Category Archives: Information Law

Information Law Review of 2019

Well, it is that time again; the beginning of a New Year and therefore time for my third annual look at what happened in the world of information law in the previous twelve months and what those with an interest in the field should be looking out for in 2020. I would like to begin by wishing all readers of the Information Law Blog, both new and old, a very happy New Year.

My reviews of 2017 and 2018 began by looking at the case of Various Claimants v WM Morrisons Supermarkets Limited. I shall keep the tradition going by looking once again at this case. In 2018, the Court of Appeal dismissed the appeal by Morrisons against the decision of Mr Justice Langstaff holding them vicariously liable for the actions of an ex-employee. This case rumbled on again in 2019, with the Supreme Court hearing an appeal by Morrisons on 6th and 7th November. By the end of 2019, the Supreme Court had not yet issued its judgment and so that will be something to look out for in 2020; the Supreme Court’s judgment (although concerned with the Data Protection Act 1998, rather than the GDPR and Data Protection Act 2018) will have ramifications for data subjects and controllers, regardless of which way it goes.

Brexit continued to be a feature of 2019 in the Information law world. We have seen the changes that will take effect in data protection law as a result of the UK’s withdrawal from the European Union, which is now scheduled to take place at the end of this month. Brexit, however, will not stop being a feature of information law at 23:00 on 31st January (assuming there are no further delays). We will be in a transition period until the end of the year, but we don’t yet know exactly what we’re transitioning to which might start to become clearer by the Summer.

Brexit also featured in the information law world in other respects as well. There are still some data protection and privacy concerns floating around from the 2016 referendum on the UK’s membership of the EU. Indirectly related to that have been proceedings in the Upper Tribunal involving UKIP and in also in the First-Tier Tribunal. If reports are anything to go by, proceedings in the First-Tier Tribunal at the end of 2019 could result in an extremely critical decision against the Commissioner, so that is something to look out for in 2020.

We also saw the first GDPR administrative fine issued in the UK by the Information Commissioner (some 19 or so months after the GDPR became applicable and quite a bit behind other regulators in other EU Member States). The Commissioner has issued two Notices of Intent against two other Controllers (that we’re aware of) both of which were due to expire this month, but it has been confirmed by the Information Commissioner that the statutory six month period has been extended by agreement (in accordance with the statutory provisions). The reasons for this have not been made public at this time.

Just before Christmas the Advocate General of the European Court of Justice gave his opinion in Data Protection Commissioner v Facebook Ireland & Schrems concerning standard contractual clauses. We can expect a decision from the European Court of Justice to follow soon, whether that is before or after “exit day” at the end of January remains to be seen.

In the wider field of privacy law, the Court of Appeal took a look at the judgment of Mr Justice Arnold in the case involving Channel 5’s fly-on-the-wall documentary ‘Can’t Pay? We’ll Take it Away’. The Court of Appeal dismissed the appeals by the Respondents in respect of liability and the cross-appeal by the Claimants on the issue of quantum of damages. Meanwhile, in Scotland, Lord Bannatyne (for the first time) declared that there exists in the law of Scotland a common law right to privacy.

In May, Information Notices were again a feature of the decisions flowing from the First-Tier Tribunal; this time, however, it was concerning the Commissioner’s powers under the Freedom of Information Act 2000. The Tribunal confirmed that the Commissioner can issue an information notice in order to obtain information as part of her process for determining whether a person is a public authority for the purposes of the Environmental Information Regulations 2004.

In 2019, the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee began undertaking Post-Legislative Scrutiny of the Freedom of Information (Scotland) Act 2002. In 2019, I gave both written and oral [pdf] evidence to the Committee. The Committee is expected to release its report and recommendations next month.

In 2019, we saw the expansion of FOI in Scotland with Registered Social Landlords formally being designated as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002.

We also had one of those rare things: a decision from the Court of Session in an appeal against a decision of the Scottish Information Commissioner. In the sole decision in such an appeal issued by the Court of Session in 2019, my client successfully challenged (on a point of law) a finding by the Commissioner that information he had requested was not held by a local council for the purpose of the Freedom of Information (Scotland) Act 2002. This case provides some useful guidance on determining whether information is held, or not, for the purposes of the Freedom of Information (Scotland) Act 2002.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact our team on 0141 229 0880.

