Good Law Project v Reform

In the run-up to last year’s General Election, the campaigning group The Good Law Project (GLP) actively encouraged people to make subject access requests (under Article 15 of the UK GDPR) to political parties, and they say that they enabled 13,000 people to do so.

The GLP says that the Reform Party “replied to hardly anyone”, and as a result it is bringing the first ever case in the UK under Article 80(1) of the UK GDPR, whereby a data subject (or subjects) mandates a representative organisation to bring an Article 79 claim on their behalf.

Helpfully, the GLP has published both its own particulars of claim, and, now, Reform’s defence to the claim. The latter is particularly interesting, as its initial approach is to threaten to apply to strike out the claim on the grounds that the GLP does not meet the criteria for a representative body, as laid out in section 187 of the Data Protection Act 2018.

Given the nature of the two parties (one a bullish campaign group, the other a bullish political party) it seems quite likely that this will proceed to trial. If so, we should get some helpful clarification on how Article 80(1) should operate.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under Article 80, Data Protection Act 2018, political parties, UK GDPR

Hinkley Point C construction company is a public authority under the EIR

The Information Tribunal has ruled that the Nuclear New Build Generation Company, a subsidiary of EDF Energy, created to construct a new nuclear power plant at Hinkley Point C (HPC), is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR).

In the last fifteen years or so, a very interesting body of case law has been built up regarding the extent to which certain private persons have accrued, or have been conferred upon them, the status of a public authority for the purposes of the EIR. Some of the bodies who have been held to be public authorities (at least in a limited EIR sense) are water companies, BT, public gas transporters, and port authorities. Some which have not been held to be include Heathrow Airport and housing associations.

The EIR create a scheme for public access to environmental information held by public authorities, which runs in parallel to the scheme under the Freedom of Information Act 2000 (FOIA). Where FOIA, though, specifically designates public authorities, the EIR (which implemented an EU Directive, emanating in turn from the 1998 UNECE Aarhus Convention) define a public authority by virtue of its actions and powers.

Whether a person is a public authority will often turn on whether it “carries out functions of public administration”. The tests for this derive from the “Fish Legal” case in the CJEU: whether they are “entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and…are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law”.

In NNB Generation Company (HPC) Ltd v Information Commissioner & Anor [2025] UKFTT 634 (GRC), the Tribunal, considering an appeal by HPC from a decision by the Information Commissioner’s Office that it was an EIR public authority (and in which Fish Legal were again the applicant), held that the relevant Development Consent Order, and the electricity and nuclear licences granted to HPC constituted entrustment with the performance of public services in relation to the environment, and the powers accruing from that entrustment “go far beyond what a private person without the benefit of such powers would be able to do in those circumstances, for example in empowering HPC to make byelaws, even if it opts not to do so”.

Decisions of this sort are nuanced and complex, and for that reason, often amenable to appeal. I would not be surprised if this one goes to the Upper Tribunal.

Filed under access to information, Environmental Information Regulations, FOIA, Information Commissioner, Information Tribunal, judgments

Covert recordings in family law proceedings – some slightly flawed guidance

The issue of the legality of the making of, and subsequent use of, covert audio and/or visual recordings of individuals is a complex one – even more so when it comes to whether such recordings can be adduced as evidence in court proceedings.

I’m not going to try to give an answer here, but what I will do is note that the Family Justice Council has recently produced guidance on covert recordings in family law proceedings concerning children, and it contains some rather surprising sections dealing with data protection law.

Firstly, I should say what it gets right: I think it is correct when it indicates that processing consisting of the taking of and use of covert recordings for the purpose of proceedings will not normally be able to avail itself of the carve-out from the statutory scheme under Article 2(2)(a) UK GDPR (for purely personal or household purposes).

