It does not seem as
though it was a year ago since I sat down to write my review of
Information Law in 2017 and to have a brief look ahead into 2018; but
somehow we now appear to be in 2019. It was always going to be the case that
2018 was going to be a big year for information law; with the General Data
Protection Regulation becoming applicable on 25th May 2018. The 25th
May 2018 came and went without the millennium bug style apocalypse that seemed
inevitable from the amount of sensationalist writing that was taking place in
late 2017 and early 2018.
My review of 2017 started off with the English and Welsh High Court decision on vicarious liability for data protection breaches in Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 (QB). This case rumbled on in 2018 and it was considered by the Court of Appeal. The Court of Appeal heard the appeal and (in remarkably quick time) dismissed the appeal. It is understood that Morrisons have sought permission to appeal to the Supreme Court and if permission is granted it is possible that it will feature in a review of Information law in 2019.
In February, the
English and Welsh High Court issued an interesting privacy judgment when it
considered an action for compensation arising out of “Can’t Pay? We’ll Take it
Away’; a fly-on-the wall documentary following High Court Enforcement Officers
in their work enforcing court orders relating to debt and housing cases. The
Court had the tricky job of balancing the privacy rights of individuals against
the rights of television companies in respect of freedom of expression;
however, the
High Court decided that the balance in this particular case fell in favour of
the claimant’s privacy rights. The High Court’s decision was appealed to
the Court of Appeal; looking specifically at the issue of quantifying the level
of damages. That appeal was heard by the Court of Appeal in early December and
should provide useful guidance on calculating damages in the privacy sphere.
Facebook, Cambridge
Analytical and Aggregate AIQ all featured quite heavily in 2018 in terms of
privacy and data protection matters. Facebook
was served with a monetary penalty in the amount of £500,000 for breaches of
the Data Protection Act 1998 and Aggregate AIQ was also the recipient of
the first Enforcement Notice under the Data Protection Act 2018 (which was
narrowed in scope by the Information Commissioner following an appeal by AIQ;
which was subsequently dropped). Facebook lodged an appeal against the Monetary
Penalty Notice with the First-Tier Tribunal (Information Rights) in November
2018. If and when a decision is reached by the Tribunal in respect of that
appeal, it will feature on this blog.
Arising out of the same
wide-ranging investigation by the ICO as the Facebook penalty and the AIQ
Enforcement Notice was an Information Notice served on the United Kingdom
Independence Party (UKIP), which was appealed to the First-Tier Tribunal
(Information Rights). The Tribunal dismissed
the appeal by UKIP in July.
In April there was yet
another important decision from the English and Welsh High Court in respect of
Privacy and Data Protection. A little over four years after the European Court
of Justice decision on the Right to Be Forgotten in Google Spain, Mr
Justice Warby handed down his judgment in NT1 & NT2 v Google; this
represented the first decision of a UK Court in respect of the Right to Be
Forgotten. An appeal was lodged in respect of this case and was due to be heard
just before Christmas; however, it was reported that the case was settled on
the day of the appeal.
The issue of
compensation to identifiable third parties in the context of data protection
breaches was considered
by the English and Welsh Court of Appeal. This case adds to the helpful
privacy and data protection case law emanating from the English and Welsh
courts.
Another interesting
development that we saw during the course of 2018 was a
director being disqualified indirectly in connection with privacy and data
protection matters. It does show that directors can be held personally
liable for privacy and data protection transgressions of limited companies.
This was underlined by the amendments
to the Privacy and Electronic Communications (EC Directive) Regulations 2003
which now enable the Commissioner to serve a monetary penalty on directors (and
others associated with companies) in certain circumstances.
In Scotland, the Court
of Session made new rules which should make appealing decisions of the
Scottish Information Commissioner in respect of requests for environmental
information more financially viable.
Litigation in respect
information law matters in Scotland remains limited. The majority of litigation
on these areas arises out of England and Wales. Perhaps in 2019, we will begin
to see more litigation in Scotland on information law matters. Hopefully the
new rules in the Court of Session will see more appeals in respect of the
Environmental Information (Scotland) Regulations 2004 and hopefully the
introduction of Group proceedings in the Court of Session through the Civil
Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 will help with
an increase in data protection and privacy litigation in Scotland.
In terms of 2018
Scottish cases, not long before Christmas the Court of Session treated us to a
judgment in an appeal concerning vexatious requests under the Freedom of
Information Scotland Act 2002. Beggs v Scottish
Information Commissioner considered the correct approach to be taken
when applying section 14(1) of the Freedom of Information (Scotland) Act 2002.
Looking ahead to 2019;
the big issue on the horizon is Brexit. Much of what is discussed on this blog
as “information law” derives from European law and so Brexit will likely have
an impact upon that. We are still unsure as to the terms that we will be
leaving on. A withdrawal Agreement has been negotiated between the European
Union and the United Kingdom; however, there is still a way to go with that – and it looks
quite likely that the UK Parliament will rejected the Withdrawal Agreement in
its current form. If we end up leaving with no Withdrawal Agreement in place
then this will cause considerable difficulties for UK business which rely upon
the transfer of personal data from elsewhere within the European Union; it will
also cause problems for public bodies.
In terms of making the
law work after Brexit, we were treated by the Government (in between Christmas
and New Year) to a draft of The Data Protection, Privacy and Electronic
Communications (Amendments etc) (EU Exit) Regulations 2019. These Regulations
will make changes to the GDPR, the Data Protection Act 2018 and the Privacy and
Electronic Communications (EC Directive) Regulations 2003 in light of the
United Kingdom no longer being a member of the European Union. I will, of
course, look at these draft Regulations in more detail soon.
I will attempt to address
information law matters as they unfold in 2019 on the Information Law Blog from
Inksters Solicitors.
Alistair Sloan
If you would like advice or
assistance with Privacy
and Data Protection matters or with UK and Scottish
Freedom of Information requests contact Alistair Sloan on 0141 229 0880 or you can
E-mail him.