Information Law Review of 2018

It does not seem as though it was a year ago since I sat down to write my review of Information Law in 2017 and to have a brief look ahead into 2018; but somehow we now appear to be in 2019. It was always going to be the case that 2018 was going to be a big year for information law; with the General Data Protection Regulation becoming applicable on 25th May 2018. The 25th May 2018 came and went without the millennium bug style apocalypse that seemed inevitable from the amount of sensationalist writing that was taking place in late 2017 and early 2018.

My review of 2017 started off with the English and Welsh High Court decision on vicarious liability for data protection breaches in Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This case rumbled on in 2018 and it was considered by the Court of Appeal. The Court of Appeal heard the appeal and (in remarkably quick time) dismissed the appeal. It is understood that Morrisons have sought permission to appeal to the Supreme Court and if permission is granted it is possible that it will feature in a review of Information law in 2019.

In February, the English and Welsh High Court issued an interesting privacy judgment when it considered an action for compensation arising out of “Can’t Pay? We’ll Take it Away’; a fly-on-the wall documentary following High Court Enforcement Officers in their work enforcing court orders relating to debt and housing cases. The Court had the tricky job of balancing the privacy rights of individuals against the rights of television companies in respect of freedom of expression; however, the High Court decided that the balance in this particular case fell in favour of the claimant’s privacy rights. The High Court’s decision was appealed to the Court of Appeal; looking specifically at the issue of quantifying the level of damages. That appeal was heard by the Court of Appeal in early December and should provide useful guidance on calculating damages in the privacy sphere.

Facebook, Cambridge Analytical and Aggregate AIQ all featured quite heavily in 2018 in terms of privacy and data protection matters. Facebook was served with a monetary penalty in the amount of £500,000 for breaches of the Data Protection Act 1998 and Aggregate AIQ was also the recipient of the first Enforcement Notice under the Data Protection Act 2018 (which was narrowed in scope by the Information Commissioner following an appeal by AIQ; which was subsequently dropped). Facebook lodged an appeal against the Monetary Penalty Notice with the First-Tier Tribunal (Information Rights) in November 2018. If and when a decision is reached by the Tribunal in respect of that appeal, it will feature on this blog.

Arising out of the same wide-ranging investigation by the ICO as the Facebook penalty and the AIQ Enforcement Notice was an Information Notice served on the United Kingdom Independence Party (UKIP), which was appealed to the First-Tier Tribunal (Information Rights). The Tribunal dismissed the appeal by UKIP in July.

In April there was yet another important decision from the English and Welsh High Court in respect of Privacy and Data Protection. A little over four years after the European Court of Justice decision on the Right to Be Forgotten in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT2 v Google; this represented the first decision of a UK Court in respect of the Right to Be Forgotten. An appeal was lodged in respect of this case and was due to be heard just before Christmas; however, it was reported that the case was settled on the day of the appeal.

The issue of compensation to identifiable third parties in the context of data protection breaches was considered by the English and Welsh Court of Appeal. This case adds to the helpful privacy and data protection case law emanating from the English and Welsh courts.

Another interesting development that we saw during the course of 2018 was a director being disqualified indirectly in connection with privacy and data protection matters. It does show that directors can be held personally liable for privacy and data protection transgressions of limited companies. This was underlined by the amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 which now enable the Commissioner to serve a monetary penalty on directors (and others associated with companies) in certain circumstances.

In Scotland, the Court of Session made new rules which should make appealing decisions of the Scottish Information Commissioner in respect of requests for environmental information more financially viable.

Litigation in respect information law matters in Scotland remains limited. The majority of litigation on these areas arises out of England and Wales. Perhaps in 2019, we will begin to see more litigation in Scotland on information law matters. Hopefully the new rules in the Court of Session will see more appeals in respect of the Environmental Information (Scotland) Regulations 2004 and hopefully the introduction of Group proceedings in the Court of Session through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 will help with an increase in data protection and privacy litigation in Scotland.

