Monthly Archives: November 2018

Environmental Information request appeals and prohibitive costs: new Court of Session rules

The Court of Session has made new rules with a view to preventing court actions relating to the environment from being “prohibitively expensive”. The new court rules introduced orders which will be known as “prohibitive expenses orders”. These new rules are of relevance to readers of this blog as they will apply to appeals against decisions of the Scottish Information Commissioner to the Court of Session where the decision being appealed relates to a request for environmental information under the Environmental Information (Scotland) Regulations 2004 (EIRs).

The EIRs give effect in Scotland (in relation to environmental information held by Scottish public authorities – environmental information held by UK public authorities is covered by the Environmental Information Regulations 2004) to Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to environmental information. [pdf] This European Directive in turn gives effect to the UN/ECE Convention on Access to Information, Public Participation in Decision-Making and Access to Justice in Environmental Matters [pdf] (‘the Aarhus Convention’). Article 9 of the Aarhus Convention requires that individuals have access to justice in respect of environmental matters and that this should not be “prohibitively expensive”.

With some of the background to these new rules (briefly) explained, what exactly do these new rules mean? In short, they mean that anyone who brings an appeal to the Court of Session against a decision of the Scottish Information Commissioner in respect of a request for environmental information (whether or not the requester knew at the time of making their request that the request was a request for environmental information – knowing exactly what is environmental information under the EIRs can be very difficult) can make a motion to the court to have their liability in expenses limited should they ultimately be unsuccessful in their appeal.

A person bringing an appeal to the Court of Session against a relevant decision of the Scottish Information Commissioner will be required to make a motion for a prohibitive expenses order as soon as is reasonably practicable after becoming aware that the appeal is defended. In essence, an appellant will need to make a motion relatively quickly after Answers to the Note of Appeal are intimated to them and any unreasonable delay in doing so is likely going to have an impact upon whether the court makes an order.

The new rules provide that proceedings are to be considered prohibitively expensive if the costs and expenses likely to be incurred by the applicant are likely to exceed the financial means of the party or where they are objectively unreasonable having regard to six factors set out in the rules, including whether the applicant has reasonable prospects of success; the complexity of the relevant law and procedure; and whether the case is frivolous.

Where the court is satisfied that the proceedings are prohibitively expensive, it must make a prohibitive expenses order (in other words, if the test is met then the court has no discretion over whether an order is made or not). The order will limit the appellant’s expenses to the respondent to £5,000 (or such other sum as may be justified) and will limit the respondent’s expenses to the appellant to £30,000 (or such other sum as may be justified). It therefore seems as though it will be possible for a requester who intervenes in an appeal brought by a Scottish public authority to apply to have their liability capped in line with the £5,000 figure rather than the £30,000. It also seems as though the court will have the discretion to cap the liability at a lower or higher figure than £5,000 or £30,000.

It remains to be seen just how these new rules will operate in practice, but this is a good step forward. Appeals to the Inner House of the Court of Session are expensive and an unsuccessful appellant could face an expenses bill of many tens of thousands of pounds (in addition to their own legal fees). These new rules do not affect the availability of legal aid (or the rules that apply to expenses where an unsuccessful appellant is in receipt of legal aid). However, these rules will help people who are financially ineligible for legal aid, but are still financially unable to risk losing an appeal. Furthermore, legal aid can be difficult to obtain and therefore this provides a potential route for a person whose application for legal aid has been refused (although, it remains to be seen whether the timeframe for making a motion for a “prohibitive expenses order” is flexible enough to deal with situations where someone has applied for, but ultimately been refused, legal aid). It also remains to be seen how the court will deal with an application for a prohibitive expenses order where legal aid has been refused on the basis of the merits of the appeal rather than on financial eligibility (the tests do, at first blush, appear to be different with perhaps a lower threshold applying to the question of merits in a motion for a prohibitive expenses order as opposed to an application for legal aid).

These new rules might see an increase in EIR appeals to the Court of Session (indeed, we might see an appeal be brought – none have ever been brought, at least so far as I’m aware, in the almost 14 years that people have been able to request environmental information in Scotland). People who are unable to financially risk losing an appeal will now be able to know what their liability in expenses will be in advance of expenses mounting up. This could have financial implications for the Scottish Information Commissioner if his office starts to see an increase in litigation and also for Scottish public authorities who may ultimately decide to become involved in appeals brought by requesters against decisions of the Commissioner.

Alistair Sloan

If you would like advice or assistance in respect of requests for environmental information or any other information law matter, you can contact Alistair Sloan on 0141 229 0880 or by E-mail.

Update 28/11/2018 – The Scottish Information Commissioner’s office has advised that there was one appeal brought against one of their decisions relating to a request for environmental information. The appeal was brought by a public authority and was abandoned by the public authority.

