Category Archives: police

An Uber-reaction in The Times

“Uber gives police private data on drivers and passengers” announces The Times(£) this morning.

In this post, much to my surprise (I have never taken an Uber, and don’t intend to – I don’t like their business model), I come to the defence of Uber.

A closer read of the Times piece reveals that what is being referred to, in documents filed with the High Court, in proceedings regarding TfL’s refusal to renew Uber’s licence, is requests to Uber from the police to disclose personal data for the purposes of the prevention and detection of crime or the apprehension or prosecution of offenders.

Such requests are commonly made to thousands of public authorities and private companies. They used to be known in data protection and police circles as “section 29 requests”, after the relevant section of the now-repealed Data Protection Act 1998. The term was a bit misleading: section 29, now replaced effectively by paragraph 2 of Schedule 2 to the Data Protection Act 2018, has the effect of disapplying the provisions of data protection law which would otherwise prevent the disclosure of personal data to the police (or others), and where not disclosing would be likely to prejudice the purposes of the prevention and detection of crime or the apprehension or prosecution of offenders. This is a necessary provision of data protection law, and provided that (as with all provisions) it is applied correctly and proportionately, it works very well: it gives controller the power to disclose personal data to the police where it is necessary for criminal justice.

If Uber are dealing with police requests appropriately, it is for the public good that personal data which assists the police to investigate drug transporting and human trafficking is made available to them.

In fact, I strongly suspect that The Times will receive such requests from the police. When the requests are related to the paper’s journalistic activities they are probably, and probably rightfully, refused, but they may well get requests in respect of their employees’ data, and I would be very surprised if they don’t sometimes – as a responsible company – comply with these.

Transport for London certainly receives such requests. Indeed, as a public authority, under its transparency measures, it has habitually made statistics on this public. The most recent publication I can find shows that 2012 to 2017 TfL received an average of approximately 10,000 requests each year.

Will The Times now report that TfL is handing over to the police thousands of pieces of intelligence on members of the public each year?

Leave a comment

Filed under Data Protection, Data Protection Act 2018, data sharing, police

Met – FOI requester’s focus on police misconduct was a “vexatiousness” factor

I regularly criticise the Information Commissioner’s Office on this blog. But credit where it’s due. They have upheld a complaint about the Met Police’s handling of a Freedom of Information Act 2000 (FOIA) request, in which the Met, remarkably, had argued that the request for information about police officers stopping people without cause and asking for their ID was vexatious (per section 14(1) of FOIA).

Clearly, there was some history to the request and the requester, and in line with authority, the Met were entitled to take this into account at arriving at their (now overturned) decision. But, as the decision notice points out, one of the factors which they said pointed towards vexatiousness was this:

Complainant’s focus upon police misconduct and/or related issues

I’ll say that again

Complainant’s focus upon police misconduct and/or related issues

Yes, the Met did indeed argue that a focus by a FOIA requester on police misconduct was a factor which led them to believe there was a pattern of behaviour which made this request (about stopping people without cause and asking for their ID) vexatious.

So well done ICO for dismissing that argument.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, police

Boris Johnson and GDPR

Might there have been a breach of data protection law in the recording, apparently by neighbours, of incidents at Boris Johnson’s home, and the passing of the recording to the media and the police? Almost certainly not.

(In this post I would like to avoid, as far as possible, broader ethical questions, and I will restrict any political observations to this: if Johnson becomes leader of the Conservative Party, and therefore prime minister, the two main UK political parties will be being led by people less fit to hold the role than at any time in my lifetime.)

In general, processing of personal data done for one’s own domestic purposes avoids the need for compliance with data protection law: Article 2(2)(c) of the General Data Protection Regulation (GDPR) – which of course provides the overarching statutory framework for most processing of personal data – says that the GDPR itself “does not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity”. This is understandable: were there not such a carve-out, one’s children might, say, try to sue one for unlawful processing of their pocket-money data.

However, that word “purely” is key in Article 2. Processing which is not in the course of a “purely” domestic activity, such as, say, passing a recording of an altercation involving one’s neighbours to the media and the police, will be within GDPR’s scope.

So if GDPR is likely to apply, what are the considerations?

Firstly, passing information to the police about an altercation involving one’s neighbours is straightforward: GDPR permits processing which is necessary for the performance of a task carried out in the public interest (Article 6(1)(e)) and where the processing is necessary for the purposes of someone’s legitimate interests (provided that such interests are not overridden by the rights of the data subject) (Article 6(1)(f)).

