Category Archives: journalism

April 7, 2022 · 6:57 am

Open Letter to new ICO

I was delighted recently to be invited by OpenDemocracy to sign an open letter to John Edwards, new Information Commissioner, calling for more to be done to regulate FOI effectively. I’ve written many posts in the past breaking the state of FOI enforcement, so everything in the letter resonated with me. The letter has now been sent, and there are some very high profile journalists, MPs and campaigners who have signed:

https://www.opendemocracy.net/en/freedom-of-information/information-commissioner-foi-open-letter-secrecy/

Edwards has already replied, and said that addressing these concerns will be a priority for him.

Leave a comment

Filed under access to information, Freedom of Information, Information Commissioner, journalism

Tagged as , ,

December 24, 2021 · 11:15 am

Reporter uses FOI to lift anonymity order

Here’s a remarkable example of good use of Freedom of Information (FOI) law. Tanya Fowles, a reporter covering courts in Northern Ireland, has successfully applied to lift a reporting restriction order, originally made in the magistrates’ court, which prevented her naming a person convicted of causing a child to engage in sexual activity.

The court appears to have imposed the original order because of a perceived risk to the defendant’s safety, based on evidence given by a police officer, who is reported to have told the court that

It’s a small, rural community. The family would be well-known. I think he would be easily identified. I know of incidents recently where paedophile hunters have gone to houses and attacked individuals. I am aware that is prevalent within the area, or certainly was last year. They have turned up at houses and one was arrested for assault. After that there was a bit of a lull, but I believe they are still active in the area.

However, Fowles then made an FOI request to the Police Service of Northern Ireland, which revealed that, far from such incidents being prevalent, police had only attended seven incidents in the entire County Armagh area during 2019/20, resulting in a single report of assault but zero prosecutions. This evidence was accepted in the county court (to which the case had been transferred) and the reporting restriction order was lifted.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under crime, Freedom of Information, journalism, Open Justice

Tagged as ,

June 23, 2019 · 11:48 am

Boris Johnson and GDPR

Might there have been a breach of data protection law in the recording, apparently by neighbours, of incidents at Boris Johnson’s home, and the passing of the recording to the media and the police? Almost certainly not.

(In this post I would like to avoid, as far as possible, broader ethical questions, and I will restrict any political observations to this: if Johnson becomes leader of the Conservative Party, and therefore prime minister, the two main UK political parties will be being led by people less fit to hold the role than at any time in my lifetime.)

In general, processing of personal data done for one’s own domestic purposes avoids the need for compliance with data protection law: Article 2(2)(c) of the General Data Protection Regulation (GDPR) – which of course provides the overarching statutory framework for most processing of personal data – says that the GDPR itself “does not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity”. This is understandable: were there not such a carve-out, one’s children might, say, try to sue one for unlawful processing of their pocket-money data.

However, that word “purely” is key in Article 2. Processing which is not in the course of a “purely” domestic activity, such as, say, passing a recording of an altercation involving one’s neighbours to the media and the police, will be within GDPR’s scope.

So if GDPR is likely to apply, what are the considerations?

Firstly, passing information to the police about an altercation involving one’s neighbours is straightforward: GDPR permits processing which is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)) and where the processing is necessary for the purposes of someone’s legitimate interests (provided that such interests are not overridden by the rights of the data subject) (Article 6(1)(f)).

But what of passing such information to the media? Well, here, the very broad exemption for the purposes of journalism will apply (even though the neighbours who are reported to have passed the information to the media are not, one assumes, journalists as such). GDPR requires members states to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes, and this obligation is given effect in UK law by paragraph 26 of Schedule 2 to the Data Protection Act 2018. This provides that the GDPR provisions (for the most part) do not apply to processing of personal data where it

is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and…the controller reasonably believes that the publication of the material would be in the public interest [and] the controller reasonably believes that the application of [the GDPR provisions] would be incompatible with the… purposes [of journalism].

Here, the controller is not just going to be the journalist or media outlet to whom the information was passed, but it is also likely to be the non-journalist person who actually passes the information (provides that the latter passes it with a view to its publication and does so under a reasonable belief that such publication would be in the public interest).

