Facing justice: judgment against Facebook in privacy/data protection case

February 25th, 2015 by Anya Proops

The extent to which privacy and data protection rights can effectively resonate within the online environment is an acutely important issue for all information law practitioners. Moreover, it is an issue which seems to be gaining ever increasing traction in the litigation context, as is illustrated not least by the following developments.

  • As most readers of this blog will know, last year the CJEU sent shock waves through the information law community when it held, in Google Spain, that EU data protection legislation operated so as to enable the so-called ‘right to be forgotten’ to be asserted against Google. (That principle is due to receive further consideration from our domestic courts in the forthcoming case of Max Mosley v Google – see Robin’s post on the Mosley case here).
  • Then we had the judgment of the High Court in Vidal-Hall v Google, where the court concluded, in the face of a jurisdictional defence mounted by Google, that claims brought against Google concerning its tracking of the internet browsing habits of users could properly proceed. (An appeal against the High Court’s judgment in that case is due to be heard by the Court of Appeal on 2nd or 3rd March – the ICO is intervening in support of the claimants’ case).
  • Now the High Court in Northern Ireland has given judgment in an important case involving a compensation claim made against Facebook: CG v Facebook & Anor [2015] NIQB 11.

Key aspects of the CG judgment are as follows:

  • The claim was brought by a convicted paedophile in respect of a series of postings placed on Facebook by third parties, one of whom had been named as second defendant to the claims. The postings not only included data amounting to vituperative name-calling but also repeated incitements to violence in respect of the claimant.
  • The High Court held that Facebook was liable in respect of the postings, particularly on the basis that it had misused the claimant’s private information by failing to delete the postings after Facebook’s attention had been drawn to their existence.
  • The High Court rejected Facebook’s assertion that its liability in respect of the postings was excluded on an application of the Electronic Commerce (EC Directive) Regulations 2002. On this issue, the court held that: (a) the Regulations only immunise the relevant information society service (ISS) against liability if the ISS has no actual or constructive knowledge of the unlawful activity on its site or, if it has acquired that knowledge, it acts expeditiously to remove or disable access to the relevant information and (b) Facebook could not rely on the Regulations in the present case because, after being notified of the relevant postings, Facebook had failed to remove or disable access to them.
  • The second defendant, an individual who was responsible for one of the disputed postings, was liable for misuse of the claimant’s private information in his capacity as primary publisher. He was also liable for harassment under the Protection from Harassment Act.
  • As for the claim under the DPA 1998, which was brought only against Facebook and not against the second defendant, that claim could not proceed because, on an application of s. 5 DPA 1998, the claim fell outside of the territorial ambit of the legislation. (Notably no reference was made in this context to the CJEU’s approach to territorial ambit under the data protection Directive in the Google Spain case).
  • Whilst no DPA claim was pleaded against the second defendant, the court made the following points about the application of the journalistic exemption contained in s. 32 DPA:
    • The court noted that the Claimant had conceded that the second defendant’s activities in posting material on Facebook might about to ‘journalism’.
    • However, the court went on to conclude there was no scope for the second defendant to rely on the journalistic exemption contained in s. 32 DPA 1998. This was particularly because the second defendant could not have had any ‘reasonable’ belief that his publications were in the public interest for the purposes of s. 32(1)(b).
  •  The claimant was awarded £20,000 in compensation in respect of his claim for misuse of private information.

What is interesting and important about the CG judgment is that it reinforces the point that organisations which operate merely so as to facilitate online freedom of expression can no longer safely assume that they are always operating in the stratosphere, far above the mire of the privacy litigation battlefield. Instead, they must appreciate that those rights are sufficiently flexible and powerful that they can potentially draw such organisations firmly into the fray.

Anya Proops

PECR Thresholds a Substantially Distressing Nuisance of the Past

February 25th, 2015 by Christopher Knight

The Department for Culture Media and Sport has today announced that it is to amend the Privacy and Electronic Communications Regulations 2003 so as to remove the requirement that unlawful nuisance calls and texts are a source of “substantial damage or substantial distress”; that being the test which must be met in order for the Information Commissioner to impose a monetary penalty notice (“MPN”): section 55A(1) of the Data Protection Act 1998.

The plan, which was the subject of consultation (see my post here), is apparently to drop the substantial damage/distress limb altogether. Draft legislation has not yet been published, so we can’t comment on the precise way this is going to be done, or whether there are any other ramifications. But such legislation will have to come soon, because the plan is to implement the change from 6 April 2015. The change will radically increase the ability of the ICO to issue MPNs to the companies which routinely flout the provisions of PECR, but which cause limited distress.

