Author Archives: Alistair Sloan

Data Protection and Brexit: Changes to UK law (Part 1)

This is the first in a series of blog posts that I intend on doing over the next period which look at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government in terms of the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that they both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.

Representatives
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU require to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. This will apply to controllers and processors based in EU and EEA states after “exit day”. Therefore it is important that EU and EEA businesses who are not established within the UK, but collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.

Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.

Adequacy decisions
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations”; these will function in a very similar way. It is probably quite likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.

The UK, upon exit day, will fall outside of the European Commission agreements and adequacy decisions (such as the EU-US “safe harbour” agreement). Similar agreements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-Brexit.

Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, will give an adequate level of protection for personal data when that personal data is transferred to a non-EU member state.

The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.”  In essence, the power of the Commission will transfer to the Secretary of State on exit day.

Administrative Fines
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.

These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

FOI in Scotland: Registered Social Landlords

Last week the Scottish Ministers laid The Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2019 (Draft) before the Scottish Parliament for the approval of the Parliament, as they are required to do in terms of the Freedom of Information (Scotland) Act 2002 (“FOISA”). This order is a long anticipated order to bring Registered Social Landlords (“RSLs”) within the scope of FOISA by designating them as Scottish public authorities. If approved (and there is nothing to suggest that the Order will not be approved by the Scottish Parliament), it will mean that RSLs (and their subsidiaries) will be designated as Scottish public authorities from 11 November 2019. Some had been hoping that they would have been designated from April this year, while others had been hoping that it would be April 2020. The Scottish Ministers appear to have split the difference and given RSLs a period of around 9 months to prepare for becoming Scottish public authorities.

RSLs have been, following a number of decisions of the Scottish Information Commissioner (which have never been appealed to the Court of Session), Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004 for a number of years. There is, however, some debate about whether they remain so, following some changes to the regulatory landscape pertaining to RSLs. It has not yet, to my knowledge, been tested whether they still are Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004. Whether the changes to the regulatory landscape of RSLs have had the effect of them no longer being Scottish public authorities, for the purposes of the Environmental Information (Scotland) Regulations 2004, is somewhat immaterial; designation as a Scottish public authority for the purposes of FOISA also means that they will be Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004.

It should be noted that the draft order has been drafted in such a way so as to make RSLs Scottish public authorities for limited purposes only. They will be Scottish public authorities in respect of the following functions:

  1. providing housing accommodation and related services and includes anything done, or required to be done, in relation to:- (a) the prevention and alleviation of homelessness; (b) the management of housing accommodation (limited to the management of housing accommodation for which a registered social landlord has, under the Housing (Scotland) Act 2001, granted a Scottish secure tenancy as defined in section 11 or a short Scottish secure tenancy as defined in section 34 of that Act); (c) the provision and management of sites for gypsies and travellers, whatever their race or origin; and
  2. the supply of information to the Scottish Housing Regulator by a registered social landlord or a connected body in relation to its financial well-being and standards of governance.

A register of social landlords can be found on the website for the Scottish Housing Regulator.

Alistair Sloan


Developing the Information Expressway

The Upper Tribunal has recently considered the meaning and scope of the exception in Regulation 12(4)(d) of the Environmental Information Regulations 2004 (“the EIRs”). This exception allows a public authority to withhold environmental information in response to a request where “the request relates to material which is still in the course of completion, to unfinished documents or to incomplete data”.

Highways England Company Limited v Information Commissioner and Henry Manisty [2018] UKUT 432 (AAC) concerned a request made to Highways England by Mr Manisty in December 2016. Mr Manisty’s request related to the possible route of the Expressway between Oxford and Cambridge being investigated by Highways England. His request was refused by Highways England and the Information Commissioner did not uphold Mr Manisty’s subsequent complaint to her office. Mr Manisty appealed to the First-Tier Tribunal who allowed his appeal, deciding that the exception in Regulation 12(4)(d) did not apply. Highways England sought, and was granted, permission to appeal to the Upper Tribunal.

Upper Tribunal Judge Jacobs reminds us that as the EIRs implement an EU Directive they must (for now) be interpreted in a way that accords with the normal principles that apply to EU law. Judge Jacobs reminds us that one of those principles is that the exceptions must be interpreted restrictively. Judge Jacobs points out that this is a separate consideration from the presumption in favour of disclosure enshrined within the EIRs; that presumption simply allocates the burden of proof while the restrictive approach defines the scope of the exception.

Judge Jacobs also addresses the Aarhus Convention and the Implementation Guide. The EU Directive, which the EIRs implement, implements the Aarhus Convention into EU law and so regard has to be had to the convention when interpreting the EIRs and the Directive. Judge Jacobs, in paragraph 19, reviews some of the relevant case law and concludes that the Implementation Guide “can be used to aid interpretation, but it is not binding and cannot override what the Convention provides.”

