For those of you still following the Prince of Wales correspondence veto saga, and who have access to law journals in print or online, you may be interested to read the casenote published in the latest issue of the Law Quarterly Review discussing the Court of Appeal judgment. The casenote is by 11KBW and Panopticon stalwart Chris Knight. The full reference is CJS Knight, ‘The Veto in the Court of Appeal’ (2014) 130 LQR 552.
If you breach your legal duties as regards personal data in your control, what might you expect to pay by way of compensation to the affected individual? The received wisdom has tended to be something along these lines. First, has the individual suffered any financial loss? If not, they are not entitled to a penny under s. 13 DPA. Second, even if they get across that hurdle, how much should they get for distress? Generally, not very much – reported awards have tended to be very low (in the low thousands at most).
All of that is very comforting for data controllers who run into difficulties.
That picture is, however, increasingly questionable. “Damage” (the precondition for any award, under s. 13 DPA) could mean something other than “financial loss” – other sorts of damage (even a nominal sort of damage) can, it seems, serve as the trigger. Also, provided the evidence is sufficiently persuasive, it seems that awards – whether under the DPA or at common law (negligence) – could actually be substantial.
These trends are evident in the judgment of the Court of Appeal of Northern Ireland in CR19 v Chief Constable of the Police Service of Northern Ireland  NICA 54.
The appellant, referred to as CR19, was a police officer with the Royal Ulster Constabulary. Due to his exposure to some serious terrorist incidents, he developed Post-Traumatic Stress Disorder (PTSD); he also developed a habit of excessive alcohol consumption. He left the Constabulary in 2001. In 2002, there was a burglary at Castlereagh Police, apparently carried out on behalf of a terrorist organisation. Data and records on officers including CR19 were stolen.
The Constabulary admitted both negligence and a breach of the seventh data protection principle (failure to take appropriate technical and organisational measures). The issue at trial was the amount of compensation to which CR19 was entitled.
Note the losses for which CR19 sought compensation: he claimed that, as a result of the stress which that data loss incident caused him, his PTSD and alcohol problems worsened, he lost out on an employment opportunity and that his house had been devalued as a result of threats to the property and the package of security measures that had been implemented for protection.
The trial judge heard evidence from a number of parties, including medical experts on both sides. He found some aspects of CR19’s evidence unsatisfactory. Overall, however, he awarded CR19 £20,000 (plus interest) for the Constabulary’s negligence. He did not expressly deal with any award under s. 13 of the DPA.
CR19 appealed, saying the award was too low. His appeal was largely dismissed: the trial judge had been entitled to reach his conclusions on the evidence before him.
Further, the s. 13 DPA claim added nothing to the quantum. The Court of Appeal considered the cases of Halliday (a £750 award) and AB (£2,250) (both reported on Panopticon) and concluded as follows (para. 24):
“In this case we have earlier recorded that three eminent psychiatrists gave professional evidence as to the distress sustained by CR19 as a consequence of the break-in. While accepting that the breach and its consequences in this case are of a different order to the matters considered in Halliday or AB, we conclude that the damages for distress arising from the breach of the Data Protection Act must be considered to be subsumed into the judge’s award which, while rejected as too low by the appellant, was by no means an insignificant award. The assessment took account of the distress engendered by the breach of data protection. We cannot conceive of any additional evidence that might be relevant to any additional damages for distress in respect of breach of section 4. Accordingly, we affirm the award of compensation made by the learned trial judge. However, in view of Arden LJ’s reasoning in Halliday, we conclude that the appellant must in addition be entitled to nominal damages of £1.00 to reflect the fact that there was an admitted breach of section 4 of the Data Protection Act.”
Whilst it is not strictly correct to read the CR19 judgment as affirming a DPA award for £20,000 (that award was for negligence), the judgment is nonetheless interesting from a DPA perspective in a number of respects, including these:
(i) While it was conceded in Halliday that nominal damage suffices as “damage” for s. 13(1) purposes, that conclusion looks like it is being applied more widely.
