might be a potential business investor.

Similarly, it is not at all clear that the repetition rule, which broadly seeks to avoid a defamatory loophole by which someone argues “but I’m only reporting what someone else said – their words might be defamatory, but mine merely report the fact that they said them”, should carry over to data protection claims, not least because what will matter in defamation claims is the factual matrix at the time of publication, whereas with data protection claims “a claim for inaccuracy may be made on the basis that personal data are inaccurate at the time of the processing complained of, including because they have become misleading or out of date, regardless of whether they were accurate at the time of original publication. In that event, what matters is the factual matrix at the time when relief is sought” (at 66).

Nonetheless, and in a leap I can’t quite follow on first of the judgment, but which seems to be on the basis that the potential problems raised can be addressed at trial when fairness of processing (rather than accuracy) arises, the judge decides to determine meaning on a single meaning/repetition rule basis (at 82-84).

There’s a huge amount to take in though, and the judgment demands close reading (and re-reading). If a full trial and judgment ensue, the case will probably be a landmark one.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under accuracy, Data Protection, Data Protection Act 2018, judgments, UK GDPR

Tagged as ,

October 29, 2024 · 5:21 am

ICO, Clearview AI and Tribunal delays

[reposted from LinkedIn]

On 28 October the Information Commissioner’s Office (ICO) made the following statement in respect of the November 2023 judgment of the First Tier Tribunal upholding Clearview AI’s successful appeal of the ICO’s £7.5m fine, and posted it in an update to its original announcement about appealing:

The Commissioner has renewed his application for permission to appeal the First-tier Tribunal’s judgment to the Upper Tribunal, having now received notification that the FTT refused permission of the application filed in November 2023.

It is extraordinary that it has taken 11 months to get to this point.

So what does this mean?

If a party (here, the ICO) wishes to appeal a judgment by the First Tier Tribunal (FTT) to the next level Upper Tribunal (UT), they must first make an application to the FTT itself, which must decide “as soon as practicable” whether to grant permission to appeal its own judgment (rules 42 and 43 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009).

If the FTT refuses permission to appeal (as has happened here), the application may be “renewed” (i.e. made again) directly to the UT itself (rule 21(2) of the Tribunal Procedure (Upper Tribunal) Rules 2008).

So, here, after 11 months (“as soon as reasonably practicable”?) the ICO has just had its initial application refused, and is now going to make an applicant under rule 21(2) of the UT Rules.

The ICO’s wording in its statement is slightly odd though: it talks of “having now received notification” that the FTT “refused” (not, say, “has now refused”) the November 2023 application. The tense used half implies that the refusal happened at the time and they’ve only just been told. If so, something must have gone badly wrong at the Tribunal.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data Protection, GDPR, Information Commissioner, Information Tribunal, judgments, Upper Tribunal

Tagged as ,

October 24, 2024 · 11:20 am

Data (Use and Access) Bill – some initial thoughts

By me, on the Mishcon de Reya website.

Leave a comment

Filed under Data Protection, Data Protection Bill, Information Commissioner, Open Justice, ROPA, subject access

Tagged as

October 24, 2024 · 8:06 am

Harassment of terrorism victims

[reposted from LinkedIn]

It is impossible to imagine claimants with whom one has more sympathy than Martin Hibbert and his daughter Eve, who each suffered grave, life-changing injuries in the 2017 Manchester Arena attack, and who then found themselves targeted by the bizarre and ghoulish actions of Richard Hall, a “conspiracy theorist” who has claimed the attack was in fact a hoax.

Martin and Eve brought claims in harassment and data protection against Hall, and, in a typically meticulous judgment Mrs Justice Steyn DBE yesterday gave judgment comprehensively in their favour on liability in the harassment claim. Further submissions are now invited on remedies.

The data protection claim probably adds nothing, but for those pleading and defending such claims it is worth reading Steyn J’s (mild) criticisms of the flaws, on both sides, at paragraphs 246-261. She has also invited further submissions on the data protection claim, although one wonders if it will be pursued.

Other than that, though, one hopes this case consigns Hall to the dustbin of history.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, UK GDPR

Tagged as ,

October 15, 2024 · 5:41 am

Third party rights under FOIA

[reposted from LinkedIn]

In a Freedom of Information Act (FOIA) matter there are two parties with express rights and obligations – the requester and the public authority (PA) – with the potential for the regulator – the Information Commissioner’s Office – to become involved if there is a dispute.

But there is often a third party involved, and one who has no express rights under FOIA – the person to whom requested information relates. This can be a corporate, but sometimes it will be an individual (think, for example of MPs whose expense claims were sought from the Commons many years ago).

The code of practice issued by the Cabinet Office under section 45 of FOIA recommends as best practice that, where a PA receives a request for information where a third party’s interests are engaged, the third party should be consulted, and given the opportunity to make representations. But the Code is clear that those representations cannot bind the PA, and that the decision on disclosure is ultimately for the PA to make.

All of this should, of course, run its course within the 20 working days that FOIA allows for responding to a request. So quite how a request from 2019, to the Legal Services Agency (LSA) for Northern Ireland, regarding the grant of legal aid to a self-styled peace campaigner, has only just been determined in the High Court is a pressing question. Nonetheless, the judgment (though slightly odd) is worth reading.

The man in question, Raymond McCord, was invited to make representations on the request (made by a unionist MP), having been informed of the LSA’s intention to disclose. He brought immediate judicial review proceedings to prevent disclosure and the LSA undertook not to disclose until the ICO had given a view on the lawfulness of processing (I pause to note that the LSA’s suggestion that McCord had an alternative remedy by way of a complaint to the ICO after disclosure for a determination as to whether FOIA had been complied with was wrong in law, and flawed in logic).

