Category Archives: Europe

Google is not a library, Dr Cavoukian

The outgoing Ontario Information and Privacy Commissioner Ann Cavoukian, whose time in office has been hugely, and globally, influential (see in particular Privacy by Design) has co-written (with Christopher Wolf) an article strongly criticising the judgment of the Court of Justice of the European Union (CJEU) in the Google Spain case.

For anyone who has been in the wilderness for the last few weeks, in Google Spain the CJEU ruled that Google Spain, as a subsidiary of Google inc. operating on Spanish territory, was covered by the obligations of the European Data Protection Directive 95/46/EC, that it was operating as an entity that processed personal data in the capacity of a data controller, and that it was accordingly required to consider applications from data subjects for removal of search returns. Thus, what is loosely called a “right to be forgotten” is seen already to exist in the current data protection regime.

Many have written on this landmark CJEU ruling (I commend in particular Dr David Erdos’s take, on the UK Constitutional Law Blog) and I am not here going to go into any great detail, but what I did take issue with in the Cavoukian and Wolf piece was the figurative comparison of Google with a public library:

A man walks into a library. He asks to see the librarian. He tells the librarian there is a book on the shelves of the library that contains truthful, historical information about his past conduct, but he says he is a changed man now and the book is no longer relevant. He insists that any reference in the library’s card catalog and electronic indexing system associating him with the book be removed, or he will go to the authorities…

…The government agent threatens to fine or jail the librarian if he does not comply with the man’s request to remove the reference to the unflattering book in the library’s indexing system.

Is this a scenario out of George Orwell’s Nineteen Eighty-Four? No, this is the logical extension of a recent ruling from Europe’s highest court

(I pause briefly to say that if I never see another reference to Orwell in the context of privacy debate I will die a happy man).

I’m fond of analogies but Cavoukian’s and Wolf’s one (or maybe it’s a metaphor?) is facile. I think it could more accurately say

A man walks into a library. He sees that, once again, the library has chosen, because of how it organises its profit-making activities, to give great prominence to a book which contains information about his past conduct, which is no longer relevant, and which it is unfair to highlight. He asks them to give less prominence to it.

Cavoukian and Wolf accept that there should be a right to remove “illegal defamatory” content if someone posts it online, but feel that the issue of links to “unflattering, but accurate” information should be explored using “other solutions”. (I pause again to note that “unflattering” is an odd and loaded word to use here: Mr Gonzalez, in the Google Spain case, was concerned about out-of-date information about bankruptcy, and other people who might want to exercise a right to removal of links might be concerned by much worse than “unflattering” information).

I don’t disagree that other solutions should be explored to the issue of the persistence or reemergence of old information which data subjects reasonably no longer wish to be known, but people are entitled to use the laws which exist to pursue their aims, and the application by the CJEU of data protection law to the issues pleaded was, to an extent, uncontroversial (is Google a data controller? if it is, what are its obligations to respect a request to desist from processing?)

Cavoukian and Wolf criticise the CJEU for failing to provide sufficient instruction on how “the right to be forgotten” should be applied, and for failing to consider whether “online actors other than search engines have a duty to ‘scrub’ the Internet of unflattering yet truthful facts”, but a court can only consider the issues pleaded before it, and these weren’t. Where I do agree with them is in their criticism of the apparent failure by the CJEU, when giving effect to the privacy rights in Article 8 of the European Convention on Human Rights, and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, to consider adequately, if at all, the countervailing rights to freedom of expression in Article 10 of the former and Article 11 of the latter. In this respect, the prior Opinion of the Advocate General was perhaps to be preferred.

The key word in my replacement library ananolgy above is “chosen”. Google is not a passive and inert indexing system. Rather, it is a dynamic and commercially-driven system which uses complex algorithms to determine which results appear against which search terms. It already exercises editorial control over results, and will remove some which it is satisfied are clearly unlawful or which constitute civil wrongs such as breach of copyright. Is it so wrong that (if it gives appropriate weight to the (sometimes) competing considerations of privacy and freedom of expression) it should be required to consider a request to remove unfair and outdated private information?

 

 

2 Comments

Filed under Data Protection, Directive 95/46/EC, Europe, human rights, Privacy

Ticking off Neelie Kroes (sort of)

In which I take issue with the European Commission V-P about what the Consumer Rights Directive says about pre-ticked boxes

I found myself retweeting what I think was a rather misleading message from the Vice-President of the European Commission, Neelie Kroes. Her tweet said

You know those annoying “pre-ticked boxes” on shopping/travel websites? They’re banned in #EU from today http://europa.eu/rapid/press-release_IP-14-655_en.htm#eCommerce

I thought this was very interesting, particularly in light of my recent post about the implying of consent to electronic marketing if people forget to untick such boxes. The EU press release itself does say at one point

Under the new EU rules…consumers can now rely on…A ban on pre-ticked boxes on the internet, as for example when they buy plane tickets

But, it earlier says

The new rules also ban…pre-ticked boxes on websites for charging additional payments (for example when buying plane tickets online)

The emphasis I’ve added in that last quote is crucial. What DIRECTIVE 2011/83/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 October 2011 on consumer rights actually proscribes is the contractual binding of a consumer to any payment in addition to the original remuneration agreed on if

the trader has not obtained the consumer’s express consent but has inferred it by using default options which the consumer is required to reject in order to avoid the additional payment

 So, as the press release explains,

When shopping online –for example when buying a plane ticket – you may be offered additional options during the purchase process, such as travel insurance or car rental. These additional services may be offered through so-called pre-ticked boxes. Consumers are currently often forced to untick those boxes if they do not want these extra services. With the new Directive, pre-ticked boxes will be banned across the European Union.

