Category Archives: defamation

What’s in a name?

For reasons which will become obvious I have replaced the names of two people referred to in this post to “John Doe” and “Jane Doe”: I’ve no wish to perpetuate a possible wrong.

Last night I was reading a recent judgment of the High Court in the matter of an appeal by a barrister from a decision of sanction by the Bar Tribunals and Adjudication Service. The judge, Mr Justice Warby, is one of the most senior media law judges in the country. Indeed, as judge in charge of the Media and Communications List, he is arguably the most senior such judge.

Mr Justice Warby knows a lot, then, about privacy, and data protection, and harm to reputation. As the judge who decided the landmark NT1 and NT2 cases, he also knows a lot about the concept of the “right to be forgotten” and how historic, outdated or inaccurate information on the internet has the potential to cause unwarranted harm in the future.

Yet in the case I will discuss here, I think he adopts a course of action in writing his judgment (one which he implies he may well repeat in future) which has the potential to cause great harm to wholly innocent individuals.

The facts of the case are not particularly relevant. Suffice to say that the barrister in question (named Khan) was suspended because it was found that he had engaged in serious misconduct in inter alia discussing in a robing room serious allegations of sexual offences made by a former client of his against another practising barrister.

In reading the description of the agreed facts I was perturbed, to say the least, to note that the names of the former client and the alleged offender were apparently given in full:

What Mr Khan did, in summary, was this. On two occasions, in the robing rooms of two Courts in the Midlands, he spoke words that suggested to those who were present and heard him that a fellow barrister, [John Doe], had (a) stalked and then (b) raped another, female, lawyer who had been Mr Khan’s client and, (c) when she complained of this, caused serious threats to her life to be made, in an attempt to cover up what had taken place. All the information that Mr Khan had about these matters came from his former client, [Jane Doe], who was the complainant.

The explanation for using apparent full names was given by Warby J in the following paragraph:

I have…changed the name of the complainant because, as someone who has alleged rape, she is entitled to lifetime anonymity (Sexual Offences (Amendment) Act 1992, s 1). To make anonymity effective in her case, I have also changed the name of the barrister she accused. [John Doe] is not his real name. I have used this method of anonymisation, in preference to the use of initials, as it is at least as effective, less artificial, and reduces the potential for confusion

This strikes me as, with respect to the learned judge, profoundly misguided. The use of initials (obviously not the person’s actual initials) does not just anonymise the person to whom they relate, but also avoids the risk of someone else inadvertently being associated.

Because – here’s the rub – there does appear (unsurprisingly) to be a former barrister (now solicitor) called “[John Doe]”. He is clearly not the [John Doe] Warby J refers to (not least because [John Doe] in the judgment is of course a pseudonym. But, as is all too obvious in the modern world, snippets of information can sometimes become separated from their context, and used, inadvertently, or even maliciously, to harmful effect.

It is by no means unlikely that the first paragraph I quote above could be later quoted, or extracted, and read in isolation, and that the practising barrister who is really called [John Doe], but who has no connection whatsoever to the events in the judgment, could be defamed or otherwise harmed as a result.

Put it this way – if I were the practising barrister who is really called [John Doe] I would be horrified, and greatly aggrieved, by paragraph 5 of Warby J’s judgment.

A while ago, my enjoyment of a silly internet game, whereby one Googles the phrase “X was convicted of” (where X is one’s own name), was swiftly replaced by abject dismay, when I found that someone sharing my name had been convicted of a horrific offence. This was pure, if unfortunate, coincidence. What Mr Justice Warby appears to have done in this judgment, and is – I fear – proposing to do in future judgments, is deliberately try to develop (for the best of reasons) a judicial naming convention which risks great harm to wholly innocent and unwitting individuals. I hope he rethinks.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under anonymisation, defamation, Open Justice, sexual offences amendment act

Unintended data protection consequences of Defamation Act and ICO proposals?

Might changes to defamation law, and to the Information Commissioner’s practices, lead to an increase in court claims about accuracy of personal data?

A statement is not defamatory unless its publication has caused or is likely to cause serious harm to the reputation of the claimant

This is the bold subsection (1) to section 1 of the Defamation Act 2013, which was commenced in England and Wales on 1 January 2014. This – in part the culmination of a strong campaign – is a potentially significant change to domestic libel law, meaning that (in the words of the explanatory notes to the Act)

the bar [is raised] for bringing a claim so that only cases involving serious harm to the claimant’s reputation can be brought

But often where a bar is raised in one place, a gap will be found in another. I wonder if, along with another development -namely, the Information Commissioner’s proposals to change its approach to regulation of the Data Protection Act 1998 (DPA) – it might lead to an increase in DPA claims.