However, throughout, when addressing the issue of the processing of children’s data, it refers to the Information Commissioner’s Office’s Children’s Code, but doesn’t note (or notice?) that that Code is drafted specifically to guide online services on the subject of age appropriate design of such services. Although some of its general comments about children’s data protection rights will carry over to other circumstances, the Children’s Code is not directly relevant to the FJC’s topic.

It also goes into some detail about the need for an Article 6(1) UK GDPR lawful basis if footage is shared with another person. Although strictly true, this is hardly the most pressing point (there are a few potential bases available, or exemptions to the need to identify one). But it also goes on to say that a failure to identify a lawful basis will be a “breach of the DPA 2018” (as well as the UK GDPR): I would like its authors to say what specific provisions of the DPA it would breach (hint: none).

It further, and incorrectly, suggests that a person making a covert recording might commit the offence of unlawfully obtaining personal data at section 170 DPA 2018. However, it fails to recognise that the offence only occurs where the obtaining is done without the consent of the controller, and, here, the person making and using the recording will be the controller (as the “lawful basis” stuff above indicates).

Finally, when it deals with developing policies for overt recording, it suggests that consent of all the parties would be the appropriate basis, but gives no analysis of how that might be problematic in the context of contentious and fraught family law proceedings.

The data protection aspects of the guidance are only one small part of it, and it may be that it is otherwise sound and helpful. However, it says that the ICO were consulted during its drafting, and gave “helpful advice”. Did the ICO see the final version?

Filed under Covert recording, Data Protection, Data Protection Act 2018, Family law, Information Commissioner, UK GDPR

Could the Data (Use and Access) Bill fall?

[EDIT: in this post I originally said I understood that the current parliamentary session would end when Parliament rises for summer recess. Prompted by Andrew Harvey, on the Jiscmail Data Protection list, I checked this point, and I was wrong: my MP (who, on the two occasions I’ve emailed him, has been impressively responsive), says “With the legislative programme from the King’s Speech barely a quarter of the way through, I would guess this will be at least an 18 month session”. So one of the pressing issues in the post is less pressing, but that still doesn’t get round the issue of the impasse.]

Westminster is at an impasse over the Data (Use and Access) Bill. The Lords have repeatedly introduced amendments, in the form of totally new clauses on AI and copyright which were never intended to be part of the Bill, and the Commons have repeatedly removed them. Yesterday’s reprise of the exercise suggests that ping pong is not stopping any time soon.

This must be of tremendous frustration to the government. In particular, it will be of significant concern to the ministers and civil servants who will be negotiating with the European Commission over the reciprocal data adequacy arrangements which allow free transfer of personal data between the EU and the UK. The Commission had introduced a sunset clause to the original agreement, which was due to expire this month, but this has been extended for a further six months, specially to allow for the passage and enactment of the DUAB (the Commission wants to see what the revised UK data protection scheme will look like).

So what happens now? As the Bill was introduced in the Lords, the Commons cannot invoke its powers to force the Bill through to Royal Assent, under section 2 of the Parliament Act 2011.

The current parliamentary session may well run on for some time yet. Traditionally, all parliamentary business would cease at prorogation, so if a Bill hadn’t passed, it fell. In recent years, however, procedures in both Houses have been developed, whereby, by agreement, a Bill can “carry over” to the next session. This is very unusual, though, with a Bill introduced in the Lords. It is also difficult to see how, or why, there would be agreement to carry over a Bill like the DUAB, over which the two Houses are in actual disagreement.

Maybe the alternative would be to allow the Bill to fall (or withdraw it), and reintroduce it in the Commons, in the next session.

But there would be no winners in such a scenario. The government (and Parliament) would have to go to significant time and cost, and the opponents in the Lords, serried behind Baroness Kidron, would be no closer to getting the artists’ protections from AI models that they seek.

And in the meantime, the extended sunset clause for UK adequacy would be dropping below the horizon.

Is there still time for compromise? The simple answer is yes, but there have been few signs of much movement from either side.