I happen to think that that text should more properly say “With the new Directive, pre-ticked boxes of this sort will be banned across the European Union”.

So, no ban on pre-ticked boxes themselves, just on those which purport to bind a consumer to an additional payment under a contract.

The Directive has been implemented in the UK by  The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 and associated The Enterprise Act 2002 (Part 8 EU Infringements) Order 2013 the former of which says (at regulation 40)

Under a contract between a trader and a consumer, no payment is payable in addition to the remuneration agreed for the trader’s main obligation unless, before the consumer became bound by the contract, the trader obtained the consumer’s express consent.. There is no express consent (if there would otherwise be) for the purposes of this paragraph if consent is inferred from the consumer not changing a default option (such as a pre-ticked box on a website)

Having said all this, I do think it is interesting that clearly-defined concepts of “express consent” are making their way into European and domestic legislation. And in due course, we may even find that, for instance, electronic marketing will be restrained unless similarly clearly-defined express consent is given. But not just yet.

Update: Ms Kroes kindly replied to me, saying it’s difficult to get a message across in 140 characters. So true.

 

 

 

 

Leave a comment

Filed under Data Protection, Europe, marketing, PECR

Data Protection for Baddies

Should Chris Packham’s admirable attempts to expose the cruelties of hunting in Malta be restrained by data protection law? And who is protected by the data protection exemption for journalism?

I tend sometimes to lack conviction, but one thing I am pretty clear about is that I am not on the side of people who indiscriminately shoot millions of birds, and whose spokesman tries to attack someone by mocking their well-documented mental health problems. So, when I hear that the FNKF, the Maltese “Federation for Hunting and Conservation” has

presented a judicial protest against the [Maltese] Commissioner of Police and the Commissioner for Data Protection, for allegedly not intervening in “contemplated” or possible breaches of privacy rules

with the claim being that they have failed to take action to prevent

BBC Springwatch presenter Chris Packham [from] violating hunters’ privacy by “planning to enter hunters’ private property” and by posting his video documentary on YouTube, which would involve filming them without their consent

My first thought is that this is an outrageous attempt to manipulate European privacy and data protection laws to try to prevent legitimate scruting of activities which sections of society find offensive and unacceptable. It’s my first thought, and my lasting one, but it does throw some interesting light on how such laws can potentially be used to advance or support causes which might not be morally or ethically attractive. (Thus it was that, in 2009, a former BNP member was prosecuted under section 55 the UK Data Protection Act 1998 (DPA 1998) for publishing a list of party members on the internet. Those members, however reprehensible their views or actions, had had their sensitive personal data unlawfully processed, and attracted the protection of the DPA (although the derisory £200 fine the offender received barely served as a deterrent)).

I do not profess to being an expert in Maltese Data Protection law, but, as a member state of the European Union, Malta was obliged to implement Directive EC/95/46 on the Protection of Individuals with regard to the Processing of Personal Data (which it did in its Data Protection Act of 2001). The Directive is the bedrock of all European data protection law, generally containing minimum standards which member states must implement in domestic law, but often allowing them to legislate beyond those minimum standards.

It may well be that the activities of Chris Packham et al do engage Maltese data protection law. In fact, if, for instance, film footage or other information which identifies individuals is recorded and broadcast in other countries in the European Union, it would be likely to constitute an act of “processing” under Article 2(b) of the Directive which would engage data protection law in whichever member state it was processed.

Data protection law at European level has a scope whose potential breadth has been described as “breath-taking”. “Personal data” is “any information relating to an identified or identifiable natural person” (that is “one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”), and “processing” encompasses “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction”.

However, the broad scope does not necessarily means broad prohibitions on activities involving processing. Personal data must be processed “fairly and lawfully”, and can (broadly) be processed without the data subject’s consent in circumstances where there is a legal obligation to do so, or where it is necessary in the public interest, or necessary where the legitimate interests of the person processing it, or of a third party, outweigh the interests for fundamental rights and freedoms of the data subject. These legitimising conditions are implemented into the Maltese Data Protection Act 2001 (at section 9), so it can be seen that the FKNF’s claim that Packham requires the hunters’ consent to film might not have legs.

Moreover, Article 9 of the Directive, transposed in part at section 6 of the 2001 Maltese Act, provides for an exemption to most of the general data protection obligations where the processing is for journalistic purposes, which almost certainly be engaged for Packham’s activities. Whether, however, any other Maltese laws might apply is, I’m afraid, well outside my area of knowledge.

But what about activists who might not normally operate under the banner of “journalism”? What if Packham were, rather than a BBC journalist/presenter, “only” a naturalist? Would he be able to claim the journalistic data protection exemption?