(ii) One problem in Halliday (and to an extent also in AB) was the lack of cogent evidence supporting the alleged damage. The CR19 case illustrates how evidence, including expert medical evidence, can be deployed to effect in data breach cases (whether based on negligence or on the DPA).
(iii) Unlawful acts with respect to individuals’ personal information can, it seems, lead one way or another to a substantial award. The DPA may aim to offer relatively modest awards (so said the Court of Appeal in Halliday), but serious misuse or loss of personal data can nonetheless be very damaging, and the law will recognise and compensate for this where appropriate.
Robin Hopkins @hopkinsrobin
The question of how far tribunals should go in terms of allowing evidence and submissions to be dealt with on a closed basis in FOIA appeals is one that looms large for all FOIA practitioners. Judge Nicolas Warren, the President of the First-Tier Tribunal (Information Rights) has now drafted and circulated to all FTT judges a checklist for dealing with closed proceedings under rule 14 of the Tribunal rules. Not being one to keep the public in the dark about such judicial guidance, Judge Warren has kindly agreed to the checklist being reproduced in full on the blog – see further below:
General Regulatory Chamber (Information Rights) – Rule 14 Check list
- Has Rule 14 been correctly applied so far? Should any closed material be made open?
- Is it necessary to hold part of the hearing in closed or do the closed written submissions suffice?
- Explain purpose of closed hearing to requestor.
- Ask requestor if there are any questions he or she particularly wants the Tribunal to put. If requestor legally represented then the questions should be in writing.
- Is the hearing recorded? If so, the closed session must also be recorded but separately and with the cd sealed and a note that it must not be opened with the permission of the Tribunal or the UT.
- During the closed session, keep a running note of anything new that is said which could properly be said in open session.
- At the conclusion of the closed session, agree with the representatives what is to be said to the requestor on return to open by way of:- (a) a gist of what must remain closed. (b)anything new that could have been said in open.
- In draft decision include an account of the procedure adopted and indicate what use if any was made of the closed material.
It is clear that this guidance is intended to increase the rigour and care with which tribunals approach the issue of closed hearings and, hence, to intensify compliance with natural justice principles. For further discussion of closed procedures in the information tribunal see further my previous posts on the Court of Appeal case of Browning here and here.
The Information Commissioner has today published his keenly anticipated guidance on ‘Data Protection and Journalism: A Guide for the Media’. The guidance has been published following a lengthy consultative process and in response to a recommendation made in the Leveson report. The guidance has much to say on the controversial subject of the journalistic exemption provided for under s. 32 DPA. As readers of this blog will know, section 32 largely disapplies the various obligations provided for under the DPA where the conditions provided for in s. 32(1) are met:
‘32(1) Personal data which are processed only for the special purposes [i.e. the purposes of journalism, literature and art] are exempt from any provision to which this subsection relates if—
(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,
(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and
(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.’
The guidance analyses these various conditions at some length. Below are some edited highlights, along with some initial commentary.
- Meaning of ‘Journalism’ – The guidance concludes that, following the ECJ’s judgment in the Satamedia case (Case C-73/07), the concept of journalism should be ‘interpreted broadly ’. Thus, ‘It will clearly cover all output on news, current affairs, consumer affairs or sport. Taken together with art and literature, we consider it is likely to cover everything published in a newspaper or magazine, or broadcast on radio or television – in other words, the entire output of the print and broadcast media, with the exception of paid-for advertising’(p. 29). However, it will also cover the activities of citizen bloggers, insofar as they relate to public interest journalism (p. 30). Moreover ‘non-media organisations may be able to invoke the exemption. If their purpose in processing the specific information is to publish information, opinions or ideas for general public consumption, this will count as a journalistic purpose – even if they are not professional journalists and the publication forms part of a wider campaign to promote a particular cause or achieve a particular objective. However, the information must be used only for publication, and not for the organisation’s other purposes’(p. 30).