DCMS has also trailed the, as yet unexplained, idea that “We’re also going to look at whether the powers the ICO have to hold to account board level executives for such behaviour are sufficient or we need to do more.” Not clear at the moment what is meant by ‘looking at’, and it may be that another consultation is on the way.

The Government’s announcement can be read here.

Update: The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 have now been published and do simply remove the damage/distress limb of the section 55A test when it applies under PECR. It also adds provisions permitting emergency alerts to be sent, placing a limit on the length of time that providers may retain the traffic and location data they process, unless the data is modified in such a way that the data cannot identify an individual or corporate body.

 

Christopher Knight

Quite like a whale

February 24th, 2015 by Peter Lockley

As my colleague Robin Hopkins has warned, the decision of the Upper Tribunal in Fish Legal looks like a pretty big beast: sixty pages on whether water companies are public authorities for the purposes of the Environmental Information Regulations, applying the CJEU’s lengthy ruling on the points of principle (for which, see this post by Chris Knight).

(If you just need the quick answer: yes they are, by virtue of having ‘special powers’, but not by virtue of being under the control of a public body. For the detail, read on.)

In fact, while it could never be classed as a minnow, on closer inspection Fish Legal is not the monster it first seems (see Part 1 of the judgment here and Part 2 here). Fifteen of those sixty pages are appendices. More importantly, the decision poses, but declines to answer, some wider questions. Although Mr Justice Charles was sympathetic to the Information Commissioner’s request for guidance on how to identify a public authority, he stopped short of laying down ‘broad general principles’ on the question (paras.95-97). He gave shorter shrift to the water companies’ request that he list all of their powers which fell within the definition of ‘special powers’– a request made, apparently, with a view to lobbying Parliament to rid the companies of those powers, and so save them from the burden of EIR (para.98).

And one would hardly have expected him to address the question with the widest ramifications: if water companies are public authorities by virtue of their “special powers”, what of the various other privatised industries? It is, of course, a very fact specific analysis. Anxious electricity chiefs, rail bosses, and telecoms honchos will just have to read the judgment and consider how the ‘special powers’ and ‘control’ tests would apply to their own particular circumstances (see para. 110).

 

Background

The UT had two issues before it: (i) whether the Information Commissioner had jurisdiction to decide whether a body was a public authority for the purposes of the EIR or FOIA (as he had purported to do), and therefore whether the UT itself had jurisdiction to hear the case, and (ii) whether privatised water companies in England and Wales are public authorities for the purposes of EIR, applying the principles set down by the CJEU following a referral from the UT (blog post here).

By the time of this, the second outing before the UT, the cast list had expanded significantly, bringing in several 11KBW counsel to join Anya Proops, who acted for the Information Commissioner before the CJEU. The Secretary of State was joined as a party and was represented by Julian Milford. The parties in two related cases, Cross v IC and the Cabinet Office and Bruton v IC and Duchy of Cornwall, were also invited to make submissions on the nature of the tests. Karen Steyn QC and Joseph Barrett appeared for Mr Bruton; Amy Rogers appeared for the Duchy. (Those cases will now go forward to be decided applying the Fish Legal principles.)

 

The jurisdiction issue

The Secretary of State argued that under s.57 FOIA, the First-Tier Tribunal only has jurisdiction over a decision notice issued by the Commissioner under s.50(3)(b) FOIA, and that the Commissioner had no jurisdiction to serve a decision notice on the issue of whether a body is a public authority. Section 50 is based on the premise that a request has been made to a public authority; these elements are anterior to the Commissioner’s jurisdiction and he has no authority to decide them within the framework of FOIA.

The UT rejected these arguments. It took the view that jurisdictional provisions are routinely based on certain assumed conditions, but this does not deprive the body in question of the jurisdiction to decide whether those conditions have been met. So the UT’s jurisdiction to hear an appeal on any point of law arising from a decision made by the FTT assumes that a decision has been properly made by a properly-constituted tribunal, but it does not mean that the UT cannot rule on whether those conditions are met in a given appeal (para 31).

The UT applied this reasoning to both a positive decision by the Commissioner that a body is a public authority, and a negative decision that it is not, even though the latter is not a decision notice under s.50(3) FOIA. To hold otherwise would mean that while a body could appeal against a positive decision, a requester would face the more expensive route of judicial review of a negative decision (para.37). Furthermore, the Commissioner would have no power under the similarly structured s.51 FOIA to require the information he needed to reach an informed decision that a body was not a public authority (para. 41).