Filed under adequacy, Data (Use and Access) Bill, parliament

Liz Truss leadership election not amenable to JR

Was the leadership election in which Liz Truss was elected as leader of the Conservative Party (and as a result of which she was recommended to the Queen by the outgoing Boris Johnson, and appointed by the Queen as her Prime Minister) a decision amenable to judicial review?

Whether a person is a public authority for the purposes of the Freedom of Information Act 2000 is, in principle, a relatively straightforward issue: is it listed in Schedule 1 to FOIA?; or has it been designated as such by order under section 5?; or is it wholly owned by the public sector?

Whether a person is a public authority under section 6 of the Human Rights Act 1998, or whether a person is a public authority amenable to judicial review, are more complex questions.

It was the last of these that the Court of Appeal had primarily to consider in Tortoise Media Ltd, R (On the Application Of) v Conservative and Unionist Party [2025] EWCA Civ 673. Tortoise Media had written to the Party seeking certain information in relation to the leadership election process, and argued that the public effects of the leadership election meant that, in those circumstances, the Party was exercising a public function for the purposes of CPR 54.1(2). The follow-on argument was that the judgment of the ECtHR in Magyar Helsinki Bizottság v Hungary meant that the domestic courts should read down Article 10 of the ECHR (as incorporated in domestic law in the HRA) as imposing, in some cases, a positive obligation on a body to provide information to the media, who act as “watchdogs” in the public interest.

Perhaps unsurprisingly, though, the Court of Appeal did not accept that the effects and circumstances of the Party leadership election made the decision of the Party amenable to JR:

the nature of the act of electing a party leader…is at all times a private act. The fact that it has important, indirect consequences for the public does not transform a private act into a public one.

For that reason, the Court did not need to consider the Article 10/Magyar arguments (but on which, one feels – having regard to the submissions on behalf of the Duchy of Lancaster, as intervener, which argued that the Supreme Court’s decisions in Sugar and in Kennedy (which did not follow the reasoning in Magyar) bound all inferior courts – the claimants would have in any case lost).

It’s an interesting read, even if it was – to put it mildly – an ambitious case to bring.

Filed under access to information, Article 10, Freedom of Information, human rights, judgments, judicial review

FOIA contempt proceedings against University of Exeter

Non-compliance by a public authority with the provisions of the Freedom of Information Act 2000 is rarely a particularly serious matter for the public authority: a delay in responding, or a failure to disclose what should be disclosed, or wrong reliance on exemptions will at most normally only result in a public decision notice by the Information Commissioner’s Office (ICO), and there are hundreds of those issued each year, which pass with barely any attention.

Where it can get serious is where the public authority fails to comply with an order by the ICO, or where, upon a case having been appealed to the First-tier Tribunal (FTT), the FTT has made an order for disclosure. Sections 54 and 61, respectively, of FOIA, empower the ICO and the FTT to treat the failure to comply as an offence of contempt of court, and certify the offence to the Upper Tribunal, which has the power to commit for contempt. In principle, as I understand it, the Upper Tribunal could, if it agreed there was a contempt, impose a period of imprisonment or a fine (the powers here are not contained in the Upper Tribunal Rules, but in YSA (Committal for contempt by media) [2023] UKUT 00075 (IAC), the Upper Tribunal (in a non-FOIA case) said that as the Upper Tribunal Rules do not expressly deal with contempt certifications, then the Upper Tribunal should, so far as it can, adopt the contempt provisions of part 81 of the Civil Procedure Rules).