The equivalent exemption in the prior law (the Data Protection Act 1998) was similar, but, notably, applied to processing which was only carried for the purposes of journalism (or its statutory bedfellows – literature and art). The absence of the word “only” in the 2018 Act arguably greatly extends the exemption, or at least removes ambiguity (there was never any notable example of action being taken under the prior law against the media for processing which was alleged to be unlawful and which was for more than one purposes (i.e. not solely for the purposes of journalism)).

It seems almost certain, then, that Johnson’s non-journalist neighbours could avail themselves of the “journalism” exemption in data protection law. As could anyone who processes personal data with a view to its publication and who reasonably believes such publication is in the public interest: we should prepare to see this defence aired frequently over the coming years. Whether the exemption is too broad is another question.

Because of the breadth of the journalism exemption in data protection law, actions are sometimes more likely to be brought in the tort of misuse of private information (see, for example, Cliff Richard v BBC, and Ali v Channel 5). Whether such a claim might be available in this case is also another question, and not one for this blog.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, journalism, police

Tagged as , ,

August 7, 2017 · 7:19 am

DCMS Statement of Intent on the Data Protection Bill

Not so much a Statement of Intent, as a Statement of the Bleeding Obvious

The wait is not quite over. We don’t yet have a Data Protection Bill, but we do have a Statement of Intent from DCMS, explaining what the proposed legislation will contain. I though it would be helpful to do a short briefing note based on my very quick assessment of the Statement. So here it is

IT’S JUST AN ANNOUNCEMENT OF ALL THE THINGS THE UK WOULD HAVE TO IMPLEMENT ANYWAY UNDER EUROPEAN LAW

By which I mean, it proposes law changes which will be happening in May next year, when the General Data Protection Regulation becomes directly applicable, or changes made under our obligation to implement the Police and Crime Directive. In a little more detail, here are some things of passing interest, none of which is hugely unexpected.

As predicted by many, at page 8 it is announced that the UK will legislate to require parents to give consent to children’s access to information society services (i.e. online services) where the child is under 13 (rather than GDPR’s default 16). As the UK lobbied to give member states discretion on this, it is no surprise.

Exemptions from compliance with majority of data protection law when the processing is for the purposes of journalism will remain (page 19). The Statement says that the government

believe the existing exemptions set out in section 32 strike the right balance between privacy and freedom of expression

But of potential note is the suggestion that

The main difference will be to amend provisions relating to the ICO’s enforcement powers to strengthen the ICO’s ability to enforce the re-enacted section 32 exemptions effectively

Without further details it is impossible to know what will be proposed here, but any changes to the existing regime which might have the effect of decreasing the size of the media’s huge carve-out will no doubt be vigorously lobbied against.

There is confirmation (at pp17 and 18) that third parties (i.e. not just criminal justice bodies) will be able to access criminal conviction information. Again, this is not unexpected – the regime for criminal records checks for employers etc was unlikely to be removed.

The Statement proposes a new criminal offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, something the Commons Science and Technology Committee has called for. Those who subsequently process such data will also be guilty of an offence. The details here will be interesting to see – as with most privacy-enhancing technology, in order for anonymisation to be robust it needs to stress-tested – such testing will not be effective if those undertaking do so at risk of committing an offence, so presumably the forthcoming Bill will provide for this.

The Bill will also introduce an offence of altering records with intent to prevent disclosure following a subject access request. This will use the current mechanism at section 77 of the Freedom of Information Act 2000. Whether that section itself will be amended (time limits for prosecutions militate against its effectiveness) remains unknown.

I also note that the existing offence of unlawfully obtaining personal data will be widened to those who retain personal data against the wishes of the data controller, even where it was initially obtained lawfully. This will probably cover those situations where people gather or are sent personal data in error, and then refuse to return it.