Data Protection and Privacy Enforcement: October 2018

Regular readers of this blog will know that every month I look at the published enforcement action taken by the Information Commissioner in respect of privacy and data protection law. The infractions are often very similar and the same key lessons to take away from the enforcement action appear frequently; October’s enforcement action proves no different. There is, however, a mixture of enforcement action taken under the Data Protection Act 1998 (“DPA98”) – in respect of breaches that occurred prior to 25 May 2018 – and enforcement action taken under the Data Protection Act 2018 (“DPA18”).

Key Lessons

  • When the Commissioner’s office makes contact with you in the course of an investigation it is advisable to cooperate with the investigation. The Commissioner has powers to require persons (not just data controllers) to provide her office with information. It is a criminal offence not to comply with an information notice issued by the Commissioner under the DPA98 while a person who fails to comply with an Information Notice served under the DPA18 can be made the subject of an Information Order by the court.
  • Before making telephone calls for the purpose of direct marketing it is essential that organisations check their list against the list held by the Telephone Preference Service. It is against the law to call a number listed with the TPS for the purposes of direct marketing unless you can show that the recipient has not objected, for the time being, to receiving marketing calls from you. The law has recently been changed and the Commissioner will soon be able to serve a monetary penalty on directors of a company for breaches of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • Any removable media such as CDs and USB memory sticks should be encrypted to prevent unauthorised access to personal data in the event that the media is lost or stolen. Controllers should also consider putting in place technical barriers to ensure that personal data is not unnecessarily being put onto removable media.
  • When drafting privacy statements where you are seeking to obtain consent for direct marketing, it is important to be specific about just what marketing might be sent. It is insufficient to rely upon statements along the lines of “you consent to receive marketing from our carefully selected third party affiliates” and similar.
  • The person who instigates a call is liable for a contravention of PECR, not the person who makes the call. Therefore you cannot avoid liability by engaging a third party contractor to make calls on your behalf. If you have directed that the calls be made then you are liable for any contraventions of PECR. Therefore, companies who engage third parties to undertake telemarketing on their behalf need to ensure that they have in place adequate due diligence to ensure that there are no negligent contraventions of PECR.
  • It’s not enough to simply rely upon your own internal suppression lists when making telephone calls for the purposes of direct marketing; it is also important that call lists are screened against the list maintained by the Telephone Preference Service. It’s also important that companies engaging in telesales regularly obtain an updated version of the list maintained by the TPS and you should never seek to rely upon a version of the list that is more than 28 days old.
  • It can be worthwhile bringing appeals against Notices served by the Commissioner – especially where the terms of the notice are unclear. Where reasons are provided for a decision they generally require to be intelligible.

Enforcement action published by the Information Commissioner in October 2018

Oaklands Assist UK Limited
Oaklands Assist UK Limited (“OAUK”) was served with a Monetary Penalty Notice in the sum of £150,000 [pdf] after the Commissioner found that OAUK had used a public electronic communications service for the purpose of direct marketing in contravention of Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). It appears that OAUK did not initially comply with the Commissioner’s investigation as the penalty notice states that the Commissioner had to serve an Information Notice on OAUK and it only made contact with the Commissioner’s office when they were threatened with prosecution for failure to comply with an Information Notice. The Commissioner found that OAUK had made 63,724 direct marketing calls to numbers that were listed on the TPS, in contravention of Regulation 21 of PECR.

Heathrow Airport Limited
Heathrow Airport Limited (“LHR”) was served with a monetary penalty notice in the sum of £120,000 [pdf] after the Commissioner found that it had breached the seventh data protection principle in schedule 1 to the DPA98. LHR had lost an unencrypted USB memory stick which had been found by a member of the public in West London. The member of the public who found the USB memory stick took it to a public library where they accessed it. Approximately 1% of the files on the memory stick contained personal data, including sensitive personal data. The Commissioner found that the use of removable media was widespread within LHR, but that there was little in the way of measures in place to ensure oversight. Furthermore, there were no technical barriers in place to limit or restrict the downloading of information from LHR’s systems onto removable media.

Boost Finance Limited
Boost Finance Limited (“Boost”) was served with a monetary penalty notice in the sum of £90,000 [pdf] after the Commissioner found that it was responsible for a large number of unsolicited E-mails in respect of pre-paid funeral plans. The Commissioner found that Boost (trading as findmeafuneralplan.com) had instigated, via affiliates that it had appointed, in excess of 4 million unsolicited marketing E-mails contrary to Regulation 22 of PECR. The E-mails were sent to individuals who had subscribed to a number of Boost’s affiliates. The Commissioner concluded [para 16] that Boost had “relied upon inadequate, generic, vague, misleading, tiered and incomplete personal data collection methods and privacy statements as a way of obtaining consent to send direct marketing E-mails.”