Some of these sorts of issues are currently edging towards trial in litigation brought in the UK, under the DPA 1998, by a mining corporation (or, in its own words, a “diversified natural resources business”), BSG Resources, against Global Witness, an NGO one of whose stated goals is to “expose the corrupt exploitation of natural resources and international trade systems”. BSGR’s claims are several, but are all made under the DPA 1998, and derive from the fact they have sought to make subject access requests to Global Witness to know what personal data of the BSGR claimants is being processed, for what purposes and to whom it is being or may be disclosed. Notably, BSGR have chosen to upload their grounds of claim for all to see. For more background on this see the ever-excellent Panopticon blog, and this article in The Economist.

This strikes me as a potentially hugely significant case, firstly because it illustrates how data protection is increasingly being used to litigate matters more traditionally seen as being in the area of defamation law, or the tort of misuse of private information, but secondly because it goes to the heart of questions about what journalism is, who journalists are and what legal protection (and obligations) those who don’t fit the traditional model/definition of journalism have or can claim.

I plan to blog in more detail on this case in due course, but for the time being I want to make an observation. Those who know me will not have too much trouble guessing on whose side my sympathies would tend to fall in the BSGR/Global Witness litigation, but I am not so sure how I would feel about extending journalism privileges to, say, an extremist group who were researching the activities of their opponents with a view to publishing those opponents’ (sensitive) personal data on the internet. If society wishes to extend the scope of protection traditionally afforded to journalists to political activists, or citizen bloggers, or tweeters, it needs to be very careful that it understands the implications of doing so. Freedom of expression and privacy rights coexist in a complex relationship, which ideally should be an evenly balanced one. Restricting the scope of data protection law, by extending the scope of the exemption for journalistic activities, could upset that balance.

7 Comments

Filed under Data Protection, Europe, human rights, journalism, Privacy, Uncategorized

The care.data leaflet campaign – legally necessary?

Readers of this blog [sometimes I imagine them1] may well be fed up with posts about care.data (see here, here and here). But this is my blog and I’ll cry if I want to. So…

Doyen of information rights bloggers, Tim Turner, has written in customary analytic detail on how the current NHS care.data leafleting campaign was not necessitated by data protection law, and on how, despite some indications to the contrary, GPs will not be in the Information Commissioner’s firing line if they fail adequately to inform patients about what will be happening to their medical data.

He’s right, of course: where a data controller is subject to a legal obligation to disclose personal data (other than under a contract) then it is not obliged, pace the otherwise very informative blogpost by the Information Commissioner’s Dawn Monaghan, to give data subjects a privacy, or fair processing notice.

(In passing, and in an attempt to outnerd the unoutnerdable, I would point out that Tim omits that, by virtue of The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000, if a data subject properly requests a privacy notice in circumstances where a data controller is subject to a legal obligation to disclose personal data (other than under a contract) and would, thus, otherwise not be required to issue one, the data controller must comply2.)

Tim says, though

The leaflet drop is no way to inform people about such a significant step, but I don’t think it is required

That appears to be true, under data protection law, but, under broader obligations imposed on the relevant authorities under Article 8 of the European Convention on Human Rights (ECHR), as incorporated in domestic law in the Human Rights Act 1998, it might not be so (and here, unlike with data protection law, we don’t have to consider the rigid controller/processor dichotomy in order to decide who the relevant, and liable, public authority is, and I would suggest that NHS England (as the “owner of the care.data programme” in Dawn Monaghan’s words) seems the obvious candidate, but GPs might also be caught).

In 1997 the European Court of Human Rights addressed the very-long-standing concept of the confidentiality of doctor-patient relations, in the context of personal medical data, in Z v Finland (1997) 25 EHRR 371, and said

the Court will take into account that the protection of personal data, not least medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention (art. 8). Respecting the confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general…Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment and, even, from seeking such assistance, thereby endangering their own health and, in the case of transmissible diseases, that of the community

This, I think, nicely encapsulates why so many good and deep-thinking people have fundamental concerns about care.data.

Now, I am not a lawyer, let alone a human rights lawyer, but it does occur to me that a failure to inform patients about what would be happening with their confidential medical records when GP’s were required to upload them, and a failure to allow them to opt-out, would have potentially infringed patients’ Article 8 rights. We should not forget that, initially, there was no intention to inform patients at all (there had no attempt to inform patients about the similar upload of hospital medical data, which has been going on for over twenty years). It is, surely, possible therefore, that NHS England is not just “helping” GPs to inform patients without having any responsibility to do so (as Dawn Monaghan suggests), but that it recognises its potential vulnerability to an Article 8 challenge, and is trying to avoid or mitigate this. Whether the leaflets themselves, and the campaign to deliver them, are adequate to achieve this aim is another matter. As has been noted, the leaflet contains no opt out form, and there seem to be numerous examples of people (often vulnerable people, for instance in care homes, or refuges) who will have little or no chance of receiving a copy.

At the launch of the tireless MedConfidential campaign last year, Shami Chakrabarti, of Liberty, spoke passionately about the potential human rights vulnerabilities of the care.data programme. Notifying patients of what is proposed might not have been necessary under data protection law, but it is quite possible that the ECHR aspect of doing so was one of the things on which the Health and Social Care Information Centre (HSCIC) has been legally advised. Someone made an FOI request for this advice last year, and it is notable that HSCIC seem never to have completed their response to the request.