After scrutinising the decision of the House of Lords in BBC v Sugar [2009] 1 WLR 430, the UT decided that there was nothing in the case that disturbed its conclusions on the point (paras.43-54).

The Commissioner therefore has jurisdiction to decide the issue, the FTT to hear appeals against his decisions and the UT to hear appeals against the decisions of the FTT.

The public authority issue

Two of the limbs of the definition of ‘public authority’ under the EIR were in issue. A finding that the companies fell within either would suffice to make them public authorities. (A little care is needed with the numbers of the provisions in question: Article 2(2)(b) of the Environmental Information Directive is transposed as Reg. 2(2)(c) of the EIR, and Article 2(2)(c) of the Directive as Reg. 2(2)(d) of the EIR.)

 

Persons performing public administrative functions – the ‘special powers’ test

The CJEU expanded on Art. 2(2)(b) of the Directive by explaining that persons ‘performing public administrative functions’ are

52 […] entities, be they legal persons governed by public law or by private law, which are entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and which are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law.

Only the parts underlined were in dispute in the case of the water companies, which clearly meet the rest of the test.

The UT declined to draw any conclusion from the fact that the CJEU had not seen fit to apply the principles to the facts of this case (paras. 99-100). It also rejected a suggestion that it should ask itself whether the companies’ powers were in the nature of State powers (as the Advocate General had suggested). That was because the definition of ‘State powers’ was unclear and ever-changing, and also because the CJEU had not adopted that test. In the end, however, the UT did adopt the State powers test ‘as a check’ – leaving the status of the test somewhat unclear (paras.113-117).

The main analysis focussed on the following powers of water companies:

Compulsory Purchase (under s.155 of the Water Industry Act 1991, “WIA”): this looks like a quintessential government power unavailable to ordinary citizens, but in fact the water companies enjoy the power at one remove: before exercising it they require authorisation by the Secretary of State, which they can apply for via a process set out in Schedule 11 to the WIA. Nonetheless, the provisions conferred a real, practical advantage on the water companies. Firstly, the application process afforded them privileged access to those advising the Secretary of State on whether to authorise a compulsory purchase. Secondly, it conferred significant commercial leverage on the companies in any negotiation to purchase land, even if they rarely resorted to it in practice (para 107).

Power to make byelaws (s.157 WIA): such byelaws  require confirmation from the Secretary of State, but as with compulsory purchase, the power still confers an advantage on the companies. The section confers power beyond that of any private landowner, since byelaws under s.157 can be backed by criminal sanctions, unlike a landowner’s licence. ‘Special powers’ extends to ‘special powers of enforcement’ (para. 110).

Power to lay pipes (s.159 WIA): this power was the subject of a detailed comparison with the powers ordinarily available under private law. The companies argued that the same powers could be acquired through a license or easement. While accepting that this was potentially so, the UT emphasised that private law typically requires consent of the parties to achieve such a result (through the law of contract or property). By contrast, the WIA gives the water companies effective power to compel this result (para.121).

Power to enter land (s.168 WIA): although there are powers within private law allowing entry to another’s land (eg self-help to abate a nuisance at common law), they are narrowly circumscribed (eg they require possession of neighbouring land). The water companies’ powers are both wider and deeper: they apply against any landowner in the company’s area of license, and they extend to surveying and even boring on the land (para.125).

Hosepipe bans (ss.76-76C WIA): these powers are unlike anything available at private law, and moreover are backed by criminal sanctions.

Since it was content that the companies enjoyed a cluster of special powers, the UT formally left open the question of whether one would have been enough (see para. 105). However its comment in conclusion that the powers mentioned were ‘sufficient, collectively in themselves and as examples of powers of the same type’ to meet the test (para. 130) suggests that some pattern of powers will probably be necessary before a body is considered a public authority.

 

Persons under the control of public authorities

The CJEU’s elaboration of Article 2(2)(c) set out the test for ‘control’ in the following terms:

68 […] this third, residual, category of public authorities covers any entity which does not determine in a genuinely autonomous manner the way in which it performs the functions in the environmental field which are vested in it, since a public authority covered by Article 2(2)(a) or (b) of the directive is in a position to exert decisive influence on the entity’s action in that field.