- Processing data ‘only for’ special purposes – The guidance effectively assumes that traditional media organisations will typically meet this requirement in respect of their data processing activities. So far as non-media organisations are concerned, it posits that they will not be able to rely on the s. 32 exemption if, in addition to processing the data for journalistic purposes, the data ‘are also used for the organisation’s other purposes – eg in political lobbying or in fundraising campaigns – the exemption will not apply’ (p. 31). [Note - this obviously begs the question of whether there is any neat dividing line between campaign-led journalism (which the Commissioner seems to think falls within the scope of s. 32) and ‘political lobbying’. It also begs the question whether traditional media organisations may themselves be engaged in political lobbying as an integral part of their publication activities].
- ‘With a view to publication’ – The position adopted in the guidance is that, provided that the data processing is being undertaken with ‘the ultimate aim of publishing a story’, the s. 32(1)(a) requirement is fulfilled. The guidance goes on to state ‘In short, this means that the exemption can potentially cover any information collected, created or retained as part of a journalist’s day-to-day activities, both before and after publication. However, the exemption cannot apply to anything that is not an integral part of the newsgathering and editorial process’ (p. 31). [Note – as will be apparent the guidance seems to embody a very broad approach to s. 32(1)(a)].
- Balancing rights – The guidance repeatedly asserts that, when handling personal data in the media context, decision-makers should be weighing the public interest in publication/pursuing the story as against the privacy rights of affected data subjects. Thus, for example, on the subject of publication, the guidance states ‘Publication is likely either to be fair and to comply with the DPA or to fall within the journalism exemption if it can be shown that someone at an appropriate level considered whether the public interest in publication outweighed individual privacy in the circumstances of the case and can give good reasons for this view when challenged’ (p. 13, emphasis added). When specifically discussing the s. 32 exemption, the guidance states: ‘You must reasonably believe publication is in the public interest – and that the public interest justifies the extent of the intrusion into private life. You must also reasonably believe that compliance with the relevant provision is incompatible with journalism. In other words, it must be impossible to comply and fulfil your journalistic purpose, or unreasonable to comply in light of your journalistic aims, having balanced the public interest in journalism against the effect upon privacy rights.’ (p. 27 emphasis added and see pp. 33-34). The guidance invites a similar balancing exercise to be conducted as and when journalists/editors are deciding whether or not to notify a data subject about the fact that their data is being collected or, further, whether or not to collect data using covert means (p. 10). [Note - this analysis is likely to be regarded as particularly controversial. This is because it arguably marks a significant departure from the language of the s. 32 exemption, which on its face seems to presuppose that the focus of the analysis is simply on whether publication is in the public interest, with no balancing of that interest as against the privacy rights of data subjects].
- Responsibility for applying the public interest test – That said the guidance repeatedly states that, so far as the s. 32 exemption is concerned, it is journalists/editors and not the Commissioner who are responsible for deciding what is ‘in the public interest’. The Commissioner sees his role as testing whether the decisions of the relevant journalist/editor is reasonable, albeit that the guidance also states that he will not ‘disregard [the media’s views] lightly’ (p. 35).
- ‘Compliance incompatible with the special purposes’ – In his original draft guidance, the Commissioner suggested that, in order to invoke s. 32, it would have to be established that compliance with the provisions of the DPA would make it impossible to fulfil the journalistic purpose (see p. 30: ‘you must decide that the provision in question would stop you from doing your job’). The final version of the guidance states that, in order for reliance to be placed on the s. 32 exemption: ‘…it must be impossible to comply and fulfil your journalistic purpose, or unreasonable to comply in light of your journalistic aims, having balanced the public interest in journalism against the effect upon privacy rights’ (p. 27, emphasis added). The underlined section of the citation indicates a more flexible test than the ‘you cannot do your job’ test suggested in the draft guidance (see further p. 37).
The guidance also contains the following noteworthy conclusions:
- Notification – Where media organisations are gathering data about individuals they should as a matter of course notify them of this fact, unless this is not practicable or it would undermine the journalistic activity. In deciding whether or not to notify, consideration should be given to the level of privacy intrusion resulting from the processing (pp. 9-10).