Judge Jacobs includes two helpful paragraphs setting out what the exception does not mean. When deciding the scope of the exception it is not permissible to take into account any adverse consequences that disclosure might have. This is relevant for the purposes of determining where the public interest lies and also, perhaps, deciding whether the exception is engaged. Judge Jacobs states that “[a]dverse consequences must not be made a threshold test for regulation 12(4)(d).” [para 21]

Judge Jacobs considers what “material” and “relates to” mean within the exception. In respect of “material”, he considers that the word material “is not apt to describe something incorporeal, like a project, an exercise or a process.” The material in question may form part of a project or process etc.; however, the material in question must itself be in the course of completion. We are not necessarily concerned with whether the project is in the course of completion. [para 23] Judge Jacobs also holds that “[m]aterial includes information that is not held in documents and is not data: things like photographs, film, or audio recordings.” [para 24]

Having already looked at what the exception does not mean, Judge Jacobs eventually gets around to deciding what the exception does mean. He notes, in paragraph 28, that the language in the exception is “deliberately imprecise.” That being said, Judge Jacobs, in paragraph 30, returns to the principle that the exception should be applied restrictively. The imprecise language does not mean the exception can be applied “so widely as to be incompatible with the restrictive approach required by EU law.” At the same time it cannot be applied so narrowly that its purpose is defeated. In paragraph 31 of the decision, Judge Jacobs identifies yet another deliberately vague expression within the exception: ‘piece of work’. The judge identifies some factors that may be of some assistance in applying the exception. For example, if there has been a natural break in the public authority’s private thinking; or, perhaps, the public authority is at a stage where publicity around its progress so far is taking place. The continuing nature of the project, process or exercise might also be a relevant feature. However, public authorities shouldn’t get too excited: this is not, by any means, a checklist. Judge Jacobs makes it clear that each case will turn on its own circumstances.

Public authorities should also be aware that their own internal labels will not be determinative of matters; it is not possible to, in the words of Judge Jacobs “label [your] way out of [your] duty to disclose.” Labels such as “draft or preliminary thoughts may, or may not, reflect the reality.” [para 32]

Counsel for Highways England is recorded as having emphasised legal certainty and its importance. Judge Jacobs accepts that his decision will not produce legal certainty in the way that was possibly envisaged by Counsel for Highways England. Judge Jacobs notes that its application will not be easy; however, issues of judgement are involved and that limits what can be achieved.

In deciding that the First-Tier Tribunal had not erred in law, Judge Jacobs took the view that, when reading the First-Tier Tribunal’s reasoning as a whole, its approach accorded with his analysis of the operation of the exception. The First-Tier Tribunal “understood that it was exercising a judgment on whether the information requested could now properly be considered as independent from the continuing work on the Expressway.”

So, what have we learned? Judge Jacobs has certainly gone through the exception carefully and produced what he considers to be the best that can be achieved in terms of defining the scope of the exception in Regulation 12(4)(d). Its scope is narrow, but not so narrow as to defeat the policy intention of providing a space for public authorities to think in private; however, its imprecise nature should not be taken as giving public authorities carte blanche. Each and every case will turn on its own circumstances and a degree of judgement is involved in determining whether the exception will apply or not.

There are also some useful reminders (for now) about the need to utilise EU law principles when interpreting the EIRs. There is also a useful reminder, in paragraph 6, about the approach that the Upper Tribunal adopts when considering an appeal. It is unlike the First-Tier Tribunal; it is not conducting a re-hearing of the case. The Appellant has to show that the First-Tier Tribunal erred in law. We are also reminded that the nature of the language of the provision has to be taken into account when considering legal certainty; it is therefore not always possible to give a precise exposition of the scope of a provision – sometimes, it really does just come down to a matter of judgement.

Alistair Sloan


Openness by design: ICO’s draft access to information strategy

The Information Commissioner’s Office has published a draft access to information strategy [pdf] and is inviting comments on it. The document opens by explaining that over the next three years the ICO has the ambition to be “more proactive and increase the impact of” regulation in respect of the Freedom of Information Act 2000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIRs”).

The document is intended to be read in conjunction with the ICO’s ‘Regulatory Action Policy’, which was consulted on last year (and covers all of the legislation that the Commissioner is tasked with enforcing, not just FOIA and the EIRs).

The draft strategy gives the impression that the ICO intends to become more proactive in its enforcement of FOIA and the EIRs – especially in relation to “systematic non-compliance”. This could mean that the ICO intends to become more formal in its enforcement action. So we will need to wait and see how it pans out.

The other matter within the draft strategy that is worthy of note (although it really is worthwhile taking the time to read the whole document – it’s not a lengthy one) is the section which discusses the changes that have occurred since FOIA and the EIRs were enacted. In particular the draft strategy indicates that a report to Parliament will be published later this month “making recommendations for change in relation to outsourced public services and some other categories of public service provision that are not within the scope of the current legislation.” Quite what will happen with such a report, given that Parliament is pretty tied up with Brexit related matters, is unclear; however, it should be worth looking at – especially if you’re involved in the provision of public services under contract.

The ICO is inviting comments on the draft strategy document until 8th March 2019 and comments can be submitted via the ICO website.

Post-Legislative Scrutiny of the Freedom of Information (Scotland) Act 2002

For some time now the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee has been considering whether to undertake post-legislative scrutiny of the Freedom of Information (Scotland) Act 2002. The Committee’s decision on whether to undertake post-legislative scrutiny of FOISA was delayed while they awaited the Scottish Information Commissioner concluding his intervention in respect of the Scottish Government.