Aggregate IQ Data Services Limited
This is not a new Enforcement Notice, but rather it is a notice of variation of the first ever enforcement notice served under the DPA18 [pdf]. Aggregate IQ Data Services Limited (“AIQ”) was served with an enforcement notice by the Commissioner in respect of her investigation into data analytics in politics (which arose out of the allegations surrounding Facebook and Cambridge Analytica). AIQ had appealed the Notice to the First-Tier Tribunal (Information Rights) and has since discontinued that appeal. The revised notice is in much tighter terms than the original notice served by the Commissioner. The revised notice requires AIQ to “[e]rase any personal data of individuals in the UK, determined by reference to the domain name of the email address processed by AIQ, retained by AIQ on its servers as notified to the Information Commissioner…” AIQ is required to do this within 30 days of the Office of the Information and Privacy Commissioner of British Columbia notifying it that either the OIPC no longer requires it for an investigation, or that the OIPC informs AIQ that it is happy for AIQ to comply with the notice (whichever occurs the soonest).

Facebook Ireland Ltd
Facebook Ireland Ltd is the company who UK users (and indeed other EU users) of the Facebook social media platform have a relationship with. The Commissioner served Facebook Ireland with a monetary penalty notice in the sum of £500,000 for breaches of the first and seventh data protection principles [pdf]. The Commissioner considered that Facebook UK Limited, a UK establishment, had carried out certain activities on behalf of Facebook Ireland and Facebook Inc. As the breaches occurred while the DPA98 was still in force, £500,000 represents the maximum penalty that the Commissioner could issue. It is understood that Facebook Ireland has appealed the monetary penalty to the First-Tier Tribunal (Information Rights).

ACT Response Limited
The Information Commissioner served ACT Response Limited (“ACT”) with a monetary penalty notice in the amount of £140,000 [pdf] after she found that ACT had instigated in excess of 490,000 telephone calls for the purposes of direct marketing in contravention of Regulation 21 of PECR. The company operated its own internal suppression list, but did not screen its lists against the Telephone Preference Service list. ACT provided a copy of a training manual to the Commissioner during her investigation, which contained a script which directed those making the calls to ask whether a person was listed on the TPS and to apologise if they were. ACT tried to blame the contravention on one of its sister companies as the company that made the calls, but the sister company made the calls on behalf of ACT and the lines used to make the calls were registered to ACT.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly. You can also follow our dedicated information law Twitter account.

Directors’ personal liability: Privacy and Electronic Communications (EC Directive) Regulations 2003

One of the most frequent areas where the Information Commissioner undertakes enforcement action is in relation to breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). PECR, among other things, governs direct marketing which takes place by way of telephone, SMS and E-mail (but not post). Under the current regime, the Commissioner is able to issue Monetary Penalty Notices (up to a maximum of £500,000) to data controllers who fail to comply with the requirements of PECR; however, the Commissioner has for some time wanted greater powers. In particular, the Commissioner has been seeking the power to issue monetary penalties to directors of those companies.

When a company is served with a monetary penalty notice for breaching PECR, it is not uncommon for the company to close and for a new company to be created in its place with the same people at its helm, undertaking the same activities. The new company is often referred to as a phoenix company. This often means that (a) the penalty goes unpaid; and (b) the same individuals are continuing with their unlawful activity under a separate and distinct entity which is free from the debts and burdens of the old company.

On Thursday 15th November 2018, the Government made The Privacy and Electronic Communications (Amendment) Regulations 2018, which are due to enter into force as from Monday 17th December 2018. These Regulations amend PECR to allow the Commissioner to also serve a monetary penalty notice on an “officer of the body” in certain circumstances. An officer of the body is defined as, in relation to a body corporate, “a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, or where the affairs of the body are managed by its members, a member”; and in relation to a Scottish partnership, “a partner or any person purporting to act as a partner.”

This opens up a wide variety of persons who serve in companies and partnerships to the possibility of being personally served with a monetary penalty notice as well as the company. However, the Regulations do not allow the Commissioner to serve a monetary penalty notice only on the officer; it is a pre-requisite of the amended regulations that the Commissioner must have served a monetary penalty notice on the controller.

Furthermore, the Commissioner can’t just automatically serve a monetary penalty notice on the officer(s) of the body on each occasion that she serves a monetary penalty notice on the body. The power only applies where the contravention of PECR “took place with the consent or connivance of the officer” or where the contravention is “attributable to any neglect on the part of the officer.”

In short, if a body ceases to exist after being served with a monetary penalty for contraventions of PECR, the Commissioner could start coming after the officers personally where they consented, or connived, to contravene PECR or were simply negligent in respect of any contravention. It will be interesting to see just how the Commissioner goes about using this power (the possibility of a personal financial penalty of up to £500,000 will be significant for the vast majority of officers). It is more than probable that the Commissioner will utilise this new power where she can as it is one that her office has been seeking for some time.

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law Twitter account.