I’m not aware of any FOIA case where the Upper Tribunal (or the High Court, which had the jurisdiction until the Data Protection Act 2018 amended FOIA and conferred jurisdiction on the Upper Tribunal) has actually made a contempt committal. But the latest case to make its way to the Upper Tribunal, to consider whether to do so, involves the University of Exeter. The University was asked under FOIA for the names of attendees, and the organisations they represented, at two University groups – the Exeter Community Panel and the Resident Liaison Group. The University refused, citing data protection concerns (and relying on the exemption at section 40(2) FOIA), and the ICO agreed. However, the FTT disagreed (these were public facing groups and attendees would have had no reasonable expectation that their names would be kept private) and ordered disclosure. This, however, the University did not do, and upon being chased by the applicant, indicated that at least some of the information no longer existed, because of (undocumented) oral right to be forgotten requests made by attendees after the FTT had ordered disclosure (which raised s77 FOIA questions). As the FTT pointed out, the University had supplied the withheld information to the ICO and to the FTT itself for the purposes of the original proceedings, and it was “less than credible that the Respondent cannot recover that information and provide it to the Applicant”.

The FTT was satisfied therefore, that this was a “wilful”, “flagrant” and continuing failure to comply with its order – “a contrived and persistent failure that is still ongoing”.

The FTT nonetheless still urged the University to fully comply with the order, as doing so “may mitigate any action taken by the Upper Tribunal”.

Compliance with FOIA is not voluntary for a public authority. Still less so is compliance with orders of a court.

Filed under contempt, FOIA, Freedom of Information, Information Tribunal, Upper Tribunal

FOIA s11 – All or nothing or a sliding scale?

When a public authority receives a request for information it must, under the Freedom of Information Act 2000, determine and communicate whether the information is held (subject to any exemption which removes the obligation to confirm or deny whether it is held), and then determine whether any exemptions to disclosure apply. These latter exemptions include the procedural ones at ss12 and 14 of FOIA (costs grounds and vexatiousness or repeatedness) and the substantive ones at Part II (ss21 to 44). It is only then that, if the requester has requested the information in a specific format (such as a specific software format) the public authority must, under s11, consider whether it must “so far as reasonably practicable” give effect to that preference.

That this is the correct order of things is confirmed by an important (albeit quite niche) judgment of the Upper Tribunal, in Walawalker v The Information Commissioner & Anor [2023] UKFTT 1084 (GRC). Both the ICO, and the First Tier Tribunal, had elided/confused the staged process above, with the result that the appeal before the Upper Tribunal was on the meaning of s11, despite prior findings not having been fully made on the application of exemptions.

Nonetheless, what the Upper Tribunal had to decide was, where (for instance as was the case here) a request was for transcripts of 50-odd audio recordings of distress calls at sea, and the act of transcribing them would be very resource-heavy, did the obligation to give effect to the preference for transcripts “so far as reasonably practicable” impose an “all or nothing” or a “sliding scale” duty? In this example, did the Maritime and Coastguard Agency have to transcribe as many of the calls as it could before it became no longer reasonably practicable, or did the exercise as a whole constitute something that was not reasonably practicable?

It was the latter, said the judge: s11 applies to “the information” requested (what the ICO, in its submissions, described as being a “unitary concept” – and the judge said this was a “helpful perspective”), not a subset or extract of the information. What Mr Walawalker had requested was “all calls”, and it was that “unitary concept” which was at issue in the s11 analysis. It was not reasonably practicable to transcribe all calls, and so the s11 duty did not apply.

Filed under Freedom of Information, Information Commissioner, Information Tribunal, judgments, Section 11, UK GDPR

The Emperor has no clothes!

[reposted from my LinkedIn account]

When a public authority receives a Freedom of Information Act request and the requested information contains personal data (of someone other than the requester) it must first consider whether it can even confirm or deny that the information is held. For instance “Dear NHS Hospital Trust – please say whether you hold a list of embarrassing ailments suffered by Jon Baines, and if you do, disclose the list to me”. To confirm (or deny) even holding the information would tell the requester something private about me, and would contravene the data protection principles at Article 5(1) of the UK GDPR. Therefore, the exemption at s40 of FOIA kicks in – specifically, the exemption at s40(5A): the hospital can refuse to confirm or deny whether the information is held.

But suppose that, mistakenly, the hospital had perhaps confirmed it held the information, but refused to disclose it? The cork, surely, is for ever out of the bottle.