Yesterday, after hearing again from the Scottish Information Commissioner and his Head of Enforcement, the Committee took a decision (in private), as recorded in the Minutes [pdf], to undertake post-legislative scrutiny of FOISA.

It is not yet clear how the Committee will undertake its post-legislative scrutiny or what the timetable will be; but what can now be said is that there will be formal post-legislative scrutiny of FOISA by a committee of the Scottish Parliament for the first time since FOISA was enacted in 2002. Much has changed since FOISA was enacted and while the Act generally performs fairly well, there are undoubtedly some areas which are ripe for improvement.

Once we know more about the details of the post-legislative scrutiny I will, of course, blog about it.

Alistair Sloan


Information Law Review of 2018

It does not seem as though it was a year ago since I sat down to write my review of Information Law in 2017 and to have a brief look ahead into 2018; but somehow we now appear to be in 2019. It was always going to be the case that 2018 was going to be a big year for information law; with the General Data Protection Regulation becoming applicable on 25th May 2018. The 25th May 2018 came and went without the millennium bug style apocalypse that seemed inevitable from the amount of sensationalist writing that was taking place in late 2017 and early 2018.

My review of 2017 started off with the English and Welsh High Court decision on vicarious liability for data protection breaches in Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 (QB). This case rumbled on in 2018 and it was considered by the Court of Appeal. The Court of Appeal heard the appeal and (in remarkably quick time) dismissed the appeal. It is understood that Morrisons have sought permission to appeal to the Supreme Court and if permission is granted it is possible that it will feature in a review of Information law in 2019.

In February, the English and Welsh High Court issued an interesting privacy judgment when it considered an action for compensation arising out of “Can’t Pay? We’ll Take it Away”; a fly-on-the-wall documentary following High Court Enforcement Officers in their work enforcing court orders relating to debt and housing cases. The Court had the tricky job of balancing the privacy rights of individuals against the rights of television companies in respect of freedom of expression; however, the High Court decided that the balance in this particular case fell in favour of the claimant’s privacy rights. The High Court’s decision was appealed to the Court of Appeal; looking specifically at the issue of quantifying the level of damages. That appeal was heard by the Court of Appeal in early December and should provide useful guidance on calculating damages in the privacy sphere.

Facebook, Cambridge Analytica and AggregateIQ all featured quite heavily in 2018 in terms of privacy and data protection matters. Facebook was served with a monetary penalty in the amount of £500,000 for breaches of the Data Protection Act 1998 and AggregateIQ was also the recipient of the first Enforcement Notice under the Data Protection Act 2018 (which was narrowed in scope by the Information Commissioner following an appeal by AIQ; which was subsequently dropped). Facebook lodged an appeal against the Monetary Penalty Notice with the First-Tier Tribunal (Information Rights) in November 2018. If and when a decision is reached by the Tribunal in respect of that appeal, it will feature on this blog.

Arising out of the same wide-ranging investigation by the ICO as the Facebook penalty and the AIQ Enforcement Notice was an Information Notice served on the United Kingdom Independence Party (UKIP), which was appealed to the First-Tier Tribunal (Information Rights). The Tribunal dismissed the appeal by UKIP in July.

In April there was yet another important decision from the English and Welsh High Court in respect of Privacy and Data Protection. A little over four years after the European Court of Justice decision on the Right to Be Forgotten in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT2 v Google; this represented the first decision of a UK Court in respect of the Right to Be Forgotten. An appeal was lodged in respect of this case and was due to be heard just before Christmas; however, it was reported that the case was settled on the day of the appeal.

The issue of compensation to identifiable third parties in the context of data protection breaches was considered by the English and Welsh Court of Appeal. This case adds to the helpful privacy and data protection case law emanating from the English and Welsh courts.

Another interesting development that we saw during the course of 2018 was a director being disqualified indirectly in connection with privacy and data protection matters. It does show that directors can be held personally liable for privacy and data protection transgressions of limited companies. This was underlined by the amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 which now enable the Commissioner to serve a monetary penalty on directors (and others associated with companies) in certain circumstances.

In Scotland, the Court of Session made new rules which should make appealing decisions of the Scottish Information Commissioner in respect of requests for environmental information more financially viable.

Litigation in respect of information law matters in Scotland remains limited. The majority of litigation on these areas arises out of England and Wales. Perhaps in 2019, we will begin to see more litigation in Scotland on information law matters. Hopefully the new rules in the Court of Session will see more appeals in respect of the Environmental Information (Scotland) Regulations 2004 and hopefully the introduction of Group proceedings in the Court of Session through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 will help with an increase in data protection and privacy litigation in Scotland.

In terms of 2018 Scottish cases, not long before Christmas the Court of Session treated us to a judgment in an appeal concerning vexatious requests under the Freedom of Information (Scotland) Act 2002. Beggs v Scottish Information Commissioner considered the correct approach to be taken when applying section 14(1) of the Freedom of Information (Scotland) Act 2002.

Looking ahead to 2019; the big issue on the horizon is Brexit. Much of what is discussed on this blog as “information law” derives from European law and so Brexit will likely have an impact upon that. We are still unsure as to the terms that we will be leaving on. A Withdrawal Agreement has been negotiated between the European Union and the United Kingdom; however, there is still a way to go with that – and it looks quite likely that the UK Parliament will reject the Withdrawal Agreement in its current form. If we end up leaving with no Withdrawal Agreement in place then this will cause considerable difficulties for UK businesses which rely upon the transfer of personal data from elsewhere within the European Union; it will also cause problems for public bodies.

