Tag Archives: Court Decisions (Scotland)

Information Law Review of 2019

Well, it is that time again; the beginning of a New Year and therefore time for my third annual look at what happened in the world of information law in the previous twelve months and what those with an interest in the field should be looking out for in 2020. I would like to begin by wishing all readers of the Information Law Blog, both new and old, a very happy New Year.

My reviews of 2017 and 2018 began by looking at the case of Various Claimants v WM Morrisons Supermarkets Limited. I shall keep the tradition going by looking once again at this case. In 2018, the Court of Appeal dismissed the appeal by Morrisons against the decision of Mr Justice Langstaff holding them vicariously liable for the actions of an ex-employee. This case rumbled on again in 2019, with the Supreme Court hearing an appeal by Morrisons on 6th and 7th November. By the end of 2019, the Supreme Court had not yet issued its judgment and so that will be something to look out for in 2020; the Supreme Court’s judgment (although concerned with the Data Protection Act 1998, rather than the GDPR and Data Protection Act 2018) will have ramifications for data subjects and controllers, regardless of which way it goes.

Brexit continued to be a feature of 2019 in the Information law world. We have seen the changes that will take effect in data protection law as a result of the UK’s withdrawal from the European Union, which is now scheduled to take place at the end of this month. Brexit, however, will not stop being a feature of information law at 23:00 on 31st January (assuming there are no further delays). We will be in a transition period until the end of the year, but we don’t yet know exactly what we’re transitioning to which might start to become clearer by the Summer.

Brexit also featured in the information law world in other respects as well. There are still some data protection and privacy concerns floating around from the 2016 referendum on the UK’s membership of the EU. Indirectly related to that have been proceedings in the Upper Tribunal involving UKIP and in also in the First-Tier Tribunal. If reports are anything to go by, proceedings in the First-Tier Tribunal at the end of 2019 could result in an extremely critical decision against the Commissioner, so that is something to look out for in 2020.

We also saw the first GDPR administrative fine issued in the UK by the Information Commissioner (some 19 or so months after the GDPR became applicable and quite a bit behind other regulators in other EU Member States). The Commissioner has issued two Notices of Intent against two other Controllers (that we’re aware of) both of which were due to expire this month, but it has been confirmed by the Information Commissioner that the statutory six month period has been extended by agreement (in accordance with the statutory provisions). The reasons for this have not been made public at this time.

Just before Christmas the Advocate General of the European Court of Justice gave his opinion in Data Protection Commissioner v Facebook Ireland & Schrems concerning standard contractual clauses. We can expect a decision from the European Court of Justice to follow soon, whether that is before or after “exit day” at the end of January remains to be seen.

In the wider field of privacy law, the Court of Appeal took a look at the judgment of Mr Justice Arnold in the case involving Channel 5’s fly-on-the-wall documentary ‘Can’t Pay? We’ll Take it Away’. The Court of Appeal dismissed the appeals by the Respondents in respect of liability and the cross-appeal by the Claimants on the issue of quantum of damages. Meanwhile, in Scotland, Lord Bannatyne (for the first time) declared that there exists in the law of Scotland a common law right to privacy.

In May, Information Notices were again a feature of the decisions flowing from the First-Tier Tribunal; this time, however, it was concerning the Commissioner’s powers under the Freedom of Information Act 2000. The Tribunal confirmed that the Commissioner can issue an information notice in order to obtain information as part of her process for determining whether a person is a public authority for the purposes of the Environmental Information Regulations 2004.

In 2019, the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee began undertaking Post-Legislative Scrutiny of the Freedom of Information (Scotland) Act 2002. In 2019, I gave both written and oral [pdf] evidence to the Committee. The Committee is expected to release its report and recommendations next month.

In 2019, we saw the expansion of FOI in Scotland with Registered Social Landlords formally being designated as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002.

We also had one of those rare things: a decision from the Court of Session in an appeal against a decision of the Scottish Information Commissioner. In the sole decision in such an appeal issued by the Court of Session in 2019, my client successfully challenged (on a point of law) a finding by the Commissioner that information he had requested was not held by a local council for the purpose of the Freedom of Information (Scotland) Act 2002. This case provides some useful guidance on determining whether information is held, or not, for the purposes of the Freedom of Information (Scotland) Act 2002.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact our team on 0141 229 0880.