In terms of 2018 Scottish cases, not long before Christmas the Court of Session treated us to a judgment in an appeal concerning vexatious requests under the Freedom of Information Scotland Act 2002. Beggs v Scottish Information Commissioner considered the correct approach to be taken when applying section 14(1) of the Freedom of Information (Scotland) Act 2002.

Looking ahead to 2019; the big issue on the horizon is Brexit. Much of what is discussed on this blog as “information law” derives from European law and so Brexit will likely have an impact upon that. We are still unsure as to the terms that we will be leaving on. A withdrawal Agreement has been negotiated between the European Union and the United Kingdom; however, there is  still a way to go with that – and it looks quite likely that the UK Parliament will rejected the Withdrawal Agreement in its current form. If we end up leaving with no Withdrawal Agreement in place then this will cause considerable difficulties for UK business which rely upon the transfer of personal data from elsewhere within the European Union; it will also cause problems for public bodies.

In terms of making the law work after Brexit, we were treated by the Government (in between Christmas and New Year) to a draft of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These Regulations will make changes to the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in light of the United Kingdom no longer being a member of the European Union. I will, of course, look at these draft Regulations in more detail soon.

I will attempt to address information law matters as they unfold in 2019 on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0141 229 0880 or you can E-mail him.


Scottish Government’s Programme for Government: the information law perspective

Yesterday, the Scottish Government launched its Programme for Government [pdf] (the Scottish Government’s equivalent to the Queen’s Speech) for the coming Parliamentary year. There are three proposed Bills, which the Scottish Government plans to introduce in the coming year, that have a data protection and privacy angle to them. Those bills are: the Biometric Data Bill, the Disclosure Bill and the Census (Amendment) Bill.

Biometric Data Bill
This Bill will be designed to take forward the recommendations of the Independent Advisory Group on the use of Biometric Data which was chaired by John Scott QC. The Programme for Government document says of the Bill that it:

will enhance oversight of biometric data and  techniques used for the purposes of justice and community safety. It will include provision for the creation of a statutory code of practice covering the acquisition, use, retention and disposal of data including fingerprints, DNA and facial images. We will ensure an appropriately distinct and proportionate approach to capturing biometric data for children aged between 12 and 17.

Disclosure Bill
The Disclosure Bill will relate to the disclosure of criminal history data under the Disclosure Scotland schemes. The Bill will aim to “simplify the system and strike the right balance between strengthened safeguarding and helping people with convictions to get back into work.”

Census (Amendment) Bill
The Census (Amendment) Bill will be designed to bring changes which will permit the National Records of Scotland to ask questions on sexual orientation and transgender status beginning in the 2021 census. The questions will be voluntary.

There is no much in the way of detail in the full programme for government document, but it seems fairly clear that these three Bills will crossover into the world of data protection and privacy. Once the Bill’s are published we may have a better idea as to the nature of the data protection and privacy aspects to them.

Alistair Sloan

If you would like advice on a data protection or privacy matter than contact Alistair on 0141 229 0880 or you can E-mail him directly. You can also follow our twitter account dedicated to the field of Information law.

Privacy and Data Protection: director disqualified

In September 2017 the Information Commissioner served a Monetary Penalty Notice on Easyleads Limited in the amount of £260,000 [pdf]; the company was also served with an Enforcement Notice by the Commissioner requiring the company to comply with the terms of the Privacy and Electronic Communications (EC Directive) Regulations 2003 [pdf]. It has since transpired that the company never paid the monetary penalty notice and the Information Commissioner petitioned the court to have the company wound-up. It is not unheard of for monetary penalty notices served by the Commissioner to go unpaid; however, where they do it is often because the company goes into liquidation. A copy of the order winding the company up following the petition by the Information Commissioner [pdf] can be found on the Companies House website.

What is interesting about this case though is an announcement by the Insolvency Service that the Secretary of State had accepted a disqualification undertaking from Shaun Harkin, the director of Easyleads Limited. The effect of the undertaking is to ban Mr. Harkin from “directly or indirectly becoming involved, without the permission of the court, in the promotion, formation or management of a company for six years”.