The test applies to the manner in which functions are performed, not the functions themselves: a body is not under control of the Government merely because its powers derive from statute (para. 133). There are two elements to the test: the body must (i) operate in fact in a non-autonomous manner, and (ii) do so because a public authority is in a position to control it (para. 134). In other words, although the public authority need not actually be exercising its powers of control, the existence of the powers must have a real constraining effect on the body in question (para.135). Furthermore, the test required the UT to look at the companies’ overall manner of performing their environmental services: it would not be enough to find control in ‘one or two marginal aspects of their business’ (para. 136).

As for prior authorities, Smartsource was simply no longer relevant: the task of the UT was to consider the issue afresh in the light of the CJEU’s ruling (para.137).

The UT was at pains to point out that ‘no legitimate business has complete freedom of action’: all operate in a framework of legal and commercial constraints. Something more is needed before one can say that they have lost their autonomy (paras 142-144).

The two counsel for the requesting parties sought to supply that ‘something more’ by advancing ‘macro’ and ‘micro’ examples of actual state intervention in the water industry: recommendations by the Secretary of State made on reviewing a Draft Water Resources Management Plan, and an enforcement notice issued by OFWAT in respect of the risk of sewer flooding in the Penketh area. These were dismissed as no more than ‘increased intensity of oversight at particular times and in respect of particular activities’ (para.148).

A list of potential interventions was also provided – an analysis of the Secretary of State’s powers under the WIA. Although these clearly put the Secretary of State ‘in a position to exert decisive influence’ over the water companies’ actions, they too were rejected as not demonstrating control. The UT’s first two reasons are a little puzzling. The first was that the powers are (to some extent) a substitute for the forces of competition, since water companies enjoy local monopolies (para. 151). This rather begs the question: the grant of a monopoly confers great power on a private entity, which needs to be limited in the public interest. Just because state control is a substitute for market forces, this does not stop it from being a form of control. The second reason was that ‘the risk of enforcement is at most only a marginal consideration for a reputable company’ (para.152). Really? Why then did OFWAT need to issue that enforcement notice for the Penketh sewers?

However, the UT went on to find that whatever the potential for intervention, the more basic aspect of the control test was not satisfied. Merely listing all the possible interventions distorted the picture of how the companies operate in fact, and only addressed the second element of the test. The UT’s overall conclusion on the control test was that ‘despite the extent to which there is scope to influence the companies’ decision-making on the way it delivers its services, the evidence does not show that that influence is actually exerted to such an extent that overall the companies lack genuine autonomy (para.153).

You might not have predicted this result if you had read the CJEU’s heavy hint on the question of control – see [71] of its judgment

The weight that the UT afforded to the companies’ status as ordinary private companies is one of the surprises of the judgment. And it will be one of the few points of comfort for other privatised utilities. Not many can be as heavily regulated as the water industry; perhaps they too can avoid at least this limb of the definition.

 

POSTSCRIPT: if you’ve come here from Robin’s post, you may be wondering what Lewis Carroll has to do with all this. Loyal reader (which you must be if you’ve got this far), your guess is as good as mine. Why is the section on the State powers test (paras. 113-117) headed ‘Hunting of the Snark’? Answers on an e-postcard please.

 

 Peter Lockley

 

 

 

Leviathan

February 23rd, 2015 by Robin Hopkins

Hot off the press: the Upper Tribunal has given its judgment in Fish Legal.

Applying the principles from the CJEU’s judgment of December 2013, it has held that the respondent water companies are public authorities for the purposes of the Environmental Information Regulations 2004, by virtue of their “special powers”.

The issues and facts are complex, and the judgment is lengthy. It also makes reference to Lewis Carroll, who now somehow appears in two consecutive Panopticon posts.

The judgment is contained in these two documents: FISH LEGAL UT DECISON PART 1 and FISH LEGAL UT DECISON PART 2.

Analysis  of the judgment will follow on Panopticon shortly (thus the barrister dreamed, while the bellowing seemed to grow every moment more clear).

Robin Hopkins

Down the Rabbit Hole – Late Reliance under FOIA

February 15th, 2015 by Christopher Knight

Says the White Rabbit in Alice in Wonderland, “Oh my furry whiskers, I’m late, I’m late, I’m late!” Although the application of FOIA may sometimes feel like Wonderland, the feeling it induces is normally more akin to turning up unexpectedly at the Mad Hatter’s Tea Party (although attributing FTT judicial figures to the characters of the Mad Hatter and the Dormouse is beyond me). But one thing that has, since Birkett v DEFRA [2011] EWCA Civ 1606, not generally proved very controversial is the question of late reliance on exemptions; the White Rabbit need have little fear. Birkett made clear that late (usually after the DN and in the course of litigation before the FTT) reliance on substantive exemptions is permissible, subject to case management powers, under the EIR. The unappealed equivalent decision under FOIA, Information Commissioner v Home Office [2011] UKUT 17 (AAC), has generally been assumed to be correct.

