Tag Archives: Court Decisions (Information Notice)

Information Law Review of 2018

It does not seem as though it was a year ago since I sat down to write my review of Information Law in 2017 and to have a brief look ahead into 2018; but somehow we now appear to be in 2019. It was always going to be the case that 2018 was going to be a big year for information law; with the General Data Protection Regulation becoming applicable on 25th May 2018. The 25th May 2018 came and went without the millennium bug style apocalypse that seemed inevitable from the amount of sensationalist writing that was taking place in late 2017 and early 2018.

My review of 2017 started off with the English and Welsh High Court decision on vicarious liability for data protection breaches in Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This case rumbled on in 2018 and it was considered by the Court of Appeal. The Court of Appeal heard the appeal and (in remarkably quick time) dismissed the appeal. It is understood that Morrisons have sought permission to appeal to the Supreme Court and if permission is granted it is possible that it will feature in a review of Information law in 2019.

In February, the English and Welsh High Court issued an interesting privacy judgment when it considered an action for compensation arising out of “Can’t Pay? We’ll Take it Away’; a fly-on-the wall documentary following High Court Enforcement Officers in their work enforcing court orders relating to debt and housing cases. The Court had the tricky job of balancing the privacy rights of individuals against the rights of television companies in respect of freedom of expression; however, the High Court decided that the balance in this particular case fell in favour of the claimant’s privacy rights. The High Court’s decision was appealed to the Court of Appeal; looking specifically at the issue of quantifying the level of damages. That appeal was heard by the Court of Appeal in early December and should provide useful guidance on calculating damages in the privacy sphere.

Facebook, Cambridge Analytical and Aggregate AIQ all featured quite heavily in 2018 in terms of privacy and data protection matters. Facebook was served with a monetary penalty in the amount of £500,000 for breaches of the Data Protection Act 1998 and Aggregate AIQ was also the recipient of the first Enforcement Notice under the Data Protection Act 2018 (which was narrowed in scope by the Information Commissioner following an appeal by AIQ; which was subsequently dropped). Facebook lodged an appeal against the Monetary Penalty Notice with the First-Tier Tribunal (Information Rights) in November 2018. If and when a decision is reached by the Tribunal in respect of that appeal, it will feature on this blog.

Arising out of the same wide-ranging investigation by the ICO as the Facebook penalty and the AIQ Enforcement Notice was an Information Notice served on the United Kingdom Independence Party (UKIP), which was appealed to the First-Tier Tribunal (Information Rights). The Tribunal dismissed the appeal by UKIP in July.

In April there was yet another important decision from the English and Welsh High Court in respect of Privacy and Data Protection. A little over four years after the European Court of Justice decision on the Right to Be Forgotten in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT2 v Google; this represented the first decision of a UK Court in respect of the Right to Be Forgotten. An appeal was lodged in respect of this case and was due to be heard just before Christmas; however, it was reported that the case was settled on the day of the appeal.

The issue of compensation to identifiable third parties in the context of data protection breaches was considered by the English and Welsh Court of Appeal. This case adds to the helpful privacy and data protection case law emanating from the English and Welsh courts.

Another interesting development that we saw during the course of 2018 was a director being disqualified indirectly in connection with privacy and data protection matters. It does show that directors can be held personally liable for privacy and data protection transgressions of limited companies. This was underlined by the amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 which now enable the Commissioner to serve a monetary penalty on directors (and others associated with companies) in certain circumstances.

In Scotland, the Court of Session made new rules which should make appealing decisions of the Scottish Information Commissioner in respect of requests for environmental information more financially viable.

Litigation in respect information law matters in Scotland remains limited. The majority of litigation on these areas arises out of England and Wales. Perhaps in 2019, we will begin to see more litigation in Scotland on information law matters. Hopefully the new rules in the Court of Session will see more appeals in respect of the Environmental Information (Scotland) Regulations 2004 and hopefully the introduction of Group proceedings in the Court of Session through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 will help with an increase in data protection and privacy litigation in Scotland.

In terms of 2018 Scottish cases, not long before Christmas the Court of Session treated us to a judgment in an appeal concerning vexatious requests under the Freedom of Information Scotland Act 2002. Beggs v Scottish Information Commissioner considered the correct approach to be taken when applying section 14(1) of the Freedom of Information (Scotland) Act 2002.

Looking ahead to 2019; the big issue on the horizon is Brexit. Much of what is discussed on this blog as “information law” derives from European law and so Brexit will likely have an impact upon that. We are still unsure as to the terms that we will be leaving on. A withdrawal Agreement has been negotiated between the European Union and the United Kingdom; however, there is  still a way to go with that – and it looks quite likely that the UK Parliament will rejected the Withdrawal Agreement in its current form. If we end up leaving with no Withdrawal Agreement in place then this will cause considerable difficulties for UK business which rely upon the transfer of personal data from elsewhere within the European Union; it will also cause problems for public bodies.