- Covert methods – Covert methods should be used only where this is justified in the public interest, taking into account the adverse effects on the individual’s privacy. Even if covert methods have been used, once the data has been obtained the issue of notifying the data subject should be considered (p. 10).
- Data retention – Data should be retained for no longer than is necessary and, any data which is retained, should be regularly reviewed in order to assess its utility. ‘Contact details and background research are a vital journalistic resource, and you are likely to want to keep them for long periods or indefinitely, even if there is no specific story in mind at present. But you are ‘processing’ personal data just by keeping it, so you must comply with the DPA’ (p. 11). [This latter conclusion represents an important concession by the Commissioner that, in the context of journalism, data archives are likely to have an ongoing utility, even if they are not being actively deployed in the context of a current story].
- Confidential sources – The guidance makes clear that the subject access regime cannot be used to gain access to information identifying confidential journalistic sources. Indeed, it confirms that disclosure of such information is itself likely to amount to a breach of the DPA ‘in many cases’ (p. 16).
- Section 55 offences– The guidance states that, where you knowingly or recklessly obtain or disclose personal data without the consent of the relevant data controller, you may be committing a criminal offence under s. 55 DPA, even if your activities fall within the scope of s. 32. This is because the public interest defence available in respect of s. 55 offences holds you to a higher standard than the standard imposed under s. 32 (p. 10).
Finally, I should add that many of the principles identified in the guidance are likely to be subject to scrutiny and debate in the context of the ongoing Steinmetz v Global Witness case (discussed here), which is now before the Commissioner .
The Senior President of Tribunals, Sullivan LJ, has launched a consultation paper on altering the composition of the First-tier Tribunal (General Regulatory Chamber) in some Information Rights cases. With the support of GRC Chamber President, Judge Warren, it is proposed to remove the requirement that a judge sit with two non-legal members and allow the Chamber President flexibility to direct that certain cases be heard by a judge alone.
From the consultation document, it does not appear that the formal Composition Practice Statement will set out itself when non-legal members will be used, but the Chamber President’s anticipation is stated to be that a judge alone will be used in more procedural cases, such as whether the information is held, or time limit issues, or whether the cost of compliance limits are breached, or whether the information is readily accessible by other means. A single judge may also be used where the judge is already familiar with the evidence because of previous involvement with the case and all parties are content that a decision should be taken without a hearing. Other cases, and therefore questions of the balance of the public interest, will continue to be heard by a panel of three.
Consultation responses are to be sent by 3 October 2014.
The details of the questions, and the address for responses, can be found in the consultation paper here.
The introduction of the controversial draft Data Retention Regulations 2014 has already been discussed by my colleague Robin Hopkins in his excellent post last month. The Regulations now have the force of law, having come into force on 31 July 2014 – see the Regulations here. In his post, Robin made the point that, following the judgment in Digital Rights Ireland, there were two methods for curtailing the infringement of privacy rights presupposed by the existing communications data retention (CDR) regime: either cut back on the data retention requirements provided for under the legislation, so as generally to limit the potential for interference with privacy rights, or introduce more robust safeguards with a view to ensuring that any interference with privacy rights is proportionate and otherwise justified. The Government, which has evidently opted for the latter approach in the new Regulations, will now need to persuade a somewhat sceptical public that the safeguards which have been adopted in the legislation strike the right balance as between the protection of privacy rights on the one hand and the imperative to support criminal law enforcement functions on the other.