In terms of making the law work after Brexit, we were treated by the Government (in between Christmas and New Year) to a draft of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These Regulations will make changes to the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in light of the United Kingdom no longer being a member of the European Union. I will, of course, look at these draft Regulations in more detail soon.

I will attempt to address information law matters as they unfold in 2019 on the Information Law Blog from Inksters Solicitors.

Alistair Sloan



Scottish Vexatiousness

Paragraph numbers in this blog post relate to the Court of Session’s decision in Beggs v Scottish Information Commissioner [2018] CSIH 80; unless the context requires, or it is expressly stated, otherwise.

If you’re regularly involved in the making of or responding to freedom of information requests then you are likely to be familiar with the decision of the English and Welsh Court of Appeal in Dransfield and Another v The Information Commissioner and another which deals with the meaning and application of “vexatious” within section 14 of the Freedom of Information Act 2000 (“FOIA”). In keeping with many of the provisions of FOIA, there has been considerable litigation on section 14 within the First-Tier Tribunal; however, the decision in Dransfield is the leading authority on the approach that public authorities, the UK Information Commissioner and the First-Tier and Upper Tribunals should take when applying or considering the exemption in section 14(1) of FOIA.

As with many aspects of the Freedom of Information (Scotland) Act 2002, the equivalent provisions within FOISA (also section 14) have escaped any judicial consideration; that is, until today when the First Division,  Inner House of the Court of Session (Lord President Carloway and Lords Brodie and Drummond Young) advised its opinion in an appeal under section 56 of FOISA against a decision of the Scottish Information Commissioner which upheld the decision of the Scottish Prison Service that a request for information made to it was vexatious: Beggs v Scottish Information Commissioner [2018] CSIH 80.

As with most cases involving vexatious requests, there is a history to the matter; this is briefly set out in paragraphs 5-15 of the Court’s Opinion. I am therefore not going to set it out here. There were two grounds of appeal advanced on behalf of the Appellant before the Court and these are set out, in full, by the Court in paragraph 4 of its Opinion. The grounds can  be summarised as follows: (1) that the test set out by Arden LJ (as she then was) in Dransfield should apply and that it had been incorrectly applied by the Scottish Information Commissioner (“SIC”); and (2) that the SIC’s decision was irrational as it failed to take into account a number of factors. The court ultimately rejected both grounds of appeal and refused the Appeal.

The Court makes some “preliminary comment” about the English and Welsh Court of Appeal’s decision in Dransfield. It notes that the decision is “an English case concerning English legislation” (para 26). This is not a wholly accurate statement by the Court: Dransfield concerns section 14 of FOIA, which cannot properly be said to be English legislation. FOIA covers UK-wide public bodies (such as UK Government departments, the BBC, UCAS, the British Transport Police and others); it can be used by people living in Scotland. There is also no separate Northern Irish FOI law and FOIA applies to bodies such as departments of the Northern Irish Government and the Police Service of Northern Ireland. Furthermore, it is possible for appeals against the Upper Tribunal to be taken to the Court of Session and the UK Commissioner can, for example, under section 54, make certifications to the Court of Session.

It appears that what the Court meant by “English legislation” is that the decision in Dransfield was not binding upon the SIC as the SIC is concerned with the enforcement of FOISA – an Act of the Scottish Parliament – rather than FOIA – an Act of the UK Parliament. I may, of course, be entirely wrong and the Court of Session has fundamentally misunderstood FOIA and the distinction between FOIA and FOISA. However, this is not really a matter upon which anything of substance in Beggs can be said to turn. It appears that the Court has essentially adopted the reasoning of Arden LJ and supplemented it with some of its own.

Also by way of preliminary comment the Court notes that Arden LJ expressly declined to offer a definition of or test for “vexatious” or “vexatiousness” (para 26) and so it was incorrect to argue that Dransfield set out a “test” for vexatious requests. The court went on (also at para 26) to state that “[i]t would be remarkable if the word “vexatious” when found in section 14(1) of the English Act of 2000 meant something different from the same word when found in section 14(1) of the Scottish Act of 2002; the terms of the two subsections are essentially identical.”

However, the Court of Session found that there was much in the judgment of Arden LJ that they would agree with and quote paragraph 68 of the judgment of Arden LJ with approval. The Court of Session, perhaps importantly, appears to have approved of the view that Arden LJ took that the rights in FOIA were constitutional in nature (para 28). The court also held that when assessing whether a request is vexatious or not, it must be viewed objectively. In the decision under challenge, the SIC had concluded that when viewed objectively the information sought was of no value to the Appellant. The First Division held that had the SIC followed Dransfield (which she was not obliged to do) then she would have correctly reached the same conclusion: that Mr Beggs’ request was vexatious (para 30).

In terms of the irrationality ground of appeal, this was dealt with more swiftly by the Court. Counsel for the Appellant had characterised as material the three matters which the Appellant argued had been overlooked by the Court.