We don’t hold it…oh yes you do!

Dr Ian Graham v The Scottish Information Commissioner [2019] CSIH 57 is a rare decision of the Court of Session in an appeal against a decision of the Scottish Information Commissioner, the last one coming almost 12 months ago. The case was considered by the Second Division (with the bench comprising of the Lord Justice Clerk, Lord Malcolm and Lord Glennie) with Lord Glennie delivering the Opinion of the Court.

Before a Scottish public authority is required to release information, it actually has to hold it and information will not be held, according to the law, if it is held by the Scottish public authority on behalf of a third party. The question that was considered in the appeal by Dr Graham was on this fundamental point: whether the Scottish public authority held the information or not; and in particular whether information was held by a Council on behalf of a third party (in this case, the Returning Officer).

In January 2018, Dr Graham requested the following information from Aberdeenshire Council: (1) a list of the contracts called off by the council from the framework agreement, (2) invoice and order copies for each contract, (3) payment confirmation from the council of the invoices and (4) whether the council reclaimed the input VAT on the invoice. The framework agreement in question was for the provision of electoral services to the returning officer. In terms of the contract (and of importance for this appeal), the Council assumed obligations and liabilities under the contract and also had responsibilities and liabilities in respect of the procurement process.

Whilst the Council ultimately released information in relation to parts (3) and (4) of his request, initially the Council also claimed that it did not hold this information for the purposes of the Freedom of Information (Scotland) Act 2002 (“FIOSA”). The Council’s argument was that because a returning officer, although an official from within the council, was legally a separate entity from the rest of the council when acting in their capacity as returning officer, they only held the information on behalf of the returning officer and not in their own right. Dr Graham was dissatisfied with this and applied to the Scottish Information Commissioner for a decision on whether the Council had complied with its disclosure obligations under FOISA. The Commissioner upheld the Council’s decision, determining that the Council did not hold the information for the purposes of FOISA, but rather held it on behalf of the returning officer.

Counsel for the Appellant argued that the word ‘held’ was being submitted to too much scrutiny, as well as drawing attention to the spirit in which the FOISA had been made; that being to make information available to the public. Counsel contended that a liberal approach should be taken to the interpretation of this provision. Reference was made by the Appellant’s Counsel to University and Colleges Admission Service v Information Commissioner [2014] UKUT 0557 (AAC) and Common Services Agency v Scottish Information Commissioner 2008 SC (HL) 184. Counsel for the Appellant further drew upon University of Newcastle v Information Commissioner [2011] UKUT 185 (AAC) to demonstrate how a more common-sense approach was preferable. The broader interpretation of ‘held’ was further supported  by the decision of the Upper Tribunal in Department of Health v Information Commissioner where it was held that a ministerial diary was ‘held’ by a department purely as a historical record for reference purposes. With reference to the current case, he ultimately claimed that the differentiation between the council holding the information for itself or on behalf of the returning officer was immaterial and indeed that both conditions could be fulfilled simultaneously in the present circumstances; with the fine-tooth investigation of the council election laws amounting to little more than prevaricating.

The Court allowed Dr Graham’s appeal, emphasising that “that the relevant provisions of FOISA should, so far as possible, be interpreted in a manner consistent with the policy of the Act, namely the desirability of making information available to the public, all in the interests of promoting open, transparent and accountable government.” [15] The court also held “that the words and expressions used in the Act should, so far as possible, be given their ordinary and natural meaning” and that “[t]here should be no scope for the introduction of technicalities, unnecessary legal concepts calculated to over-complicate matters and, by so doing, to restrict the disclosure of relevant information.” [15].

The Court approved of and agreed with the reasoning given by the Upper Tribunal at paragraphs 21-22 of its decision in University of Newcastle. In essence, a Scottish public authority will hold information if it has more than a de minimis interest in the information. That is to say, it will only fall outside of the scope of FOISA if it has “no (or no material) interest of its own” in the information. [18] As a result of the Court’s decision, it reduced the Commissioner’s decision and remitted the matter back to him so that he could reconsider Dr. Graham’s application in light of its opinion.