Notably, the Explanatory Memorandum issued with the Regulations itself constitutes a clear attempt to allay concerns that the safeguarding arrangements embodied in the legislation are insufficiently robust. Here are some edited highlights:
Meaning of communications data and its uses – ‘Communications data is the context not the content of a communication. It can be used to demonstrate who was communicating; when; from where; and with whom. It can include the time and duration of a communication, the number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made. It does not include the content of any communication: for example the text of an email or a conversation on a telephone. Communications data is used by the intelligence and law enforcement agencies during investigations regarding national security and, organised and serious crime. It enables investigators to identify members of a criminal network, place them in specific locations at given times and in certain cases to understand the criminality in which they are engaged. Communications data can be vital in a wide range of threat to life investigations, including the investigation of missing persons. Communications data can be used as evidence in court.’ (para. 7.1)
The need for legislation which mandates retention – Data needs to be retained by telecoms providers so that they can be accessed and used for criminal law enforcement purposes (para. 7.2). Absent mandatory retention requirements, there can be no guarantee that telecoms providers will themselves retain communications data for a sufficiently lengthy period time. This is because, in the absence of a mandatory obligation, telecoms providers may retain data for only a few months and indeed possibly only a few days, depending on their commercial needs. However, ‘many [criminal law enforcement] investigations require data that is older than the few months that data may be retained for business purposes, particularly in ongoing investigations into offences such as child abuse and financial crime’ (para. 7.3). This is why the original domestic CDR regime embodied in the Data Retention (EC Directive) Regulations 2009 mandated retention for a period of 12 months.
New safeguards – The new Regulations ‘effectively replicate the obligations on providers contained in the 2009 Regulations, and do not provide for the retention of any additional categories of communications data’ (para. 3.3). ‘These Regulations only differ from the 2009 Regulations in that they provide additional safeguards’ (para. 7.4). Two safeguards in particular are highlighted in the Memorandum.
- the 2009 Regulations imposed a blanket 12 month retention period where a relevant notice had been served on a telecoms provider. The new Regulations enable ‘different data types to be retained for shorter periods when appropriate’ (para. 7.4).
- the 2009 Regulations did not embody any statutory duty on the Secretary of State to consult providers prior to issuing a notice, although consultation was in practice undertaken. The new Regulations make prior consultation a statutory obligation (para. 7.4).
The following points are worthy of note in respect of the new ‘safeguards’ embodied in the Regulations.
- First and perhaps most significantly, the Regulations themselves do not purport to identify the types or categories of data which should to be retained for less than 12 months. They simply posit that 12 months is the maximum retention period (r. 4(2)). This leaves a significant question as to what types of data, if any, will ultimately attract a shorter retention period. The risk which is inevitably inherent in this type of open-ended legislative arrangement is that blanket, indiscriminate 12 month retention continues to be the norm.
- Regulation 5(1) requires the Secretary of State to take into account a variety of matters before issuing a retention notice, including not least the likely number of users who will be affected by the notice. However, such matters would presumably have been treated as relevant considerations as and when the Secretary of State was issuing a notice under the 2009 Regulations. Hence, it is not clear that this particular safeguard will add much of substance to the overall process.
- Similarly the requirement in r. 6 that the Secretary of State must keep any retention notice under review presumably merely codifies an obligation which was already implicitly present in the 2009 regime.
- Regulation 10 makes provision for a statutory code of practice on data retention to be issued by the Secretary of State. It is unclear whether this code may yet shed further light on how the Secretary of State intends to exercise her powers under this highly controversial legislation.
- More generally, there must be serious doubts that the safeguards embodied in the new Regulations are sufficient to meet the deep concerns expressed by the CJEU in the Digital Rights case. Of course it might be said that the real danger to personal privacy arises not in the context of the data retention regime per se but rather in the context of those legislative powers which permit the State to access any communications data which have been retained, most notably the powers provided for in RIPA. However, whatever position you may adopt on that particular line of argument, suffice it to say that the question of whether the State should be entitled, in effect, to create a vast reservoir of potentially accessible communications data still hangs in the balance, the new safeguards in the Data Retention Regulations notwithstanding.
Readers of this blog will already be familiar with the ways in which data protection legislation is assuming increasing importance in both the media and technology worlds. Certainly if there were any doubt as to the relevance of this legislation to the way in which both the media and technology companies operate, that doubt was firmly laid to rest following the highly controversial judgment of the CJEU in Google Spain. That judgment has led to extensive debates about the so-called right to be forgotten (as to which see here the recent ITN debate on Google Spain, in which I participated along withthe Information Commissioner and Google’s Spain’s Director of Communications for EMEA). However, the judgment was important, not only because of what it said about the right to be forgotten, but also because of the way in which it managed, in effect, to bring the data processing activities of a large US-based corporation, namely Google Inc, within the territorial scope of the EU Directive. In short, the Court held that personal data which is processed by a search engine operated by a US company is still protected under the Directive, particularly because the search engine is itself commercially supported by advertising which had been sold within Europe by EU-based subsidiary companies, including Google Spain.