The first matter was the Appellant’s express disavowal of any direct and personal attack. The Appellant had expressly disavowed in his request that there was any such attack. However, the Solicitor Advocate for the SIC argued that the contents of a letter sent to one of the SIC’s officers revealed the Appellant’s purpose; the Appellant’s purpose was “not to obtain information as such” (para 33) rather it was with a view to pursuing complaints about their conduct.” (also at para 33).

The court held that “the presence of a malicious motive may point to a request being vexatious the absence of a malicious motive does not point to a request not being vexatious” (para 33). In essence, while the Court appears to have been sceptical of the Appellant’s express disavowal of personal attack, it seems that even if it had not been sceptical, the disavowal may not have assisted the Appellant anyway. The Court again expressed the objective nature of assessing whether a request is vexatious and agreed with the SIC that a request may be harassing even if that is not what is intended by the requester.

The second consideration referred to the past conduct of the authority; these requests appear to have been the result of the Scottish Prison Service putting forward inaccurate information in earlier proceedings before the Court of Session. The Court approved of the view of Arden LJ in respect of vengeful motives – such a motive might itself be an indicator that a request is vexatious. The court’s position here is fairly broad, but it does not appear to close off legitimate use of FOISA to uncover evidence of wrongdoing within a Scottish public authority. However, it is fairly clear that if a requester is using

The third consideration related to the importance of the information requested; the court concluded that the information was objectively of no value and this was therefore not a material consideration.

Comment
This is the first time that the vexatious requests provision in FOISA has been considered by the Scottish courts and will now be the leading case in applying section 14(1) of FOISA. The decision essentially approves of the approach set out by the English and Welsh Court of Appeal in Dransfield. It is important to remember that a request must be considered objectively. There is no express test for vexatious requests either under FOIA or FOISA, but it will be important for Scottish public authorities to keep in mind the constitutional nature of the rights in FOISA. With this in mind, the threshold for applying the provision in section 14(1) of FOISA is a high one.

The Court of Session considers that, when Arden LJ used the phrase “no reasonable foundation for thinking that the information sought would be of value”, it appears that Arden LJ was trying to encapsulate an idea of “gross disproportion as between much trouble inevitably caused and little benefit possibly gained.” How much traction this comment of the Court of Session will have in terms of the application of section 14 of FOIA (given that the Court of Session’s judgments in FOISA cases are of only persuasive authority to the Tribunals and English and Welsh Courts) remains to be seen. Of course, should Beggs seek permission (and be granted permission) to appeal to the Supreme Court we may get a definitive view from (the now) Lady Arden on whether the Court of Session has correctly interpreted what she meant when sitting in the English and Welsh Court of Appeal.

For the time being, whether or not the Court of Session was right in what it said, this is now (subject to any appeal) the law as it applies in Scotland vis-à-vis FOISA. When considering whether a requester has a reasonable foundation for thinking that the information sought would be of value, it is necessary to look (objectively) at what value there is in the information (a mere assertion by the Applicant that it is of value will not itself be sufficient) and balance that against the inevitable burden that answering the request will place on the authority: they are inversely proportional to one another.

From the perspective of requesters, it is likely to be of little assistance to include express statements in requests that the request is not a personal attack on the authority or a member of its staff and even if you have no intent to cause harassment your request might well have that effect. Your request will be considered objectively in light of its facts and circumstances (and comments made in later correspondence may well be seen as tending to show the opposite).

The decision in Beggs is not likely to have much, if any, impact upon the way in which the vexatious requests provisions in FOISA operate in practice. The Court has essentially approved of the approach to the identical provisions under FOIA. In the absence of any previous authority from the Scottish courts in respect of section 14, the SIC and Scottish public authorities have historically found Dransfield to be persuasive and used it as a basis for understanding what section 14 means.

In short, to decide whether a request is vexatious it is necessary to consider the request objectively on its own facts and circumstances. There is no formula or checklist that can be followed which will give you a definitive answer.

Alistair Sloan

If you would like advice or assistance in respect of a Freedom of Information matter or a data protection/privacy issue then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail.

Data Protection and Privacy Enforcement: November 2018

The year is progressing quickly and we’re now onto looking at November’s enforcement action published by the Information Commissioner’s Office in relation to privacy and data protection matters. We are beginning to see enforcement action under the Data Protection Act 2018 (“DPA18”) filter through, but the majority is very much still under the Data Protection Act 1998 (“DPA98”) in respect of breaches which occurred prior to 25 May 2018.