However, there is a generous ‘but’ involved, about which lawyers are second only to Sir Mixlot in their appreciation. Can one rely late upon an exemption in Part I of FOIA? There has been a conflict of FTT and Upper Tribunal authority on the point. Independent Police Complaints Commission v Information Commissioner [2012] 1 Info LR 427 had held that there could be late reliance on section 12. The Upper Tribunal in All Party Parliamentary Group on Extraordinary Rendition v Information Commissioner & Ministry of Defence [2011] UKUT 153 (AAC); [2011] 2 Info LR 75 expressed the clear, if obiter, view that section 12 was not in the same position as substantive FOIA Part II exemptions because it had a different purpose; section 12 is not about the nature of the information but the effect on the public authority of having to deal with the request. The scheme of FOIA was likely to be distorted, the Upper Tribunal held, if the authority could suddenly rely on section 12 after already having carried out the search and engaged with the requestor: at [45]-[47]. The APPGER approach was accepted by the FTT in Sittampalam v Information Commissioner & BBC [2011] 2 Info LR 195. There was at least a school of thought that the APPGER logic ought also to apply to section 14 (which, as was explained in Dransfield, is not properly an exemption at all: at [10]-[11]). Then, in Department for Education v Information Commissioner & McInerney (EA/2013/0270), Judge Warren firmly concluded that section 14 (and by implication section 12) could be relied upon late. I suggested at the time that the conflict of authority on the point might require appellate resolution, and Ms McInerney appealed on that basis (in partial reliance, it appears, on my blogpost: see at [22] of the UT judgment).

 The appeal in McInerney v Information Commissioner and the Department for Education [2015] UKUT 0047 (AAC) has now been determined by Judge Jacobs (who heard the Birkett and Home Office cases). It has definitively resolved that a public authority may rely on sections 12 or 14 for the first time before the FTT, subject to the case management powers of the FTT. Although the judgment of the Upper Tribunal is fairly lengthy, the key part of the analysis is fairly brief. Judge Jacobs considered the principles derived from Birkett overtook the reasoning in APPGER, that the discussion of principle in his Home Office decision applied equally to the Part I exemptions, that section 17(1) did not prevent late reliance, that there was nothing in section 12 to require a different answer, and that late reliance may be forced on a public authority for good reasons (such as the instant appeal): at [33]-[41]. The Upper Tribunal did not consider it necessary to review the various FTT decisions. If section 12 is relied upon before the FTT for the first time, it will be the FTT which has to review the reasonableness of the estimate: at [40]. The Upper Tribunal considered that the answer on section 14 followed naturally from the answer on section 12.

 The position now at least has the benefit of consistency. Requestors will doubtless continue to be extremely frustrated by public authorities who appear to change their position at the last moment (usually when lawyers have become involved), and the FTT does not appear to have been often exercising its powers to restrict late reliance, or to punish incorrect late reliance in costs. However, if an exemption is relied upon correctly, reaching the correct answer is important. Whiskers may soothed, pocket watches stowed away, and lateness need rarely be an issue.

 Also of some practical interest will be the discussion of Judge Jacobs on the interaction of sections 14 and 16. It might be thought difficult to see how the section 16 duty could really apply to a vexatious request (“we advise you to submit a request which is not vexatious” perhaps?). Judge Jacobs accepted at [55] that a request should not have to be dissected to see if it can be severed, because that would undermine the purpose of section 14, but that section 16 cannot be ignored. The circumstances might allow a public authority to extract one part to create a non-vexatious request: at [56]. This is a little hard to understand; it might be thought the better analysis would be that properly construed, that one part was not a vexatious request, and it is not clear whether section 16 adds much. He added that it is not for the FTT to apply section 16 to assist a requestor – only the public authority is obliged to do so: at [57]-[58].

 Andrew Sharland appeared for the DfE and Robin Hopkins appeared for the ICO.

 Christopher Knight

 

Keynote speaker announced for 11KBW Information Law Conference 2015

February 9th, 2015 by Panopticon Blog

We are delighted to be joined by Maurice Frankel, Director of the Campaign for Freedom of Information, who will giving the keynote address at this year’s conference on “FOIA: is this what we expected – and is it good enough for the future?”

