Category Archives: judgments

April 23, 2026 · 8:41 am

Open Justice and the Information Tribunal

We need to talk about open justice in the Information Rights jurisdiction of the First-tier Tribunal.

The Tribunal has just handed down a decision rejecting an appeal by the National Archives against a decision by the Information Commissioner’s Office that it had to disclose information about its handling of requests to close (or “reclose”) certain files. Remarkably, the Tribunal (like the ICO before it) gives no detail whatsoever about what the files relate to, referring to them as “Matter 1” and “Matter 2”, despite noting that it had

concerns that the [National Archives] seems to be seeking to withhold from disclosure the very existence of Matter 1 and Matter 2. It appears to us that the Appellant does not want to disclose the fact that Matter 1 and Matter 2 exist

For those who wish to know, the nature of the matters in the closed files (two foul crimes) can be readily seen on the National Archives own published spreadsheet.

But, furthermore, a witness statement was given by the Director for Public Records Access and Government Services at the National Archives. This is undoubtedly a role of some seniority. Yet the Tribunal says “It is not necessary for us to identify this witness by name in this decision (or in the Closed Annex) – therefore we merely refer to them as “the witness””.

There is no indication at any point that either the nature of Matters A and B or the name of the witness were subject to an order under rule 14 of The Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009.

With all due respect to the Tribunal and its members, in handing down an open judgment, it is handing it down to the public, as much as to the parties. In Lord Hewat’s famous (and original) formulation: “it is not merely of some importance but is of fundamental importance that justice should not only be done, but should manifestly and undoubtedly be seen to be done”.

Of course I’m not saying that justice has not been done here, and I do recognise that the Tribunal did actually order disclosure of the internal discussions about the closure of the files. But that’s not the point, and while it’s important that the public can understand what is going on (and it’s notably difficult to do so from this judgment) it should be remembered that openness of the proceedings is the general principle, and any derogation needs to be justified. In Scott v Scott, Lord Shaw said “publicity in the administration of justice” was “one of the surest guarantees of our liberties.

I realise I’m exercising some hyperbole in referencing these landmark cases in a post about the withholding of minor information in a minor decision by a tribunal. But that’s the point of important principles like the principle of open justice: they apply to the small things as much as the large ones.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, common law, Freedom of Information, Information Tribunal, judgments, Open Justice

Tagged as

April 22, 2026 · 6:00 am

“Consent” must be assessed objectively, says Court of Appeal

The Court of Appeal has handed down an important judgment (RTM v Bonne Terre Ltd & Anor [2026] EWCA Civ 488) on the meaning of “consent” in the context of data protection and ePrivacy law, and overturned what had been a problematic prior judgment of the High Court, which had left many businesses, especially those in the betting and gaming sector, facing an “ineradicable” risk of claims that potentially they could not reasonably have defended. The Court of Appeal’s judgment will no doubt be seen by those businesses as a welcome reversal, providing greater legal certainty.

So what does “consent” mean, in the data protection statutory scheme?

Article 4(11) of the UK GDPR says it means

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

And Article 7 puts the onus on the data controller to prove that the standard has been met.

Section 2(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”, which deal with the sending of direct electronic marketing to individuals and the use of cookies and similar technologies), adopts the Article 4(11) UK GDPR definition (and applies it to “subscribers” and “users” as opposed to data subjects).

So far, so straightforward. But what happens in the case of someone who purports, by a clear affirmative action, such as ticking a box, to give specific, informed and unambiguous indication of his wishes, signifies agreement to the processing of personal data relating to him, and to the receiving of direct electronic marketing, but who later argues that the consent was vitiated by factors of which the data controller/sender of the marketing was unaware, and could not reasonably have been aware. Put another way, is the sending of direct electronic marketing on the basis of the objectively valid consent of someone who was subjectively incapable of giving valid consent, to be treated as lawfully sent?

