Category Archives: judgments

October 29, 2024 · 5:21 am

ICO, Clearview AI and Tribunal delays

[reposted from LinkedIn]

On 28 October the Information Commissioner’s Office (ICO) made the following statement in respect of the November 2023 judgment of the First Tier Tribunal upholding Clearview AI’s successful appeal of the ICO’s £7.5m fine, and posted it in an update to its original announcement about appealing:

The Commissioner has renewed his application for permission to appeal the First-tier Tribunal’s judgment to the Upper Tribunal, having now received notification that the FTT refused permission of the application filed in November 2023.

It is extraordinary that it has taken 11 months to get to this point.

So what does this mean?

If a party (here, the ICO) wishes to appeal a judgment by the First Tier Tribunal (FTT) to the next level Upper Tribunal (UT), they must first make an application to the FTT itself, which must decide “as soon as practicable” whether to grant permission to appeal its own judgment (rules 42 and 43 of the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009).

If the FTT refuses permission to appeal (as has happened here), the application may be “renewed” (i.e. made again) directly to the UT itself (rule 21(2) of the Tribunal Procedure (Upper Tribunal) Rules 2008).

So, here, after 11 months (“as soon as reasonably practicable”?) the ICO has just had its initial application refused, and is now going to make an applicant under rule 21(2) of the UT Rules.

The ICO’s wording in its statement is slightly odd though: it talks of “having now received notification” that the FTT “refused” (not, say, “has now refused”) the November 2023 application. The tense used half implies that the refusal happened at the time and they’ve only just been told. If so, something must have gone badly wrong at the Tribunal.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under Data Protection, GDPR, Information Commissioner, Information Tribunal, judgments, Upper Tribunal

Tagged as ,

October 24, 2024 · 8:06 am

Harassment of terrorism victims

[reposted from LinkedIn]

It is impossible to imagine claimants with whom one has more sympathy than Martin Hibbert and his daughter Eve, who each suffered grave, life-changing injuries in the 2017 Manchester Arena attack, and who then found themselves targeted by the bizarre and ghoulish actions of Richard Hall, a “conspiracy theorist” who has claimed the attack was in fact a hoax.

Martin and Eve brought claims in harassment and data protection against Hall, and, in a typically meticulous judgment Mrs Justice Steyn DBE yesterday gave judgment comprehensively in their favour on liability in the harassment claim. Further submissions are now invited on remedies.

The data protection claim probably adds nothing, but for those pleading and defending such claims it is worth reading Steyn J’s (mild) criticisms of the flaws, on both sides, at paragraphs 246-261. She has also invited further submissions on the data protection claim, although one wonders if it will be pursued.

Other than that, though, one hopes this case consigns Hall to the dustbin of history.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, UK GDPR

Tagged as ,

October 20, 2024 · 10:02 am

The missing page about the missing PhD

[reposted from LinkedIn]

[EDIT: you win some, you get the wrong end of the stick on some. It was pointed out to me that the ICO removes items from its disclosure log after two years, which is why the document no longer shows up, and in the comments below I was taken to a copy of the document at WhatDoTheyKnow. Both these points have been confirmed to me in an FOI response from the ICO. What mislead me into thinking there was something more going on was probably the Tribunal’s reference to a “new policy”: it clearly wasn’t so much a policy, as a statement that the ICO would rely on s17(6) FOIA to refuse to reply to future requests, on the grounds that a vexatious campaign was being pursued.]

This is plain odd.

For several years the The London School of Economics and Political Science (LSE), and, consequently, the Information Commissioner’s Office has had to deal to with FOI requests about former Taiwanese president Tsai Ing-wen’s “missing PhD dissertation” (for some background, see here (I don’t vouch for its accuracy)).

A number of these requests have been refused on the grounds of vexatiousness, with many upheld on referral to the ICO.