1I make no apologies for linking to one of Larkin’s most beautiful, but typically bleak and dystopian, pieces of prose, but I would add that it finishes “…These have I tried to remind of the excitement of jazz, and tell where it may still be found.”

2Unless the data controller does not have sufficient information about the individual in order readily to determine whether he is processing personal data about that individual, in which case the data controller shall send to the individual a written notice stating that he cannot provide the requisite information because of his inability to make that determination, and explaining the reasons for that inability

2 Comments

Filed under care.data, Confidentiality, Data Protection, data sharing, Europe, human rights, Information Commissioner, NHS, Privacy

Will there be blood?

The First-tier Tribunal (Information Rights) (FTT) has overturned a decision by the Information Commissioner that the Northern Ireland Department for Health, Social Services and Public Safety (DHSSPS) should disclose advice received by the Minister of that Department from the Attorney General for Northern Ireland regarding a policy of insisting on a lifetime ban on males who have had sex with other males (“MSM”) donating blood.

On 11 October 2013 the Northern Ireland High Court handed down judgment in a judicial review application, challenging the decision of the Minister and the DHSSPS maintain the lifetime ban. The challenge arose because, in 20011, across the rest of the UK, the blanket ban which had existed since 1985 had been lifted.

DHSSPS lost the judicial review case, and lost relatively heavily: the decision of the Minister was unlawful for reasons that i) the Secretary of State, and not the Minister, by virtue of designation under the Blood Safety and Quality Regulations 2005, was responsible for whether to maintain or not the lifetime ban, ii) similarly, as (European) Community law dictated that this was a reserved matter (an area of government policy where the UK Parliament keeps the power to make legislate in Scotland, Northern Ireland and Wales), the decision was an act which was incompatible with Community law, iii) the Minister had taken a decision in breach of the Ministerial Code, by failing to refer the matter, under Section 20 of the Northern Ireland Act 1998, to the Executive Committee, and iv) although a ban in itself might have been defensible, the fact that blood was then imported from the rest of the UK (where the ban had been lifted) rendered the decision irrational.

Running almost concurrently with the judicial review proceedings was a request, made under the Freedom of Information Act 2000 (FOIA), for advice given to the Minister by the Attorney General for Ireland. The FOIA exemption, at section 42, for information covered by legal professional privilege (LPP) was thus engaged. The original decision notice by the Information Commissioner had rather surprisingly found that it was advice privilege, as opposed to litigation privilege. The IC correctly observed that for litigation privilege to apply

at the time of the creation of the information, there must have been a real prospect or likelihood of litigation occurring, rather than just a fear or possibility

and, because the information was dated October 2011, and leave for judicial review had not been sought until December 2011

at the time the information was created, ltigation was nothing more than a possibility

But one questions whether this can be correct, when one learns from the FTT judgment that DHSSPS had been sent a pre-action protocol letter on 27 September 2011. Again rather surprisingly, though, the FTT does not appear to have made a clear decision one way or the other which type of privilege applied, but its observation that

when the request was made judicial review proceedings…were already underway

would imply that they disagreed with the IC.

This discrepancy might lie behind the fact that the FTT afforded greater weight to the public interest in favour of maintaining the exemption. It was observed that

[the existence of the proceedings] at the time of the request seems to us to be an additional specific factor in favour of maintaining the exemption. It seems unfair that a public authority engaged in litigation should have a unilateral duty to disclose its legal advice [para 19]

Additionally, the fact that the advice was sought after the decision had been taken meant that it could give “no guide to the Minister’s motives or reasoning”.

Ultimately – and this is suggestive that the issue was finely balanced – it was the well-established inherent public interest in the maintenance of LPP which prevailed (para 21). This was a factor of “general importance” as found in a number of cases summarised by the Upper Tribunal in DCLG v The Information Commissioner and WR (2012) UKUT 103 (AAC).

Because the appeal succeeded on the grounds that the section 42 exemption applied, the FTT did not go on to consider the other exemptions pleaded by DHSSPS and the Attorney General – sections 35(1)(a) and 35(1)(c), although it was very likely that the latter at least would have also applied.

Aggregation of public interest factors

Because the other exemptions did not come into play, the FTT’s observation on the IC’s approach to public interest factors where more than one exemption applies are strictly obiter, but they are important nonetheless. As all good Information Rights people know, the European Court of Justice ruled in 2011, that when more than one exception applies to disclosure of information under the Environmental Information Regulations 20040 (EIR), the public authority may (not must)  weigh the public interest in disclosure against the aggregated weight of the public interest arguments for maintaining all the exceptions. The IC does not accept that this aggregation approach extends to FOIA, however (see para 73 of his EIR exceptions guidance) and this was reflected in his decision notice in this matter, which considered separately the public interest balance in respect of the two exemptions he took into account. He invited the FTT to take the same approach, but, said the FTT, had the need arisen, the IC would have needed to justify how this “piecemeal approach” tallied with the requirement at section 2(2)(b) of FOIA to consider “all the circumstances of the case”. Moreover, the effect of the IC’s differing approaches under EIR and FOIA means that

there will be a large number of cases in which public authorities, the ICO and the Tribunal will be required to make a sometimes difficult decision about which disclosure regime applies in order to find out how to conduct the public interest balancing exercise

I am not aware of anywhere that the IC has explained his reasoning that aggregation does not apply in FOIA, and it would be helpful to know, before the matter becomes litigated (as it surely will).

