Tag Archives: Court Decisions (England)

Information Law Review of 2019

Well, it is that time again; the beginning of a New Year and therefore time for my third annual look at what happened in the world of information law in the previous twelve months and what those with an interest in the field should be looking out for in 2020. I would like to begin by wishing all readers of the Information Law Blog, both new and old, a very happy New Year.

My reviews of 2017 and 2018 began by looking at the case of Various Claimants v WM Morrisons Supermarkets Limited. I shall keep the tradition going by looking once again at this case. In 2018, the Court of Appeal dismissed the appeal by Morrisons against the decision of Mr Justice Langstaff holding them vicariously liable for the actions of an ex-employee. This case rumbled on again in 2019, with the Supreme Court hearing an appeal by Morrisons on 6^th and 7^th November. By the end of 2019, the Supreme Court had not yet issued its judgment and so that will be something to look out for in 2020; the Supreme Court’s judgment (although concerned with the Data Protection Act 1998, rather than the GDPR and Data Protection Act 2018) will have ramifications for data subjects and controllers, regardless of which way it goes.

Brexit continued to be a feature of 2019 in the Information law world. We have seen the changes that will take effect in data protection law as a result of the UK’s withdrawal from the European Union, which is now scheduled to take place at the end of this month. Brexit, however, will not stop being a feature of information law at 23:00 on 31^st January (assuming there are no further delays). We will be in a transition period until the end of the year, but we don’t yet know exactly what we’re transitioning to which might start to become clearer by the Summer.

Brexit also featured in the information law world in other respects as well. There are still some data protection and privacy concerns floating around from the 2016 referendum on the UK’s membership of the EU. Indirectly related to that have been proceedings in the Upper Tribunal involving UKIP and in also in the First-Tier Tribunal. If reports are anything to go by, proceedings in the First-Tier Tribunal at the end of 2019 could result in an extremely critical decision against the Commissioner, so that is something to look out for in 2020.

We also saw the first GDPR administrative fine issued in the UK by the Information Commissioner (some 19 or so months after the GDPR became applicable and quite a bit behind other regulators in other EU Member States). The Commissioner has issued two Notices of Intent against two other Controllers (that we’re aware of) both of which were due to expire this month, but it has been confirmed by the Information Commissioner that the statutory six month period has been extended by agreement (in accordance with the statutory provisions). The reasons for this have not been made public at this time.

Just before Christmas the Advocate General of the European Court of Justice gave his opinion in Data Protection Commissioner v Facebook Ireland & Schrems concerning standard contractual clauses. We can expect a decision from the European Court of Justice to follow soon, whether that is before or after “exit day” at the end of January remains to be seen.

In the wider field of privacy law, the Court of Appeal took a look at the judgment of Mr Justice Arnold in the case involving Channel 5’s fly-on-the-wall documentary ‘Can’t Pay? We’ll Take it Away’. The Court of Appeal dismissed the appeals by the Respondents in respect of liability and the cross-appeal by the Claimants on the issue of quantum of damages. Meanwhile, in Scotland, Lord Bannatyne (for the first time) declared that there exists in the law of Scotland a common law right to privacy.

In May, Information Notices were again a feature of the decisions flowing from the First-Tier Tribunal; this time, however, it was concerning the Commissioner’s powers under the Freedom of Information Act 2000. The Tribunal confirmed that the Commissioner can issue an information notice in order to obtain information as part of her process for determining whether a person is a public authority for the purposes of the Environmental Information Regulations 2004.

In 2019, the Scottish Parliament’s Public Audit and Post-Legislative Scrutiny Committee began undertaking Post-Legislative Scrutiny of the Freedom of Information (Scotland) Act 2002. In 2019, I gave both written and oral [pdf] evidence to the Committee. The Committee is expected to release its report and recommendations next month.

In 2019, we saw the expansion of FOI in Scotland with Registered Social Landlords formally being designated as Scottish public authorities for the purposes of the Freedom of Information (Scotland) Act 2002.

We also had one of those rare things: a decision from the Court of Session in an appeal against a decision of the Scottish Information Commissioner. In the sole decision in such an appeal issued by the Court of Session in 2019, my client successfully challenged (on a point of law) a finding by the Commissioner that information he had requested was not held by a local council for the purpose of the Freedom of Information (Scotland) Act 2002. This case provides some useful guidance on determining whether information is held, or not, for the purposes of the Freedom of Information (Scotland) Act 2002.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact our team on 0141 229 0880.

Privacy v Freedom of Expression in the Court of Appeal

Last year, Mr Justice Arnold gave judgment in the interesting case of Ali & Aslam v Channel 5 Broadcasting. This case concerned the fly-on-the wall programme broadcast on Channel 5 called “Can’t Pay? We’ll take it away”; which follows the work of High Court Enforcement Officers as they enforce court orders relating to debt and housing matters. Mr Justice Arnold found Channel 5 to be liable to the Claimants in the sum of £10,000 each; holding that the Claimant’s rights to privacy outweighed the rights of Channel 5 in respect of freedom of expression and the public interest.

Both parties appealed to the England and Wales Court of Appeal; Channel 5 on the issue of liability and the Claimants on the grounds that the damages awarded were insufficient. In a judgment given on 16^th April 2019, the Court of Appeal (Irwin LJ, Newey LJ and Baker LJ) refused both appeals.