The Information Tribunal has recently given judgment on one of these, and ruled in favour of the appellant, holding that the request was not vexatious. But what struck me was the fact that both the appellant and the ICO cited in evidence a page (a hosted pdf, going by the URL) on the ICO’s website. The judgment says this

The Appellant stated in his grounds of appeal that after he had complained to the Commissioner about the Authority’s response to the Request, the Commissioner published on the ICO’s website (by reference to a disclosure log) a new policy of not processing FOIA requests seeking information on President Tsai Ing-wen’s PhD.

But a footnote (screenshotted here) correctly notes that the link does not go to this page, and further, I can’t find any sign of it on the UK government web archive or the Wayback Machine. An advanced Google search on the ICO website throws no light.

So I’ve made an FOI request to the ICO, and will update when I get a response.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under access to information, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as , ,

October 15, 2024 · 5:41 am

Third party rights under FOIA

[reposted from LinkedIn]

In a Freedom of Information Act (FOIA) matter there are two parties with express rights and obligations – the requester and the public authority (PA) – with the potential for the regulator – the Information Commissioner’s Office – to become involved if there is a dispute.

But there is often a third party involved, and one who has no express rights under FOIA – the person to whom requested information relates. This can be a corporate, but sometimes it will be an individual (think, for example of MPs whose expense claims were sought from the Commons many years ago).

The code of practice issued by the Cabinet Office under section 45 of FOIA recommends as best practice that, where a PA receives a request for information where a third party’s interests are engaged, the third party should be consulted, and given the opportunity to make representations. But the Code is clear that those representations cannot bind the PA, and that the decision on disclosure is ultimately for the PA to make.

All of this should, of course, run its course within the 20 working days that FOIA allows for responding to a request. So quite how a request from 2019, to the Legal Services Agency (LSA) for Northern Ireland, regarding the grant of legal aid to a self-styled peace campaigner, has only just been determined in the High Court is a pressing question. Nonetheless, the judgment (though slightly odd) is worth reading.

The man in question, Raymond McCord, was invited to make representations on the request (made by a unionist MP), having been informed of the LSA’s intention to disclose. He brought immediate judicial review proceedings to prevent disclosure and the LSA undertook not to disclose until the ICO had given a view on the lawfulness of processing (I pause to note that the LSA’s suggestion that McCord had an alternative remedy by way of a complaint to the ICO after disclosure for a determination as to whether FOIA had been complied with was wrong in law, and flawed in logic).

The ICO gave an opinion in June 2020 that disclosure would likely be both unfair and unlawful, but stressed that the opinion “is in no way legally binding in this case, however, it should be of assistance to the court in making a final decision.”

No explanation is given in the judgment of why it then took over four years for the court to rule on the application. This is simply ridiculous.

Nevertheless, the court conducted a rather eccentric analysis of the authorities on disclosure of personal data under FOIA (and of various non-authoritative prior ICO decision notices) before determining, five whole years (rather than twenty working days) after the FOIA request, that the information should be disclosed, holding that “the applicant cannot complain of any breach of privacy in respect of his pursuit of high‑profile public interest litigation in circumstances where he himself has commented publicly on the issues”.

The judgment, ultimately, is rather unsatisfactory. The interim judgment (in 2020(!)) of Keegan J, which noted the undertaking by the LSA not to disclose pending the ICO’s ruling, discusses alternative remedies, and implies that McCord would have a right to appeal the ICO’s decision to the First tier Tribunal. However, this predates the Killock and Delo cases which make clear that there is no substantive data subject right of appeal from an ICO data protection decision through the tribunal system. In Killock the Upper Tribunal made clear that a substantive data subject challenge (rather than a procedural one) to the ICO should, indeed, be by way of judicial review proceedings.

And it remains the case that, if you are a third party who has an interest (maybe a profound interest) in information which a public authority is proposing to disclose, in response to a FOIA request, your rights are unclear and limited.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Information Commissioner, judgments, judicial review

Tagged as , , ,

October 8, 2024 · 4:39 am

Is the purchase of a watch “private information”?