11KBW’s Robin Hopkins wrote an important article last year, whose title helpfully summarises its argument: The Data Protection Act in defamation cases: increasingly relevant, potentially primary? In it, he identified a possible trend, citing two cases in particular as illustration – The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB) and Desmond v Foreman, & Ors [2012] EWHC 1900 (QB), of

The Data Protection Act 1998…increasingly being deployed as part of a claimant’s arsenal in defamation claims […] in some circumstances, the DPA may appropriately play the lead role rather than a supporting one in a complaint about unjustifiable and damaging communications about individuals

There are a number of potential claims which an aggrieved individual can make using the DPA. For our purposes here, though, the relevant provisions are those at section 14, dealing with inaccuracy

If a court is satisfied on the application of a data subject that personal data of which the applicant is the subject are inaccurate, the court may order the data controller to rectify, block, erase or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on the inaccurate data

Clearly, inaccuracy – normally in the form of an untruth – is an important part of a defamation claim. If, now, those claims formerly made in defamation which were not worth the wick, let alone the candle are (statutorily) barred by virtue of section 1 of the Defamation Act 2013, will persistent claimants seek another route? Inaccuracy of personal data is a prima facie contravention of the fourth data protection principle in Schedule One of the DPA, and section 14 is a legitimate and specific legal route by which a person may have that inaccuracy corrected.

It should be noted, though, that the court does retain discretion (n.b use of “may” in section 14) as to whether to order rectification etc. An alternative route has traditionally been, of course, by means of making a request for assessment, under section 42 of the DPA, to the Information Commissioner (IC), as to whether processing of one’s personal data has been or is being carried out in compliance with the DPA. Upon receipt of a valid request of this type, the IC is required (“shall make…”) to make an assessment (although he retains discretion as to what is an appropriate manner for it to be made). I say “traditionally” because, as David Erdos argued in a guest post on this blog recently, the IC, in a consultation on a future approach to dealing with DPA complaints and concerns

proposes to decide on its own account whether or not to assess the merits of a concern validly sent to it for assessment under the Data Protection framework

but, as David, notes, this proposal does not appear to be in accordance with the IC’s legal obligation to make an assessment in relevant circumstances.

Nonetheless, and to the extent that such a proposal (or a tweaking of it) might be held to be lawful, it certainly seems to signal a desire on the IC’s part to  (in Tim Turner’s words)

start ignoring more individual complaints, and concentrate on what it considers to be strategic priorities

If that is so, then might complainants who wish to challenge the accuracy of their personal data, more readily look to bring section 14 claims against the data controller? Might the IC be shifting its burden not only on to data controllers themselves, but also on to the already overloaded justice system?

Leave a comment

Filed under Data Protection, defamation, Information Commissioner

CQC and data protection, redux

In June this year I blogged about the furore caused when the Care Quality Commission (CQC) initially refused, citing data protection law, to identify four members of staff who were alleged to have tried to cover up an critical internally-commissioned report into its oversight of the University Hospitals Morecambe Bay NHS Trust.

Even Christopher Graham, the Information Commissioner got involved, saying

This feels like a public authority hiding behind the Data Protection Act – it’s very common but you have to go by what the law says and the law is very clear

and, perhaps as a result of his intervention, the day after the news broke, the CQC changed position, saying

We have reviewed the issues again with our legal advisers (and taken into account the comments of the Information Commissioner). In light of this further consideration, we have come to the view that the overriding public interest in transparency and accountability gives us sufficient grounds to disclose the names of the individuals who were anonymised in the report.

I had wondered if the reason for the initial non-disclosure was because of doubt as to the veracity of the reported cover-up comments, perhaps in conjunction with a challenge by the data subjects, on the basis that publishing that they had made those comments was untrue, and potentially defamatory and, therefore, in breach of the Data Protection Act 1998 (DPA):

on the information currently available, there is perhaps a lack of hard evidence to establish to an appropriate level of certainty that the person or persons alleged to have suppressed the report did so, or did so in the way they are alleged to have done. For that reason, it could indeed be a breach of the DPA to disclose the names at this stage

Yesterday, news emerged that the CQC had published a statement on its website exonerating one of the people named

  • Anna Jefferson had not used “any inappropriate phrases” as attributed to her by one witness quoted in the Grant Thornton report; and

  • Anna Jefferson had not supported any instruction to delete an internal report prepared by a colleague – Louise Dineley.

The CQC regrets any distress Anna Jefferson has suffered as a consequence of this matter

So, it looks like someone was wrongly identified as committing an act of misconduct. Ms Jefferson is said to have been “deeply upset” by the allegations, and describes it as having been a “difficult time”.