Key Points

  • Carrying out a Data Protection Impact Assessment in the early stages of any project where it is envisaged that personal data will be processed is a useful tool to help highlight privacy and data protection concerns so that they can be addressed in the planning phase. Data protection by design and privacy impact assessments were recommended good practice under the DPA98; however, the GDPR mandates data protection by design and default (Article 25) and the carrying out of data protection impact assessments in certain circumstances (Article 35). Even if the GDPR does not require you to complete a DPIA, it is worthwhile undertaking one in any event – it can also be a helpful document to present to the Commissioner should her office begin any investigation into your organisation.
  • It is important to regularly download an updated version of the Telephone Preference Service list and to do so as close as possible to an intended direct marketing campaign. If you undertake regular direct marketing campaigns then you should probably be downloading the updated list once per month. Relying on an out of date version could mean that you unlawfully call numbers – the cost of regularly obtaining a copy of the TPS list is insignificant compared to the financial penalties that can be issued by the Information Commissioner for contraventions of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • It should go without saying that if the Information Commissioner takes enforcement action against you for contravening privacy and data protection laws then you should ensure that you take adequate remedial measures to ensure that the contravention doesn’t happen again.
  • If you obtain a list of telephone numbers to call for marketing purposes from a third party the obligation rests with you to ensure that you have lawful authority to make (or instruct others on your behalf to make) calls to each intended number.
  • Controllers may no longer be required to notify the Commissioner of their processing of personal data; however, they are still required to make payment to the Commissioner of a fee. Those who either (a) don’t know they are due to pay a fee; or (b) miss paying their fee and rectify the matter once the Commissioner has contacted them about their non-payment will likely not face formal enforcement action, but those who continue to fail to pay the fee once the Commissioner has contacted them can expect to be required to pay a financial penalty for failure to pay the fee.

Enforcement Action published by the ICO during November 2018

Metropolitan Police Service
The Commissioner of Police of the Metropolis (MPS) was served with an Enforcement Notice by the Information Commissioner requiring the MPS to take a number of specified steps, including the conducting of a data protection impact assessment, in respect of its Gangs Matrix. The Gangs Matrix is part of the MPS’ ongoing effort to reduce the incidences of crime in London arising from gangs. The Notice only emphasises the Commissioner’s primary concerns in respect of the MPS’ compliance with the data protection principles, rather than listing every single contravention. The Notice makes reference to contraventions of the first, third, fourth, fifth and seventh data protection principles.

DM Bedroom Design Ltd
The Information Commissioner served DM Bedroom Design Ltd with a monetary penalty in the sum of £160,000 and also served it with an Enforcement Notice after finding that the company had contravened Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). This was not the first time that the company had received a monetary penalty from the Commissioner for contravening PECR. The company operated an internal suppression list and also advised the Commissioner that it screened lists against the Telephone Preference Service (“TPS”) list; however, the Commissioner found that the company had not downloaded the TPS list since March 2017.

Solartech North East Limited
Solartech North East Limited (“Solartech”) was served by the Information Commissioner with a monetary penalty in the amount of £90,000 and an enforcement notice. The Commissioner found that Solartech had contravened Regulation 21 of PECR by making almost 75,000 calls unlawfully to numbers listed with the Telephone Preference Service. Solartech had previously come to the attention of the Commissioner’s office in 2014 and had been provided with advice from her office as well as subjected to a period of monitoring. Despite this, and further advice and monitoring in 2016/17, Solartech continued to contravene Regulation 21 of PECR. Solartech sought (unsuccessfully) to blame third parties for these contraventions.

Uber
Uber is a popular app which provides taxi services to its users by linking them with Uber drivers in their area. It has been the subject of many recent legal battles in the Employment field and has now also come to the attention of data protection supervisory authorities in the United Kingdom and the Netherlands. The Information Commissioner served Uber with a monetary penalty notice in the amount of £385,000 following a cyber attack. The Commissioner found that Uber had breached the seventh data protection principle by failing to have in place adequate technical and organisational measures.

Fixed Penalty Notices: Data Protection Fees
The old notification requirement and fee under the DPA98 has gone, but has been replaced with a new data protection fee payable by controllers who are not exempt from the fee. The new fees regulations are found in The Data Protection (Charges and Information) Regulations 2018. Organisations who are required to pay the fee and fail to do so may be served with a penalty notice by the Commissioner requiring them to pay a fixed penalty calculated in relation to the amount of the fee payable under the Regulations by the controller. The Commissioner has taken enforcement action, in the form of fixed penalty notices, against a number of controllers in the business, manufacturing and finance sectors for failure to pay their data protection fees; even after being contacted by the Commissioner about the unpaid fee. The Commissioner has not published all of the penalty notices, or even a list of controllers subject to enforcement action, but has instead published “example” notices (which read more like templates than examples) for each of the three sectors.

Alistair Sloan


Environmental Information request appeals and prohibitive costs: new Court of Session rules

The Court of Session has made new rules with a view to preventing court actions relating to the environment from being “prohibitively expensive”. The new court rules introduced orders which will be known as “prohibitive expenses orders”. These new rules are of relevance to readers of this blog as they will apply to appeals against decisions of the Scottish Information Commissioner to the Court of Session where the decision being appealed relates to a request for environmental information under the Environmental Information (Scotland) Regulations 2004 (EIRs).

The EIRs give effect in Scotland (in relation to environmental information held by Scottish public authorities – environmental information held by UK public authorities is covered by the Environmental Information Regulations 2004) to Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to environmental information. This European Directive in turn gives effect to the UN/ECE Convention on Access to Information, Public Participation in Decision-Making and Access to Justice in Environmental Matters (‘the Aarhus Convention’). Article 9 of the Aarhus Convention requires that individuals have access to justice in respect of environmental matters and that this should not be “prohibitively expensive”.