But what of passing such information to the media? Well, here, the very broad exemption for the purposes of journalism will apply (even though the neighbours who are reported to have passed the information to the media are not, one assumes, journalists as such). GDPR requires members states to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes, and this obligation is given effect in UK law by paragraph 26 of Schedule 2 to the Data Protection Act 2018. This provides that the GDPR provisions (for the most part) do not apply to processing of personal data where it

is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and…the controller reasonably believes that the publication of the material would be in the public interest [and] the controller reasonably believes that the application of [the GDPR provisions] would be incompatible with the… purposes [of journalism].

Here, the controller is not just going to be the journalist or media outlet to whom the information was passed, but it is also likely to be the non-journalist person who actually passes the information (provides that the latter passes it with a view to its publication and does so under a reasonable belief that such publication would be in the public interest).

The equivalent exemption in the prior law (the Data Protection Act 1998) was similar, but, notably, applied to processing which was only carried for the purposes of journalism (or its statutory bedfellows – literature and art). The absence of the word “only” in the 2018 Act arguably greatly extends the exemption, or at least removes ambiguity (there was never any notable example of action being taken under the prior law against the media for processing which was alleged to be unlawful and which was for more than one purposes (i.e. not solely for the purposes of journalism)).

It seems almost certain, then, that Johnson’s non-journalist neighbours could avail themselves of the “journalism” exemption in data protection law. As could anyone who processes personal data with a view to its publication and who reasonably believes such publication is in the public interest: we should prepare to see this defence aired frequently over the coming years. Whether the exemption is too broad is another question.

Because of the breadth of the journalism exemption in data protection law, actions are sometimes more likely to be brought in the tort of misuse of private information (see, for example, Cliff Richard v BBC, and Ali v Channel 5). Whether such a claim might be available in this case is also another question, and not one for this blog.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, journalism, police

Making even more criminals

Norfolk Police want your dashcam footage. Do you feel lucky, punk?

I wrote recently about the change to the Information Commissioner’s Office (ICO) registration process, which enables domestic users of CCTV to notify the ICO of that fact, and pay the requisite fee of £35. I noted that this meant that

it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

I didn’t take issue with the correctness of the legal position, but I went on to say that

The logical conclusion…here is that anyone who takes video footage anywhere outside their home must register

I even asked the ICO, via Twitter, whether users of dashcams should also register, to which I got the reply

If using dashcam to process personal data for purposes not covered by domestic exemption then would need to comply with [the Data Protection Act 1998]

This subject was moved from the theoretical to the real today, with news that Norfolk Constabulary are encouraging drivers using dashcams to send them footage of “driving offences witnessed by members of the public”.

Following the analyses of the courts, and the ICO, as laid out here and in my previous post, such usage cannot avail itself of the exemption from notification for processing of personal data “only” for domestic purposes, so one must conclude that drivers targeted by Norfolk Constabulary should notify, and pay a £35 fee.

At this rate, the whole of the nation would eventually notify. Fortunately (or not) the General Data Protection Regulation becomes directly applicable from May next year. It will remove the requirement to give notification of processing. Those wishing, then, to avoid the opprobrium of being a common criminal have ten months to send their fee to the ICO. Others might question how likely it is that the full force of the law will discover their criminality, and prosecute, in that short time period.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner, police, Uncategorized

ACPO: contractor’s error, or data controller’s liability?

I blogged a week or so ago about the worrying fact that the Association of Chief Police Officers (ACPO) were encouraging people to send sensitive personal data over an unsecure HTTP connection.

 a tweet…by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypyted https connection. This is such a basic data security measure that it’s difficult to understand how it has happened…

Well now, thanks to Dan Raywood of ITSecurity Guru, we have a bit more information about how it did happen. Dan had to chase ACPO several times for a comment, and eventually, after he had run the story, they came back to him with the following comment:

The ACPO Criminal Records Office (ACRO) became aware of the situation concerning the provision of personal data over a HTTP rather than a encrypted HTTPS connection on Tuesday February 24. This was caused by a contractual oversight. The Information Commissioner was immediately advised. The secure HTTPS connection was restored on February 25. We apologise for this matter.

It’s good to know that they acted relatively quickly to secure the connection, although one is rather led to wonder whether or when – had not Paul Moore raised the alert – ACPO would have otherwise noticed the problem.