There is one particular howler at page 21, which suggests the government doesn’t understand what privacy by design and privacy by default mean:

The Bill will also set out to reassure citizens by promoting the concept of “privacy by default and design”. This is achieved by giving citizens the right to know when their personal data has been released in contravention of the data protection safeguards, and also by offering them a clearer right of redress

Privacy by design/default is about embedding privacy protection throughout the lifecycle of a project or process etc., and has got nothing at all to do with notifying data subjects of breaches, and whether this is a drafting error in the Statement, or a fundamental misunderstanding, it is rather concerning that the government, which makes much of “innovation” (around which privacy by design should be emphasised), fails to get this right.

So that’s a whistle stop tour of the Statement, ignoring all the fluff about implementing things which are required under GDPR and the Directive. I’ll update this piece in due course, if anything else emerges from a closer reading.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

11 Comments

Filed under Data Protection, GDPR, Information Commissioner, journalism

Tagged as , ,

September 23, 2015 · 4:55 pm

ICO discloses names of Operation Motorman journalists

In August this year the Upper Tribunal dismissed an appeal by the Information Commissioner’s Office (ICO) of a prior ruling that he must disclose the names of certain journalists who appeared on a list 305 names seized by the ICO during a raid in 2003 on the home of private investigator Steve Whittamore. The raid was part of “Operation Motorman”, an investigation which forms part of the background to the various civil and criminal proceedings generated by the phone-hacking scandals, and to the establishment of the Leveson Inquiry.

The names which have been ordered to be disclosed have now been provided by the ICO to the requester, the clearly indefatigable Chris Colenso-Dunne. Chris has kindly given the list to me, and I make it available in the attachment below. One name stands out in particular: Rebekah Wade (as she then was), now Brooks, who has always denied knowledge of the phone-hacking which took place while she was editor of the now defunct News of the World (and who was, of course, acquitted in 2014 of conspiring to hack phones when editor of that paper and of making corrupt payments to public officials when editor of The Sun, as well as of all other charges).

It is important to be aware, as the Upper Tribunal said, that presence on the list means nothing more than that the journalists in question

had commissioned Mr Whittamore to obtain information… The information did not carry with it any assertion as to the actual or alleged commission of any crime by those journalists [para 38]

No doubt the list will generate further comment, though.

ICO Motorman List

[this post was edited to remove a paragraph where I’d mistakenly taken the list to mean that Wade was working for “Femail” at the time]

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


7 Comments

Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Upper Tribunal

Tagged as , ,

August 8, 2015 · 10:22 am

FOI, data protection and rogue landlords 

On 23rd July the Chartered Institute of Environmental Health (CIEH), in conjunction with the Guardian, published a database of landlords who have been convicted of offences under the Housing Act 2004. This showed, for example, that one landlord has been prosecuted seven times for issues relating to disrepair and poor state of properties rented out. It also showed apparent regional discrepancies regarding prosecutions, with some councils carrying out only one prosecution since 2006.

This public interest investigative journalism was, however not achieved without a fight: in September last year the information Commissioners office (ICO) issued a decision notice finding that the journalists request for this information had been correctly refused by the Ministry of Justice on the grounds that the information was sensitive personal data and disclosure under the Freedom of Information Act 2000 (FOIA) would contravene the MoJ’s obligations under the Data Protection Act 1998 (DPA). Section 40(2) of FOIA provides that information is exempt from disclosure under FOIA if disclosure would contravene any of the data protection principles in Schedule One of the DPA (it also provides that it would be exempt if disclosure would contravene section 10 of the DPA, but this is rarely invoked). The key data protection principle is the first, which says that personal data must be processed fairly and lawfully, and in particular that the processing must meet one of the conditions in Schedule Two, and also – for sensitive personal data – one of the conditions in Schedule Three.

The ICO, in its decision notice, after correctly determining that information about identifiable individuals (as opposed to companies) within the scope of the request was sensitive personal data (because it was about offences committed by those individuals) did not accept the requester’s submission that a Schedule Three condition existed which permitted disclosure. The only ones which could potentially apply – condition 1 (explicit consent) or condition 5 (information already made public by the individual) – were not engaged.