In terms of making the law work after Brexit, we were treated by the Government (in between Christmas and New Year) to a draft of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These Regulations will make changes to the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in light of the United Kingdom no longer being a member of the European Union. I will, of course, look at these draft Regulations in more detail soon.

I will attempt to address information law matters as they unfold in 2019 on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0141 229 0880 or you can E-mail him.


Information Notices: UKIP -v- Information Commissioner

Last week the Information Commissioner published an update on her investigation into the use of personal data in political campaigning; it received much publicity and I wrote about the report on this blog. In the report it was revealed that the First-Tier Tribunal (Information Rights) (hereafter “FTT”) had dismissed an appeal by the United Kingdom Independence Party (“UKIP”) against an Information Notice served upon it by the Commissioner.

I have previously written on Information Notices more generally (which dealt with them under the Data Protection Act 1998 (”DPA98”), rather than the Data Protection Act 2018(“DPA18”)) and so I don’t propose to set out in any detail what an Information Notice is; however, in brief the Commissioner had the power to compel a person (not just a data controller) to provide her with certain information under section 43 of the DPA98; failure to comply with an Information Notice issued under the DPA98 is a criminal offence.

In my blog post last week I said that I would try and blog when the FTT published its decision in respect of UKIP’s appeal against the Information notice. The FTT has now published its decision in United Kingdom Independence Party (UKIP) –v– The Information Commissioner [pdf]. The background to the Information Notice is set out in the decision, but it appears that the Commissioner’s office wrote to UKIP asking it to provide certain information. UKIP responded, but did so in a very unsatisfactory manner. In particular the answers given were lacking in detail and contradicted information obtained by the Commissioner’s office from the Electoral commission website.  As a result, the Commissioner used her power to compel information from UKIP.

UKIP appealed on the grounds that the Information Notice was “unjust, disproportionate and unnecessary because the UKIP has never suggested it would not comply and that a preferable course of action would have been for the Commissioner to write seeking clarification and specific details.“ [para 13] It seems that the Tribunal issued Directions asking the Commissioner whether she could issue a fresh Information notice because the FTT was not clear on certain matters; however, it was pointed out that this was not open to either the FTT or the Commissioner and that the FTT must allow or dismiss the appeal by UKIP.

The matters upon which the FTT was uncertain were clarified by the Commissioner and ultimately the appeal was dismissed by the FTT. The appeal was considered, at the request of both parties, on the papers alone and therefore no hearing took place. The Tribunal concluded that “the expressed intention of UKIP to provide information and co-operate with the Commissioner is at odds with the information provided by UKIP.” [para 19] UKIP was not arguing that the Notice was not issued “in accordance with the Data Protection Act [1998]” [para 20].

It appears from the FTT’s decision that UKIP later did try to argue that it was not in accordance with the law founding upon the FTT’s own request for clarification; however, the FTT decided that the “notice, of itself, is clear”  and that the reasoning advanced by UKIP did “not provide grounds for allowing this appeal.” [para 25]

The Tribunal also concluded that the appeal had no merit [para 26] before unanimously dismissing the appeal [para 27].

Information Notices are not a common feature of the data protection enforcement landscape. UKIP could seek to appeal the FTT’s decision to dismiss its appeal and whether UKIP seek permission to appeal the decision to the Upper Tribunal remains to be seen. My own view, from the information available in the FTT’s judgment, is that the ultimate conclusion of the FTT was correct; however, the route by which the FTT arrived at that conclusion is unhelpful and may be enough to persuade either the FTT or the Upper Tribunal to grant permission to appeal.

From reading the FTT’s decision it appears that there might have been some confusion on the part of the FTT concerning what its functions were in respect of Information Notices and what the statutory scheme for such a notice was. Whether this was down to the way in which the Commissioner had presented the case on the papers or down to a genuine lack of understanding by the FTT is something that we might never know (especially if there is no appeal by UKIP to the Upper Tribunal)

In terms of the actual decision; it is not at all surprising that the FTT did not take UKIP’s assertion that it would co-operate with the Commissioner at face value when presented with its response to the Commissioner’s more informal request for information from them. It underlines the importance of genuinely engaging with the Commissioner when they are undertaking investigations – they do have certain powers to assist them with their investigation and they do seem willing to use those powers where they feel as though they need to do so.

The framework for Information Notices has changed slightly under the GDPR/DPA18 – it’s no longer a criminal offence to fail to comply with an Information Notice; however, the Commissioner could go to court and obtain an Information Order from the Court where an Information Notice is not complied with. A right of appeal to the FTT continues to exist against Information Notices issued under the DPA18.

Alistair Sloan

If you are facing an investigation by the Information Commissioner in respect of alleged failures to comply with privacy and data protection law, or if you require advice on any other information law matter you can contact Alistair Sloan on 0141 229 0880.  Alternatively you can contact him directly by E-mail.  We also have a dedicated information law twitter account which you can follow.