But there is potentially a lot of significance in the words “caused by a contractual oversight”. If ACPO are saying that a contractor is responsible for the website, and that it was the contractor’s error which caused the situation, they should also consider the seventh data protection principle in the Data Protection Act 1998 (DPA), which requires a data controller (which ACPO is, in this instance) to take

Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

but also

Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a)choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b)take reasonable steps to ensure compliance with those measures

What this means is that a failure to choose a data processor with appropriate security guarantees, and a failure to make sure the processor complies with those guarantees, can mean that the data controller itself is liable for those failings. If the failings are of a kind likely to cause substantial damage or substantial distress, then there is potential liability to a monetary penalty notice, to a maximum of £500,000, from the Information Commissioner’s Office (ICO).

In truth, the ICO is unlikely to serve a monetary penalty notice solely because of the likelihood of substantial damage or substantial distress – it is much easier to take enforcement action when actual damage or distress has occurred. Nonetheless, one imagines the ICO will be asking searching questions about compliance with the contract provisions of the seventh principle.

Thanks to IT Security Guru for permission to use the ACPO quote. Their story can be seen here.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under 7th principle, Data Protection, data security, Information Commissioner, police

ACPO encourage the sending of identity documents over insecure connection

ACPO – the Association of Chief Police Officers – are inviting people to send online data protection subject access request including copies of proof of identity, such as passports or bank statements over an insecure http connection. This is almost certainly in breach of ACPOs obligations under the Data Protection Act.

One of the most important rights under data protection law is that of “subject access”. Section 7 of the Data Protection Act 1998 (DPA) provides, in broad terms, that a person may require an organisation to say whether it is processing data about that person, and if so, to be given a copy of it. It was, for instance, through exercise of this subject access right that six journalists recently discovered that they were on the National Domestic Extremism and Disorder Intelligence database. The DPA recognises the importance of this right by enshrining it in its Schedule One Principles – the sixth principle obliges data controllers to process personal data in accordance with data subjects’ rights under the Act.

The following principle – the seventh – is the one which deals with data security, and it requires data controllers to have appropriate measures in place to safeguard against loss of personal data. The Information Commissioner’s Office (ICO) explains why this is important:

Information security breaches may cause real harm and distress to the individuals they affect – lives may even be put at risk. Examples of the harm caused by the loss or abuse of personal data (sometimes linked to identity fraud) include
– fake credit card transactions;
– witnesses at risk of physical harm or intimidation;
– offenders at risk from vigilantes;
– exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence…

But a tweet yesterday (22.02.15) by Information Security consultant Paul Moore alerted that ACPO’s criminal records office has a website which invites data subjects to make an online request but, extraordinarily, provides by an unencrypted http rather than encrypyted https connection.

image1

This is such a basic data security measure that it’s difficult to understand how it has happened – and to confirm their identity people are being encouraged to send highly confidential documents, such as passports, over an unsecure connection. The ICO points out that

Failure to provide the first assurance (encryption) means that any sensitive information transmitted will be viewable via any computer system on the route between the two systems

At a time when there are moves to encrypt all web traffic, the failure to offer encryption on such profoundly sensitive issues as information held by police, and identity documents, is jaw-dropping. The ICO was copied in to subsequent tweets, and it will be interesting to see what action they take.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under Data Protection, data security, Information Commissioner, police

Is an FOI request from an investigative journalist ever vexatious?

Last week, in the Court of Appeal, the indefatigable, if rather hyperbolic, Mr Dransfield was trying to convince three judges that his request, made long ago, to Devon County Council, for information on Lightning Protection System test results relating to a pedestrian bridge at Exeter Chiefs Rugby Ground, was not vexatious. If he succeeds in overturning what was a thorough, and, I think, pretty unimpeachable ruling in the Upper Tribunal, then we may, at last, have some finality on how to interpret section 14(1) of the Freedom of Information Act 2000 (FOIA):

a public authority [is not obliged] to comply with a request for information if the request is vexatious

But what is certain is that the Court of Appeal will not hand down a ruling which would allow a public authority to feel able merely to state that a request is vexatious, and do nothing more to justify reliance on it. But that is what the Metropolitan Police appear to have done in an extraordinary response to FOIA requests from the Press Gazette. The latter has been engaging in a campaign to expose what it believes to be regular use of surveillance powers to monitor or investigate actions of journalists. This is both a serious subject and a worthy campaign. Investigative journalism, by definition, is likely to involve the making of enquiries, sometimes multiple ones, sometimes speculative, “to discover the truth and to identify lapses from it”. It is inevitable that an investigative journalist will from time to time need to make use of FOIA, and the Information Commissioner’s Office (ICO) advises that