The Court of Appeal addressed the issue of liability first, before dealing with the appeal on quantum (the amount of damages awarded). The issue for the Court of Appeal was whether Arnold J had gone beyond what was justified in balancing the Claimants’ rights to privacy against Channel 5’s rights to freedom of expression; and as a consequence had made an error of law. The Court of Appeal held that Arnold J had taken “too narrow a view of what was in the public interest, effectively confining it to the High Court Process.” [74] The Court considered that Arnold J was wrong to conclude “that the publication of each specific piece of information in respect of which the Claimants had a legitimate expectation of privacy had to be justified as a matter of general public interest.” [74]

An interference with privacy which cannot be justified (logically or rationally) by reference to the public interest served by publication cannot be rendered lawful by editorial discretion. However, where there is a rational view by which publication can be justified in the public interest the courts should be slow to interfere, giving full weight to editorial discretion and knowledge.

Despite having some reservations about the treatment of the public interest issues in the judgment from Arnold J (in particular, the narrow approach taken to the public interests issues which arose), the Court refused the cross-appeal by Channel 5. The court had three principal reasons for doing so, set out in paragraphs 92-94 of its judgment. Those can be summarised as follows:

Arnold J was clearly well aware of the relevant legal principles set out in the applicable case law.
The Court of Appeal was satisfied that Arnold J was fully aware of the range of public interest issues raised in the programme; and
The Court of Appeal was satisfied that while another judge might have reasonably found against the Claimants, it was not unreasonable for Arnold J to have found in their favour.

Turning to the appeal on damages, the first ground of appeal advanced essentially amounted to one that the level of damages awarded to each Claimant did not reflect the scale and nature of the publication. The second ground is that the judge was wrong to take into account the publication of the postings by the Ahmeds when setting the awards of damages for the publications by the Defendant. The third ground is that the judge wrongly failed to take into account the impact of the programme on the Claimants’ children.

All three grounds of appeal in respect of quantum were refused by the Court of Appeal. In respect of ground 2, the Court of Appeal noted that “[i]t must be obvious that the distress attributable to the programme was reduced because a number of people within the Claimants’ community or network were already aware of the broad events from the postings”. In respect of ground 3, the Court of Appeal considered that Arnold J had taken into account t he potential impact on the Claimants’ children.

On ground 1, the Court of Appeal distinguished against damages awarded in the case of phone hacking and the present case. They did so on the basis that in t he hacking cases those responsible for the hacking knew full well what they were doing was illegal; however, in the present case Channel 5 had taken steps to ensure that they remained within the law; including obtaining expert legal opinion. Furthermore, in the circumstances it was appropriate for Mr Justice Arnold to make an award of damages in the round.

There is some helpful guidance from the Court of Appeal on the issue of quantum in respect of breaches of privacy in the media sphere. In assessing quantum it is possible to look at issues in the round and reach a global figure of damages, rather than awarding damages identifiable to each issue. Furthermore, damages for cases of this kind cannot be calculated mathematically. Finally, an appellate court should not seek to interfere with an assessment as to quantum unless the damages awarded are so high or so low as to be perverse.

Alistair Sloan

If you would like advice or assistance in connection with a privacy issue, or any other information law matter; contact Alistair Sloan on 0141 229 0880. You can also send him an E-mail.

Information Law Review of 2018

It does not seem as though it was a year ago since I sat down to write my review of Information Law in 2017 and to have a brief look ahead into 2018; but somehow we now appear to be in 2019. It was always going to be the case that 2018 was going to be a big year for information law; with the General Data Protection Regulation becoming applicable on 25^th May 2018. The 25^th May 2018 came and went without the millennium bug style apocalypse that seemed inevitable from the amount of sensationalist writing that was taking place in late 2017 and early 2018.

My review of 2017 started off with the English and Welsh High Court decision on vicarious liability for data protection breaches in Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113 (QB). This case rumbled on in 2018 and it was considered by the Court of Appeal. The Court of Appeal heard the appeal and (in remarkably quick time) dismissed the appeal. It is understood that Morrisons have sought permission to appeal to the Supreme Court and if permission is granted it is possible that it will feature in a review of Information law in 2019.

In February, the English and Welsh High Court issued an interesting privacy judgment when it considered an action for compensation arising out of “Can’t Pay? We’ll Take it Away’; a fly-on-the wall documentary following High Court Enforcement Officers in their work enforcing court orders relating to debt and housing cases. The Court had the tricky job of balancing the privacy rights of individuals against the rights of television companies in respect of freedom of expression; however, the High Court decided that the balance in this particular case fell in favour of the claimant’s privacy rights. The High Court’s decision was appealed to the Court of Appeal; looking specifically at the issue of quantifying the level of damages. That appeal was heard by the Court of Appeal in early December and should provide useful guidance on calculating damages in the privacy sphere.

Facebook, Cambridge Analytical and Aggregate AIQ all featured quite heavily in 2018 in terms of privacy and data protection matters. Facebook was served with a monetary penalty in the amount of £500,000 for breaches of the Data Protection Act 1998 and Aggregate AIQ was also the recipient of the first Enforcement Notice under the Data Protection Act 2018 (which was narrowed in scope by the Information Commissioner following an appeal by AIQ; which was subsequently dropped). Facebook lodged an appeal against the Monetary Penalty Notice with the First-Tier Tribunal (Information Rights) in November 2018. If and when a decision is reached by the Tribunal in respect of that appeal, it will feature on this blog.

Arising out of the same wide-ranging investigation by the ICO as the Facebook penalty and the AIQ Enforcement Notice was an Information Notice served on the United Kingdom Independence Party (UKIP), which was appealed to the First-Tier Tribunal (Information Rights). The Tribunal dismissed the appeal by UKIP in July.