“No”, said the High Court in the first instance. RTM was someone who, in his own submission, had gambled in circumstances, and to a degree he described as, “compulsive, out of control and destructive”, and claimed, in data protection and in misuse of private information, for damages, on the basis that, as he argued, Bonne Terre (operating as Sky Betting and Gaming, or “SBG”)

gathered and used extensive information, generated by his use of its platforms, unlawfully…especially by way of personalised and targeted marketing which he could not handle and which fed his compulsive behaviour

Mrs Justice Collins Rice DBE, had held, in her judgment, (even though RTM had not pleaded in these terms) that even though RTM had not lacked capacity to consent, and “that he wanted the direct marketing material – even perhaps craved it” he was one of a small subset (an “irreducible minimum”) of “individuals for whom decision-making…was already out of control in relation to gambling, and for whom the consenting mechanisms and information provision meant nothing other than barriers to gambling to be overcome”. Even though SBG had adopted controls in line with gambling regulatory requirements and expectations to avoid the risk of marketing to “problem gamblers” (the judge’s words) and even though these controls “can and do help manage and minimise the particular risks of direct marketing to online gamblers…they cannot and do not eliminate them”. This was because he “lacked subjective consent“; “the autonomous quality of his consenting behaviour was impaired to a real degree“; and “the quality of [his] consenting was rather lower than the standard required“, and “insufficiently freely given“.

The first instance judgment had presented all businesses, but especially those in the betting and gaming sector, with a problem and a risk: i) how could they establish in each case the subjective aspect of a data subject’s consent? and ii) if they could not establish that subjective aspect, how could they deal with the risk that marketing which would on the face of it be lawfully sent, would be held not to be, if the recipient was one of the irreducible minimum whose consent was not, subjectively, valid? Perhaps unsatisfactorily, the judge had said that this was

a risk which is ultimately ineradicable. Problem gamblers may not always be easy to recognise, and there will always be relevant information about them which is ultimately unreachable by the provider, and properly so because it is information which is itself in the private domain

The Court of Appeal has now roundly overturned the decision. Giving the main judgment, Lord Justice Warby revisited what a data controller must be able to demonstrate, in circumstances where consent is said to be present: the controller must “show that the data subject made a statement or took some other clear affirmative action…that ‘signifies agreement’”, they must also prove that “the data subject’s ‘indication’ met each of the four criteria prescribed by the legislation, namely that it was (i) freely given, (ii) specific, (iii) informed, and (iv) unambiguous”. All of these, he holds, are objective tests: “the data controller does not have to prove what was actually in the mind of the individual data subject at the time of the ‘indication’”.

In a classic example of judicial understatement, Warby LJ noted that the effect of the decision of the judge below was to establish a “principle that decisions deliberately made by a capacitous individual may nonetheless be vitiated for lack of consent” and further noted that it was a “legally novel” principle, whose “contours are not clear to me”.

Recitals 4 and 7 of the UK GDPR are relevant here. The first reminds us that

The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights

and the second reminds us that

Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced

As Warby LJ notes, an “inevitable corollary” of the original ruling would be that a business “could not guarantee its ability to ‘demonstrate’ conformity with the consent requirements of data protection law and PECR”, and

the unsatisfactory and ultimately opaque nature of the test for legally effective consent which the judge applied…would create considerable legal and practical uncertainty for economic operators

Absent a further appeal by RTM, which would need to be to the Supreme Court, and which would seem unlikely, the Court of Appeal has now gone a long way towards restoring legal and practical certainty as to the meaning of “consent” in data protection law, and how data controllers should approach the task of gathering and proving consent.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, controller, cookies, Data Protection, judgments, marketing, PECR, UK GDPR

Tagged as , , ,

April 22, 2026 · 3:44 am

JR of Met’s Live Facial Recognition Policy dismissed

In Thompson & Anor, R (On the Application Of) v Commissioner of Police of the Metropolis [2026] EWHC 915 (Admin) the Divisional Court has roundly dismissed an application for judicial review of the Met Police’s “Overt LFR Policy Document” for deployment in London of live facial recognition technology.

The claimants were: 1) a man who “was stopped, detained and questioned by police officers after having been matched by LFR with a different person on a police “watchlist” (a list of “Sought Persons”). That person was his brother who was on bail for a suspected offence of inflicting grievous bodily harm on him”; 2) Silkie Carlo, the director of Big Brother Watch, who “lives in London and has monitored and campaigned against the use of LFR by the MPS since its inception. To that end she has attended LFR deployments. In addition, Ms Carlo often attends or organises protests and is concerned about the potential use of LFR at such events”.

The challenges were on grounds that the Policy violates their rights under Articles 8 (right to respect for private and family life), 10 (freedom of expression) and 11 (freedom of assembly and association) of the European Convention on Human Rights. Specifically, the claimants argued that the Policy was not “in accordance with the law” (Article 8) and not “prescribed by law” (Articles 10 and 11). This was, they argued, because “the Policy leaves too much discretion to individual officers within the MPS to have the quality of “law.””

