Category Archives: Privacy

Privacy v Freedom of Expression: ‘Can’t Pay? We’ll take it away’

Yesterday an interesting privacy judgment was handed down in the English High Court by Mr Justice Arnold.  The Claimants, Shakir Ali and Shahinda Aslam, brought proceedings against Channel 5 Broadcast Limited (“Channel 5”) for breaching their privacy in using footage of their eviction in the defendants’ television programme, ‘Can’t Pay?  We’ll take it away’.

‘Can’t Pay?  We’ll take it away’ is an observational documentary series broadcast by Channel 5 which follows the work of High Court Enforcement Agents.  The programme often features the evictions of tenants from residential premises by High Court Enforcement Agents and these agents pursuing debtors for the recovery of monies owed to their clients.  At Paragraph 58 of his judgment, Mr Justice Arnold states that the production company “wanted to show how the process which courts provided for the enforcement of debts and the reclaiming of property from debtors and tenants actually operated within ordinary peoples’ lives. He particularly wanted to show how landlords and creditors could expedite enforcement by moving the process from the County Court to the High Court, and the effect of this.”

The Claimants argued that they had a reasonable expectation of privacy and that this had been breached.  Meanwhile, the Defendants argued that the Claimants did not have a reasonable expectation of privacy.  Alternatively Channel 5 argued that if the Claimants did have a reasonable expectation of privacy, that was defeated by the Defendants’ rights to freedom of expression when the two were balanced against one another.  Channel 5 was responsible for selecting which enforcement actions that were filmed for the programme would actually appear in the television series.

On the day of the eviction, the Claimants were visited by two High Court Enforcement Agents; one of whom was in training and the other, Mr Paul Bohill, had more than 30 years’ experience as a High Court Enforcement Agent.  Only the first claimant was in the property when the Agents, together with a television film crew, arrived at the property to effect the eviction.  Certain information was supposed to be provided to those being filmed but the evidence proved that Mr Bohill actively prevented that information being given to the Claimants, even when the first claimant enquired about why it was being filmed.  Mr Justice Arnold covers the events of the eviction of the claimants, in detail, in paragraphs 70 – 115 of his judgment.

On 17th June 2015 the first claimant contacted the production company objecting to footage of his eviction being used in the television series.  He was told that they [the production company] needed to get their facts straight with regards to his benefits, but that his objections would be passed onto Channel 5 who made decisions about broadcast.

At paragraph 169 of his judgment, Mr Justice Arnold states that in his “judgment the principal factors relied upon by the Claimants do lead to the conclusion that they had a reasonable expectation of privacy in respect of the information in question. The Programme was largely filmed in their home; it showed them being evicted without prior warning; it showed them in a state of shock and distress; it showed them being taunted by Omar Ahmed; and it was foreseeable that the broadcasting of the Program me would have an adverse effect on their children. I do not accept that the open justice principle means that the Claimants’ Article 8 rights were not engaged. Open justice means that Channel 5 was entitled to report the facts that the courts had made the Order for Possession and issued the Writ of Possession and in consequence the Claimants had been lawfully evicted; but what happened in their home on 2 April 2015 was not part of the proceedings. Nor do I consider that the broadcasting of the information was an inevitable consequence of the Claimants’ failure to comply with the Order for Possession. Nor do I accept that Mr Ali’s Article 8 rights were  significantly weakened by his political activity.  Mrs Aslam had not engaged in political activity at all. I accept that the Claimants, and their children, had already suffered damage to their privacy as a result of the Ahmeds’ postings on social media, but I do not accept that this meant that the broadcasting of Programme either could not or did not inflict further damage given the substantial scale and duration of the broadcasting.”

In respect of the argument advanced on behalf of Channel 5, that Mr Ali had consented to being filmed, Mr Justice Arnold states that the consent was not “true consent”, was “an agreement to participate under protest” and “was not fully informed agreement given that he was not told anything about the programme that was being filmed or who would broadcast it or about the body cameras.” (paragraph 177).  In any event, Mr Justice Arnold held that “to the limited extent that he did give consent on 2 April 2015, he unequivocally withdrew that consent prior to the first broadcast of the Programme.” (paragraph 178).

Having found that the Claimants did have a reasonable expectation of privacy, it became necessary for the court to balance that against Channel 5’s rights to freedom of expression.  There was no dispute that there was a genuinely held belief by the production company and channel 5 that the programme was in the public interest; however, there was a dispute between the parties as to whether that was enough or whether it had to be assessed objectively.  Mr Justice Arnold concluded that it was clear that the court had to assess it objectively.