In April there was yet another important decision from the English and Welsh High Court in respect of Privacy and Data Protection. A little over four years after the European Court of Justice decision on the Right to Be Forgotten in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT2 v Google; this represented the first decision of a UK Court in respect of the Right to Be Forgotten. An appeal was lodged in respect of this case and was due to be heard just before Christmas; however, it was reported that the case was settled on the day of the appeal.

The issue of compensation to identifiable third parties in the context of data protection breaches was considered by the English and Welsh Court of Appeal. This case adds to the helpful privacy and data protection case law emanating from the English and Welsh courts.

Another interesting development that we saw during the course of 2018 was a director being disqualified indirectly in connection with privacy and data protection matters. It does show that directors can be held personally liable for privacy and data protection transgressions of limited companies. This was underlined by the amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 which now enable the Commissioner to serve a monetary penalty on directors (and others associated with companies) in certain circumstances.

In Scotland, the Court of Session made new rules which should make appealing decisions of the Scottish Information Commissioner in respect of requests for environmental information more financially viable.

Litigation in respect information law matters in Scotland remains limited. The majority of litigation on these areas arises out of England and Wales. Perhaps in 2019, we will begin to see more litigation in Scotland on information law matters. Hopefully the new rules in the Court of Session will see more appeals in respect of the Environmental Information (Scotland) Regulations 2004 and hopefully the introduction of Group proceedings in the Court of Session through the Civil Litigation (Expenses and Group Proceedings) (Scotland) Act 2018 will help with an increase in data protection and privacy litigation in Scotland.

In terms of 2018 Scottish cases, not long before Christmas the Court of Session treated us to a judgment in an appeal concerning vexatious requests under the Freedom of Information Scotland Act 2002. Beggs v Scottish Information Commissioner considered the correct approach to be taken when applying section 14(1) of the Freedom of Information (Scotland) Act 2002.

Looking ahead to 2019; the big issue on the horizon is Brexit. Much of what is discussed on this blog as “information law” derives from European law and so Brexit will likely have an impact upon that. We are still unsure as to the terms that we will be leaving on. A withdrawal Agreement has been negotiated between the European Union and the United Kingdom; however, there is still a way to go with that – and it looks quite likely that the UK Parliament will rejected the Withdrawal Agreement in its current form. If we end up leaving with no Withdrawal Agreement in place then this will cause considerable difficulties for UK business which rely upon the transfer of personal data from elsewhere within the European Union; it will also cause problems for public bodies.

In terms of making the law work after Brexit, we were treated by the Government (in between Christmas and New Year) to a draft of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These Regulations will make changes to the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 in light of the United Kingdom no longer being a member of the European Union. I will, of course, look at these draft Regulations in more detail soon.

I will attempt to address information law matters as they unfold in 2019 on the Information Law Blog from Inksters Solicitors.

Alistair Sloan

If you would like advice or assistance with Privacy and Data Protection matters or with UK and Scottish Freedom of Information requests contact Alistair Sloan on 0141 229 0880 or you can E-mail him.

Compensation for identifiable third parties following a data breach

The subject of data protection has, once again, been visited by the England and Wales Court of Appeal. At the end of last week the Court (Gross LJ, McFarlane LJ and Coulson LJ) gave its judgment in an appeal brought by the Secretary of State for the Home Department and the Home Office against a decision of the England and Wales High Court in which it was found liable to three members of a family following a data breach.

The Factual Background
The facts as found proved by the court at first instance are more fully set out in the judgment of Mitting J ([2016] EWHC 2217 (QB)), but they can be summarised for the purposes of this blog post in the following way. The case concerns three members of a family TLT, TLU and TLV. TLT and TLU are married (but have different surnames) and TLU is the teenage son of TLT (sharing the same surname). In 2010 the family lawfully arrived in the United Kingdom. They claimed asylum. They were also jointed by an older child who was, in 2010, 17 years of age. Upon turning 18, he applied for asylum in his own right. His application fro asylum was rejected and he was returned to Iran in 2012. TLT and TLU heard from relatives in Iran that upon his return to Iran their son had been detained and tortured and subsequently released after paying a bribe.

On 15^th October 2013 the Home Office suffered a data breach when it accidently published more information than it had intended to concerning the family return process. It had intended to publish the statistics contained in the first sheet of a spreadsheet, but not the underlying data that was contained in a second sheet. The error was discovered on 28^th October 2013 and the spreadsheet was immediately removed from the internet. It was discovered that by the time the spreadsheet was removed at least one unknown individual had downloaded and saved the spreadsheet.

In November 2014 a person who had downloaded the page and the spreadsheet from the UK Border Agency’s website uploaded the spreadsheet onto a US website; this was later removed on 18 December 2013.

The personal data of TLT was included within the spreadsheet; in particular it included both his forename and surname, his nationality (Iranian), his date of birth and age. It also noted that “assisted return” was being pursued and stated that the removal case type was “Family with Children – Voluntary”. It further acknowledged that asylum had been claimed.

In March 2014, TLU received some communications from a family member in Iran. These communications advised that the Iranian authorities had detained another member of TLU’s family and questioned them about “you”. It was said that the authorities in Iran claimed to have documentation showing that TLT and his family had claimed asylum.