The fundamental issue was foreseeability, with the appropriate test that stated by Lord Sumption in the case of Gallagher: “The measure [under challenge] must not confer a discretion so broad that its scope is in practice dependent on the will of those who apply it, rather than on the law itself”.

The Court engaged in a painstaking analysis of the Policy, and broadly, the claim foundered because the Policy (which was reviewed and republished as a result of early skirmishes in the proceedings) was sufficiently detailed so that “In the context of promoting law and order in a large metropolis, the Policy provides the claimants with an adequate indication of the circumstances in which LFR will be used and enables them to foresee, to a degree that is reasonable in the circumstances, the consequences of travelling in an area of London where LFR is in use” (at 214).

A notable side point: the Court was highly critical of (rejected) attempts by both sides to admit expert evidence which did not go to the substantive issue of the lawfulness of the Policy, but rather resulted in  “a game of ping pong which has assumed, in each round of shots, a “momentum” that is less and less related to the issues in the claim. Neither party should have engaged in this fruitless approach” (at 188).

A final point of note, two big wins in one day for Anya Proops KC, with this judgment and the Court of Appeal’s judgment in RTM v Bonne Terre, where she appeared with Robin Hopkins KC, both of 11KBW.  

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under police, surveillance, human rights, Facial recognition, judgments, judicial review

Tagged as , ,

April 16, 2026 · 5:28 am

The extent of legal advice privilege

Would the act of confirming or denying whether Boris Johnson sought legal advice on the lawfulness of his Covid-19 lockdown declaration of 23 March 2020 in itself consist of disclosure of legally privileged information?

“Yes”, said the Cabinet Office, in response to a Freedom of Information request.

“No”, said the Information Commissioner’s Office:

the Cabinet Office could confirm that it had sought legal advice (if it had in fact done so) without indicating whether that advice had concluded that the proposed action was or was not lawful. Therefore the Cabinet Office could confirm or deny that it had sought legal advice without revealing the substance of any advice provided and thus without revealing any information which would be covered by legal privilege

“No”, also said the First-tier tribunal:

confirmation that information is held and that the Prime Minister had sought advice would not disclose the substance of what advice was sought. Nor would it reveal whether any advice was given in response, still less what that advice was

“Yes”, now says the Upper Tribunal: the FTT (and the ICO) took too restrictive an approach to the concept of legal advice privilege:

Taking due account of the need to construe the protection afforded by legal advice privilege broadly, in my judgement to confirm whether the Prime Minister made a request for advice about the lawfulness of the lockdown announced on 23 March 2020 would to an extent reveal privileged information. The request was about the legality of the measures imposed by the lockdown of 23 March 2020. In other words, whether those particular measures (e.g., requiring people to stay at home or in wherever they were living on 23 March 2020, subject to certain exceptions) fell within the Government’s legal powers. Asking that particular question about the lawfulness of those particular measures was part of confidential communications between the Prime Minister and his lawyers on that issue, and to an extent would have revealed or given a clue as to the what the advice was about, namely whether the lockdown measures were lawfully authorised

Notable that the judge decides in his judgment that one of core textbooks – Passmore on Privilege – is wrong in stating, as a general principle, that “References to the obtaining of legal advice on a given subject matter are not
privileged”.

The Cabinet Office v 1) The Information Commissioner 2) Daryl Peagram: [2026] UKUT 140 (AAC)

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments, Legal privilege, Upper Tribunal

Tagged as

March 28, 2026 · 8:29 am

Erasure request in Children Act proceedings

[reposted from my LinkedIn account]

This is a rather extraordinary judgment in Children Act proceedings in the Family Court, in which a person who is an unregistered barrister and holds herself out as a lawyer, started out as a lay advocate to mother, then put herself forward to care for all of the children, seeking three times to be joined as a party.

In her skeleton argument in support of her final application to be joined, the court established – in a now wearily familiar way – that there were a number of cases of citations and propositions that were included as a result of using a “widely known publicly available AI tool to assist her in preparing [the argument]”.

She then informed the court that she was unable to continue to offer a home for the children or be part of the proceedings, that she no longer wished to proceed with the assessment to be either a special guardian or foster carer for the children, and sought for her assessment to be “formally withdrawn”. At the same time she asked for her data and that of her family members in the court bundle to be destroyed.

Unsurprisingly, the judge declined to do so (X v The Transcription Agency LLP and another [2024] 1 WLR 33 applied).