However, the ICO did not at the time consider the secondary legislation made under condition 10: the Data Protection (Processing of Sensitive Personal Data) Order 2000 provides further bases for processing of sensitive personal data, and, as the the First-tier Tribunal (Information Rights) (FTT) accepted upon appeal by the applicant, part 3 of the Schedule to that Order permits processing where the processing is “in the substantial public interest”, is in connection with “the commission by any person of any unlawful act” and is for journalistic purposes and is done with a “view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest”. In fairness to the ICO, this further condition was identified by them in their response to the appeal.

In this case, the information was clearly sought with a view to the future publication in the CIEH’s Magazine, “Environmental Health News” and the requester was the digital editor of the latter. This, the FTT decided, taken with the (objective) substantial public interest in the publication of the information, was sufficient to make disclosure under FOIA fair and lawful. In a passage (paras 28-30) worth quoting in full the FTT said

Unfit housing is a matter of major public concern and has a significant impact on the health of tenants.  The Housing Act is a key mechanism for local authorities to improve housing standards and protect the health of vulnerable tenants.  One mechanism for doing this is by means of prosecution, another is licensing schemes for landlords.  Local authorities place vulnerable families in accommodation outside their areas tenants seek accommodation, The publication of information about convictions under the Housing Act would be of considerable value to local authorities in discharge of their functions and assist prospective tenants and those assisting them in avoiding landlords with a history of breaches of the Housing Act.

The sanctions under the Housing Act are comparatively small and the  opprobrium of a conviction may well not rank with other forms of criminal misbehaviour, however the potential for harm to others from such activity is very great, the potential for financial benefit from the misbehaviour is also substantial.  Breaches of the Housing Act are economically motivated and what is proposed is a method of advancing the policy objective of the Housing Act by increasing the availability of relevant information to key actors in the rented housing market – the local authorities as regulator and purchaser and the tenants themselves.  Any impact on the data subjects will overwhelmingly be on their commercial reputations rather than more personal matters.

The Tribunal is therefore satisfied that not only is the disclosure of this information in the substantial public interest, but also any reasonably informed data controller with  knowledge of the social needs and the impact of such disclosure would so conclude.

It is relatively rare that sensitive personal data will be disclosed, or ordered to be disclosed, under FOIA, but it is well worth remembering the 2000 Order, particularly when it comes to publication or proposed publication of such data under public interest journalism.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..

Leave a comment

Filed under Data Protection, Freedom of Information, Information Commissioner, Information Tribunal, journalism, Open Justice

Tagged as , , , ,

February 4, 2015 · 9:25 am

Is an FOI request from an investigative journalist ever vexatious?

Last week, in the Court of Appeal, the indefatigable, if rather hyperbolic, Mr Dransfield was trying to convince three judges that his request, made long ago, to Devon County Council, for information on Lightning Protection System test results relating to a pedestrian bridge at Exeter Chiefs Rugby Ground, was not vexatious. If he succeeds in overturning what was a thorough, and, I think, pretty unimpeachable ruling in the Upper Tribunal, then we may, at last, have some finality on how to interpret section 14(1) of the Freedom of Information Act 2000 (FOIA):

a public authority [is not obliged] to comply with a request for information if the request is vexatious

But what is certain is that the Court of Appeal will not hand down a ruling which would allow a public authority to feel able merely to state that a request is vexatious, and do nothing more to justify reliance on it. But that is what the Metropolitan Police appear to have done in an extraordinary response to FOIA requests from the Press Gazette. The latter has been engaging in a campaign to expose what it believes to be regular use of surveillance powers to monitor or investigate actions of journalists. This is both a serious subject and a worthy campaign. Investigative journalism, by definition, is likely to involve the making of enquiries, sometimes multiple ones, sometimes speculative, “to discover the truth and to identify lapses from it”. It is inevitable that an investigative journalist will from time to time need to make use of FOIA, and the Information Commissioner’s Office (ICO) advises that

[public] authorities must take care to differentiate between broad requests which rely upon pot luck to reveal something of interest and those where the requester is following a genuine line of enquiry

The ICO doesn’t (and couldn’t) say that a FOIA request from an investigative journalist could never be classed as vexatious, but I think the cases when that would happen would be exceptional. The Upper Tribunal ruling by Wikeley J that Mr Dransfield is seeking to overturn talked of “vexatious” as connoting

a manifestly unjustified, inappropriate or improper use of a formal procedure

and

It may be helpful to consider the question of whether a request is truly vexatious by considering four broad issues or themes – (1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

although it was stressed that these were neither exhaustive, nor a “formulaic checklist”.