The issues on appeal
There were three issues on appeal:

Did the spreadsheet in question contain the private and/or confidential information?
Did the spreadsheet contain personal data of which TLU and TLV were the data subjects?
Even if the information in the spreadsheet did not contain the personal data of TLU and TLV, are they entitled to damages for the distress they have suffered under section 13 of the Data Protection Act 1998 in any event?

The first issue
This issue amounts to a common law tort in English law. At para 28 of the judgment of the Court of Appeal Gross LJ said that “this issue is short, straightforward and essentially one of fact.” Gross LJ had “no hesitation in concluding that the Home Office’s publication of the spreadsheet misused TLU’s and TLV’s private and confidential information.” [31] TLT was the lead family claimant and the detailed nature of the information concerning TLT as such meant that TLU and TLV “could readily be identified by third parties” and that they “had a reasonable expectation of privacy and confidentiality in respect of their information in the spreadsheet.” [31]

The second Issue
In terms of section 1 of the Data Protection Act 1998, personal data was defined as meaning “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.” The Data Protection Act 1998 was the domestic vehicle through which the United Kingdom implemented is obligations under Directive 95/46/EC (which has, of course, now been replaced by the General Data Protection Regulation, but is still relevant for the purpose of this case as that was the law in force at the time). Recital 26 of the Directive noted that the “principles of protection” should take account “of all the means likely reasonably to be used either by the controller or by any other person to identify the” data subject.

In the present case, limb (b) of the definition of personal data was met in relation to TLU and TLV. The Home Office had argued that the information contained in row 1101 of the spreadsheet (which concerned TLT) did not “relate to” TLU and TLV. This was rejected by the court with reference to the statutory language. [39]

The Home Office had also sought to rely on Durant v Financial Services Authority as a means of trying to limit the scope of personal data (and therefore its liability) in this case. However, Gross LJ held that Durant, when properly applied, “powerfully reinforces the case for TLU and TLV” [44] and that Auld LJ was simply stating “a broad, practical working assumption.” [42] There was nothing within Durant that enabled the Court to depart from the conclusions that they must reach in light of the decision by the Court of Appeal in Vidal-Hall v Google and the Supreme Court in Common Services Agency v Scottish Information Commissioner

Third Issue
In the circumstances, this issue did not arise and the court felt it best to leave resolution of it “to a case where a decision is required” on it. [48]

Comment
The appeal was therefore dismissed by Gross LJ on all three issues that were raised and McFarlane LJ and Coulson LJ simply agreed adding no further comments of their own.

This is an interesting, but not unexpected, decision from the Court of Appeal which will be binding on all lower courts in England and Wales and will be persuasive in Scotland. It is difficult to find fault with the approach taken by the Court of Appeal or the judge at first instance; indeed, this is very much the view of the Court of Appeal. It does make it clear though that it will be possible for data subjects not directly referred to within the compromised data arising out of a data breach to sue for damages in certain circumstances. The first instance case had become an important case when such situations arose and now that the Court of Appeal has confirmed the approach adopted by the first instance judge it is likely that we will see more claims of this nature being made.

The circumstances in the present case are fairly clear-cut, but not all situations where liability might arise will be as clear-cut. The GDPR is not going to have any real impact upon this position; the definition of personal data essentially adopts the same two-stage test as was to be found within section 1 of the Data Protection Act 1998. Therefore this pre-GDPR case will continue to be instructive in the post-GDPR world we now inhabit.

Alistair Sloan

If you require further information in relation any data protection or privacy law matter then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.

Crossroads: where data protection and freedom of information intersect

The laws relating to freedom of information and those relating to privacy and data protection often come into conflict with one another. One issue which arises often for those who are responsible for answering freedom of information requests is whether or not to disclose personal data of third parties which is caught up within the information that has been requested. This is an area that has been the subject of much litigation both under the Scottish and UK FOI laws; indeed, cases have gone from Scotland all the way to the UK Supreme Court (this might be because there are fewer levels of appeal to go through in Scotland and until very recently Scottish litigants did not need the permission of the Court of Session or the Supreme Court to take an appeal there).

One area which is perhaps the most contentious of all is where the personal data in question relations to civil servants. The generally accepted position has been that in most cases the personal data of junior civil servants will be redacted while personal data relating to senior civil servants is more likley to be disclosed. This position, however, is one that has never really had any scrutiny from the superior courts; that is until now. On 6^th April the Upper Tribunal (Administrative Appeals Chamber) made its decision in Cox v Information Commissioner and Home Office [2018] UKUT 119 (AAC). Judge Wikeley records that to the best of his knowledge Cox was “the first occasion on which the Upper Tribunal has had to consider in any depth the issue of the principles governing the disclosure of the names of individual civil servants in response to a request under FOIA.” [32]

In this appeal the Appellant, Mr Cox, is concerned with the development of Government policy and its application in relation to migration from the Horn of Africa. The Appellant made a request for information to the Home Office pursuant to his right of access to information within the Freedom of Information Act 2000. His request for information sought details concerning meetings between civil servants from the Home Office and government officials from countries within the region. In particular, the Appellant sought the dates of the meetings, names of all those who were present at the meetings and also the notes of such meetings.

There were two issues in the appeal, but this blog post only focuses on the first of those issues; that being the disclosure of the names of civil servants. The Home Office had refused to disclose the names of three civil servants who had formed part of the UK’s delegation to Eritrea in December 2014 (they were referred to as J, L and N during the course of the proceedings before the First-Tier Tribunal). The Information Commissioner had agreed with the Home Office and found that the Home Office had complied with the requirements of the Freedom of Information Act 2000 in withholding the names under section 40(2) of the Act.

