Lots of FOI contempt applications in the wings

A new piece on the Mishcon de Reya site: the First-tier Tribunal is dealing with at least eight applications to certify contempt of court for failure by public authorities to comply with decision notices.

FOI enforcement starts to get serious?

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal, access to information, contempt

First ever FOI contempt certification

I’ve written a piece on the Mishcon de Reya website on the first ever case of certification of contempt of court to the High Court, for failure to comply with a decision notice.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal

Open Letter to new ICO

I was delighted recently to be invited by OpenDemocracy to sign an open letter to John Edwards, new Information Commissioner, calling for more to be done to regulate FOI effectively. I’ve written many posts in the past breaking the state of FOI enforcement, so everything in the letter resonated with me. The letter has now been sent, and there are some very high profile journalists, MPs and campaigners who have signed:

https://www.opendemocracy.net/en/freedom-of-information/information-commissioner-foi-open-letter-secrecy/

Edwards has already replied, and said that addressing these concerns will be a priority for him.

Leave a comment

Filed under Freedom of Information, Information Commissioner, journalism, access to information

Ineffectual powers

The Information Commissioner’s Office (ICO) has just announced that it has served a fine (strictly, a monetary penalty notice) of £80,000, under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), on a company which sent a large number of particularly tasteless SMSs during the pandemic, of this sort

“Get Debt FREE during the Lockdown! Write off 95% of ALL DEBTS with ALL charges and fees FROZEN. Government backed. Click [here] Stop 2optout”

(In passing, I’m rather surprised the ICO’s announcement gave hyperlinks to the offending, albeit broken, URLs.)

In that accompanying announcement, the ICO’s Head of Investigations is quoted as saying

The company director failed to cooperate with our investigations through concealing his identity by using false company details on his websites; changing the wording on the text messages; and, changing his company’s registered address after becoming aware of our investigation.

and we are told that the director

tried to evade the ICO investigations with different tactics since 2019, but investigators were determined to bring this company to account for plaguing people’s lives with thousands of spam messages

What is interesting in this context is that the ICO’s powers to issue fines for serious contraventions were added to, in 2018, to allow them also to fine company directors themselves (where the contravention was with the consent of connivance of the director, or attributable to any neglect on their part).

I asked the ICO if they had a comment on why no director fine was issued here, but they only wished to say

The action we have taken is proportionate and appropriate in the circumstances of this case.

This is fair enough: there may be facts which are not public, and I don’t criticise what is a sound piece of enforcement against unlawful marketing communications.

However, as far as I am aware, since the ICO acquired the powers to fine directors (and similar officers) under PECR they have not exercised those powers once. This is odd – they had long lobbied for the powers, and when the change in the law was being proposed, the then Commissioner Elizabeth Denham told The Register “It should have a real deterrent effect”. Maybe there are legal issues with actually ascribing liability to directors, or practical issues with tracking and pinning them down to try to enforce against them. If so, and if the 2018 change in the law has not had that “real deterrent effect”, is the ICO letting government know?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Information Commissioner, monetary penalty notice, PECR, spam texts

NADPO March webinar

The next NADPO monthly webinar is on 22 March. As usual, we have two great talks:

  • Joe Chapman, Scottish Information Commissioner’s Office – ‘Access to information post-pandemic: learning from the experience of FOI in Scotland’
  • Ashley Winton, Mishcon de Reya LLP – ‘Adtech and Website Analytics – the current state of play’

Attendance is free for all NADPO members (attendance at all NADPO events is always free for members – no “in-game purchases” for them). And Data Protection Forum members are also allowed to attend for no charge.

If anyone else is especially interested in NADPO, or these specific talks, please contact me at chair at NADPO dot co dot uk – I can often be persuaded to offer a free space in those circumstances.

Leave a comment

Filed under Uncategorized

Ukraine Justice Alliance

My firm, Mishcon de Reya, is working with a collective of lawyers, law firms, and non-governmental organisations (NGOs) to form an alliance that will support Ukrainians in response to the catastrophic invasion of Ukraine. Please share widely:

Ukraine Justice Alliance

Leave a comment

Filed under human rights

The Seepage of Information Act

Transport yourself back to January 2020 (what a different world that was). You are a journalist, or maybe just an informed citizen, and you want to know what preparations the government had made in the event Boris Johnson had lost his seat in the general election a month previously.

You make a request for this information to the Cabinet Office under the Freedom of Information Act 2000 (FOIA). You know that you should get a response within twenty working days (section 10 of FOIA says so). And you know that there is a regulator (the Information Commissioner, or “ICO”) who oversees compliance with FOIA.

What you probably don’t expect is that, 25 months on, you not only haven’t received the information you requested but you have only just had a ruling from the ICO that you are not entitled to it.

That’s how long it has taken this request to make its way through what is an unacceptably slow process. The requester made the request to the Cabinet Office on 7 January 2020. By 12 March 2020 they had had no response whatsoever, so complained to ICO. Three months later, on 16 June 2020, ICO formally told the Cabinet Office to pull its finger out. On 3 August it did, and refused to disclose the requested information, citing one of the statutory exemptions. On 22 September 2020 the requester again complained to ICO, who then took sixteen months to decide that the Cabinet Office was entitled to rely on the exemption claimed.