It is difficult to imagine that the motive of the Press Gazette journalists can be anything but well-intended, and similarly difficult to claim there is no value or serious purpose to the request, or the other requests which need to be considered for context. Nor has there been, as far as I am aware, any suggestion that the requests have caused Met staff any harassment or distress. So we are (while noting and acknowledging that we are not following a checklist) only likely to be talking about “the burden on the public authority and its staff”. It is true that some requests, although well-intentioned and of serious value, and made in polite terms, have been accepted either by the ICO or the First-tier Tribunal (FTT), as being so burdensome to comply with that (even before considering whether FOIA costs limits are engaged) they merit rejection on vexatiousness grounds. In 2012 the FTT upheld an appeal from the Independent Police Complaints Commission, saying that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12 [costs limits]

and last year the FTT similarly allowed a late submission by the Department of Education that a request from the journalist Laura McInerney for information about Free School applications was vexatious because of the burden it would impose:

There is no question here of anything in the tone of the request tending towards vexatiousness; nor does anyone doubt Ms McInerney’s genuine motives…There is value in openness and transparency in respect of departmental decision making. That value would be increased by the academic scrutiny which the disclosed material would receive…In our judgment, however, these important considerations are dwarfed by the burden which implementation of the request places on DFE.

But it does not appear that the request in question from the Press Gazette was likely to go any way towards being grossly oppressive, or to being a burden which would “dwarf” the other considerations.

Moreover, and it does not appear to have been a point argued in the DfE case, there is an argument, explored through a series of cases in the Court of Justice of the European Union, and, domestically, in the Supreme Court, in Kennedy v ICO and Charity Commission, that Article 10 of the European Convention on Human Rights, providing as it does in part a right “to receive and impart information and ideas without interference by public authority” (subject to limitations that are prescribed by law, necessary and proportionate, and pursue a legitimate aim) might sometimes need to read down into FOIA, particularly where a journalist is the requester. Although the Supreme Court, by a majority, and on the facts (specifically in the context of a FOIA absolute exemption), rejected the submission in Kennedy, the argument in the abstract still has some weight – someone engaging in investigative journalism is clearly generally acting as a “social watchdog”, and the likelihood that they are making a FOIA request with bad motives, or without serious purpose, or in a way likely to harass or cause distress is correspondingly low. It seems to me that, absent the sort of “excessive burden” argument explored in the IPCC and DfE cases – and, as I say, the Met don’t seem to have advanced any such argument – to label a request from an investigative journalist as vexatious is to stand at the top of a slippery slope. One hopes that the Met review and reverse this decision.

p.s. In a world in which we are all journalists, this all has the potential to get very complicated.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

149 Comments

Filed under Article 10, Freedom of Information, journalism, police

Tagged as , , ,

December 23, 2014 · 8:13 am

Are we all journalists?

The ICO has said that Global Witness can claim the data protection exemption for journalism, regarding their investigations in BSGR. This fascinating case continues to raise difficult and important questions.

Data protection law rightly gives strong protection to journalism; this is something that the 2012 Leveson inquiry dealt with in considerable detail, but, as the inquiry’s terms of reference were expressly concerned with “the press”, with “commercial journalism”, it didn’t really grapple with the rather profound question of “what is journalism?” But the question does need to be asked, because in the balancing exercise between privacy and freedom of expression too much weight afforded to one side can result in detriment to the other. If personal privacy is given too much weight, freedom of expression is weakened, but equally if “journalism” is construed too widely, and the protection afforded to journalism is consequently too wide, then privacy rights of individuals will suffer.