The UK and Scottish provisions in respect of personal data are the same (although, in the Scottish Act the exemption can be found within section 38 of the Freedom of Information (Scotland) Act 2002). Personal data of third parties is exempt under FOI law where to release the personal data would amount to a breach of the data protection principles. When third party personal data is involved in an FOI request the sixth condition in Schedule 2 to the Data Protection Act 1998 comes into play. This condition requires there to be a balancing exercise undertaken between the rights of the data subject and the rights of the person who is seeking disclosure of the personal data.

In South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 (a case which involved the disclosure of pay scales within the Council in connection with matters concerning equal pay), Lady Hale observed that the sixth condition in Schedule 2 required that three discrete questions are asked and answered:

Is the data controller or the third party or parties who whom the data are disclosed pursuing a legitimate interest of interests?
Is the processing involved necessary for the purpose of those interests?
Is the processing unwarranted in the circumstances by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

The first hurdle for a requester to get across in seeking to have third party personal data, including the names of civil servants, disclosed under FOI laws is that they are pursuing a legitimate interest. It is clear from the authorities that there is no inherent interest in the release of civil servants’ names: “[t]here is no reason why the general transparency values underpinning FOIA should automatically create a legitimate interest in disclosure under the DPA.” [42] (see also Department of Health v Information Commissioner and Lewis [2017] EWCA Civ 374) What needs to be assessed is “the legitimate interests of the individual requester, and not the more abstract legitimate interests of the public at large”. [43] If the decision-maker, whether that be the public authority, commissioner or courts/tribunals, is not satisfied that there is no legitimate interest being pursued by the requester, then they do not need to go any further as the sixth condition would not apply (see the comments of Judge Jacobs giving the decision of the Upper Tribunal in Information Commissioner v (1) CF and (2) Nursing and Midwifery Council [2015] UKUT 449 (AAC) at paragraph 19 in particular).

When the personal data exemptions are in play they represent an exception to the general proposition that the FOI process is applicant blind (i.e. that the applicant doesn’t play a part in determining whether information ought to be released or not); other exceptions include, for example, the vexatious provisions and the aggregation provisions within the appropriate limit regulations. Judge Jacobs, at paragraph 30, in IC v CF & NMC (above) said that it “is impossible to apply paragraph 6(1) without having regard to the identity of the applicant, the interest pursued by the request and the extent to which information is already potentially available to the public.”

Each case will, of course, turn on its own facts. Many of the factors which go into determining whether third party personal data ought to be released is specific to the facts and context. However, I suggest that we can draw some clear principles from the case law to date:

When determining the legitimate interests part of the test; there is no public benefit legitimate interest – reference must be had to who is making the request and why they are making the request;
The balancing exercise required to be undertaken when applying condition 6 of Schedule 2 is not the same balancing exercise that is completed when undertaking the public interest balancing exercise;
FOI rights do not take precedence over privacy and data protection rights;
When it comes to the personal data of civil servants; there is no hard rule that the personal data (including names) of senior civil servants will always be disclosed and likewise there is no hard rule that the personal data (including names) of junior civil servants will always be redacted; it is a decision that is both fact-specific and context-specific

The decision in Cox is of course one that is not binding on the Scottish Information Commissioner, but it is binding upon the First-Tier Tribunal and the UK Information Commissioner. It essentially approves of the way in which public authorities and both commissioners have been handling these issues to date and so we’re unlikely to see anything change as to how the tension between FOI laws and the data protection laws is resolved.

The Data Protection Bill will (when it is finally passed and eneacted) amend both the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 to reflect the General Data Protection Regulation; the provisions look a bit unwieldy, but in reality they are unlikely to change very little in terms of day-to-day practice.

Alistair Sloan

If you require advice and assistance on any aspect of freedom of information or data protection and privacy law then you can contact Alistair Sloan on 0141 229 0880; alternatively you can contact him directly be E-mail. We have a Twitter account dedicated to information law issues , which you are welcome to follow.

NT1 and NT2: Forgetting past misdemeanors

The so-called ‘right to be forgotten’ (hereafter “RTBF”) is an often trumpeted aspect of the GDPR; it is an important right, but one that is rather more restricted in nature than is understood. The RTBF is not a new right within he GDPR, but has foundation within current data protection law and practice. On 13 March 2014, the Grand Chamber of the Court of Justice of the European Union gave its judgment in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (“Google Spain”), which it has popularly been said created a ‘right to be forgotten’. The court did not, in fact, grant a right to be forgotten; instead, the court required search engines, such as Google, to consider requests from individuals to have links to webpages concerning them de-listed from Google search results in certain circumstances.

Fast forward to 13^th April 2018, a little over 4 years since the decision in Google Spain, Mr Justice Warby handed down his judgment in NT1 & NT 2 v Google LLC [2018] EWHC 799 (QB); cases which both concerned the RTBF. NT1 and NT2 are both businessmen who were convicted of criminal offences. In respect of NT1, he was involved in a controversial property business in the late 1980s and the early 1990s (while in his thirties). In the late 1990s, while he was in his 40s, NT1 was prosecuted and convicted, after trial, of a criminal conspiracy connected with those business activities. He was sentenced to a period of imprisonment and his conviction has since become “spent”. In addition to the matters for which he was convicted, he was also accused of, but never prosecuted for, a separate conspiracy connected with the same business. Some of the businesses former staff were eventually convicted in relation to that separate conspiracy. There was media reporting of these and related matters at that time. Links to that reporting are made available by Google in its search results. On 28 June 2014, not long after the CJEU’s decision in Google Spain, NT1 made a de-listing request to Google in respect of six links. Google agreed to block one link, but not the other 5. Google stood by its position when NT 1 asked for them to reconsider their decision. In January 2015, a second de-listing request was made by NT1, this time through his solicitors. Google replied to that de-listing enquiry in April 2015, refusing it.