Channel 5 argued that “the programme addressed a number of matters of real public interest and concern: increasing levels of personal debt, and in particular rent arrears of tenants in privately-rented accommodation; the dependence of tenants on benefits, and in particular housing benefit; the effect of enforcement of writs of possession by HCEAs; and the consequences for both landlords and tenants. He further submitted that it was justified for Channel 5 to illustrate these matters by showing what happened to real people in real situations, because that was the best way to engage the public and stimulate debate.”

At paragraph 195, Mr Justice Arnold concludes that “the Programme did contribute to a debate of general interest, but…the inclusion of the Claimants’ private information in the Programme went beyond what was justified for that purpose…The focus of the Programme was not upon the matters of public interest, but upon the drama of the conflict between Omar Ahmed [the landlord] and the Claimants. Moreover, that conflict had been encouraged by Mr Bohill…”

Mr Justice Arnold ultimately concluded that when balancing the rights of the Claimants to a private and family life against Channel 5’s rights to freedom of expression, the balance came down in favour of the Claimants’ Article 8 rights.  Each claimant was ultimately awarded £10,000 in damages.

This case raises a number of questions about similar style programmes regularly broadcast on television in the United Kingdom.  It is possible that Channel 5 might face claims from others featured in ‘Can’t Pay?  We’ll take it away’ arising out of the publicity that this judgment has received.  Of course, Channel 5 might well decide to appeal the decision; however, in the meantime broadcasters who broadcast similar style programmes and the production companies who make them ought to reflect upon the decision in the meantime and take it into account when making decisions about programming content of that nature.  It is clear that individuals in these situations do have a reasonable expectation of privacy.  There will be circumstances where the broadcasters’ freedom of expression will defeat the privacy rights of the individuals; however, there will need to be a genuine attempt to cover matters of public interest.  If it is simply for the prupose of entertainment, then broadcasters could find themselves being sued for breach of privacy if they do not have informed consent from the individuals featured (or do not take steps to protect the identities of those featured).

Alistair Sloan

If you would like advice or assistance in respect of a privacy/data protection issue or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

PECR: The forgotten relative

Much of the focus in relation to data protection and privacy law is on implementation of the Genera Data Protection Regulation, which becomes applicable from 25 May 2018.  However, many of the discussions that are taking place in respect of GDPR implementation are forgetting the GDPR’s older cousin:  the snappily named Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).  This Directive from the European Union dating from 2002 was implemented in the United Kingdom through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

 The Directive on privacy and electronic communications is concerned with the processing of personal data and the protection of privacy in the electronic communications sector and is of importance to telecommunications providers, Internet Service Providers and any person or organisation who conducts direct marketing by electronic means; however, this blog post is concerned only with direct marketing and is a follow-up to my recent blog post on whether consent is required under the GDPR.

The GDPR might be the big thing at the moment, but it is important not to consider it in isolation.  When thinking about GDPR implementation it is necessary to take a holistic view and think about how it interacts with other laws because these other laws don’t stop having effect just because of the GDPR.  Therefore, it is essential to consider how these other laws affect your GDPR implementation.

The rules on direct marketing by electronic means are relatively simple and straightforward, but this does not stop unlawful behaviour from taking place on an industrial scale.  Rarely does a month go past without the Information Commissioner’s Office publishing information on enforcement action it has taken against businesses arising out of failing to comply with PECR, especially since the law changed to lower the legal threshold for Monetary Penalty Notices in relation to PECR infringements.

Electronic Mail
Electronic Mail includes E-mail and SMS text messaging.  The general rule for direct marketing by electronic mail is that you need consent, as defined by the 1995 Data Protection Directive.  This means that you must have a freely given, specific and informed indication that the person to whom you are directing the marketing wants to receive such marketing.

There is an exception to this which is referred to as the “soft opt-in”.  This applies where you have obtained a person’s personal data “in the course of the sale or negotiations for the sale of a product or service” to them.  You can then send direct marketing to this person, without first gaining their express consent, where you are marketing your own similar products or services.  The data subject must be “given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected”.

Each direct marketing communication that is sent must include a simple means of opt-out of further direct marketing content (and this must be free of charge, except for the costs of transmission of the opt-out).

Telephone:  Automated calls
The rules for direct marketing by telephone are split into automated and unsolicited live telesales calls.  In the case of automated calls with recorded information played when the phone line being called is answered, the subscriber (i.e. the person who has contracted with the telephone service provider) must have notified the caller (or the person instigating the call where the caller is a third party acting on behalf of the instigator) that, for the time being, they consent to receiving such calls.  Again, this requires there to be a freely given, specific and informed indication.  Consent can be withdrawn.