Upon appeal by the requester (this requester really has it in for me) to the ICO, I could understand the latter saying that the hospital should have applied s40(5A) and failure to do so was a failure to comply with FOIA. However, certainly of late, the ICO has engaged in what to me is a strange fiction: it says in these circumstances that it will “retrospectively apply s40(5A)” itself. It will pretend to put the cork back in the bottle, after the wine has been consumed.

And now, the Information Tribunal has upheld an ICO decision to do so, albeit with no argument or analysis as to whether it’s the correct approach. But, even more bizarrely, it says:

We are satisfied that the Commissioner was correct to apply section 40(5B) FOIA proactively, notwithstanding the information that has previously been provided by the Trust, to prevent the Trust from providing confirmation or denial that the information is held.

But the Trust had already done so! It can’t retrospectively be prevented from doing something it has already done. The cork is out, the wine all gone.

Am I missing something? Please excuse the sudden mix of metaphor, but can no one else see that the Emperor has no clothes?

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, UK GDPR

Recital 63 of the GDPR is nonsensical

[reposted from my LinkedIn account]

I’m sure I’ve mentioned this before (but that sort of thing never stops me banging on about stuff) but whenever I read recital 63 of the GDPR it irritates me, because a comma is in the wrong place. The result is that the clause in question is slightly nonsensical. It reads:

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

The literal reading of that clause is that the right of access exists in order that a data subject can be “aware of the lawfulness” of processing and “verify the lawfulness” of processing. The latter is fine on its own but what does the former mean? And if one becomes “aware of the lawfulness” of the processing then why should one then “verify” it?

Surely the need is to be aware of the processing, and then verify its lawfulness?

Clearly, the comma should be moved, so it says:

…in order to be aware of, and verify the lawfulness of, the processing.

And when I’m Prime Minister a UK GDPR (Recital 63 Correction) Amendment Bill is the first thing I will table.

Filed under Data Protection, GDPR, nonsense, subject access, UK GDPR

Personal use of work devices – an Irish judgment

A frequent headache for data protection practitioners and lawyers is how to separate (conceptually and actually) professional and personal information on work devices and accounts. It is a rare employer (and an even rarer employee) who doesn’t encounter a mix of the two categories.

But, if I use, say, my work phone to send a couple of text messages (as I did on Saturday after the stupid SIM in my personal phone decided to stop working), who is the controller of the personal data involved in that activity? I’d be minded to say that I am (and that my employer becomes, at most, a processor).

That is also the view taken by the High Court in Ireland, in an interesting recent judgment.

The applicant was an employee of the Health Service Executive (HSE), and did not, in this case, have authority or permission to use his work phone for personal use. He nonetheless did so, and then claimed that a major data breach in 2021 at the HSE led to his personal email account and a cryptocurrency account being hacked, with a resultant loss of €1400. He complained to the Irish Data Protection Commissioner, who said that as his personal use was not authorised, the HSE was not the controller in respect of the personal data at issue.

The applicant sought judicial review of the DPC decision. This of course meant the application would only succeed if it met the high bar of showing that the DPC had acted unlawfully or irrationally. That bar was not met, with the judge holding that:

The DPC did not purport to adopt an unorthodox interpretation of the definition of data controller. Instead, against the backdrop of the factual matrix before it, it found that the HSE had not “determined the purposes and means of the processing” of the data relating to the Gmail, Yahoo, Fitbit and Binance accounts accessed by the applicant on his work phone. That finding appears to me to be self-evident, where that use of the phone clearly was not authorised by the HSE.

I think that has to be correct. But I’m not sure I quite accept the full premise, because I think that even if the HSE had authorised personal use, the legal position would be the same (although possibly not quite as unequivocally so).

I’m genuinely interested in others’ thoughts though.

Filed under controller, Data Protection, employment, GDPR, Ireland, judgments, Uncategorized