In 2008 the Court of Justice of the European Union (CJEU) was asked, in the Satamedia case, to consider the extent of the exemption from a large part of data protection law for processing of personal data for “journalistic” purposes. Article 9 of the European Data Protection Directive (the Directive) provides that

Member States shall provide for exemptions or derogations…for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.

and recital 37 says

Whereas the processing of personal data for purposes of journalism or for purposes of literary of artistic expression, in particular in the audiovisual field, should qualify for exemption from the requirements of certain provisions of this Directive in so far as this is necessary to reconcile the fundamental rights of individuals with freedom of information and notably the right to receive and impart information

In Satamedia one of the questions the CJEU was asked to consider was whether the publishing of public-domain taxpayer data by two Swedish companies could be “regarded as the processing of personal data carried out solely for journalistic purposes within the meaning of Article 9 of the directive”. To this, the Court replied “yes”

Article 9 of Directive 95/46 is to be interpreted as meaning that the activities [in question], must be considered as activities involving the processing of personal data carried out ‘solely for journalistic purposes’, within the meaning of that provision, if the sole object of those activities is the disclosure to the public of information, opinions or ideas [emphasis added]

One can see that, to the extent that Article 9 is transposed effectively in domestic legislation, it affords significant and potentially wide protection for “journalism”. In the UK it is transposed as section 32 of the Data Protection Act 1998 (DPA). This provides that

Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

where “the special purposes” are one or more of “the purposes of journalism”, “artistic purposes”, and “literary purposes”. Section 32 DPA exempts data processed for the special purposes from all of the data protection principles (save the 7th, data security, principle) and, importantly from provisions of sections 7 and 10. Section 7 is the “subject access” provision, and normally requires a data controller, upon receipt of written request by an individual, to inform them if their personal data is being processed, and, if it is, to give the particulars and to “communicate” the data to the individual. Section 10 broadly allows a data subject to object to processing which is likely to cause substantial damage or substantial distress, and to require the data to controller to cease (or not begin) processing (and the data controller must either comply or state reasons why it will not). Personal data processed for the special purposes are, therefore, exempt from subject access and from the right to prevent processing likely to cause damage or distress. It is not difficult to see why – if the subject of, say, investigative journalism, could find out what a journalist was doing, and prevent her from doing it, freedom of expression would be inordinately harmed.

The issue of the extent of the journalistic data protection exemption came into sharp focus towards the end of last year, when Benny Steinmetz and three other claimants employed by or associated with mining and minerals group Benny Steinmetz Group Resources (BSGR) brought proceedings in the High Court under the DPA seeking orders that would require campaigning group Global Witness to comply with subject access requests by the claimants, and to cease processing their data. The BSGR claimants had previously asked the Information Commissioner’s Office (ICO), pursuant to the latter’s duties under section 42 DPA, to assess the likelihood of the lawfulness of Global Witness’s processing, and the ICO had determined that it was unlikely that Global Witness were complying with their obligations under the DPA.

However, under section 32(4) DPA, if, in any relevant proceedings, the data controller claims (or it appears to the court) that the processing in question was for the special purposes and with a view to publication, the court must stay the proceedings in order for the ICO to consider whether to make a specific “special purposes” determination by the ICO. Such a determination would be (under section 45 DPA) that the processing was not for the special purposes nor was it with a view to publication, and it would result in a “special information notice”. Such a stay was applied to the BSGR proceedings and, on 15 December, after some considerable wait, the ICO conveyed to the parties that it was “satisfied that Global Witness is only processing the personal data requested … for the purposes of journalism”. Accordingly, no special information notice was served, and the proceedings remain stayed. Although media reports (e.g. Guardian and Financial Times) talk of appeals and tribunals, no direct appeal right exists for a data subject in these circumstances, so, if as seems likely, BSGR want to revive the proceedings, they will presumably either have to apply to have the stay lifted or/and issue judicial review proceedings against the ICO.