NT2’s case is quite separate from that of NT1; the two claims were tried separately, but were heard one after the other and involved the same judge and the same representation. NT2’s case has some similarity in terms of its facts and it raises similar issues of principle to that of NT1. While in his 40s and sometime in the early 21^st century, NT2 was involved in a controversial business which experienced public opposition in relation to its environmental practices. NT2 pleaded guilty to two charges of conspiracy in connection with that business. This was “rather more than ten years ago” [para 7]. NT2 received a short prison sentence and spent six weeks in custody before being released; his conviction also became spent. On 14 April 2015, NT2 made a de-listing request to Google in respect of 8 links. Google declined to de-list any of the links.

Ultimately, NT2 was successful in obtaining orders requiring Google to de-list while NT1 was unsuccessful.

Journalism, literature and art exemption

Google had, in its defence to these claims, sought to place reliance upon the exemption in section 32 of the Data Protection Act 1998, which relates to “journalism, literature and art”. Warby J deals with this aspect of Google’s defence to the claims by the claimants in paragraphs 95-102 of the judgment. Warby J ultimately rejected Google’s reliance upon section 32 holding that the exemption did not apply in the first place; but even if it did, Google would have failed to meet the part of the test which is contained in section 32(1)(b). Warby J accepted that the EU law concept of journalism was a broad and elastic one which went beyond simply the activities of media undertakings and incorporates other activities which have as their aim the disclosure to the public of information, opinions and ideas. However, Warby J concluded that “the concept [of journalism] is not so elastic that it can be stretched to embrace every activity that has to do with conveying information or opinions. To label all such activity as “journalism” would be to elide the concept of journalism with that of communication.”

In Google Spain the CJEU was sceptical as to whether the exemption in Article 9 of the Directive (which is implemented through section 32 of the Data Protection Act 1998) would apply to an internet search engine such as Google. Warby J noted that this observation by the CJEU was not integral to its decision in Google Spain; however, concluded that “it is true”. Internet Search Engines do not, in the view of Wraby J, process personal data “only” for the purposes of journalism, literature or art.

In considering section 32 of the Data Protection Act 1998 Warby J concluded that there is a subjective and an objective element to each of section 32(1)(b) and (c). In relation to section 32(1)(b) Warby J concluded that the data controller had to have a subjective belief that the publication of the personal data in question would be in the public interest and this belief must be objectively reasonable. In respect of section 32(1)(c), Warby J considered that the data controller must prove that it had a subjective belief that compliance with the data protection principle(s) engaged would be incompatible with the special purpose and that belief must be one which is objectively reasonable.

Warby J explained in his judgment that if he was wrong in his conclusion that section 32 was not even engaged in this case, that he would have still rejected Google’s reliance upon it concluding that Google would have failed when it came to considering the test in section 32(1)(b). There was no evidence, Warby J concluded, that “anyone at Google ever gave consideration to the public interest in continued publication of the URLs complained of, at any time before NT1 complained” [para 102]

Schedule 3 of the Data Protection Act 1998

Clearly a great deal of the personal data at issue in these claims, being personal data relating to criminal convictions, is sensitive personal data (see section 2 of the Data Protection Act 1998). In order for processing of sensitive personal data to be in compliance with the first data protection principle, which requires personal data to be processed fairly and lawfully, the data controller must be able to rely upon one of the conditions in Schedule 3 to the Data Protection Act 1998 (in addition to one of the Schedule 2 conditions). This is an area where Google had a great deal of difficulty.

Warby J rejected most of the Schedule 3 grounds that Google sought reliance upon (see paras 107-109). However, in paragraph 110 of his decision, Warby J, decides that condition 5 in Schedule 3 was satisfied: “that “the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.” In reaching this conclusion, Warby J relies upon the decision of Stephens J in Townsend v Google Inc [2017] NIQB 81. In Townsend, Stephens J concluded that as a consequence of the principle of open justice, when an offender commits an offence, even in private, he deliberately makes that information public (see para 65 of Townsend). In NT1 and NT2, Counsel for the Claimants, Hugh Tomlinson QC, takes issue with the conclusions of Stephen J and Counsel’s arguments are set out briefly by Warby J towards the end of paragraph 110. Warby J concludes that, in his view, that the reasoning of Mr. Tomlinson was not sound.

I must confess that I have a great deal of difficulty with the reasoning of Warby J and Stephens J on this point. I struggle to see how the commission of an offence by an individual amounts to them taking positive steps to make the information public. The conclusions of Warby J and Stephens J do not seem to me to fit with the statutory language in the Data Protection Act 1998 nor the language of the Directive which it implements. Warby J considered that the language in Article 8.2(e) of the Data Protection Directive is “obscure”. It seems to me that the language of the Directive is the complete antitheses of “obscure” and that section 32 does not adequately implement the requirements of the Directive in this regard. The only UK jurisdiction yet to grapple with this issue is Scotland. Neither the Northern Irish nor the English and Welsh court decisions are from appellate level courts. For the time being we have two first instance courts in two jurisdictions reaching the same conclusion; that will undoubtedly be considered somewhat persuasive by other first instance judges.