The 11KBW Information Law Conference is being held on 19th March 2015. As well as providing an over-view of the key developments in the field of information law, the conference will cover a range of topical issues including: whether the law governing State surveillance is fit for purpose, the relationship between data protection and the media and whether, at 10 years old, FOIA should be seen a boon to or a burden on society.

Date: 19th March 2015
Venue: Royal College of Surgeons, 35 – 43 Lincoln Inn Fields, London WC2A 3PE
Cost: £99 + VAT (20%) = £118.80 to attend half day plus lunch £150 + VAT (20%) = £180.00 to attend full day. We are offering a EARLY BIRD DISCOUNT – 10% off if you book before 27th February 2015 on both half and full day places.

For more information on the conference agenda and details on how to book please click here

Local Offers

February 6th, 2015 by jamesgoudie

Section 30 in Part 3 of the Children and Families Act 2014 defines and prescribes the content of a “Local Offer”.  A local authority in England must publish information about the education and training, social care and health provision, for children and young people who have special educational needs or a disability, that it expects to be available in its area (or in some circumstances outside), whether or not it will be making that provision itself.  Schedule 2 to the Special Educational Needs and Disability Regulations 2014, SI 2014/1530, specify what information must be included in the Local Offer.  Mostyn J has considered these provisions in R (L & P) v Warwickshire County Council (2015) EWHC 203 (Admin).  He observed, at para 48, that Schedule 2 provides for a “very extensive range of information” to be published in the Local Offer, and referred to the “vast number” of people and bodies each local authority must consult before publishing its Local Offer and to the “huge range of information that must be referenced”.

Having referred to the statutory guidance, Mostyn J stated:

“51.       Although the prescriptions are extremely extensive it is important to understand that the requirement is no more than to publish information about what services are expected to be available.  Section 30 of the 2014 Act incorporates a publication obligation, no more, no less.”

At para 54, he said:

“…it must be very clearly understood what the purpose of the consultation is. It is about what appears in the Local Offer, which is a compendium of information. I remind myself of the words of section 30. The local authority has a duty to publish information about certain provision it expects to be available.”

At para 57, Mostyn J reiterated that the statutory consultation is about what the Local Offer should say about services to be provided, not about what services should be provided.  He dismissed the challenge to the fairness of the consultation.  He emphasized (para 59) that the Local Offer by its nature will always be subject to continuous updating; and, at para 77, approved the following submissions on behalf of the County Council:

(i) The development and publication of the Local Offer is, as the legislative framework envisages and the implementation guidance makes clear, intended to be an iterative process, subject to consultation and to be done in accordance with the new spirit of “co-production”. To update the website with further information on the Local Offer and to continue to do so as the Offer is refined and further developed is entirely lawful.

(ii) It is obviously not arguably unlawful for information to be published on the Council’s website by way of a link through to a partner’s website, for example with respect to the information on healthcare provision and SEN provision in schools.

James Goudie QC

The Algebra of FOIA

February 6th, 2015 by Christopher Knight

It is no matter of Euclidian geometry to say that where x + y = z, and z = 13, being told what y equals one need not be Pythagoras to establish the value of x. But what happens when z is in the public domain, x is absolutely exempt information under FOIA (because it is caught by section 23(1)) and the public interest otherwise favours the disclosure of y, which is not the subject of an exemption? Inevitably, the effect of disclosure is that the absolutely exempt information is also revealed. The Interim Decision of the Upper Tribunal in Home Office v ICO & Cobain [2014] UKUT 306 (AAC) was that the Tribunal had to consider whether it was appropriate to utilise the section 50(4) FOIA power so as not to direct disclosure. The issue may be formulaic, but the answer is not.

The application of section 50(4) has only previously received analysis in ICO v HMRC & Gaskell [2011] UKUT 296 (AAC), in which Judge Wikeley held (at [24]) that section 50(4) could be used so as not to require disclosure of information where it would be “unlawful, impossible or wholly impractical”. On the facts of Gaskell, section 50(4) was appropriate because since the request had been made the law had made disclosure of the information unlawful.