But more than that, in a judgment in which all of the parties’ identities (including the applicant public authority) are anonymised, she has been named, with the judge saying that she is “…a person who holds herself out as a lawyer. She offers, or has offered, paid legal work to members of the public. This is an important consideration. I am satisfied having read her written submissions lodged since the hearing that [she] still does not really acknowledge or accept that her actions in not checking the citations and propositions she included in her skeleton argument were serious”.

I think it’s important to note that the judge expresses some (although by no means complete) sympathy for aspects of the person’s position and personal circumstances, and the judgment states that she has self-referred to the Bar Standards Board. For that reason, I’m not naming in her in this post itself.

A, B, C, D, Re (Extension of assessment; Use of AI: hallucinations) [2026] EWFC 71 (B)

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, erasure, judgments

Tagged as

March 7, 2026 · 7:39 am

Ofwat and Open Justice

On 5 March Ofwat announced its intention to fine South East Water £22m for repeated supply failures.

It transpires that South East Water has applied for permission for judicial review of the proposal, and also that it sought an injunction to restrain Ofwat from publishing its announcement, pending the outcome of the JR application.

Mr Justice Chamberlain’s dismissal of the application for the interim injunction strikes me as an important one in relation to the principle of open justice. The judgment notes that, although Ofwat, as a public authority, would not generally enjoy the benefit of Convention rights, Article 10 confers on members of the public not just the right to freedom of expression (ie to impart information) but also to receive information which a public authority wishes to publish. An order which prevented Ofwat from doing so would interfere with those Article 10 rights. By s12(3) of the Human Rights Act 1998, the court cannot make such an order on an interim basis unless it is “satisfied that the applicant is likely to establish that publication should not be allowed”.

On the facts, the judge was very far from satisfied. The allegations of public law unfairness and predetermination on the part of Ofwat appeared to have strong potential defences. And the argument that publication would have negative effects on South East Water’s credit rating, although it had some merit, had to be balanced against three other types of harm which would be caused in the scenario where interim relief was granted but the claim later failed: one harm would be to potential investors; one harm would be to South East Water’s customers, many of whom had already suffered from repeated supply issues, and who would be delayed in hearing about the proposed enforcement action by at least four months; and the final harm would be that the substantive JR proceedings would have to proceed in private, thus denying any other party (e.g. a group representing customers or consumers) to apply to file evidence or make submissions as an intervenor – that would be a “very substantial derogation from the principle of open justice, which itself would give rise to significant damage to the public interest”.

For all these reasons, interim relief was refused. As South East Water confirmed it did not intend to appeal, the notice of intent was published, as was the judgment.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Article 10, human rights, judgments, judicial review, Open Justice

Tagged as

February 18, 2026 · 8:50 am

Freemasonry, JR and data protection

The High Court has refused to give permission to apply for judicial review upon an application by representative bodies of Freemasons, and by two Freemasons who are serving officers in the Met Police. The respondent was the Commissioner of the same force, and the impugned decisions relate to a new policy under which police officers and staff of the Met who are or have been members of “an organisation that has confidential membership, hierarchical structures and requires members to support and protect each other” to declare that fact, confidentially, to their local professional standards unit.

Among the proposed challenges were claims that the policy was an unlawful interference with officers’ and staffs’ qualified Convention rights under Articles 8 (right to respect for private and family life), 10 (freedom of expression) and 11 (freedom of assembly). On an assumption that the policy involved an interference with these rights, at this permission stage, said the judge, the question was whether there was a real prospect that the Court would find any interference with ECHR rights not to be justified, and the “key question” was whether any interference with the rights was proportionate. He could answer that question “confidently…even at this early stage”: the interference was modest, and the factors on the other side of the scales were compelling.

There was also a challenge on data protection grounds, to the effect, in part, that there was no lawful basis identified for the processing, and nor were purposes or limitations identified. Furthermore, special category data was involved. In answer to this, the judge pointed to the Met’s “appropriate policy document” (see paras 5 and 39 of Sch 1 Data Protection Act 2018) which provided “sufficient clarity”.

The judge also – and here I think he fell into minor error – said that any individual claimants had an alternative remedy, by way of complaint to the Information Commissioner’s Office and “if still dissatisfied, an appeal to the First-tier Tribunal”: but as the authorities make clear, there is no right of appeal to the Tribunal under such circumstances (section 166 Data Protection Act 2018 only allows a data subject to apply for a steps Order, where the ICO has failed to take appropriate steps to investigate a complaint – it does not provide a right of appeal). I doubt very much, though, that this apparent slight error has any real substance in the round.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, judicial review

Tagged as ,

January 30, 2026 · 7:55 am

CoA: County Court is appropriate forum for routine data protection claim

This is a helpful short Court of Appeal judgment on the appropriate forum for a data protection of relatively low value and limited complexity (spoiler: it’s the County Court, folks).