The effect of this decision should be to widen the scope of information that is available to the public under FOISA. Scottish public authorities and the Commissioner will be required to take a more holistic approach in future to deciding whether information is only held by the Scottish public authority on behalf of a third party. A more practical approach requires to be taken than simply looking at whether the Scottish public authority and the third party are separate entities from one another; consideration must be given to the underlying factual matrix. The opinion of the Court also re-iterates previous comments by the courts that the Act should be interpreted in a way that isn’t too complex or technical.

Our Alistair Sloan acted for the successful appellant in this case, instructing John MacGregor, Advocate.

Danny Cummins (Trainee Solicitor)

If you would like advice or assistance in respect of a Freedom of Information matter or a data protection/privacy issue then contact us on 0141 229 0880 or you can send us an E-mail.

Privacy, the common law and Scotland

In a recent opinion from Lord Bannatyne (B C and Others v Chief Constable Police Service of Scotland and others [2019] CSOH 48), sitting in the Outer House of the Court of Session, we have the first express statement that there is a right of privacy at common law in Scotland. Traditionally in Scotland, privacy law has been dealt with through the European Convention on Human Rights, the Human Rights Act and data protection law.

This case involved a number of police officers who are facing disciplinary proceedings by the Police Service of Scotland for alleged misconduct which is founded upon a number of messages sent via WhatsApp. The messages came into the possession of the professional standards department having been discovered on the phone of an officer who was being investigated in connection with alleged sexual offences.

The messages in question were characterised by Senior Counsel for the Police Service of Scotland in her written submissions as being “on any view, blatantly sexist and degrading, racist, anti-semitic, homophobic, mocking of disability” and included “a flagrant disregard for police procedures by posting crime scene photos of current investigations.” [para 166] Lord Bannatyne believed that it was “a characterisation which a reasonable person having regard to the content of the messages would be entitled to reach. I conclude that the content of the messages can be regarded as potentially informing the issue of breach of Standards in circumstances calling into question the impartial discharge of the petitioners’ duties.” [para 166]

In terms of the common law right to privacy, the starting point for Lord Bannatyne was the relationship between the Human Rights Act 1998 and the Common Law. He quoted Lord Reid, with approval, in R (Osborn) v The Parole Board at paragraph 57 of that judgment. From that passage Lord Bannatyne concluded that if the right to privacy exists at common law, Article 8 of the convention does not supersede it. Lord Bannatyne noted that the European jurisprudence could be used to help inform and develop a common law right to privacy.

He then went on to ask whether there was a justification for a right to privacy in the common law. He cited, with approval, the words of Lord Nicholls at paragraph 12 of the judgment in Campbell v MGN Ltd. Lord Bannatyne thought that the right to privacy could “be described as a core value and one which is inherent in a democratic and civilised state.” [para 106]. He continued:

“[it] seems to flow from the centrality of the role of privacy in a democratic society and particularly in a society where electronic storage of information and electronic means of intrusion into the private lives of a citizen by government, private organisations and individuals are growing exponentially the common law should recognise the right to privacy.” [para 107]

Lord Bannatyne considered that the English authority on the point was of assistance. In England and Wales the common law on privacy has been developed in the context of the development of the law on breach of confidence. Scotland also has a concept of breach of confidence, which is a well understood remedy and it has been explicitly accepted previously that the law in Scotland in respect of breach of confidence is the same as the law in respect of breach of confidence in England and Wales (see, for example, Lord Advocate v Scotsman Publications).

At paragraph 116 of his opinion, Lord Bannatyne observed “that given privacy is a fundamental right I think it highly likely that it exists in the common law of Scotland.” He also noted that it was “inherently unlikely” that Scottish and English law in relation to this fundamental matter are entirely different.

Finally, he considered the existing case law in Scotland (to the extent that there is any) tended to support the view that such a right exists in the law of Scotland. He also found it “noteworthy” that none of the cases to which he was referred expressly or implicitly stated that there was no common law right to privacy in Scotland.