Telephone:  Unsolicited live telesales calls
You do not require consent to make such calls; however, you must not make such calls where the subscriber has notified you that they do not wish to receive such calls, or if the number is registered with the Telephone Preference Service (TPS).  You can call numbers registered with the TPS where the subscriber has consented to receiving calls from you, notwithstanding that the number is registered with the TPS.  Consent can, as always, be withdrawn at a later date.

Fax
Yes, it is still a thing and some people (and indeed whole sectors) still use fax machines.  However, as it is more or less an obsolete technology all I will say on the matter is that PECR regulates the use of fax for direct marketing and the relevant parts are Regulations 20 and 25.

That is a very brief run through of the relevant law as it stands today.  However, a couple of points to note in closing:  Firstly, the EU is currently working on a replacement to the current Directive.  It had been anticipated that the new E-Privacy Regulation would be implemented alongside the GDPR, but work started on it too late and so it won’t.  Whether it will be finalised in and in force prior to Brexit is something that we will need to wait and see.  Secondly, depending on what happens with the Brexit negotiations it may still end up being part of UK law even if it comes into force after the UK leaves the EU.  Thirdly, there is likely to be some temporary adjustments to PECR from 25 May 2018, that is because PECR adopts a lot of definitions from the Data Protection Act 1998 and the 1995 Data Protection Directive (both of which will be repealed on 25 May 2018).  Finally, the domestic Regulations were made under the European Communities Act 1972; therefore the European Union (Withdrawal) Bill may well have some impact upon them.

Alistair Sloan

If you would like advice or assistance with a privacy or data protection matter, or any other information law concern then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.

Privacy and the Monitoring of Communications in the Employment Setting

On 5th September 2017 the Grand Chamber of the European Court of Human Rights issued its decision in the case of Bărbulescu v. Romania, which considers the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

The background to the case is that an employee was dismissed by his employer for making use of company equipment and services (internet connection and computer) for personal purposes during working hours; in particular, he had been sending personal messages (some of which were of an “intimate nature”) to his brother and fiancée.  The company’s internal policies prohibited this use and after following the disciplinary process required by Romanian domestic law, he was dismissed.  He brought a case in the domestic courts and was unsuccessful in all of those courts.  He then brought a case before the European Court of Human Rights which ultimately ended up with the Grand Chamber issuing its decision on 5th September 2017.  The procedural background to the case is more fully set out in the Court’s judgment.

The Court stated that the relationship between an employee and their employer “is contractual, with particular rights and obligations on either side, and is characterised by legal subordination.” (paragraph 117) The court went on to state, at paragraph 118, that “labour law leaves room for negotiation between the parties to the contract of employment.  Thus, it is generally for the parties themselves to regulate a significant part of the content of their relations.”

In terms of the margin of appreciation afforded to States under the European Convention of Human Rights, the Court decided, at paragraph 119, that States “must be granted a wide margin of appreciation in assessing the need to establish a legal framework governing the conditions in which an employer may regulate electronic or other communications of a non-professional nature by its employees in the workplace.”  However, the Court went on to state, in paragraph 120 of its judgment, that “the discretion enjoyed by States in this field cannot be unlimited.  The domestic authorities should ensure that the introduction by an employer of measures to monitor correspondence and other communications, irrespective of the extent and duration of such measures, is accompanied by adequate and sufficient safeguards against abuse.”  These adequate and sufficient safeguards, the court stated at paragraph 121, “are essential.”

The Court sets out five factors which it considers domestic authorities should treat as being relevant:

  1. What notification has been given to the employee regarding the possibility that the employer might take measures to monitor their correspondence and other communications, and what notification the employee has been given regarding the implementation of these measures;
  2. The extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy (a distinction should be drawn between simply monitoring the flow of communications and the monitoring of the content of the communications);
  3. The reasons the employer has provided to justify the monitoring of their communications and their actual content – greater justification will be required for monitoring the content as opposed to just the flow;
  4. Whether it would have been possible for the employer to have in place a monitoring system that was based on less intrusive methods and measures than simply directly accessing the content of the employee’s communications;
  5. The consequences of the monitoring for the employee subjected to it, and the use made by the employer of the results of the monitoring operation, in particular whether the results were used to achieve the declared aim of the measure;
  6. Whether there were adequate safeguards in place; especially when the employer’s monitoring operations are of an intrusive nature.

This case makes it clear that it can be legitimate for an employer to monitor, not only the flow of private communications made by an employee on company systems, but also the actual content of the correspondence.  However, employers do not have an unlimited right.

Employers will have to think carefully about what aims they are trying to achieve by the monitoring of communications by employees on company systems and whether their proposed method of monitoring is proportionate with that aim.  Furthermore, employees should be given clear and fair notice of what monitoring is taking place and the purpose for the monitoring.