The Upper Tribunal has now exercised that decision itself in Home Office v ICO & Cobain [2015] UKUT 27 (AAC), in which Judge Wikeley held that the appropriate exercise of the section 50(4) discretion requires no steps to be taken (i.e. y need not be disclosed, even though section 1 FOIA entitles Mr Cobain to see it). The Upper Tribunal stressed that the application of section 50(4) should be rare, given the need to construe FOIA liberally, and use of it must be lawful in a public law sense. Judge Wikeley broadly endorsed the ICO’s ten listed factors as of potential relevance (although they will vary on the facts of each case): at [18]. He saw it as particularly important that the absolute exemption which would be undermined in this case was section 23(1), expressly drawn widely by Parliament and by contrast to section 24. Indeed, he accepted that section 23 “affords the widest protection”: at [29]. Judge Wikeley also considered the degree of public interest in the information, which he considered not to be especially high given the existing material in the public domain. He therefore agreed that section 50(4) should be applied so as not to require the Home Office to take steps to disclose the information.

It remains to be seen how often there really will be such issues in practice. The Cobain case appears to be the first of its type, although the Upper Tribunal recognised that it might occur under other class-based exemptions, such as sections 30, 35, 41 and 42. What may be more interesting is where different exemptions apply to x and y, one of which is absolutely exempt and one of which is subject to a qualified exemption. Is the algebraic problem a matter for the public interest balance in relation to y, or should it only be resolved at section 50(4)? Strictly speaking, one can see the analytical purity of considering the interest only in relation the specific information covered by y, but it is hard to imagine that the impact of disclosure in relation to x will not bleed across into the weighing. And if there has already been a public interest exercise, what room will there remain for it to be taken into account under section 50(4) – in such cases it would look a lot like double-counting. Perhaps we shall never know, and this may be what happens when the maths fox runs loose in the FOIA henhouse.

One brief procedural addition. The Upper Tribunal had, in ICO v Bell [2014] UKUT 106 (AAC), held that the Tribunal should usually explain that a Decision Notice was wrong in law and why, rather than substituting a new Decision Notice. Judge Wikeley was rather less convinced at the appropriateness or necessity of that conclusion (see at [40]-[42], and in particular the amusing and obvious implicit support given to the Tribunal’s castigation of Bell in Clucas v ICO (EA/2014/0006)) and happily availed himself of the crack left open by Judge Jacobs in Bell to substitute a new Decision Notice in this case. Given that it was a case using section 50(4), that seems a particularly sensible step. Doubtless a case will arise in which Bell can be reconsidered, and God bless all those who have to sail in her.

In the meantime, it is time for FOIA lawyers to get back to the calculators.

Christopher Knight

New Court of Appeal Judgment on handling of DNA materials by the police

February 6th, 2015 by Rupert Paines

The question of what uses can properly be made of DNA data held by the police is an acutely sensitive one. In X and Commissioner of the Police of the Metropolis and anor v Z (Children) and anor[2015] EWCA Civ 34, the Court of Appeal has held that, where such data is obtained by police in exercise of their search and seizure powers under Part II of PACE 1984, it may be retained and used only for the purposes of criminal law enforcement function. Thus, such data cannot be used, for example, in order to resolve issues of paternity in care proceedings before the family court.

The background to the appeal was that X had murdered his partner Y. In the context of care proceedings involving Y’s children, an issue had arisen as to whether X was in fact the biological father of the children. X, despite asserting that he was the children’s biological father, had refused to undergo DNA testing. In response to this refusal, the children’s guardian applied to the court for disclosure of certain DNA profiles held by the Metropolitan Police Service, particularly on the basis that those profiles could then be used to resolve the paternity issue. X objected to the disclosure. Importantly, the DNA profiles in issue had been derived from blood swabs taken by the police from the scene of the murder by the MPS under Part II PACE. It was common ground that the court could not order disclosure of those DNA profiles held by the police in exercise of their powers under Part V PACE (samples taken directly from persons). This was because there is a statutory prohibition contained in Part V of PACE which expressly prohibited the use of such materials other than for the purposes of criminal law enforcement. Munby P, who decided the case at first instance, concluded that the court had a discretion to order disclosure of the Part II DNA profiles and that the disclosure was justified, particularly in view of the Article 8 rights of the children. The MPS appealed, alongside the putative father. The Secretary of State appeared as intervenor.

The Court of Appeal allowed the appeal. It did so on the basis that the President’s approach could not be reconciled with the statutory scheme embodied in PACE, particularly when that scheme was read in a purposive manner and having regard to the Article 8 rights of those individuals whose DNA profiles were held by the police. In reaching this conclusion, the Court relied heavily on the judgment of the European Court of Human Rights in Marper, which itself highlighted the need for substantial controls around the handling of DNA data by the police.

Anya Proops and Sean Aughey acted for the MPS.