In a postscript to my original blog post I wondered idly about

the rather interesting (if unlikely) possibility that the persons now named could complain to the ICO for a determination as to whether disclosure was in fact in breach of their rights under the DPA

It is possible that the statement on the CQC website is in fact an attempt to avoid this, or alternative, legal action. I wonder if Christopher Graham is going to revisit his comments.

1 Comment

Filed under Confidentiality, Data Protection, defamation, Information Commissioner

ICO Social Media Guidance – Shirking Responsibility?

The Information Commissioner has issued guidance on when the Data Protection Act is held to apply to Social Networking and Online Forums. While I recognise the pragmatic approach it takes, it appears to be in conflict with the leading legal authorities.

The Guidance

Apparently without much fanfare, unless I’ve missed it or am ahead of it, the Information Commissioner’s Office (ICO) has issued guidance for the public on Social networking and online forums when does the DPA apply? The short answer, applying European law, should be “always”. But this would a) make the guidance rather short, and b) not be in line with the ICO’s persistent line that his office should not have to regulate what people say about each other on the internet.

The guidance says

The DPA contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs. This exemption is often referred to as the ‘domestic purposes’ exemption. It will apply whenever an individual uses an online forum purely for domestic purposes

There are several interesting things about this position statement. First, it omits that the Data Protection Act 1998 (DPA) says that personal data only processed for domestic purposes is exempt from the obligations under the Act. Second, it also, strangely, omits the phrase “including recreational purposes” which arguably supports the ICO’s position (although, as I will mention later, it is controversial wording). Third, it is in direct contradiction of the leading European judicial authority on the exemption.

The guidance goes on to accept that some forms of individual self-expression on the internet will not be caught by the domestic purposes exemption, but as a whole (see the section entitled “ICO involvement in complaints against those running social network sites, organisations and individuals”) it appears to be an exercise in saying “don’t come to us if you don’t like what someone is saying about you on the internet”.

This subject is, of course, of considerable current relevance, given concerns expressed that a regulatory scheme imposed subsequent to the Leveson inquiry might end up applying to the blogosphere, or even to social media in general. I’ve written previously on this, arguing that existing data protection law already applies to such activities.

The Law

Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”) says that

This Directive shall not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity

and recital 12 to the Directive says that the data protection principles contained therein do not apply to the processing

of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

These provisions are given domestic effect in section 36 of the DPA, which says

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III [emphasis added]

In the leading European case on the provisions of the Directive, Lindqvist (Approximation of laws) [2003] EUECJ C-101/01, the European Court of Justice held that

[the] exception must…be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people

Lest there be any doubt as to the meaning of this, the ECJ issued a press release to accompany the judgment, which said

the act of referring, on an internet page, to various persons and identifying them by name…does not fall within the category of activities for the purposes…of purely personal or domestic activities, which are outside the scope of the directive [emphasis in original]

Lindqvist is, I would submit, unequivocal authority for the proposition that referring to an identifiable person or persons on the internet constitutes the processing of personal data, and is processing which is not exempt under Article 3(2) of the Directive.

The ICO has never accepted that Lindqvist has general application to internet publication of personal data. For instance, the ICO’s internal 2011 guidance on “Dealing with complaints about information published online” says

the Lindqvist judgement [sic]…related to a specific set of circumstances and cannot be applied to all cases of online publication

Try as I might I cannot square this with ECJ’s authority in Lindqvist. Still less can I square with it the comment, in an ICO paper on the proposed General Data Protection Regulation that