The claimant had originally incorrectly issued his claim as a High Court media and communications claim in the Cardiff District Registry (if data protection claims are to be issued in the High Court, they must be issued in the King’s Bench Division at the Royal Courts of Justice). The judge in the High Court in Cardiff transferred the claim to the County Court but his order arguably contained insufficient reasons, and did not explain that either party could apply to have it set aside or varied (as required by CPR 3.3(5)(b). The claimant tried to make representations, by way of an email, as to why the High Court was the appropriate forum, but this was rejected on the basis that it had been filed in the wrong court. By that stage, the transfer to the County Court had taken effect. Accordingly, the matters arising could only be determined by way of appeal.

In its determination, the CoA found that the case (involving disclosure, in separate proceedings, of medical information by a court security guard to an usher and a solicitor for a third party) did not appear to involve any factual or legal complexity, and the claimed sum of £30,000 was clearly within the ambit of the County Court.

(I interject here to observe that, on the brief facts as recorded in the judgment, there might have been some legal complexity – it seems likely that the disclosure would have been made orally by the security guard, so was there “processing” involved?)

Wysokinski v OCS Security Ltd [2026] EWCA Civ 26 

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, judgments, UK GDPR

Tagged as

January 29, 2026 · 6:00 am

Tribunal – Soil Association certification subsidiary is subject to EIR

The Soil Association Ltd, is a company limited by guarantee and a not-for-profit registered charity. It is not a public authority for the purposes of the Freedom of Information Act 2000 (FOIA), nor, I think, has anyone proposed that it is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR). Yet the Information Commissioner’s Office, in a decision now upheld by the Information Tribunal, has determined that a subsidiary company of the Soil Association – SA Certification Limited – is a public authority for the purposes of the EIR. I think this is probably the correct position, and the judgment of the Tribunal is helpful in explaining why.

A body is a public authority for the purposes of FOIA primarily by way of designation or ownership (if the body is listed in Schedule One of FOIA, or designated by Order, or is wholly owned by one or more other public authorities, then it falls under the regime). The EIR are different: a body is determined to be an EIR public authority if it is a FOIA one, but it might also be one by virtue of what it does or is empowered to do. Under regulation 2(2)(c) if the body is a “natural or legal [person] having public responsibilities or functions, or providing public services, in relation to the environment, under the control of a body or person [who is a public authority]” then it will be a public authority for the purposes of the EIR.

The case law has established that one of the core tests for this is whether the body has been vested with “special powers” of a public nature, “beyond those which result from the normal rules applicable in relations between persons governed by private law’” (C-297/12 Fish Legal v Information Commissioner).

SA Certification Ltd is an accredited certification body for the delivery of certification under a number of regulations and standards, and is designated by DEFRA as a “control body” for the purposes of its “control system” for the labelling of organic products. This, held the Tribunal, confers a special power on SA Certification to certify as organic and to suspend or terminate certification, and this was sufficient to render it a public authority for the purposes of the EIR.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as ,

January 15, 2026 · 6:37 am

Russell Group is not a public authority for the purposes of FOIA

For those interested in the general question of what is a “publicly owned company” for the purposes of sections 3 and 6 of the Freedom of Information Act 2000 (FOIA), and the specific question of whether the Russell Group is a public authority for the purposes of the FOIA, the Information Tribunal judgment in Farfan v Information Commissioner & Anor [2026] UKFTT 48 (GRC) will make fascinating reading. For the remaining 69.2 million people in the UK, it will be impenetrable.

A company will be a publicly owned company for the purposes of section 3(1)(b) of FOIA if all of its members are themselves public authorities listed in schedule 1 of FOIA.

So, in short, the answer to the second question is “no”, because a) 22 of the 24 members of the Russell Group are university institutions, not the governing bodies of those institutions (and it is the latter which are listed in schedule 1), b) in any case, even if the Tribunal had decided that there was no distinction between the university institutions and their governing bodies, the remaining two members of the Russell Group are the Universities of Glasgow and Edinburgh, and they are not listed in schedule 1 of FOIA (rather, they are public authorities for the purposes of the Freedom of Information (Scotland) Act 2002).

Get reading, you crazy FOIA (and FOISA) nerds.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under FOIA, FOISA, Freedom of Information, Further education, Information Commissioner, Information Tribunal, judgments, Uncategorized

Tagged as