The ICO gave an opinion in June 2020 that disclosure would likely be both unfair and unlawful, but stressed that the opinion “is in no way legally binding in this case, however, it should be of assistance to the court in making a final decision.”

No explanation is given in the judgment of why it then took over four years for the court to rule on the application. This is simply ridiculous.

Nevertheless, the court conducted a rather eccentric analysis of the authorities on disclosure of personal data under FOIA (and of various non-authoritative prior ICO decision notices) before determining, five whole years (rather than twenty working days) after the FOIA request, that the information should be disclosed, holding that “the applicant cannot complain of any breach of privacy in respect of his pursuit of high‑profile public interest litigation in circumstances where he himself has commented publicly on the issues”.

The judgment, ultimately, is rather unsatisfactory. The interim judgment (in 2020(!)) of Keegan J, which noted the undertaking by the LSA not to disclose pending the ICO’s ruling, discusses alternative remedies, and implies that McCord would have a right to appeal the ICO’s decision to the First tier Tribunal. However, this predates the Killock and Delo cases which make clear that there is no substantive data subject right of appeal from an ICO data protection decision through the tribunal system. In Killock the Upper Tribunal made clear that a substantive data subject challenge (rather than a procedural one) to the ICO should, indeed, be by way of judicial review proceedings.

And it remains the case that, if you are a third party who has an interest (maybe a profound interest) in information which a public authority is proposing to disclose, in response to a FOIA request, your rights are unclear and limited.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Information Commissioner, judgments, judicial review

Tagged as , , ,

October 11, 2024 · 6:24 am

Still no clearer on reprimands

[reposted from LinkedIn]

What is a reprimand, and how does the ICO decide to issue one? This, bizarrely, remains a bit of a mystery – apparently even to the ICO themselves.

Under Article 58(2)(b) of the UK GDPR the Information Commissioner’s Office has the power to issue reprimands to a controller or a processor where processing operations have infringed provisions of the UK GDPR.

Since January 2022 the ICO has issued 84 reprimands that it has made public (it’s possible there are others it hasn’t published – that’s certainly happened in the past). Yet there is still no clearly documented process that the ICO will follow to decide what might trigger the decision to issue a reprimand.

In February 2023 I was informed by the ICO that “there is no specific written policy or procedure covering the issuing of reprimands [but that they were] currently working on putting together a formalised process specifically for reprimands, which will be added to our Investigations Manual once finalised”.

So I followed this up recently (18 months on from the previous request). And I’ve had a couple of documents disclosed to me, one a checklist that begins “Once reprimand agreed…” and another on how to apply redactions, but, otherwise, there appears still to be no way of an organisation – or even the ICO themselves(!) – knowing what might lead to a reprimand being issued, and how the decision will be made.

So, six years on from the ICO getting the power, those organisations placed on the naughty step appear to be no clearer to understanding what exactly they did to deserve it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Information Commissioner, reprimand, UK GDPR

Tagged as ,

October 8, 2024 · 4:39 am

Is the purchase of a watch “private information”?

[reposted from LinkedIn]

An interesting (if it gets to trial) Northern Ireland case of Frampton and Van Der Horst [2024] NIMaster 17, in which the plaintiff former boxer (P) has sought damages in, variously, passing off, copyright, breach of confidence, misuse of private information and data protection, as a result of the defendant watch seller’s (D) publication of a YouTube video revealing that P had bought a watch from D.

P had obtained judgment in default and D sought to set this aside. In deciding to do so the master only had to determine whether the D has an arguable defence.

The analyses of whether the MOPI and data protection defences are arguable are interesting (and in the latter case, flawed).

On MOPI, the master noted that the “Murray factors” (“the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant, and the circumstances in which and the purposes for which the information came into the hands of the publisher”) will require consideration at trial, and also noted that the authoritative law books on the topic identify “personal financial and tax related information” as one of the types of information that will normally (but not invariably) be regarded as giving rise to a reasonable expectation of privacy. All these points could only, said the master, be determined by a trial judge, having heard all the evidence.

On the data protection claim, the defence consisted in an argument that D’s processing was based on his legitimate interests. Here, the master seems to have erred, in assessing that “This would appear a particularly weak argument as there was no express consent from the plaintiff and the purported legitimate reason for processing the data was effectively to make money, which is not an exemption under UK General Data Protection Regulations [sic]”. But, of course, reliance on Article 6(1)(f) UK GDPR legitimate interests does not (cannot) require the consent of the data subject; rather, it requires the controller’s legitimate interests to be balanced against the interests, rights and freedoms of the data subject. Nor is there any authority for the proposition that an interest or interests cannot be “legitimate” because they are commercial interests (indeed, the CJEU, in a finding which I am certain would be followed by the domestic courts, only last week ruled that a commercial interest is capable of being a legitimate interest).

This, of course, was not a fully argued case (the master only had affidavits and draft pleadings to go on). If the case goes to trial we may well see all of the claims more properly argued and considered.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, misuse of private information

Tagged as ,

October 5, 2024 · 9:11 am

Join NADPO, get free Tim Turner training

If I told you that you could secure attendance at two half-day online training sessions on data protection, with one of the UK’s leading experts and trainers, for the meagre sum of £130 and that payment bought you two years’ membership of NADPO, with all the other benefits that brings (regular webinars, a stellar annual conference, regular newsletters, discounts on training), you would snap it up, wouldn’t you?

Well, dear friends, that’s what we’re offering our members. On Wednesday 9 October and Wednesday 16 October the fantastic Tim Turner of 2040 Training will be delivering sessions exclusively for NADPO members. So, if you purchase a membership in the next few days you’ll be entitled to attend both sessions (plus get all those other benefits).

I can’t think how any rational person could turn such an offer down.

Leave a comment

Filed under Data Protection, NADPO, Uncategorized

Tagged as ,