There has been some suggestion the Regulation should be used to ‘implement’ the Lindqvist decision – in short meaning that information posted openly on the internet necessarily falls outside the law’s personal or household processing exemption. We never wholly accepted the reasoning in Lindqvist…
One might take a moment to reflect on what is being said here. The paper’s author appears to understand the meaning of Lindqvist, regarding the lack of exemption for information posted openly on the internet, but says the ICO doesn’t (wholly) accept what is the binding decision of the ECJ.
One possible justification for the position lies in the additional wording Parliament inserted into section 36 of the DPA relating to “recreational purposes” (although, as I note above, the new guidance doesn’t put much emphasis on this). It is perhaps possible to construe – as the ICO clearly does – this to permit the section 36 exemption to extend to internet publication of personal data. Indeed, the apparently interminable infraction proceedings brought against the UK by the European Commission (tracked doggedly by Dr Chris Pounder) for numerous examples of apparent lack of proper domestic implementation of the Directive include criticism that
the inclusion of “recreational purposes” in the Data Protection Act…in the Commission’s view appeared to be broader than household activities.
However, even if this addition of “recreational purposes” to the UK statutory scheme arguably extends – perhaps impermissibly – the ambit of the exemption, the ICO was told in unequivocal terms in The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB) that
The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully
In Kordowski the ICO had been asked by the Law Society to intervene to prevent the publication of defamatory and unfair postings on a website called “Solicitors from Hell”. The ICO had declined, citing – in a letter to the Law Society – the domestic purposes exemption as the reason for not investigating
I do sympathise with solicitors and others who may find it extremely difficult, and in many cases impossible, to have offensive material about them removed from the internet. Perhaps this is a case where the law is out of step with technology. However, I am afraid the DPA is simply not designed to deal with the sort of problem that you have brought to my attention.
Tugendhat J expressed his sympathy
with the Commissioner in what he says about the practical difficulties raised by cases such as the present. It is also beyond doubt that the DPA was not designed to deal with the way in which the internet now works
but said that the ICO had an obligation to investigate a complaint “where there is no room for argument that processing is unlawful”.
The ICO (in the form of David Smith, the Deputy Commissioner responsible for data protection) has argued that the mistake the ICO made in the Kordowski matter was in holding that the site owner and administrator (Kordowski himself) was covered by the section 32 exemption. He does not appear to accept that the people submitting the “ratings” and comments about solicitors were not covered by the same
we took the view, quite rightly I think, that the individuals who posted the comments on the Solicitors from Hell website are just individuals, they are acting in their personal, domestic capacity…I think where we actually went a bit wrong in our analysis…we said the Solicitors from Hell website doesn’t exercise control, is not a data controller and so is not caught by the law. When this case came to court, quite rightly the court looked in more detail at what the operators of the site did, the notice board and it was a lot more than just a notice board, they were actually charging people to put information there and charging solicitors to have information taken down…The intermediary there was clearly a data controller. But this establishing who is a data controller and who isn’t in this whole environment is extremely difficult. [from a transcript of an oral presentation]
While this is an interesting argument, that the site owner, as clearly the primary data controller, holds some sort of primary liability for publication on his or her site, while those posting on it are exempt because of the domestic purposes exemptions, it is hugely problematic. This is because, firstly, it is inconsistent with the judgment in Lindqvist and, secondly, becuase it tends towards an illogical argument that an individual commenter on a site, perhaps a social media site, posting a defamatory, or even a criminal, statement, does so only for domestic purposes.
European developments
In Kordowski the judge’s sympathy rested in part on the fact that the DPA, and the ICO who must regulate it, are creatures of the 1995 Directive
In 1995 search engines were in their infancy. Google was incorporated in 1998. There have been many developments since that time, including the increasing use of third party facilities
In Janaury 2012 the European Commission began the lengthy process of introducing a new European data protection framework. The draft General Data Protection Regulation (GDPR) retains exemption provisions for domestic activities, and introduces new concepts: Article 2(2) states
This Regulation does not apply to the processing of personal data…by a natural person without any gainful interest in the course of its own exclusively personal or household activity [emphasis added]
and Recital 15 explains
This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity [emphasis added]
This might shift the scenery set by Lindqvist to a degree, and it is possible that the ICO’s guidance, although dealing with the current DPA, was written with an eye on the European developments. Indeed, the rest of Recital 15 says
the exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
However, it is to be noted that Peter Hustinx, the European Data Protection Supervisor, did not think the draft domestic purposes provisions of the GDPR were adequate
Recital 15 indicates that the exception applies in the absence of gainful interest, but it does not address the common issue of processing of data for personal purposes ona wider scale, such as the publication of personal information within a social network…In line with the rulings of the Court of Justice in Lindquist and Satamedia, the EDPS suggests that a criterion be inserted to differentiate public and domestic activities based on the indefinite number of individuals who can access the information. This criterion should be understood as an indication that an indefinite number of contacts shall in principle mean that the household exemption does no longer apply. It is without prejudice to a stricter requirement for a genuine personal and private link, to prevent that individuals making data available to several hundreds or even thousands of individuals would automatically fall underthe exemption.
But a final development has occurred with the release on 31 May of Irish Presidency of the Council of the European Union’s Justice and Home Affairs draft compromise text which adds to Recital 15 the following words
Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.
One wonders if the ICO was aware, when drafting his Social Media Guidance, of this development. However, and while it remains to be seen what the GDPR will ultimately say, much could still turn on what “undertaken within the context” means within Recital 15.
And we should not get ahead of ourselves. The ICO regulates the DPA, and as the (European) law currently stands, the act of referring to a person on the internet does not attract the domestic purpose exemption. The ICO guidance implies it might. Will this be challenged?

4 Comments

Filed under Data Protection, defamation, Europe, GDPR, Information Commissioner, social media