Employers will also need to give careful consideration to the safeguards that they need to have in place with regards to the monitoring procedures they have in place and ensure that what safeguards they do have in place are adequate.  With regards to safeguards, the court specifically stated that employers should not have access to the actual content of the correspondence concerned unless the employee has been notified in advance.

The court has also said that domestic authorities should ensure that any employee whose communications have been monitored has access to a remedy before a judicial body and that judicial body should have jurisdiction to determine, at least in substance, how the six criteria set out in its judgment have been observed and whether the impugned measures were in fact lawful.

This decision doesn’t really change the law as it already operated.  The decision does not prevent employers from undertaking the monitoring of communications by their employees on the employer’s systems.  However, the decision does act as a useful reminder that the ability to conduct such monitoring activities is not wholly unrestrained.  The decision, coupled with the forthcoming applicability of the General Data Protection Regulation, may well provide a good opportunity for employers to review their policies in this area to ensure that they are compliant with the law.

Alistair Sloan

If you would like advice on a matter concerning data protection or privacy, then you can contact our Alistair Sloan on 0345 450 0123 or by completing the contact page on this blog.  Alternatively, you can send him an E-mail directly.

Data Protection/Privacy Enforcement – August 2017

In this blogpost I shall be looking at the enforcement action taken by the Information Commissioner in the fields of data protection and privacy which was publicised during August 2017.  It is hoped that this will become a regular monthly feature on this blog.

Key Points

The key points from the enforcement action publicised by the ICO during the course of August are:

  • Ensure that where your organisation undertakes direct marketing by telephone, you do not make calls to numbers which are listed on the Telephone Preference Service; unless you have been given consent to make such calls.
  • Ensure that contractors who have access to personal data only have access to that personal data which is necessary for the services that they are providing to you.
  • Ensure that you have appropriate technical and organisational measures in places to prevent the unauthorised or unlawful processing of personal data when processing personal data over the internet.
  • Ensure that all of your staff (including temporary and agency staff) are given data protection training which is appropriate to their job role, and to ensure that regular refresher training is undertaken.
  • If you are an employee and have access to personal data as part of your job role, do not make use of that access for any purposes not required as part of your employment; including for personal purposes.

Enforcement Action published by ICO in August 2017

H.P.A.S Limited (trading as Safestyle UK)

H.P.A.S Limited were served with a Monetary Penalty Notice [pdf] in the amount of £70,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Laura Anderson Limited t/a Virgo Home Improvements

Laura Anderson Limited were served with a Monetary Penalty Notice [PDF] in the amount of £80,000 and an Enforcement Notice [pdf] after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Home Logic UK Limited

Home Logic UK Limited were served with a Monetary Penalty Notice [pdf] in the amount of £50,000 after the Commissioner found that they had made unsolicited direct marketing calls to telephone numbers which were listed on the Telephone Preference Service.

Talk Talk Telecom Group Plc

Talk Talk Telecom Group Plc were served with a Monetary Penalty Notice [pdf] in the amount of £100,000.  The Commissioner found that they had failed to have in place adequate technical and organisational measures to prevent against the unauthorised or unlawful processing of personal data.  Talk Talk Telecom Group Plc had in place unjustifiably wide-ranging access to personal data by external agents, which put that personal data at risk.

London Borough of Islington

The London Borough of Islington was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Borough’s parking enforcement application had design flaws and some of the functionality was misconfigured, allowing for unauthorised access to personal data.

Nottinghamshire County Council

Nottinghamshire County Council was served with a Monetary Penalty Notice [pdf] in the amount of £70,000.  The Commissioner found that the Council had failed to have in place an authentication process for accessing an internet based allocation service for home carers; this left personal data and sensitive personal data exposed on the internet.

Cheshire West and Chester Council

Cheshire West and Chester Council signed an undertaking [pdf] stating that they would take certain steps to ensure compliance with the Data Protection Act 1998.  In particular the Commissioner was concerned that a number of self-reported incidents by the council involved staff who had not received data protection training.

Prosecution

A former employee of Colchester Hospital University NHS Foundation Trust was prosecuted in The Colchester Magistrates’ Court.  The Defendant pleaded guilty to offences under Section 55 of the Data Protection Act 1998.  She had accessed the sensitive health records of friends and people she knew and disclosed some of the personal information she obtained obtained.  She was fined £400 for the offence of obtaining the personal data and £650 for the offence of disclosing the personal data.  She was also required to pay prosecution costs and a victim surcharge.

I can provide advice and assistance on a wide range of information law matters.  If you wish to discuss an information law matter with me then you can contact me on 0345 450 0123 or by completing the form on the contact page of this blog.  Alternatively, you can send me an E-mail directly.

Alistair Sloan