The balancing exercise

The court in Google Spain required a balancing exercise to take place between the rights within the European Convention on Human Rights to a private and family life (Article 8) and freedom of expression (Article 10). Following Google Spain the ‘Article 29 Working Party’ (soon to become the European Data Protection Board) issued guidance on the Google Spain decision. These guidelines provide helpful assistance, but do not prescribe the factors which are to be taken into consideration; it is acceptable to go beyond the factors in the guidance [para 135].

In respect of NT1, Warby J attached some weight to the conduct of the Claimant post-conviction; in particular, NT1 had caused to be published about him on the internet (by a reputation management company known in the judgment by the fictitious name of ‘cleanup’) misleading statements about his character and integrity: NT1 had been convicted of a substantial offence of dishonesty and had received a substantial prison sentence for that. This can be contrasted with NT2 who had not been convicted of an offence of dishonesty, had entered a plea of guilty and had shown remorse.

The contrast is an interesting one because while each case will inevitably turn on its own facts, it shows the kind of issues that the court is likely to take into consideration when balancing the competing Article 8 and 10 rights.

Interaction between the Rehabilitation of Offenders Act and the Data Protection Act 1998

The Rehabilitation of Offenders Act 1974 (“ROA”) differs in Scotland from what is in force in England and Wales; of course, these claims deal with the ROA as it applies in England and Wales. The differences in the substance of the Act do not, however, affect the principles which are in play when looking at the interaction between the ROA and data protection law.

The ROA creates a, somewhat limited, right to rehabilitation and Warby J concluded that this right to rehabilitation is an aspect of privacy law. Warby J concluded that “[t]he rights and interests protected include the right to reputation, and the right to respect for family life and private life, including unhindered social interaction with others.” Furthermore, Warby J concluded that “[u]pholding the right [to rehabilitation] also tends to support a public or societal interest in the rehabilitation of offenders.” Importantly though, the right to rehabilitation is a qualified right. As with most cases involving rights, the rights of the offender to rehabilitation do come into conflict with the rights of others, in particular their rights to information and freedom of expression.

As a starting point, a person who is party to legal proceedings held in public (such as the accused in a criminal trial) does not have a reasonable expectation of privacy. However, there may well come a point in time when they can have such an expectation. The ROA works to prevent the disclosure of certain criminal offences for which a person has been convicted after a specified period of rehabilitation. It does not, Warby J concluded, mean that in 1974 Parliament legislated for a right to privacy or confidentiality from the point at which the offence became “spent”.

The rehabilitated offender’s right to a family and private life in respect of a spent conviction will normally be a weighty factor against further use of disclosure of that information; however, it is not a conclusive factor. The “balancing exercise will involve an assessment of the nature and extent of any actual or prospective harm. If the use or disclosure causes, or is likely to cause, serious or substantial interference with private or family life that will tend to add weight to the case for applying the general rule.” [para 166]

Paragraph 166 of Warby J’s judgment is well-worth reading in full for anyone who is involved in balancing exercises of this nature.

At the end of the day, de-indexing (or de-listing) from internet search results does not cause the information to disappear completely. The effect that it has is to make the information more difficult to find. It will still be possible for a person, with sufficient determination, to discover and access the information. In the modern day world we are used to being able to put search terms into Google (and other search engines) and have millions, if not billions, of results returned to us in a fraction of a second. The search engines have developed algorithms which help to bring the content that is seemingly most relevant to the top of those results with the seemingly least relevant placed at the end of the long list of results. Information is much more readily available than it was in 1974; some might argue that cases such as NT1 and NT2 simply return the position back to something which more closely resembles 1974.

It is quite probable that we will begin to see cases like NT1 and NT2 arise more frequently. The qualified right to erasure within the GDPR has attracted a lot of attention and individuals are certainly more aware of ‘the right to be forgotten’. The GDPR arguably doesn’t take us forward from what was determined in Google Spain, but simply gives it a statutory basis as opposed to one that is derived mostly from case law. The qualified right to erasure within the GDPR is, as noted above, often overstated and this will inevitably, in the event that people seek to enforce it more frequently, lead to disputes between controllers and data subjects.

Alistair Sloan

Should you require advice or assistance about UK Data Protection and Privacy law then contact Alistair Sloan on 0141 229 0880. You can also contact him by E-mail. You can also follow our dedicated Twitter account covering all Information Law matters: @UKInfoLaw

Privacy v Freedom of Expression: ‘Can’t Pay? We’ll take it away’

Yesterday an interesting privacy judgment was handed down in the English High Court by Mr Justice Arnold. The Claimants, Shakir Ali and Shahinda Aslam, brought proceedings against Channel 5 Broadcast Limited (“Channel 5”) for breaching their privacy in using footage of their eviction in the defendants’ television programme, ‘Can’t Pay? We’ll take it away’.

‘Can’t Pay? We’ll take it away’ is an observational documentary series broadcast by Channel 5 which follows the work of High Court Enforcement Agents. The programme often features the evictions of tenants from residential premises by High Court Enforcement Agents and these agents pursuing debtors for the recovery of monies owed to their clients. At Paragraph 58 of his judgment, Mr Justice Arnold states that the production company “wanted to show how the process which courts provided for the enforcement of debts and the reclaiming of property from debtors and tenants actually operated within ordinary peoples’ lives. He particularly wanted to show how landlords and creditors could expedite enforcement by moving the process from the County Court to the High Court, and the effect of this.”