[reposted from LinkedIn]

An interesting (if it gets to trial) Northern Ireland case of Frampton and Van Der Horst [2024] NIMaster 17, in which the plaintiff former boxer (P) has sought damages in, variously, passing off, copyright, breach of confidence, misuse of private information and data protection, as a result of the defendant watch seller’s (D) publication of a YouTube video revealing that P had bought a watch from D.

P had obtained judgment in default and D sought to set this aside. In deciding to do so the master only had to determine whether the D has an arguable defence.

The analyses of whether the MOPI and data protection defences are arguable are interesting (and in the latter case, flawed).

On MOPI, the master noted that the “Murray factors” (“the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant, and the circumstances in which and the purposes for which the information came into the hands of the publisher”) will require consideration at trial, and also noted that the authoritative law books on the topic identify “personal financial and tax related information” as one of the types of information that will normally (but not invariably) be regarded as giving rise to a reasonable expectation of privacy. All these points could only, said the master, be determined by a trial judge, having heard all the evidence.

On the data protection claim, the defence consisted in an argument that D’s processing was based on his legitimate interests. Here, the master seems to have erred, in assessing that “This would appear a particularly weak argument as there was no express consent from the plaintiff and the purported legitimate reason for processing the data was effectively to make money, which is not an exemption under UK General Data Protection Regulations [sic]”. But, of course, reliance on Article 6(1)(f) UK GDPR legitimate interests does not (cannot) require the consent of the data subject; rather, it requires the controller’s legitimate interests to be balanced against the interests, rights and freedoms of the data subject. Nor is there any authority for the proposition that an interest or interests cannot be “legitimate” because they are commercial interests (indeed, the CJEU, in a finding which I am certain would be followed by the domestic courts, only last week ruled that a commercial interest is capable of being a legitimate interest).

This, of course, was not a fully argued case (the master only had affidavits and draft pleadings to go on). If the case goes to trial we may well see all of the claims more properly argued and considered.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, misuse of private information

Tagged as ,

September 3, 2024 · 7:03 am

CCTV and commercial property leases

[reposted from LinkedIn]

There is a minor, but interesting, data protection point in this judgment on a dispute between a landlord and commercial tenant about a lease.

The claimant was a dentist who had become suspended and therefore could not practise as a fully registered dentist in accordance with the terms of the lease. The dispute was about whether she had done so, and, if so, whether the court should grant relief from forfeiture (it did, on the facts).

The claimant also sought and was granted a declaration, in relation to the landlord’s siting of internal CCTV cameras, “that the processing of the claimant’s data by the defendant is unlawful and breached the provisions of the Data Protection Act 2018 and the regulations [sic] relating thereto”. 

The evidence was that “a CCTV camera was installed by the defendant by being affixed to the door frame above the entrance to the toilets in the building, on the same floor as the room let to the claimant, pointing at the stairs and the door to the claimant’s…premises”. Although the defendant landlord claimed that “the CCTV was placed there for the legitimate purpose of monitoring those going to the building’s toilets”(!), the judge did not accept that: “as it was placed, [it] had a distinct view of the entrance to the claimant’s room, and, when it was opened, into the room itself. There is no real reason why it could not have been so positioned to exclude that, or why indeed it could not have been located to point in the opposite direction to monitor those coming out of the toilet area door[!]… it was an attempt to monitor who was attending the claimant’s room and its use.”

Unfortunately, the judge does not appear to have made findings as to what precisely were the infringements of the data protection law (one notes that the declaration was sought only in respect of the claimant’s own data, and not of those attending her premises, but the finding appears to be in respect of both). 