[public] authorities must take care to differentiate between broad requests which rely upon pot luck to reveal something of interest and those where the requester is following a genuine line of enquiry

The ICO doesn’t (and couldn’t) say that a FOIA request from an investigative journalist could never be classed as vexatious, but I think the cases when that would happen would be exceptional. The Upper Tribunal ruling by Wikeley J that Mr Dransfield is seeking to overturn talked of “vexatious” as connoting

a manifestly unjustified, inappropriate or improper use of a formal procedure

and

It may be helpful to consider the question of whether a request is truly vexatious by considering four broad issues or themes – (1) the burden (on the public authority and its staff); (2) the motive (of the requester); (3) the value or serious purpose (of the request) and (4) any harassment or distress (of and to staff)

although it was stressed that these were neither exhaustive, nor a “formulaic checklist”.

It is difficult to imagine that the motive of the Press Gazette journalists can be anything but well-intended, and similarly difficult to claim there is no value or serious purpose to the request, or the other requests which need to be considered for context. Nor has there been, as far as I am aware, any suggestion that the requests have caused Met staff any harassment or distress. So we are (while noting and acknowledging that we are not following a checklist) only likely to be talking about “the burden on the public authority and its staff”. It is true that some requests, although well-intentioned and of serious value, and made in polite terms, have been accepted either by the ICO or the First-tier Tribunal (FTT), as being so burdensome to comply with that (even before considering whether FOIA costs limits are engaged) they merit rejection on vexatiousness grounds. In 2012 the FTT upheld an appeal from the Independent Police Complaints Commission, saying that

A request may be so grossly oppressive in terms of the resources and time demanded by compliance as to be vexatious, regardless of the intentions or bona fides of the requester. If so, it is not prevented from being vexatious just because the authority could have relied instead on s.12 [costs limits]

and last year the FTT similarly allowed a late submission by the Department of Education that a request from the journalist Laura McInerney for information about Free School applications was vexatious because of the burden it would impose:

There is no question here of anything in the tone of the request tending towards vexatiousness; nor does anyone doubt Ms McInerney’s genuine motives…There is value in openness and transparency in respect of departmental decision making. That value would be increased by the academic scrutiny which the disclosed material would receive…In our judgment, however, these important considerations are dwarfed by the burden which implementation of the request places on DFE.

But it does not appear that the request in question from the Press Gazette was likely to go any way towards being grossly oppressive, or to being a burden which would “dwarf” the other considerations.

Moreover, and it does not appear to have been a point argued in the DfE case, there is an argument, explored through a series of cases in the Court of Justice of the European Union, and, domestically, in the Supreme Court, in Kennedy v ICO and Charity Commission, that Article 10 of the European Convention on Human Rights, providing as it does in part a right “to receive and impart information and ideas without interference by public authority” (subject to limitations that are prescribed by law, necessary and proportionate, and pursue a legitimate aim) might sometimes need to read down into FOIA, particularly where a journalist is the requester. Although the Supreme Court, by a majority, and on the facts (specifically in the context of a FOIA absolute exemption), rejected the submission in Kennedy, the argument in the abstract still has some weight – someone engaging in investigative journalism is clearly generally acting as a “social watchdog”, and the likelihood that they are making a FOIA request with bad motives, or without serious purpose, or in a way likely to harass or cause distress is correspondingly low. It seems to me that, absent the sort of “excessive burden” argument explored in the IPCC and DfE cases – and, as I say, the Met don’t seem to have advanced any such argument – to label a request from an investigative journalist as vexatious is to stand at the top of a slippery slope. One hopes that the Met review and reverse this decision.

p.s. In a world in which we are all journalists, this all has the potential to get very complicated.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

149 Comments

Filed under Article 10, Freedom of Information, journalism, police

Up a gum tree

Data protection law doesn’t prevent disclosure of personal data where not doing would be likely to prejudice criminal justice purposes

Theft of a bicycle may not be the most serious crime ever. However, crime it is, and any omission by a person which is likely to prejudice the detection of that crime or the apprehension or prosecution of the thief is, in societal terms, to be deplored. This is why, when the omission in question would be a failure by a data controller to disclose personal data to the police which would be likely to assist in the detection of the crime or the apprehension or prosecution of the thief, the Data Protection Act 1998 (DPA) provides an exemption to the general presumption in the Act against disclosure, which authorises such disclosure.