The CJEU’s judgment in Google Spain has now been specifically relied upon in English High Court proceedings to support an application for service out of the jurisdiction, on Google Inc, of a set of proceedings brought under the Data Protection Act 1998 (DPA): Hegglin v Google Inc & Ors.
According to the Lawtel case report of the Hegglin judgment, Mr Hegglin is an individual who is resident in Hong Kong, but has previously lived in and retained closed connections with the UK. An anonymous person posted abusive and defamatory material concerning Mr Hegglin on a number of websites which were then indexed on Google. Mr Hegglin went on to bring proceedings against Google Inc under the DPA, including claims under s. 10 (right to prevent processing likely to cause substantial damage or distress) and s. 14 (right to rectification). He sought an injunction requiring Google Inc to block specific sites containing the allegations and a Norwich Pharmacal order was made. Relying specifically on Google Spain, Bean J held that service of the DPA proceedings could properly be effected on Google Inc. He also held that England was the appropriate forum for the dispute and was also suitable for the trial, particularly as the defamatory remarks risked damage to Mr Hegglin’s reputation in England.
Of course, this is not the first time that the court has permitted proceedings to be served on Google Inc under the DPA. In January 2014, the High Court held that proceedings for compensation under s. 13 DPA could properly be served on Google Inc in connection with its act of collating data from Google-users based in the UK: see Vidal-Hall v Google Inc  EWHC 13 (QB) (which you can read about here). However importantly, in Vidal-Hall, which was decided before Google Spain, Google Inc accepted that it was a data controller in respect of the data originating from the claimants’ browsers. It merely disputed that the data in question amounted to ‘personal data’ for the purposes of s. 1 (see paras. 121-122 of the judgment). Thus, territorial jurisdiction was not ostensibly in issue in Vidal-Hall.
What remains to be seen now is how far the Google Spain judgment will now also be relied upon as against other corporations which are based outside the EU but which use EU subsidiaries to provide commercial support for their activities.
In the usual end of term rush, the Court of Appeal has handed down judgment in Innes v Information Commissioner  EWCA Civ 1086 on the provision in section 11 FOIA which allows a requestor to express a preference for communication by a particular means, so long as it is reasonably practicable to give effect to the preference. The issue in Innes was that Mr Innes had requested certain school admissions information and had sent a further email shortly afterwards asking for that information to be supplied to him in Excel format. The ICO, the FTT and the Upper Tribunal had all ruled against Mr Innes, in part relying on the Scottish decision of Glasgow City Council v Scottish Information Commissioner  CSIH 73;  SC 125.
The Court of Appeal, however, took a different view. The judgment of Underhill LJ is surprisingly long, but can be quite quickly summarised. His initial reasoning was that provision of information in permanent form encompassed hard or electronic copies, but no more than that; what was sought was the right to choose the form of permanent form in which the information is provided, but FOIA gives no such right: at . However, Underhill LJ, with some hesitation (not shared by Longmore LJ), went on to accept that that was not the end of the matter. It was a natural use of English to describe the software format in which a copy of the requested information was provided as an aspect of its “form”. It naturally flowed that he could choose the format in which that electronic information was provided. The fact that a software format such as Excel was more than simply a means of presenting information did not mean that the format could not be described as an aspect of the form of the information. Such a reading fitted with the apparent philosophy of the Act. Citizens were given the right of access to public information at least in part so that they could make use of that information, and there was no countervailing policy consideration. A construction of the Act that made it easier for them to do so effectively was to be preferred: at -. No assistance was drawn from Hansard, the Glasgow case or the dataset amendments. The upshot is that, so long as the request is reasonably practicable and does not require the public authority to put the information into a new format or breach its licence conditions, a request to be supplied with information in a specific programme should be complied with.