The case remains fascinating. It is easy to applaud a decision in which a plucky environmental campaign group claims journalistic data protection exemption regarding its investigations of a huge mining group. But would people be so quick to support, say, a fascist group which decided to investigate and publish private information about anti-fascist campaigners? Could that group also gain data protection exemption claiming that the sole object of their processing was the disclosure to the public of information, opinions or ideas? Global Witness say that

The ruling confirms that the Section 32 exemption for journalism in the Data Protection Act applies to anyone engaged in public-interest reporting, not just the conventional media

but it is not immediately clear from where they import the “public-interest” aspect – this does not appear, at least not in explicit terms, in either the Directive or the DPA. It is possible that it can be inferred, when one considers that processing for special purposes which is not in the public interest might constitute an interference with respect for data subjects’ fundamental rights and freedoms (per recital 2 of the Directive). And, of course, with talk about public interest journalism, we walk straight back into the arguments provoked by the Leveson inquiry.

Furthermore, one notes that the Directive talks about exemption for processing of personal data carried out solely for journalistic purposes, and the DPA says “personal data which are processed only for the special purposes are exempt…”. This was why I emphasised the words in the Satamedia judgment quoted above, which talks similarly of the exemption applying if the “sole object of those activities is the disclosure to the public of information, opinions or ideas”. One might ask whether a campaigning group’s sole or only purpose for processing personal data is for journalism. Might they not, in processing the data, be trying to achieve further ends? Might, in fact, one say that the people who engage solely in the disclosure to public of information, opinions or ideas are in fact those we more traditionally think of in these terms…the press, the commercial journalists?

P.S. Global Witness have uploaded a copy of the ICO’s decision letter. This clarifies that the latter was satisfied that the former was processing for the special purposes because it was part of “campaigning journalism” even though the proposed future publication of the information “forms part of a wider campaign to promote a particular cause”. This chimes with the ICO’s data protection guidance for the media, but it will be interesting if it is challenged on the basis that it doesn’t support a view that the processing is “only” or “solely” for the special purposes.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

5 Comments

Filed under Data Protection, Directive 95/46/EC, Information Commissioner, journalism, Leveson

Tagged as , , , ,

December 8, 2014 · 3:08 pm

Russell Brand and the domestic purposes exemption in the Data Protection Act

Was a now-deleted tweet by Russell Brand, revealing a journalist’s private number, caught by data protection law?

Data protection law applies to anyone who “processes” (which includes “disclosure…by transmission”) “personal data” (data relating to an identifiable living individual) as a “data controller” (the person who determines the purposes for which and the manner in which the processing occurs). Rather dramatically, in strict terms, this means that most individuals actually and regularly process personal data as data controllers. And nearly everyone would be caught by the obligations under the Data Protection Act 1998 (DPA), were it not for the exemption at section 36. This provides that

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III

Data protection nerds will spot that exemption from the data protection principles and Parts II and III of the DPA is effectively an exemption from whole Act. So in general terms individuals who restrict their processing of personal data to domestic purposes are outwith the DPA’s ambit.

The extent of this exemption in terms of publication of information on the internet is subject to some disagreement. On one side is the Information Commissioner’s Office (ICO) who say in their guidance that it applies when an individual uses an online forum purely for domestic purposes, and on the other side are the Court of Justice of the European Union (and me) who said in the 2003 Lindqvist case that

The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone numberconstitutes ‘the processing of personal data…[and] is not covered by any of the exceptionsin Article 3(2) of Directive 95/46 [section 36 of the DPA transposes Article 3(2) into domestic law]

Nonetheless, it is clear that publishing personal data on the internet for reasons not purely domestic constitutes an act of processing to which the DPA applies (let us assume that the act of publishing was a deliberate one, determined by the publisher). So when the comedian Russell Brand today decided to tweet a picture of a journalist’s business card, with an arrow pointing towards the journalist’s mobile phone number (which was not, for what it’s worth, already in the public domain – I checked with a Google search) he was processing that journalist’s personal data (note that data relating to an individual’s business life is still their personal data). Can he avail himself of the DPA domestic purposes exemption? No, says the CJEU, of course, following Lindqvist. But no, also, would surely say the ICO: this act by Brand was not purely domestic. Brand has 8.7 million twitter followers – I have no doubt that some will have taken the tweet as an invitation to call the journalist. It is quite possible that some of those calls will be offensive, or abusive, or even threatening.