And I will just end this rather long and abstruse piece with two personal observations. Firstly, donating blood is simple, painless and unarguably betters society – anyone who can, should donate. Secondly, denying gay men the ability, in this way, to contribute to this betterment of society is absurd, illogical and smacks of bigotism.

Leave a comment

Filed under Environmental Information Regulations, Europe, Freedom of Information, Information Commissioner, Information Tribunal, Upper Tribunal

The future of the ICO’s funding and functions

In February of this year the House of Commons Justice Committee took evidence from the Information Commissioner and his two deputies, and in March published a lengthy, sympathetic and wide-ranging report on The functions, powers and resources of the Information Commissioner. The Committee has now published the government response, which was in the form of a letter from Lord McNally, Minister of State for Justice. With the greatest of respect for the Ministry of Justice, the response seems to be little more than a deft kick into touch. Here are some examples.

Funding

The report raised various concerns about future funding for the Information Commissioner’s Office (ICO). Firstly, it noted that the ICO cannot use the money it receives for FOI work in the form of grant-in-aid for Data Protection work, and not can it use the funding it receives for Data Protection work from notification fees for FOI work. The report recommended that

The Government should consider relaxing the governing rules around virement and overheads

Lord McNally’s response says

…my officials have been working with the ICO to explore the potential for greater flexibility in the way the ICO apportions shared costs between the Freedom of Information (FOI) and Data Protection (DP) funding streams, in line with the Committee’s recommendation

Which adds little, if any, new information.

The report also noted that, if the European draft General Data Protection Regulation (GDPR) is passed in its current form, the ICO’s main funding for Data Protection work – notification fees – will be removed. It recommended

The Government needs to find a way of retaining a feebased self-financing system for the data protection work of the Information Commissioner, if necessary by negotiating an option for the UK to retain the notification fee or introduce an alternative fee. If the Government fails to achieve this, the unappealing consequence will be that funding of the ICO’s data protection work will have to come from the taxpayer.

To which Lord McNally replied

The work we intend to undertake in partnership with the ICO will include drawing upon research commissioned by the ICO into future funding options, and analysis they have done into the effectiveness of the tiered notification fee system which has been in place since 2009. I would like to reassure the Committee that the Government is committed to ensuring that the Information Commissioner is appropriately resourced.

Er, OK, but does that really say anything at all?

Independence of ICO

The Committee had linked the issue of adequacy of resources to the ICO’s relationship with the executive. If the regulator is reliant on government grant, can it be truly sufficiently independent? Their recommendation was

With the potential removal of the notification fee through the EU Regulation, we reiterate our recommendation that the Information Commissioner should become directly responsible to, and funded by, Parliament
Previously, during a Westminster Hall debate in January, justice minister Helen Grant had been clear that the government did not think this was appropriate. Lord McNally though was – again – equivocal
Whilst there are currently no plans for the Information Commissioner to be a Parliamentary body or to be funded by Parliament, the work we are taking forward on the ICO’s long-term funding and operating model will consider the range of recommendations that have been made by your Committee and others, including Lord Justice Leveson in relation to the future powers, governance and accountability arrangements of the ICO. I look forward to updating the Committee in due course.
Custodial data protection offences
On the subject of whether, finally, custodial sanctions for section 55 data protection offences should be commenced (see Pounder et al, passim), the Committee was clear
We call on the Government to adopt our previous recommendation, as well as that of the Home Affairs Committee, the Joint Committee on the Draft Communications Data Bill and the Leveson Inquiry, and commence sections 77 and 78 of the Criminal Justice and Immigration Act 2008 to allow for custodial sentences for breach of section 55 of the Data Protection Act 1998.
On this at least Lord McNally had a small piece of actual news. The government is to consult on Lord Justice Leveson’s proposals on data protection arising from his inquiry into the culture, practices and ethics of the press
It is…the Government’s view that the recommendations require careful consideration by a wide audience. We therefore intend to conduct a public consultation on the full range of data protection proposals, including on whether to make an Order introducing custodial sentences under section 77 CJIA (a statutory requirement), which will seek views on their impact and how they might be approached.
Compulsory data protection audits
Finally, the Committee had noted the reluctance of some public sector organisations to submit to the offer of a data protection audit by the ICO. They found it “shocking” that this should be the case (sensitive souls eh?) and recommended that the power of compulsory audit should be extended (it currently applies to government departments)
We recommend the Secretary of State bring forward an order under section 41 A of the Data Protection Act to meet the recommendation of the Information Commissioner that his power to serve Assessment Notices be extended to NHS Trusts and local councils.
Lord McNally confirmed that consultation was already under way regarding the extension of this ICO audit power to compel NHS bodies to submit, but he was – you’ve guessed it – equivocal on whether local government would be similarly compelled
There are currently no plans to extend the Information Commissioner’s powers of compulsory audit to local government but the Department for Communities and Local Government are taking a partnership approach to improving local government’s compliance with data protection principles.
I can’t help seeing Lord McNally’s response as little more than a polite nod to the Justice Committee. It promises very little (other than a consultation on Leveson’s data protection proposals, which, given the continuing wrangles over the GDPR, I can’t see achieving much quickly) and delivers nothing immediate. However, the ICO tweeted this morning that it welcomed the response regarding funding and powers, so maybe the future of the independent regulator of transparency and privacy is being decided behind closed doors.