The Court also took a non-technical approach to when the request was made. Underhill LJ accepted that the wording of section 11 meant that the request for the format must be made at the time of the information request, and could not be made later. However, it was also quite happy to construe the follow-up email of Mr Innes as further, replacement, FOIA request: at . It is not perhaps entirely to see how those two points are readily compatible, or least how the latter does not fundamentally undermine the former.
Mr Innes had also raised a section 16 complaint. Underhill LJ had some criticisms about the reasoning of the FTT – particularly about the approach it had adopted to what was a section 1 request and therefore what section 16 applied to – but accepted that on the material before it the First Tier Tribunal could not properly have found a breach of section 16 on the part of the Council, it having explained the information it had provided and offered to provide further explanations if required: at . Underhill LJ agreed that section 16 did not encompass assistance in explaining information which he had requested and which had been provided, providing that it was information supplied under section 1: at .
Edd Capewell appeared for the ICO.
Last month I penned a post on the issue of how the principle of natural justice can be reconciled with the use of closed procedures in FOIA appeals. The post was written against the backdrop of the Court of Appeal hearing of the appeal in the Browning case. Today the Court of Appeal has handed down its judgment. Mr Browning’s appeal was dismissed.
Before looking at the conclusions reached by the Court, it is important to understand the facts of the Browning case. Mr Browning is a highly regarded journalist. He sought access to information held by DBIS in connection with the application of the export licensing regime, particularly insofar as it had been applied to applications made by third party businesses for licences to export to Iran. The request was refused on an application of ss. 41 and 43 FOIA. The ICO upheld Mr Browning’s complaint about the refusal. However, on appeal to the FTT, and having considered further relevant evidence adduced for the purposes of that appeal, the ICO decided that it would switch sides and support DBIS’s case on appeal. As many operating within the FOIA field will know, it is not uncommon for the ICO to adapt his position in this way.
So far as the hearing itself was concerned, the FTT conducted part of the appeal on a closed basis. This meant that not only the public but also Mr Browning and his legal representative were excluded from part of the hearing. The FTT of course has express power to conduct FOIA appeals in this manner pursuant to rr. 35 and 5 of the FTT Rules. However, Mr Browning was not content with this arrangement and, whilst he did not apply to participate in the closed hearing himself, he did apply for permission for his counsel to participate. The application was made on the basis that Mr Browning’s counsel would give undertakings to the FTT not to reveal any closed material or evidence without the FTT’s permission. The application was made on the basis that this was the minimum derogation from the natural justice principle which should be tolerated by the tribunal.
Notably, the FTT does have power under r. 14(4) of the FTT Rules to permit such an arrangement. However, the FTT in Browning decided that the application should be refused. The FTT went on to hear evidence in closed session from a number of individuals in their capacity as representatives of businesses which had applied for licences permitting them to export to Iran.
It would appear that after the hearing went back into open session, the FTT explained in some detail the nature of the evidence given by the witnesses in closed session (“the substantive evidence”). However, the identity of the witnesses and information revealing the identity of the businesses they represented (“the identifying information”) was withheld. This was on the basis that the disclosure of such information would itself be highly damaging to the relevant businesses.
Of course, whilst in one sense Mr Browning’s position as a party could not be said to have been unduly prejudiced by the convening of the closed session, particularly because he was given a detailed account of the substantive evidence, in another sense, the prejudice was substantial: by being denied access to the closed session, neither Mr Browning nor his counsel had been able to challenge the evidence given by the witnesses through the process of cross-examination. Mr Browning’s concerns about this inability to cross-examine witnesses would appear to have been amplified in the present case because, in contrast with other appeals, where the ICO is effectively supporting the position adopted the applicant, in this case the ICO was supporting the position of DBIS. At the very least this caused Mr Browning to question whether the ICO would be as assiduous in testing the evidence in closed session as he would have been had he been supporting Mr Browning’s position. See further my earlier post on the general concerns which surround the use of closed procedures in FOIA appeals.