What follows is far from a fully thought-out legal argument, but bear with me for the purposes of polemic: Article 10 of European Convention on Human Rights says that everyone has the qualified right to receive information (as well as to impart information) without interference by public authority. Previous attempts to argue that Article 10 confers something above and beyond FOIA in respect of accessing information from public authorities have foundered, on the grounds that, in context, Article 10 doesn’t add anything to the rights in FOIA (see Kennedy, para 92 and elsewhere). But it does seem to me that if the regulatory scheme itself interposes a delay which might be, as here, 1600% longer than the original statutory timescale given to the original recipient for responding to the request, the basis might arise for mounting an argument that the scheme fails to avoid public authority interference in the Article 10 fundamental right.

Maybe I’m overreaching. Let’s just say this: it cannot be right that it takes over two years to get a response and a regulatory decision on a FOIA request. Let’s hope new Commissioner John Edwards sorts this out.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Article 10, Cabinet Office, Freedom of Information, Information Commissioner

Latest NADPO event

The next of the monthly NADPO lunchtime webinars will be next Tuesday (22 February), with speakers Dr Chris Pounder, of Amberhawk Training, on “Do the proposed changes to the UK’s human rights regime undermine the UK_GDPR?” and Johnny Chagger, of Leeds Teaching Hospitals NHS Trust on “Integrating heath and social care records” (Johnny’s talk has a provisional title for now).

NADPO members can attend for free (as they can at all our events). If you are not a member, but are interested in the talks, and interested in joining NADPO, please feel free to drop me a line at chair at nadpo dot co dot uk. We generally have a couple of free tickets to offer.

Leave a comment

Filed under Uncategorized

NADPO event – some free spaces on request

NADPO, the membership association for information rights professionals, which I’ve chaired for some years now, is holding the latest in its online lunchtime webinars next Tuesday.

We’re delighted to be joined by Professor Kirstie Ball of St Andrews University, who will be talking on the theme of “Worker monitoring and surveillance: Psycho-social risks and organizational justice” and by Dr Ben Worthy, Senior Lecturer in Politics at Birkbeck College, University of London on “Resistance and undermining of FOI”.

Attendance is free for members, but we generally allow a few free tickets for those who are interested in the topics, and who may be interested in joining NADPO. Please contact me (chair at NADPO dot co dot uk) if you would like to request a place.

Leave a comment

Filed under Uncategorized

COVID booster messages and the law

GET BOOSTED NOW Every adult needs a COVID-19 booster vaccine to protect against Omicron. Get your COVID-19 vaccine or booster. See NHS website for details

On Boxing Day, this wording appears to have been sent as an SMS in effect to every mobile telephone number in the UK. The relevant government web page explains that the message is part of the national “Get Boosted Now” campaign to protect against the Omicron variant of COVID-19. The web page also thanks the Mobile Network Operators for “their assistance in helping deliver the vitally important Get Boosted Now message”.

It is inevitable that questions may get raised raised about the legality of the SMSs under data protection law. What is important to note is that, although – to the extent that the sending involved the processing of personal data – the GDPR may apply (or, rather, the UK GDPR) the relevant law is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Under the doctrine of lex specialis where two laws govern the same situation, the more specific rules will prevail over more general rules. Put another way, if the more specific PECR can justify the sending of the SMSs, then the sending will also be justified under the more general provisions of UK GDPR.

Regulation 16A of PECR (inserted by a 2015 amendment), provides that where a “relevant communications provider” (in this case a Mobile Network Operator) is notified by a government minister (or certain other persons, such as chief constables) that an “emergency” has occurred, is occurring or is about to occur, and that it is expedient to use an emergency alert service, then the usual restrictions on the processing of traffic and location data can be disregarded. In this instance, given the wording on the government website, one assumes that such a notification was indeed made by a government minister under regulation 16A. (These are different emergency alerts to those proposed to be able to be sent under the National Emergency Alert system from 2022 which will not directly involve the mobile network operators.)

“Emergency” is not defined in PECR, so presumably will take its definition here from section 1(1)(a) of the Civil Contingencies Act 2004 – “an event or situation which threatens serious damage to human welfare in a place in the United Kingdom”.

The effect of this is that, if the SMSs are legal under PECR, they will also be legal under Article 6(1)(c) and 6(1)(e) of the UK GDPR (on the grounds that processing is necessary for compliance with a legal obligation to which the controller is subject, and/or necessary for the performance of a task carried out in the public interest).

There is an interesting side note as to whether, even though the SMSs count as emergency alerts, they might also be seen as direct marketing messages under regulations 22 and 23 of PECR, thus requiring the content of the recipient before they could be sent. Under the current guidance from the Information Commissioner (ICO), one might argue that they would be. “Direct marketing” is defined in the Data Protection Act 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” and the ICO defines it further by saying that this “covers any advertising or marketing material, not just commercial marketing. All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations”. Following that line of thought, it is possible that the Omicron SMSs were both emergency alerts and direct marketing messages. This would be an odd state of affairs (and one doubts very much that a judge – or the ICO, if challenged on this – would actually agree with its own guidance and say that these SMSs were indeed direct marketing messages). The ICO is in the process of updating its direct marketing guidance, and might be well advised to consider the issue of emergency alerts (which aren’t covered in the current consultation document).

[Edited to add: I don’t think what I say above necessarily covers all the legal issues, and no doubt there are aspects of this that could have been done better, but I doubt very much there is any substantive legal challenge which can be made.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under communications data, consent, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, PECR, UK GDPR