Lord Bannatyne went on to consider that the Petitioners could have “no reasonable expectation of privacy” flowing “from the attributes which arise as a result of their position as constables.” [para 166] It is not the case that police officers, as a result of their position, have no right to privacy at all, but, rather, that this right is limited. Lord Bannatyne opines that the limitation can be defined in the following way: “f their behaviour in private can be said to be potentially in breach of the Standards in such a way as to raise doubts regarding the impartial performance of their duties then they have no reasonable expectation of privacy.” [para 168] A police officer, because of the attributes of a person holding the office of constable, is in a different position to an ordinary member of the public. [para 168]

The remaining issues that had to be dealt with by Lord Bannatyne were dealt with in, comparably, fairly short compass. Lord Bannatyne held that “there is a clear and accessible basis for the disclosure [by the police, as a public authority, to the professional standards branch of Police Scotland] in the circumstances of this case.” [para 192] He also held that the disclosure decision was not an arbitrary one. [para 192]

Lord Bannatyne also held the interference was necessary, in accordance with Article 8(2) of the Convention. He did not agree that all of the matters listed in Article 8(2) were engaged, but did hold that ‘public safety’ and ‘the prevention and detection of crime’ were engaged. [para 198] In terms of the balancing exercise to be carried out, Lord Bannatyne considered that the balance was“heavily weighted on the side of disclosure” and he was “unable to identify a less intrusive measure which could have been used without unacceptably comprising the objectives [he had] identified.” [para 201]

Finally, in respect of interdict, Lord Bannatyne held that even if he had been with the Petitioners he would nevertheless have held that the Petitioners were not entitled to the interdict which they sought. [para 202]

This is an important case as it is the first time that a Scottish court has expressly declared that there is a common law right to privacy in Scotland. That, however, has to be tempered with the fact that it is a decision of the Outer House and therefore only of persuasive authority in the Court of Session and lower courts. A different Lord Ordinary (or a Sheriff) may ultimately reach a different conclusion (although, I think that unlikely). Although, the Petitioners were right on this point, they ultimately lost the case and the petition was refused. Therefore there may well be a reclaiming motion (appeal) to the Inner House and this point may well be considered and decided upon by the Inner House. This would give us binding authority which all the lower courts in Scotland would be required to follow stating that there is a common law right to privacy in Scotland.

The decision will certainly add an additional tool to the armory of individuals who are concerned about their privacy and breaches thereof; it will also be another angle which those advising on issues of privacy will have to consider. We may begin to see more cases proceed on the basis of a breach of the common law right to privacy as opposed to cases proceeding on breaches of convention rights and data protection law.

Alistair Sloan

If you would like advice in connection with any privacy matter, or any other information law matter; contact our team on 0141 229 0880 or by E-mail. You can also follow our dedicated Information law twitter account.

Information Law Review of 2018

It does not seem as though it was a year ago since I sat down to write my review of Information Law in 2017 and to have a brief look ahead into 2018; but somehow we now appear to be in 2019. It was always going to be the case that 2018 was going to be a big year for information law; with the General Data Protection Regulation becoming applicable on 25th May 2018. The 25th May 2018 came and went without the millennium bug style apocalypse that seemed inevitable from the amount of sensationalist writing that was taking place in late 2017 and early 2018.

My review of 2017 started off with the English and Welsh High Court decision on vicarious liability for data protection breaches in Various Claimants v WM Morrisons Supermarket PLC  [2017] EWHC 3113 (QB)This case rumbled on in 2018 and it was considered by the Court of Appeal. The Court of Appeal heard the appeal and (in remarkably quick time) dismissed the appeal. It is understood that Morrisons have sought permission to appeal to the Supreme Court and if permission is granted it is possible that it will feature in a review of Information law in 2019.