With some of the background to these new rules (briefly) explained, what exactly do these new rules mean? In short, they mean that anyone who brings an appeal to the Court of Session against a decision of the Scottish Information Commissioner in respect of a request for environmental information (whether or not the requester knew at the time of making their request that the request was a request for environmental information or not – knowing exactly what is environmental information under the EIRs can be very difficult) can make a motion to the court to have their liability in expenses limited should they ultimately be unsuccessful in their appeal.

A person bringing an appeal to the Court of Session against a relevant decision of the Scottish Information Commissioner will be required to make a motion for a prohibitive expenses order as soon as is reasonably practicable after becoming aware that the appeal is defended. In essence, an appellant will need to make a motion relatively quickly after Answers to the Note of Appeal are intimated to them and any unreasonable delay in doing so is likely going to have an impact upon whether the court makes an order.

The new rules provide that proceedings are to be considered prohibitively expensive if the costs and expenses likely to be incurred by the applicant are likely to exceed the financial means of the party or where they are objectively unreasonable having regard to six factors set out in the rules, including whether the applicant has reasonable prospects of success; the complexity of the relevant law and procedure; and whether the case is frivolous.

Where the court is satisfied that the proceedings are prohibitively expensive, it must make a prohibitive expenses order (in other words, if the test is met then the court has no discretion over whether an order is made or not). The order will limit the appellant’s expenses to the respondent to £5,000 (or such other sum as may be justified) and will limit the respondent’s expenses to the appellant to £30,000 (or such other sum as may be justified). It therefore seems as though it will be possible for a requester who intervenes in an appeal brought by the Scottish public authority to apply to have their liability capped in line with the £5,000 figure rather than the £30,000. It also seems as though the court will have the discretion to cap the liability at a lower or higher figure than £5,000 or £30,000.

It remains to be seen just how these new rules will operate in practice, but this is a good step forward. Appeals to the Inner House of the Court of Session are expensive and an unsuccessful appellant could face an expenses bill of many tens of thousands of pounds (in addition to their own legal fees). These new rules do not affect the availability of legal aid (or the rules that apply to expenses where an unsuccessful appellant is in receipt of legal aid). However, these rules will help people who are financially ineligible for legal aid, but are still financially unable to risk losing an appeal. Furthermore, legal aid can be difficult to obtain and therefore this provides a potential route for a person whose application for legal aid has been refused (although, it remains to be seen whether the timeframe for making a motion for a “prohibitive expenses order” is flexible enough to deal with situations where someone has applied for, but ultimately been refused, legal aid). It also remains to be seen how the court will deal with an application for a prohibitive expenses order where legal aid has been refused on the basis of the merits of the appeal rather than on financial eligibility (the tests do, at first blush, appear to be different with perhaps a lower threshold applying to the question of merits in a motion for a prohibitive expenses order as opposed to an application for legal aid).

These new rules might see an increase in EIR appeals to the Court of Session (indeed, we might see an appeal be brought – none have ever been brought, at least so far as I’m aware, in the almost 14 years that people have been able to request environmental information in Scotland). People who are unable to financially risk losing an appeal will now be able to know what their liability in expenses will be in advance of expenses mounting up. This could have financial implications for the Scottish Information Commissioner if his office starts to see an increase in litigation and also for Scottish public authorities who may ultimately decide to become involved in appeals brought by requesters against decisions of the Commissioner.

Alistair Sloan


Update 28/11/2018 – The Scottish Information Commissioner’s office has advised that there was one appeal brought against one of their decisions relating to a request for environmental information. The appeal was brought by a public authority and was abandoned by the public authority.

Data Protection and Privacy Enforcement: October 2018

Regular readers of this blog will know that every month I look at the published enforcement action taken by the Information Commissioner in respect of privacy and data protection law. The infractions are often very similar and the same key lessons to take away from the enforcement action appear frequently; October’s enforcement action proves no different. There is, however, a mixture of enforcement action taken under the Data Protection Act 1998 (“DPA98”) – in respect of breaches that occurred prior to the 25 May 2018 – and enforcement action taken under the Data Protection Act 2018 (“DPA18”).

Key Lessons

  • When the Commissioner’s office makes contact with you in the course of an investigation it is advisable to cooperate with the investigation. The Commissioner has powers to require persons (not just data controllers) to provide her office with information. It is a criminal offence not to comply with an information notice issued by the Commissioner under the DPA98 while a person who fails to comply with an Information Notice served under the DPA18 can be made the subject of an Information Order by the court.
  • Before making telephone calls for the purpose of direct marketing it is essential that organisations check their list against the list held by the Telephone Preference Service. It is against the law to call a number listed with the TPS for the purposes of direct marketing unless you can show that the recipient has not objected, for the time being, to receiving marketing calls from you. The law has recently been changed and the Commissioner will soon be able to serve a monetary penalty on directors of a company for breaches of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • Any removable media such as CDs and USB memory sticks should be encrypted to prevent unauthorised access to personal data in the event that the media is lost or stolen. Controllers should also consider putting in place technical barriers to ensure that personal data is not unnecessarily being put onto removable media.
  • When drafting privacy statements where you are seeking to obtain consent for direct marketing; it is important to be specific about just what marketing might be sent. It is insufficient to rely upon statements along the lines of “you consent to receive marketing from our carefully selected third party affiliates” and similar.
  • The person who instigates a call is liable for a contravention of PECR, not the person who makes the call. Therefore you cannot avoid liability by engaging a third party contractor to make calls on your behalf. If you have directed that the calls be made then you are liable for any contraventions of PECR. Therefore, companies who engage third parties to undertake telemarketing on their behalf need to ensure that they have in place adequate due diligence to ensure that there are no negligent contraventions of PECR.
  • It’s not enough to simply rely upon your own internal suppression lists when making telephone calls for the purposes of direct marketing; it is also important that call lists are screened against the list maintained by the Telephone Preference Service. It’s also important that companies engaging in telesales regularly obtain an updated version of the list maintained by the TPS and you should never seek to rely upon a version of the list that is more than 28 days old.
  • It can be worthwhile bringing appeals against Notices served by the Commissioner – especially where the terms of the notice are unclear. Where reasons are provided for a decision they generally require to be intelligible.