1 Comment

Filed under Data Protection, Europe, Freedom of Information, Information Commissioner, transparency, Uncategorized

Who’s to blame for the Ministerial Veto?

The people to blame for our not being able to see Prince Charles’ lobbying correspondence with the government are not the judges – it’s the people who passed the FOI Act.

So, perhaps to no one’s great surprise, the judicial review application by the Guardian’s Rob Evans of the Attorney General’s ministerial veto has failed. As three of 11KBW’s array of brilliant information law advocates were instructed in the proceedings, I am sure we will see a Panopticon blog post shortly, and I wouldn’t try to compete with what will be the usual clear and percipient legal analysis (for which, also, see this excellent post from Mark Elliott). However, I wanted to address what I see as a potential misapprehension that this was an expression by the High Court that it agreed that the Attorney General was correct to issue a certificate vetoing disclosure of correspondence between Prince Charles and government departments. While the natural outcome of the court’s judgment is that the correspondence will not be disclosed, what was actually to be decided, and ultimately was decided in the Attorney General’s favour, was whether the exercise of his powers was lawful.

Under section 53(2) of the Freedom of Information Act 2000 (FOIA) a decision notice issued by the Information Commissioner (IC) (or later remade by a tribunal) ceases to have effect if an “accountable person” (effectively, either a Cabinet Minister or the government’s senior law officer) issues a certificate stating that he has “on reasonable grounds” decided that there was in fact no prior failure by the government department in question to comply with a request for information under FOIA. It is a power of executive override of a decision made by the statutory regulator (the IC). Its place in the statutory, and constitutional, scheme is what people should be objecting to, particularly in light of what the court in this case found.

The case dates back to the earliest days of the commencement of FOIA. Evans had requested correspondence between Prince Charles and various government departments, but those departments had refused to disclose. In a detailed and complex analysis the Upper Tribunal (the case having been transferred from the First-tier Tribunal) last September decided that, although the FOIA exemption (at section 37) relating to communications with the Royal Household was engaged, the public interest fell in favour of disclosure of the information (two points of note: first, the section 37 exemption, which was at the time of the request a qualified one, subject to the application of the public interest, has since been amended to make it absolute; second, there were other exemptions engaged, but the section 37 was the focal one). 

There was potentially further right of appeal, to the Court of Appeal and, ultimately, the Supreme Court. So why did the government not follow this route? The Campaign for Freedom of Information have issued a press release in which their Director Maurice Frankel says “Ministers should have to appeal against decisions they dislike and not be able simply to overturn them”. I agree (of course) but the reason the government departments did not appeal in this case is because any appeal would have had to have been on a point of law – the more senior courts could not have substituted different findings of fact, or decided whether an exercise of discretion should have been exercised differently. In short, I suspect the government did not appeal because they knew they would have been unsuccessful (or rather, their lawyers would presumably have advised, as lawyers do, that the chances of success were low).

Davis LJ, giving the leading judgment in the High Court, identified that

The underlying submission on behalf of the claimant is, in effect, that the accountable person is not entitled simply to prefer his own view to that of the tribunal

to which he countered

why not? It is inherent in the whole operation of s.53 that the accountable person will have formed his own opinion which departs from the previous decision (be it of Information Commissioner, tribunal or court) and may certify without recourse to an appeal. As it seems to me, therefore, disagreement with the prior decision…is precisely what s.53 contemplates, without any explicit or implicit requirement for the existence of fresh evidence or of irrationality etc. in the original decision which the certificate is designed to override. Of course the accountable person both must have and must articulate reasons for that view…[It] is for the accountable person in practice to justify the certification. But if he does so, and that justification comprises “reasonable grounds”, then the power under s.53(2) is validly exercised. Accordingly, the fact the certificate involves, in this case, in effect reasserting the arguments that had not prevailed before the Upper Tribunal does not of itself mean that it is thereby vitiated

 The power to issue a certificate exists under section 53(2), even if, as Lord Judge said, such a power “appears to be a constitutional aberration”. If it exists, it can be exercised, subject to it being done so lawfully. To admit of another interpretation, says David LJ, would be (taken with the claimant’s other arguments) to 

greatly [narrow] the ostensible ambit of s.53. As a matter of statutory interpretation I can see no justification for such a limitation, either on linguistic grounds or on purposive grounds

Parliament chose to enact s53, and any potential inherent constitutional imbalance or threat to the rule of law in its having done so is overcome by the availability of judicial review:

for the purposes of s.53 of FOIA, Parliament has provided the procedure by which this statutory provision is to be mediated. It is to be mediated, on challenge by way of judicial review, by the courts assessing whether the Secretary of State has certified “on reasonable grounds”. That involves no derogation from the fundamental principle of the rule of law: on the contrary, it is an affirmation of it.