In February, the English and Welsh High Court issued an interesting privacy judgment when it considered an action for compensation arising out of “Can’t Pay? We’ll Take it Away’; a fly-on-the wall documentary following High Court Enforcement Officers in their work enforcing court orders relating to debt and housing cases. The Court had the tricky job of balancing the privacy rights of individuals against the rights of television companies in respect of freedom of expression; however, the High Court decided that the balance in this particular case fell in favour of the claimant’s privacy rights. The High Court’s decision was appealed to the Court of Appeal; looking specifically at the issue of quantifying the level of damages. That appeal was heard by the Court of Appeal in early December and should provide useful guidance on calculating damages in the privacy sphere.

Facebook, Cambridge Analytical and Aggregate AIQ all featured quite heavily in 2018 in terms of privacy and data protection matters. Facebook was served with a monetary penalty in the amount of £500,000 for breaches of the Data Protection Act 1998 and Aggregate AIQ was also the recipient of the first Enforcement Notice under the Data Protection Act 2018 (which was narrowed in scope by the Information Commissioner following an appeal by AIQ; which was subsequently dropped). Facebook lodged an appeal against the Monetary Penalty Notice with the First-Tier Tribunal (Information Rights) in November 2018. If and when a decision is reached by the Tribunal in respect of that appeal, it will feature on this blog.

Arising out of the same wide-ranging investigation by the ICO as the Facebook penalty and the AIQ Enforcement Notice was an Information Notice served on the United Kingdom Independence Party (UKIP), which was appealed to the First-Tier Tribunal (Information Rights). The Tribunal dismissed the appeal by UKIP in July.

In April there was yet another important decision from the English and Welsh High Court in respect of Privacy and Data Protection. A little over four years after the European Court of Justice decision on the Right to Be Forgotten in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT2 v Google; this represented the first decision of a UK Court in respect of the Right to Be Forgotten. An appeal was lodged in respect of this case and was due to be heard just before Christmas; however, it was reported that the case was settled on the day of the appeal.

The issue of compensation to identifiable third parties in the context of data protection breaches was considered by the English and Welsh Court of Appeal. This case adds to the helpful privacy and data protection case law emanating from the English and Welsh courts.

Another interesting development that we saw during the course of 2018 was a director being disqualified indirectly in connection with privacy and data protection matters. It does show that directors can be held personally liable for privacy and data protection transgressions of limited companies. This was underlined by the amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 which now enable the Commissioner to serve a monetary penalty on directors (and others associated with companies) in certain circumstances.

In Scotland, the Court of Session made new rules which should make appealing decisions of the Scottish Information Commissioner in respect of requests for environmental information more financially viable.

Litigation in respect information law matters in Scotland remains limited. The majority of litigation on these areas arises out of England and Wales. Perhaps in 2019, we will begin to see more litigation in Scotland on information law matters. Hopefully the new rules in the Court of Session will see more appeals in respect of the Environmental Information (Scotland) Regulations 2004 and hopefully the introduction of Group proceedings in the Court of Session through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 will help with an increase in data protection and privacy litigation in Scotland.

In terms of 2018 Scottish cases, not long before Christmas the Court of Session treated us to a judgment in an appeal concerning vexatious requests under the Freedom of Information Scotland Act 2002. Beggs v Scottish Information Commissioner considered the correct approach to be taken when applying section 14(1) of the Freedom of Information (Scotland) Act 2002.

Looking ahead to 2019; the big issue on the horizon is Brexit. Much of what is discussed on this blog as “information law” derives from European law and so Brexit will likely have an impact upon that. We are still unsure as to the terms that we will be leaving on. A withdrawal Agreement has been negotiated between the European Union and the United Kingdom; however, there is  still a way to go with that – and it looks quite likely that the UK Parliament will rejected the Withdrawal Agreement in its current form. If we end up leaving with no Withdrawal Agreement in place then this will cause considerable difficulties for UK business which rely upon the transfer of personal data from elsewhere within the European Union; it will also cause problems for public bodies.

In terms of making the law work after Brexit, we were treated by the Government (in between Christmas and New Year) to a draft of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These Regulations will make changes to the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in light of the United Kingdom no longer being a member of the European Union. I will, of course, look at these draft Regulations in more detail soon.

I will attempt to address information law matters as they unfold in 2019 on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0141 229 0880 or you can E-mail him.