Whilst I have been drafting this blog post Brand has deleted the tweet: that is to his credit. But of course, when you have so many millions of followers, the damage is already done – the picture is saved to hard drives, is mirrored by other sites, is emailed around. And, I am sure, the journalist will have to change his number, and maybe not much harm will have been caused, but the tweet was nasty, and unfair (although I have no doubt Brand was provoked in some way). If it was unfair (and lacking a legal basis for the publication) it was in contravention of the first data protection principle which requires that personal data be processed fairly and lawfully and with an appropriate legitimating condition. And because – as I submit –  Brand cannot plead the domestic purposes exemption, it was in contravention of the DPA. However, whether the journalist will take any private action, and whether the ICO will take any enforcement action, I doubt.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data Protection, Directive 95/46/EC, Information Commissioner, journalism, social media

Tagged as , , ,

October 20, 2014 · 4:13 pm

Clegg calls for a data protection public interest defence (where there already is one)

UPDATE: 22.10.14

It appears that Clegg’s comments were in the context of proposed amendments to the Crime and Criminal Justice Bill, and the Guardian reports that

The amendments propose a new defence for journalists who unlawfully obtain personal data (section 55 of the Data Protection Act) where they do so as part of a story that is in the public interest

But I’m not sure how this could add anything to the existing section 55 provisions which I discuss below, which mean that an offence is not committed if “the obtaining, disclosing or procuring [of personal data without the consent of the data controller] was justified as being in the public interest” – it will be interesting to see the wording of the amendments.

Interestingly it seems that another proposed amendment would be to introduce custodial sentences for section 55 offences. One wonders if the elevated public interest protections for journalists are a sop to the press, who have long lobbied against custodial sentences for this offence.

END UPDATE.

In an interesting development of the tendency of politicians to call for laws which aren’t really necessary, Nick Clegg has apparently called for data protection law to be changed to what it already says

The Telegraph reports that Nick Clegg has called for changes to data protection, bribery and other laws to “give journalists more protection when carrying out their job”. The more informed of you will have spotted the error here: data protection law at least already carries a strong exemption for journalistic activities. Clegg is quoted as saying

There should be a public interest defence put in law – you would probably need to put it in the Data Protection Act, the Bribery Act, maybe one or two other laws as well – where you enshrine a public interest defence for the press so that where you are going after information and you are being challenged, you can set out a public interest defence to do so

Section 32 of the Data Protection Act 1998 provides an exemption to almost all of a data controller’s obligations under the Act regarding the processing of personal data if

(a)the processing is undertaken with a view to the publication by any person of any journalistic…material,

(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with [the publication by any person of any journalistic…material]

This provision (described as “extremely wide” at Bill stage1) was considered at length in Part H of the report of the Leveson Inquiry into the Culture, Practices and Ethics of the Press, which looked at the press and data protection. Indeed, Leveson recommended section 32 be amended and narrowed in scope. Notably, he recommended that the current subjective test (“the data controller reasonably believes”) should be changed so that section 32 could only be relied on if inter alia “objectively the likely interference with privacy resulting from the processing of the data is outweighed by the public interest in publication” (emphasis added). I know we’ve all forgotten about Leveson now, and the Press look on the report as though it emerged, without context, from some infernal pit, but even so, I’m surprised Mr Clegg is calling for the introduction of a provision that’s already there.

Perhaps, one might pipe up, he was talking about the section 55 DPA offence provisions (indeed, the sub-heading to the Telegraph article does talk in terms of journalists being protected “when being prosecuted”. So let’s look at that: section 55(2)(d) provides in terms that the elements of the offence of unlawful obtaining etc of personal data are not made out if

 in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest

So, we have not just a public interest defence to a prosecution, but, even stronger, a public interest provision which means an offence is not even committed if the acts were justified as being in the public interest.

Maybe Mr Clegg thinks that public interest provision should be made even stronger when journalists are involved. But I’m not sure it realistically could be. Nonetheless, I await further announcements with interest.

1Hansard, HC, vo1315, col 602, 2 July 1998 (as cited in Philip Coppel QC’s evidence to the Leveson Inquiry).

1 Comment

Filed under Data Protection, journalism, Leveson

Tagged as