So, as I say, a minor point, but interesting. Landlords, even in commercial property agreements (and disputes arising), should not simply assume they have the right to place CCTV on their property in such a way as it infringes the data protection rights of individuals using the property (whether they be tenants, employees of tenants, or the tenant’s visitors).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under CCTV, Data Protection, judgments, property dispute, Uncategorized

Tagged as ,

August 31, 2024 · 7:41 am

JR judgment, and the lack of third party rights under FOIA

[reposted from LinkedIn]

The Freedom of Information Act 2000 (FOIA) confers rights on those requesting information, and obligations on public authorities (it also confers duties and powers on the Information Commissioner). What it does not do is confer any rights on someone whose information is held by a public authority and requested to be disclosed: if someone asks for that third party’s information and the public authority discloses, or is minded to disclose, the third party can do little or nothing to stop it.

That appears to be illustrated by a case in the High Court of Northern Ireland. I say “appears” because there doesn’t seem to be a judgment yet, and so I’ve had to piece together what seems to have been at issue.

FOIA requests were made by three unionist MPs to the Legal Services Agency (LSA) for funding for legal cases brought by victims’ campaigner Raymond McCord. It appears that the LSA proposed to disclose the information, and Mr McCord (because he has no rights as a third party under the FOIA regime itself) brought judicial review proceedings to prevent disclosure.

According to the media reports, those proceedings have failed, with the judge saying

There is a legitimate public interest in the openness and accountability of the LSA as a public authority responsible for the expenditure of substantial public funds…[Mr McCord’s] contention that he is a private individual sits uneasily with his own description as a ‘peace campaigner’ and his various interviews with the media, including when he challenged the public claims made by Mr Allister about the appropriateness of him being granted legal aid…Self-evidently, the applicant has injected himself into the public discourse on a number of high-profile cases which are of obvious and manifest interest to the public. This is particularly so in relation to Brexit litigation.

It also appears that at some stage the ICO was involved, and indicated its view that disclosure would “likely be unfair and unlawful”. I imagine that this was because Mr McCord made a data protection complaint. In any event, the ICO said that its view was not legally binding (an interesting side note: could the ICO have issued an enforcement notice under section 149 of the Data Protection Act 2018 to prevent a public authority releasing personal data under FOIA?)

This issue of “third party rights” (or lack thereof) under FOIA is a very interesting one. The section 45 Code recommends that public authorities consult with third parties where necessary, and have regard to their representations, but this still doesn’t confer a direct right.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, judgments, judicial review, personal data

Tagged as , ,

July 30, 2024 · 7:19 am

Immunity from suit in data protection (and other) claims

[reposted from LinkedIn]

All too often, in my experience, public authorities might inadvertently disclose confidential information about one person to someone with whom that person is in dispute, or from whom that person is in danger. Typical examples are when a council discloses information about one resident to a neighbour, or when the police disclose information about a vulnerable person to their abusive partner.

This can also happen during the process of court proceedings.

There is a long-standing – and complex – common law concept of “immunity from suit”, which, in the very simplest and most general of terms, will prevent someone from being sued for something they say in court.

This judgment involves a fascinating, but headache-inducing, analysis of the different types of immunity from suit – witness immunity at court, advocate’s immunity at court, witness immunity before court, advocate’s immunity before court and legal proceedings immunity before court (which may apply to lawyers, police officers or administrative staff preparing a case for trial).

The background facts are grim: a woman fleeing from domestic violence was forced to flee from safe homes because twice her addresses were inadvertently disclosed (or at least indicated) to the perpetrator, against whom criminal proceedings were being brought – once by the police and once by the CPS.

The woman brought claims against both public authorities under the Human Rights Act 1998, the Data Protection Act 2018 and in misuse of private information. However, the defendants initially succeeded in striking the claims out/getting summary judgment (one part of the claim against the police was permitted to continue).

Mr Justice Richie upheld the appeal against the strike out/summary judgment, with rather a tour de force run through of the history and authorities on immunity (para 66 begins with the words “I start 439 years ago”).