Section 29 of the DPA is often misunderstood. It is quite common, particularly in certain sectors (social services, housing etc.) for data controllers to be contacted by the police, or other bodies with powers to investigate crime, asking for disclosure of information about people whose personal data the data controller holds. Data protection officers will often talk of a “section 29 request”, but this is really just shorthand for saying “the police etc. have requested disclosure of personal data from this data controller and the section of the DPA which is engaged and under whose provisions we would be authorised to disclose would be section 29”.

With this in mind it is surprising to read in The Daily Record that police are unable to trace a person who had the gall to post an advert on the classified ad site Gumtree purporting to offer for sale a bike stolen from outside a gym in Edinburgh. According to the article police have told the owner of the bike, who spotted the advert, that

…officers could not act because of data protection laws…Due to data protection laws, a warrant must be applied for before police can access personal information held by the site.

The reference to a warrant, however, is surely excessive. The article also refers to the police “waiting to hear back” from Gumtree. Section 29(3) of the DPA allows Gumtree to disclose the details of the person who placed the advert, by exempting them from the general obligation to comply with the first five data protection principles and sections 10 and 14(1) to (3) (collectively referred to as the non-disclosure principles). Failure to exercise this power by a data controller, or a delay in doing so, in circumstances where such a failure would be likely to prejudice the police’s duties is detrimental to the public interest. One hopes that, if the article is correct, Gumtree will now act in that public interest and disclose the details without delay.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under Data Protection, data sharing, police, Uncategorized

Naming and shaming the innocent

Around this time last year I wrote two blog posts about two separate police forces’ decision to tweet the names of drivers charged (but not – yet, at least – convicted) of drink driving offences. In the latter example Staffordshire police were actually using a hashtag #drinkdriversnamedontwitter, and I argued that

If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver. Being charged with an offence does not inevitably lead to conviction. I haven’t been able to find statistics relating to drink-driving acquittals, but in 2010 16% of all defendants dealt with by magistrates’ courts were either acquitted or not proceeded against

The Information Commissioner’s Office investigated whether there had been a breach of the first principle of Schedule One of the Data Protection Act 1998 (DPA), which requires that processing of personal data be “fair and lawful”, but decided to take no action after Staffs police agreed not to use the hashtag again, saying

Our concern was that naming people who have only been charged alongside the label ‘drink-driver’ strongly implies a presumption of guilt for the offence. We have received reassurances from Staffordshire Police the hashtag will no longer be used in this way and are happy with the procedures they have in place. As a result, we will be taking no further action.

But my first blog post had raised questions about whether the mere naming of those charged was in accordance with the same DPA principle. Newspaper articles talked of naming and “shaming”, but where is the shame in being charged with an offence? I wondered why Sussex police didn’t correct those newspapers who attributed the phrase to them.

And this year, Sussex police, as well as neighbouring Surrey, and Somerset and Avon are doing the same thing: naming drivers charged with drink driving offences on twitter or elsewhere online. The media happily describe this as a “naming and shaming” tactic, and I have not seen the police disabusing them, although Sussex police did at least enter into a dialogue with me and others on twitter, in which they assured us that their actions were in pursuit of open justice, and that they were not intending to shame people. However, this doesn’t appear to tally with the understanding of the Sussex Police and Crime Commissioner who said earlier this year

I am keen to find out if the naming and shaming tactic that Sussex Police has adopted is actually working

But I also continue to question whether the practice is in accordance with police forces’ obligations under the DPA. Information relating to the commission or alleged commission by a person of an offence is that person’s sensitive personal data, and for processing to be fair and lawful a condition in both of Schedule Two and, particularly, Schedule Three must be met. And I struggle to see which Schedule Three condition applies – the closest is probably