For the same reasons, any challenge as to whether the exercise of the veto (as applied to environmental information under the Environmental Information Regulations 2004) offends the relevant sections of the originating EC Directive and the Aarhus Convention (specifically, those that deal with the need to have a “review procedure”) could also be met by reference to the availability of judicial review (although one wonders, along with the Aarhus Convention Compliance Committee, whether judicial review meets the requirement to be not “prohibitively expensive”).

And ultimately, and  relatively straighforwardly, it fell to the court to

consider whether the Attorney General has shown in the present case reasonable grounds for certifying as he did…[and] the Statement of Reasons appended to the certificate, once carefully read and analysed, does indeed demonstrate such “reasonable grounds”. The views and reasons expressed as to where the balance of public interest lies are proper and rational. They make sense. In fact, I have no difficulty in holding them to be “cogent”. Indeed – especially given that the Attorney General’s reasons and conclusions are in many respects to the like effect as those previously provided by the Information Commissioner – it will be recalled that the Upper Tribunal had itself, in paragraph 4 of its decision, acknowledged that there are “cogent arguments for nondisclosure”

So, if you want to criticise the fact that the Attorney General was allowed to veto disclosure of Prince Charles’ correspondence with the government, don’t criticise the judges, don’t even criticise (too much, at least) the Attorney General himself – rather, criticise Parliament which passed the law.

UPDATE: 25 July 2013

The Guardian reports that permission has been granted to appeal to the Court of Appeal.

 

Leave a comment

Filed under Environmental Information Regulations, Europe, Freedom of Information, Information Commissioner, transparency, Uncategorized

ICO Social Media Guidance – Shirking Responsibility?

The Information Commissioner has issued guidance on when the Data Protection Act is held to apply to Social Networking and Online Forums. While I recognise the pragmatic approach it takes, it appears to be in conflict with the leading legal authorities.

The Guidance

Apparently without much fanfare, unless I’ve missed it or am ahead of it, the Information Commissioner’s Office (ICO) has issued guidance for the public on Social networking and online forums when does the DPA apply? The short answer, applying European law, should be “always”. But this would a) make the guidance rather short, and b) not be in line with the ICO’s persistent line that his office should not have to regulate what people say about each other on the internet.

The guidance says

The DPA contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs. This exemption is often referred to as the ‘domestic purposes’ exemption. It will apply whenever an individual uses an online forum purely for domestic purposes

There are several interesting things about this position statement. First, it omits that the Data Protection Act 1998 (DPA) says that personal data only processed for domestic purposes is exempt from the obligations under the Act. Second, it also, strangely, omits the phrase “including recreational purposes” which arguably supports the ICO’s position (although, as I will mention later, it is controversial wording). Third, it is in direct contradiction of the leading European judicial authority on the exemption.

The guidance goes on to accept that some forms of individual self-expression on the internet will not be caught by the domestic purposes exemption, but as a whole (see the section entitled “ICO involvement in complaints against those running social network sites, organisations and individuals”) it appears to be an exercise in saying “don’t come to us if you don’t like what someone is saying about you on the internet”.

This subject is, of course, of considerable current relevance, given concerns expressed that a regulatory scheme imposed subsequent to the Leveson inquiry might end up applying to the blogosphere, or even to social media in general. I’ve written previously on this, arguing that existing data protection law already applies to such activities.

The Law

Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”) says that

This Directive shall not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity

and recital 12 to the Directive says that the data protection principles contained therein do not apply to the processing

of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

These provisions are given domestic effect in section 36 of the DPA, which says

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III [emphasis added]

In the leading European case on the provisions of the Directive, Lindqvist (Approximation of laws) [2003] EUECJ C-101/01, the European Court of Justice held that

[the] exception must…be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people

Lest there be any doubt as to the meaning of this, the ECJ issued a press release to accompany the judgment, which said

the act of referring, on an internet page, to various persons and identifying them by name…does not fall within the category of activities for the purposes…of purely personal or domestic activities, which are outside the scope of the directive [emphasis in original]

Lindqvist is, I would submit, unequivocal authority for the proposition that referring to an identifiable person or persons on the internet constitutes the processing of personal data, and is processing which is not exempt under Article 3(2) of the Directive.

The ICO has never accepted that Lindqvist has general application to internet publication of personal data. For instance, the ICO’s internal 2011 guidance on “Dealing with complaints about information published online” says

the Lindqvist judgement [sic]…related to a specific set of circumstances and cannot be applied to all cases of online publication

Try as I might I cannot square this with ECJ’s authority in Lindqvist. Still less can I square with it the comment, in an ICO paper on the proposed General Data Protection Regulation that