In very short summary, he held that strike out/summary judgment had been inappropriate, because “the movement in the last 25 years in the appellate case law has been away from absolutism, towards careful consideration of whether the facts of each case actually do fit with the claimed ‘immunity’ by reference to whether the long-established justifications for the immunity apply” (at 106). In the examples here, it was at least arguable that immunity was being claimed not over evidence in the case, but “extraneous or peripheral or administrative matters”. The judge should have applied a balancing exercise to the facts to decide whether immunity applied: she had failed to do so, and had not been entitled to determine that there was no arguable claim

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under compensation, damages, Data Protection Act 2018, human rights, judgments, LinkedIn Post, litigation, misuse of private information, police

Tagged as , , , ,

July 3, 2024 · 8:05 pm

Data protection v Defamation

[Sometimes I will upload posts I make on LinkedIn to this blog, because they’re easier to archive here: however they’re a bit more “conversational” than usual]

Can (or in what circumstances can) a data protection claim be brought on the basis that processing involves harm to reputation of a sort which, more orthodoxically*, would be brought in defamation?

His Honour Justice Parkes has refused an application by Dow Jones to strike out a data protection erasure claim (with an associated compensation claim) on the grounds that in reality it is a “statute-barred defamation complaint dressed up as a claim in data protection, and brought in data protection to avoid the rules which apply to defamation claims” (the application was also on Jameel grounds).

The judge says he “cannot see how [the claimants] can be summarily denied access to the court to make [their] case, employing a cause of action which is legitimately open to them… simply because in the past they have repeatedly threatened to claim in defamation, or because the claim is heavily based (as it is) on considerations of harm to reputation, or because, had they brought the claim in defamation, it would have faced very difficult obstacles”.

HHJ Parkes notably (ie this needs to go to trial) says that “the state of the law on the recoverability of damages for injury to reputation in non-defamation claims is uncertain and in flux” and that it is “unsuitable for determination on a summary application and probably requires the attention of an appellate court”.

It will be very interesting if this now makes it to trial. But never hold your breath on that folks.

[*yes, I did intend to coin the most awkward adverb possible]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, defamation, erasure, journalism, judgments, Uncategorized

Tagged as ,

June 29, 2024 · 10:16 am

An EIR judgment as long as a novel

Those who think the data protection statutory regime is complex might want to consider how it compares to that under the Environmental Information Regulations 2004 (EIR).

So if you fancy spending the day reading a judgment that is (by my calculations) longer than George Orwell’s 1984, now’s your chance.

A number of personal search companies, who undertake different types of searches for use in real property sale and purchase transactions, are bringing a claim in restitution regarding the charges they’ve paid to defendant water companies for reports under the CON29DW Drainage and Water Enquiry process. Their argument is that information responsive to a CON29DW is “environmental information” (EI) within the meaning of the EIR and that the water companies in question were obliged to make EI available for free or for no more than a reasonable charge. Accordingly, the charges levied by the water companies were unlawful and/ or paid under a mistake of law and that the water companies have been unjustly enriched to the extent of those charges.

The water companies, in turn, say that information responsive to a CON29DW was not EI, and/or that the information was not ‘held’ by them at the time the relevant request was made and/or that they were otherwise entitled under the EIR to refuse its disclosure.

Mr Justice Richard Smith’s magnum opus of a judgment bears close reading (closer than I’ve yet been able to give it), but it contains some notable findings, such as: not all of the information responsive to a CON29DW is EI; not all of the information was held for the purposes of the EIR and not by all of the defendants; information responsive to a CON29DW about internal flooding to a property is personal data (there’s an interesting discussion on the definition of personal data, touching on Durant, Edem, Ittihadieh and Aven v Orbis – but I think this part of the judgment is flawed – just because information about internal flooding could be personal data doesn’t mean it always is (which is what the judge appears to hold) – what about where a residential property is unoccupied and owned by a company?)

It seems to me that the effect of the judgment is to fracture the claim into small bits – some of the info is EI, some is held, by some defendants, some is exempt, etc. – and may well have the effect of damaging the chances of the claim progressing.

The judge ends by imploring the parties to try to resolve the issue other than through the court process. So let’s see if there’s an appeal.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Environmental Information Regulations, judgments

Tagged as ,