The announcement from the insolvency Service explains that the reason Mr Harkin is now banned from being a director of a company for 6 years is because he failed to ensure that the company complied with its statutory obligations, specifically that he failed to ensure that the company complied with the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 around undertaking direct marketing by telephone.

This is an important announcement from the Insolvency Service; it demonstrates that the effects of failing to comply with data protection and privacy law can be wide-ranging. There is the potential for directors running companies which fail to comply with data protection and privacy law facing being banned from being involved in the formation or management of companies for a not insignificant period of time. It remains to be seen whether this sort of action becomes much more frequent and it is not something that is directly in the control of the Information Commissioner herself, but if the Insolvency Service is starting to take seriously breaches of data protection and privacy law by companies and looking to disqualify directors (where it can within the parameters of the law) then this is clearly something that those involved in the formation and management of limited companies ought to bear in mind when considering data protection and privacy compliance.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.

Information Law Review of 2017

2018 is now upon us and this is a big year in the field of Information Law, the General Data Protection Regulation will at last become applicable in the United Kingdom.  If you are a data controller or a data processor, your preparations for the GDPR should be well under way; however, if you have not yet started to prepare for these regulations then it is not yet too late.  The lesser known brother of the GDPR also kicks in this year, the Law Enforcement Directive, which governs the processing of personal data by law enforcement agencies.

However, before I get stuck into what is coming this year in the field of Information law, I want to take a moment to look back at some of the things that happened in 2017.  At the tail end of 2017 the High Court in England issued its anticipated judgment in the case of Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This represented a significant development in the data protection field and opens up a much wider range of circumstances in which data subjects can sue a data controller under Section 13 of the Data Protection Act 1998.

In October 2017, the Irish High Court made a reference to the Court of Justice of the European Union at the request of the Irish Data Protection Commissioner seeking a preliminary ruling on “Privacy Shield”, the successor to the Safe Harbour rules which had previously been held to be unlawful by the European Court.

In September 2017, the Grand Chamber of the European Court of Human Rights issued a decision concerning the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

Also in September 2017, the UK Government published its Data Protection Bill which will replace the Data Protection Act 1998, extends GDPR standards to areas not within the competence of the European Union and implements the Law Enforcement Directive, among other things.

Now looking ahead to 2018, it is possible that we might see a decision from the English Court of Appeal in the Morrisons case referred to above, the judge having granted permission to Morrisons to appeal his findings in relation to vicarious liability.  We may also see claims for compensation being made based upon the Morrisons decision.

In Scotland, we will be expecting to see some more progress made by the Scottish Parliament in its consideration of the Children and Young People (Information Sharing) (Scotland) Bill.  I provided written evidence to the Education and Skills Committee on this Bill last year.  The Committee has had some difficulty in completing its Stage 1 consideration of the Bill and the previous deadline of 22 November 2017 for completion of Stage 1 was removed by the Scottish Parliament.

It is also possible that we will see the Scottish Parliament’s Public Audit and Post-Legislative scrutiny Committee begin to undertake a post-legislative inquiry into the operation of the Freedom of Information (Scotland) Act 2002 (or announce that such an inquiry will take place in due course).  If such an inquiry does take place, it will be the first time that there will have been a complete review of the Scottish FOI Act and how it is operating.

Staying on the subject of Freedom of Information in Scotland, we are likely to see the outcome of the Scottish Information Commissioner’s formal intervention in respect of the Scottish Government’s compliance with the Freedom of Information (Scotland) Act 2002.  We are also likley to see an Order being made under Section 5 of the Freedom of Information (Scotland) Act 2002 designating Registered Social Landlords as scottish public authorities with effect from 1st April 2019.

By the end of 2018 we should also hopefully have a much better idea as to what the UK’s relationship with the European Union will be after it leaves, and in particular what impact this will have on data protection and privacy law in Scotland and the rest of the UK.

There will no doubt be a raft of new court decisions in relation to both Privacy/Data Protection and Freedom of Information over the course of the next 12 months and I will attempt to address the most important and unusual decisions here on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters (including GDPR preparation) or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0345 450 0123 or you can E-mail him.