There has been some suggestion the Regulation should be used to ‘implement’ the Lindqvist decision – in short meaning that information posted openly on the internet necessarily falls outside the law’s personal or household processing exemption. We never wholly accepted the reasoning in Lindqvist…
One might take a moment to reflect on what is being said here. The paper’s author appears to understand the meaning of Lindqvist, regarding the lack of exemption for information posted openly on the internet, but says the ICO doesn’t (wholly) accept what is the binding decision of the ECJ.
One possible justification for the position lies in the additional wording Parliament inserted into section 36 of the DPA relating to “recreational purposes” (although, as I note above, the new guidance doesn’t put much emphasis on this). It is perhaps possible to construe – as the ICO clearly does – this to permit the section 36 exemption to extend to internet publication of personal data. Indeed, the apparently interminable infraction proceedings brought against the UK by the European Commission (tracked doggedly by Dr Chris Pounder) for numerous examples of apparent lack of proper domestic implementation of the Directive include criticism that
the inclusion of “recreational purposes” in the Data Protection Act…in the Commission’s view appeared to be broader than household activities.
However, even if this addition of “recreational purposes” to the UK statutory scheme arguably extends – perhaps impermissibly – the ambit of the exemption, the ICO was told in unequivocal terms in The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB) that
The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully
In Kordowski the ICO had been asked by the Law Society to intervene to prevent the publication of defamatory and unfair postings on a website called “Solicitors from Hell”. The ICO had declined, citing – in a letter to the Law Society – the domestic purposes exemption as the reason for not investigating
I do sympathise with solicitors and others who may find it extremely difficult, and in many cases impossible, to have offensive material about them removed from the internet. Perhaps this is a case where the law is out of step with technology. However, I am afraid the DPA is simply not designed to deal with the sort of problem that you have brought to my attention.
Tugendhat J expressed his sympathy
with the Commissioner in what he says about the practical difficulties raised by cases such as the present. It is also beyond doubt that the DPA was not designed to deal with the way in which the internet now works
but said that the ICO had an obligation to investigate a complaint “where there is no room for argument that processing is unlawful”.
The ICO (in the form of David Smith, the Deputy Commissioner responsible for data protection) has argued that the mistake the ICO made in the Kordowski matter was in holding that the site owner and administrator (Kordowski himself) was covered by the section 32 exemption. He does not appear to accept that the people submitting the “ratings” and comments about solicitors were not covered by the same
we took the view, quite rightly I think, that the individuals who posted the comments on the Solicitors from Hell website are just individuals, they are acting in their personal, domestic capacity…I think where we actually went a bit wrong in our analysis…we said the Solicitors from Hell website doesn’t exercise control, is not a data controller and so is not caught by the law. When this case came to court, quite rightly the court looked in more detail at what the operators of the site did, the notice board and it was a lot more than just a notice board, they were actually charging people to put information there and charging solicitors to have information taken down…The intermediary there was clearly a data controller. But this establishing who is a data controller and who isn’t in this whole environment is extremely difficult. [from a transcript of an oral presentation]
While this is an interesting argument, that the site owner, as clearly the primary data controller, holds some sort of primary liability for publication on his or her site, while those posting on it are exempt because of the domestic purposes exemptions, it is hugely problematic. This is because, firstly, it is inconsistent with the judgment in Lindqvist and, secondly, becuase it tends towards an illogical argument that an individual commenter on a site, perhaps a social media site, posting a defamatory, or even a criminal, statement, does so only for domestic purposes.
European developments
In Kordowski the judge’s sympathy rested in part on the fact that the DPA, and the ICO who must regulate it, are creatures of the 1995 Directive
In 1995 search engines were in their infancy. Google was incorporated in 1998. There have been many developments since that time, including the increasing use of third party facilities
In Janaury 2012 the European Commission began the lengthy process of introducing a new European data protection framework. The draft General Data Protection Regulation (GDPR) retains exemption provisions for domestic activities, and introduces new concepts: Article 2(2) states
This Regulation does not apply to the processing of personal data…by a natural person without any gainful interest in the course of its own exclusively personal or household activity [emphasis added]
and Recital 15 explains
This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity [emphasis added]
This might shift the scenery set by Lindqvist to a degree, and it is possible that the ICO’s guidance, although dealing with the current DPA, was written with an eye on the European developments. Indeed, the rest of Recital 15 says
the exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
However, it is to be noted that Peter Hustinx, the European Data Protection Supervisor, did not think the draft domestic purposes provisions of the GDPR were adequate
Recital 15 indicates that the exception applies in the absence of gainful interest, but it does not address the common issue of processing of data for personal purposes ona wider scale, such as the publication of personal information within a social network…In line with the rulings of the Court of Justice in Lindquist and Satamedia, the EDPS suggests that a criterion be inserted to differentiate public and domestic activities based on the indefinite number of individuals who can access the information. This criterion should be understood as an indication that an indefinite number of contacts shall in principle mean that the household exemption does no longer apply. It is without prejudice to a stricter requirement for a genuine personal and private link, to prevent that individuals making data available to several hundreds or even thousands of individuals would automatically fall underthe exemption.
But a final development has occurred with the release on 31 May of Irish Presidency of the Council of the European Union’s Justice and Home Affairs draft compromise text which adds to Recital 15 the following words
Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.
One wonders if the ICO was aware, when drafting his Social Media Guidance, of this development. However, and while it remains to be seen what the GDPR will ultimately say, much could still turn on what “undertaken within the context” means within Recital 15.
And we should not get ahead of ourselves. The ICO regulates the DPA, and as the (European) law currently stands, the act of referring to a person on the internet does not attract the domestic purpose exemption. The ICO guidance implies it might. Will this be challenged?

4 Comments

Filed under Data Protection, defamation, Europe, GDPR, Information Commissioner, social media