Rupert Paines

Googling Orgies – Thrashing out the Liability of Search Engines

January 30th, 2015 by Christopher Knight

Back in 2008, the late lamented News of the World published an article under the headline “F1 boss has sick Nazi orgy with 5 hookers”. It had obtained footage of an orgy involving Max Mosley and five ladies of dubious virtue, all of whom were undoubtedly (despite the News of the World having blocked out their faces) not Mrs Mosley. The breach of privacy proceedings before Eady J (Mosley v News Group Newspapers Ltd [2008] EWHC 687 (QB)) established that the ‘Nazi’ allegation was unfounded and unfair, that the footage was filmed by a camera secreted in “such clothing as [one of the prostitutes] was wearing” (at [5]), and also the more genteel fact that even S&M ‘prison-themed’ orgies stop for a tea break (at [4]), rather like a pleasant afternoon’s cricket, but with a rather different thwack of willow on leather.

Since that time, Mr Mosley’s desire to protect his privacy and allow the public to forget his penchant for themed tea breaks has led him to bring or fund ever more litigation, whilst simultaneously managing to remind as many people as possible of the original incident. His latest trip to the High Court concerns the inevitable fact of the internet age that the photographs and footage obtained and published by the News of the World remain readily available for those in possession of a keyboard and a strong enough constitution. They may not be on a scale of popularity as last year’s iCloud hacks, but they can be found.

Alighting upon the ruling of the CJEU in Google Spain that a search engine is a data controller for the purposes of the Data Protection Directive (95/46/EC) (on which see the analysis here), Mr Mosley claimed that Google was obliged, under section 10 of the Data Protection Act 1998, to prevent processing of his personal data where he served a notice requesting it to do so, in particular by not blocking access to the images and footage which constitute his personal data. He also alleged misuse of private information. Google denied both claims and sought to strike them out. The misuse of private information claim being (or soon to be) withdrawn, Mitting J declined to strike out the DPA claim: Mosley v Google Inc [2015] EWHC 59 (QB). He has, however, stayed the claim for damages under section 13 pending the Court of Appeal’s decision in Vidal-Hall v Google (on which see the analysis here).

Google ran a cunning defence to what, post-Google Spain, might be said to be a strong claim on the part of a data subject. It relied on Directive 2000/31/EC, the E-Commerce Directive. Article 13 protects internet service providers from liability for the cached storage of information, providing they do not modify the information. Mitting J was content to find that by storing the images as thumbnails, Google was not thereby modifying the information in any relevant sense: at [41]. Article 15 of the E-Commerce Directive also prohibits the imposition of a general obligation on internet service providers to monitor the information they transmit or store.

The problem for Mitting J was how to resolve the interaction between the E-Commerce Directive and the Data Protection Directive; the latter of which gives a data subject rights which apparently extend to cached information held by internet service providers which the former of which apparently absolves them of legal responsibility for. It was pointed out that recital (14) and article 1.5(b) of the E-Commerce Directive appeared to make that instrument subject to the Data Protection Directive. It was also noted that Google’s argument did not sit very comfortably with the judgment (or at least the effect of the judgment) of the CJEU in Google Spain.

Mitting J indicated that there were only two possible answers: either the Data Protection Directive formed a comprehensive code, or the two must be read in harmony and given full effect to: at [45]. His “provisional preference is for the second one”: at [46]. Unfortunately, the judgment does not then go on to consider why that is so, or more importantly, how both Directives can be read in harmony and given full effect to. Of course, on a strike out application provisional views are inevitable, but it leaves rather a lot of legal work for the trial judge, and one might think that it would be difficult to resolve the interaction without a reference to the CJEU. What, for example, is the point of absolving Google of liability for cached information if that does not apply to any personal data claims, which will be a good way of re-framing libel/privacy claims to get around Article 13?

The Court also doubted that Google’s technology really meant that it would have to engage in active monitoring, contrary to Article 15, because they may be able to do so without “disproportionate effort or expense”: at [54]. That too was something for the trial judge to consider.

So, while the judgment of Mitting J is an interesting interlude in the ongoing Mosley litigation saga, the final word certainly awaits a full trial (and/or any appeal by Google), and possibly a reference. All the judgment decides is that Mr Mosley’s claim is not so hopeless it should not go to trial. Headlines reading ‘Google Takes a Beating (with a break for tea)’ would be premature. But the indications given by Mitting J are not favourable to Google, and it may well be that the footage of Mr Mosley will not be long for the internet.

Christopher Knight