The FTT ultimately decided the appeal in DBIS’s favour. It is clear from the judgment that the evidence given in closed session played a determinative role in this context.
Mr Browning went on to appeal the FTT’s decision to refuse his application for counsel-only access to the UT. He lost before the UT. He then appealed the UT’s judgment to the Court of Appeal. The appeal was put on the basis of the following relatively narrow ground:
- the Tribunals Courts and Enforcement Act 2007 provides for a power to make rules to govern the procedures of the tribunal. However, pursuant to s. 22(4), that rule-making power must be exercised so as to ensure: (a) that ‘justice is done’ and (b) that the ‘tribunal system is accessible and fair’;
- the FTT rules, as applied in the FOIA context, are ultra vires s. 22(4). This is because endowing the FTT with a power to conduct closed procedures in the absence of the applicant’s representative (as to which see rules 35 and 5) produces the result that, in cases where representatives are excluded, justice is not done and the tribunal system is not accessible and fair.
Thus, the appeal was advanced solely on the issue of the vires of the rules. It was not argued on the ground that the FTT’s decision had been perverse on the facts of the case before it.
The Court of Appeal dismissed the appeal. Marice Kay LJ, who gave the leading judgment, held in short that the rules were on their face intra vires s. 22(4) and, further, that application of the principle of natural justice did not require a different result. In reaching this conclusion, the Court noted in particular relevant jurisprudence concerning the serious practical difficulties attendant on permitting counsel-only access in the context of closed procedures, including not least the House of Lords’ judgment in Somerville v Scottish Ministers  1 WLR 2734. The key paragraph of Marice Kay LJ’s judgment is paragraph 35:
‘35. The crucial task is to devise an approach, in the context of a specific case, which best reconciles the divergent interests of the various parties. In my judgment, the approach adopted in this case and originating in the [British Union for the Abolition of Vivisection v ICO and Newcastle University EA 2010/0064] case does precisely that, having regard to the unique features of appeals under FOIA where issues of third party confidentiality and damage to third party interests loom large. The features to which reference was made in the BUAV case – the expertise of the Tribunal, the role of the IC as guardian of FOIA etc – make it permissible to exclude both an appellant and his legal representative except in circumstances where the FTT
“cannot carry out its investigatory function of considering and testing the closed material and give appropriate reasons for its decision on a sufficiently informed basis and so fairly and effectively in the given case having regard to the competing rights and interests involved. ”
In associating myself with this formulation I am accepting that there are features surrounding a case such as this which merit the description of the procedure as being at least in part investigatory as opposed to adversarial.’
The net effect of the judgment is that counsel-only access can potentially be contemplated by the tribunal but only in those exceptional cases where the tribunal concludes that the lack of counsel’s participation means that the tribunal cannot do justice to the case.
It is at this point important to note that the case in Browning was mounted exclusively on the basis that Mr Browning’s counsel should be permitted access to the closed session. There was no suggestion that this was a case where use of a special advocate would be apt, although it is understood that the use of special advocates was discussed before the Court of Appeal. This is important because in many senses the special advocate system avoids the acute practical difficulties which go hand in hand with the use of counsel-only access. Moreover, the fact that certain cases may warrant use of a special advocate was specifically confirmed by the FTT in BUAV.
One suspects that, in view of the concerns expressed by the Court of Appeal in Browning on the subject of counsel-only access, the debate around achieving natural justice in the context of FOIA appeals will now start to focus more heavily on the use of special advocates. Of course the use of special advocates is costly, as was noted in BUAV. This will often mean that their deployment is disproportionate. However, there will nonetheless be cases where the importance of the issues at stake in the appeal and the lack of access to substantive evidence given in closed session create a powerful if not overwhelming imperative in favour of adopting the special advocate procedure. It will be interesting to see whether this is an argument which surfaces before the FTT in the near future.
11KBW’s Ben Hooper acted for the Information Commissioner before the Court of Appeal.