The processing is necessary…for the administration of justice
But “necessary”, in the DPA, imports a proportionality test of the kind required by human rights jurisprudence. The High Court, in the MPs’ expenses case cited the European Court of Human Rights, in The Sunday Times v United Kingdom (1979) 2 EHRR 245  to the effect that

while the adjective “necessary”, within the meaning of article 10(2) [of the European Convention on Human Rights] is not synonymous with “indispensable”, neither has it the flexibility of such expressions as “admissible”, “ordinary”, “useful”, “reasonable” or “desirable” and that it implies the existence of a “pressing social need.”
and went on to hold, therefore that “necessary” in the DPA

should reflect the meaning attributed to it by the European Court of Human Rights when justifying an interference with a recognised right, namely that there should be a pressing social need and that the interference was both proportionate as to means and fairly balanced as to ends
So is there a pressing social need to interfere with the rights of people charged with (and not convicted of) an offence, in circumstances where the media and others portray the charge as a source of shame? Is it proportionate and fairly balanced to do so? One consideration might be whether the same police forces name all people charged with an offence. If the intent is to promote open justice, then it is difficult to see why one charging decision should merit online naming, and others not.But is the intent really to promote open justice? Or is it to dissuade others from drink-driving? Supt Richard Corrigan of Avon and Somerset police says

This is another tool in our campaign to stop people driving while under the influence of drink or drugs. If just one person is persuaded not to take to the road as a result, then it is worthwhile as far as we are concerned.

and Sussex police’s Chief Inspector Natalie Moloney says

I hope identifying all those who are to appear in court because of drink or drug driving will act as a deterrent and make Sussex safer for all road users

which firstly fails to use the word “alleged” before “drink or drug driving”, and secondly – as Supt Corrigan – suggests the purpose of naming is not to promote open justice, but rather to deter drink drivers.

Deterring drink driving is certainly a worthy public aim (and I stress that I have no sympathy whatsoever with those convicted of such offences) but should the sensitive personal data of who have not been convicted of any offence be used to their detriment in pursuance of that aim?

I worry that unless such naming practices are scrutinised, and challenged when they are unlawful and unfair, the practice will spread, and social “shame” will be encouraged to be visited on the innocent. I hope the Information Commissioner investigates.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under Data Protection, human rights, Information Commissioner, Open Justice, police, social media

Twitter timeline changes – causing offence?

@jamesrbuk: Well that’s jarring: Twitter just put a tweet into my feed showing a still from the James Foley beheading video, from account I don’t follow

When the Metropolitan Police put out a statement last week suggesting that merely viewing (absent publication, incitement etc) the video of the beheading of James Foley, they were rightly challenged on the basis for this (conclusion, there wasn’t a valid one).

But what about a company which actively, by the coding of its software, communicates stills from the video to unwilling recipients? That seems to be the potential (and actual, in the case of James Ball in the tweet quoted above) effect of recent changes Twitter has made to its user experience. Tweets are now posted to users’ timelines which are not from people followed, nor from followers of people followed

when we identify a Tweet, an account to follow, or other content that’s popular or relevant, we may add it to your timeline. This means you will sometimes see Tweets from accounts you don’t follow. We select each Tweet using a variety of signals, including how popular it is and how people in your network are interacting with it. Our goal is to make your home timeline even more relevant and interesting

I’m not clear on the algorithm that is used to select which unsolicited tweets are posted to a timeline, but the automated nature of it raises issues, I would argue, about Twitter’s responsibility and potential legal liability for the tweets’ appearance, particularly if the tweets are offensive to the recipient.

Section 127 of the Communications Act 2003 says

A person is guilty of an offence if he—

(a)sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or

(b)causes any such message or matter to be so sent.

The infamous case of DPP v Chambers dealt with this provision, and although Paul Chambers was, thankfully, successful in appealing his ridiculous conviction for sending a menacing message, the High Court accepted that a tweet is a message sent by means of a public electronic communications network for the purposes of the Communications Act 2003 (¶25).

A still of the beheading video certainly has the potential to be grossly offensive, and also obscene. The original tweeter might possibly be risking the committing of a criminal offence in originally tweeting it, but what of Twitter, inserting into an unwilling recipient’s timeline?

Similarly, section 2 of the Terrorism Act 2006 creates an offence if a person is reckless at whether the distribution or circulation of a terrorist publication constitutes a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism (it’s possible this is the offence the Met were -oddly – hinting at in their statement).

I’m not a criminal lawyer (I’m not even a lawyer) so I don’t know whether the elements of the offence are made out, nor whether there are jurisdictional or other considerations in play, but it does strike me that the changes Twitter has made have the potential to produce grossly offensive results.

Leave a comment

Filed under police, social media