The Claimants argued that they had a reasonable expectation of privacy and that this had been breached. Meanwhile, the Defendants argued that the Claimants did not have a reasonable expectation of privacy. Alternatively Channel 5 argued that if the Claimants did have a reasonable expectation of privacy, that was defeated by the Defendants’ rights to freedom of expression when the two were balanced against one another. Channel 5 was responsible for selecting which enforcement actions that were filmed for the programme would actually appear in the television series.

On the day of the eviction, the Claimants were visited by two High Court Enforcement Agents; one of whom was in training and the other, Mr Paul Bohill, had more than 30 years’ experience as a High Court Enforcement Agent. Only the first claimant was in the property when the Agents, together with a television film crew, arrived at the property to effect the eviction. Certain information was supposed to be provided to those being filmed but the evidence proved that Mr Bohill actively prevented that information being given to the Claimants, even when the first claimant enquired about why it was being filmed. Mr Justice Arnold covers the events of the eviction of the claimants, in detail, in paragraphs 70 – 115 of his judgment.

On 17^th June 2015 the first claimant contacted the production company objecting to footage of his eviction being used in the television series. He was told that they [the production company] needed to get their facts straight with regards to his benefits, but that his objections would be passed onto Channel 5 who made decisions about broadcast.

At paragraph 169 of his judgment, Mr Justice Arnold states that in his “judgment the principal factors relied upon by the Claimants do lead to the conclusion that they had a reasonable expectation of privacy in respect of the information in question. The Programme was largely filmed in their home; it showed them being evicted without prior warning; it showed them in a state of shock and distress; it showed them being taunted by Omar Ahmed; and it was foreseeable that the broadcasting of the Program me would have an adverse effect on their children. I do not accept that the open justice principle means that the Claimants’ Article 8 rights were not engaged. Open justice means that Channel 5 was entitled to report the facts that the courts had made the Order for Possession and issued the Writ of Possession and in consequence the Claimants had been lawfully evicted; but what happened in their home on 2 April 2015 was not part of the proceedings. Nor do I consider that the broadcasting of the information was an inevitable consequence of the Claimants’ failure to comply with the Order for Possession. Nor do I accept that Mr Ali’s Article 8 rights were significantly weakened by his political activity. Mrs Aslam had not engaged in political activity at all. I accept that the Claimants, and their children, had already suffered damage to their privacy as a result of the Ahmeds’ postings on social media, but I do not accept that this meant that the broadcasting of Programme either could not or did not inflict further damage given the substantial scale and duration of the broadcasting.”

In respect of the argument advanced on behalf of Channel 5, that Mr Ali had consented to being filmed, Mr Justice Arnold states that the consent was not “true consent”, was “an agreement to participate under protest” and “was not fully informed agreement given that he was not told anything about the programme that was being filmed or who would broadcast it or about the body cameras.” (paragraph 177). In any event, Mr Justice Arnold held that “to the limited extent that he did give consent on 2 April 2015, he unequivocally withdrew that consent prior to the first broadcast of the Programme.” (paragraph 178).

Having found that the Claimants did have a reasonable expectation of privacy, it became necessary for the court to balance that against Channel 5’s rights to freedom of expression. There was no dispute that there was a genuinely held belief by the production company and channel 5 that the programme was in the public interest; however, there was a dispute between the parties as to whether that was enough or whether it had to be assessed objectively. Mr Justice Arnold concluded that it was clear that the court had to assess it objectively.

Channel 5 argued that “the programme addressed a number of matters of real public interest and concern: increasing levels of personal debt, and in particular rent arrears of tenants in privately-rented accommodation; the dependence of tenants on benefits, and in particular housing benefit; the effect of enforcement of writs of possession by HCEAs; and the consequences for both landlords and tenants. He further submitted that it was justified for Channel 5 to illustrate these matters by showing what happened to real people in real situations, because that was the best way to engage the public and stimulate debate.”

At paragraph 195, Mr Justice Arnold concludes that “the Programme did contribute to a debate of general interest, but…the inclusion of the Claimants’ private information in the Programme went beyond what was justified for that purpose…The focus of the Programme was not upon the matters of public interest, but upon the drama of the conflict between Omar Ahmed [the landlord] and the Claimants. Moreover, that conflict had been encouraged by Mr Bohill…”

Mr Justice Arnold ultimately concluded that when balancing the rights of the Claimants to a private and family life against Channel 5’s rights to freedom of expression, the balance came down in favour of the Claimants’ Article 8 rights. Each claimant was ultimately awarded £10,000 in damages.

This case raises a number of questions about similar style programmes regularly broadcast on television in the United Kingdom. It is possible that Channel 5 might face claims from others featured in ‘Can’t Pay? We’ll take it away’ arising out of the publicity that this judgment has received. Of course, Channel 5 might well decide to appeal the decision; however, in the meantime broadcasters who broadcast similar style programmes and the production companies who make them ought to reflect upon the decision in the meantime and take it into account when making decisions about programming content of that nature. It is clear that individuals in these situations do have a reasonable expectation of privacy. There will be circumstances where the broadcasters’ freedom of expression will defeat the privacy rights of the individuals; however, there will need to be a genuine attempt to cover matters of public interest. If it is simply for the prupose of entertainment, then broadcasters could find themselves being sued for breach of privacy if they do not have informed consent from the individuals featured (or do not take steps to protect the identities of those featured).

Alistair Sloan

If you would like advice or assistance in respect of a privacy/data protection issue or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.