Enforcement action published by the Information Commissioner in October 2018

Oaklands Assist UK Limited
Oaklands Assist UK Limited (“OAUK”) was served with a Monetary Penalty Notice in the sum of £150,000 after the Commissioner found that OAUK had used a public electronic communications service for the purpose of direct marketing in contravention of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). It appears that OAUK did not initially comply with the Commissioner’s investigation as the penalty notice states that the Commissioner had to serve an Information Notice on OAUK and it only made contact with the Commissioner’s office when they were threatened with prosecution for failure to comply with an Information Notice. The Commissioner found that OAUK had made 63,724 direct marketing calls to numbers that were listed on the TPS, in contravention of Regulation 21 of PECR.

Heathrow Airport Limited
Heathrow Airport Limited (“LHR”) was served with a monetary penalty notice in the sum of £120,000 after the Commissioner found that it had breached the seventh data protection principle in schedule 1 to the DPA98. LHR had lost an unencrypted USB memory stick which had been found by a member of the public in West London. The member of the public who found the USB memory stick took it to a public library where they accessed it. Approximately 1% of the files on the memory stick contained personal data, including sensitive personal data. The Commissioner found that the use of removable media was widespread within LHR, but that there was little in the way of measures in place to ensure oversight. Furthermore, there were no technical barriers in place to limit or restrict the downloading of information from LHR’s systems onto removable media.

Boost Finance Limited
Boost Finance Limited (“Boost”) was served with a monetary penalty notice in the sum of £90,000 after the Commissioner found that it was responsible for a large number of unsolicited E-mails in respect of pre-paid funeral plans. The Commissioner found that Boost (trading as findmeafuneralplan.com) had instigated, via affiliates that it had appointed, in excess of 4 million unsolicited marketing E-mails contrary to Regulation 22 of PECR. The E-mails were sent to individuals who had subscribed to a number of Boost’s affiliates. The Commissioner concluded [para 16] that Boost had “relied upon inadequate, generic, vague, misleading, tiered and incomplete personal data collection methods and privacy statements as a way of obtaining consent to send direct marketing E-mails.”

Aggregate IQ Data Services Limited
This is not a new Enforcement Notice, but rather it is a notice of variation of the first ever enforcement notice served under the DPA18. Aggregate IQ Data Services Limited (“AIQ”) was served with an enforcement notice by the Commissioner in respect of her investigation into data analytics in politics (which arose out of the allegations surrounding Facebook and Cambridge Analytica). AIQ had appealed the Notice to the First-Tier Tribunal (Information Rights) and has since discontinued that appeal. The revised notice is in much tighter terms than the original notice served by the Commissioner. The revised notice requires AIQ to “[e]rase any personal data of individuals in the UK, determined by reference to the domain name of the email address processed by AIQ, retained by AIQ on its servers as notified to the Information Commissioner…” AIQ is required to do this within 30 days of the Office of the Information and Privacy Commissioner of British Columbia notifying it that either the OIPC no longer requires it for an investigation, or that the OIPC informs AIQ that it is happy for AIQ to comply with the notice (whichever occurs the soonest).

Facebook Ireland Ltd
Facebook Ireland Ltd is the company who UK users (and indeed other EU users) of the Facebook social media platform have a relationship with. The Commissioner served Facebook Ireland with a monetary penalty notice in the sum of £500,000 for breaches of the first and seventh data protection principles. The Commissioner considered that Facebook UK Limited, a UK establishment, had carried out certain activities on behalf of Facebook Ireland and Facebook Inc. As the breaches occurred while the DPA98 was still in force, £500,000 represents the maximum penalty that the Commissioner could issue. It is understood that Facebook Ireland has appealed the monetary penalty to the First-Tier Tribunal (Information Rights).

ACT Response Limited
The Information Commissioner served ACT Response Limited (“ACT”) with a monetary penalty notice in the amount of £140,000 after she found that ACT had instigated in excess of 490,000 telephone calls for the purposes of direct marketing in contravention of Regulation 21 of PECR. The company operated its own internal suppression list, but did not screen its lists against the Telephone Preference Service list. ACT provided a copy of a training manual to the Commissioner during her investigation, which contained a script which directed those making the calls to ask whether a person was listed on the TPS and to apologise if they were. ACT tried to blame the contravention on one of its sister companies as the company that made the calls, but the sister company made the calls on behalf of ACT and the lines used to make the calls were registered to ACT.

Alistair Sloan
