EU APPROVES FINANCIAL DATA TRANSFERS TO US FOR COUNTER-TERRORISM PURPOSES

July 28th, 2010 by Anya Proops

On 13 July 2010, the Council of Europe promulgated a decision whereby it approved an agreement between the EU and the US for the transfer of financial messaging data from the EU to the US, specifically for the purposes of the US’s Terrorist Finance Tracking Programme. The decision has now been published in the Official Journal for the EU. See further the Council decision dated 28 June 2010 confirming the signing of the agreement, which you can find here.

TOWARDS A TRUE SINGLE MARKET OF DATA PROTECTION

July 16th, 2010 by jamesgoudie

Viviane Reding Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship, made a speech entitled “Towards a true Single Market of data protection” at a Meeting in Brussels, on July 14, 2010.  In her speech she said that we need a comprehensive and coherent approach so that the fundamental right to data protection is fully respected within the EU and beyond. She put forward five proposals.

 First, individuals’ rights should be strengthened by ensuring that they enjoy a high level of protection and maintain control over their data. Individuals need to be well and clearly informed, in a transparent way, by data controllers – be it services providers, search engines or others – about how and by whom their data are collected and processed. They need to know what their rights are if they want to access, rectify or delete their data. And they should be able to actually exercise these rights without excessive constraints.

Secondly, the internal market requires not only that personal data can flow freely from one Member State to another, but also that the fundamental rights of individuals are safeguarded. Provided that all data protection guarantees are in place and properly applied, personal data should freely circulate within the EU and, where necessary and appropriate, be transferred to third countries. This requires a level playing field for all economic operators in different Member States. This is currently not the case: indeed, one of the main concerns expressed by businesses in recent consultations is the lack of harmonisation and the divergences of national measures and practices implementing the 1995 Directive.  Further harmonisation and approximation of data protection rules at EU level is needed.

Thirdly, the current rules on data protection in the area of police cooperation and judicial cooperation in criminal matters should be revised.  Derogations to general data protection principles should be limited. They should not go beyond what is necessary and proportionate in order to pursue objectives of general interest, such as the fight against terrorism and organised crime, or the need to protect the rights and freedoms of others.

Fourthly, personal data must be adequately protected when transferred and processed outside the EU. To that end, the current procedures for international data transfers, including in the areas of police cooperation and judicial cooperation in criminal matters, will be improved, strengthened and streamlined.

Fifthly, EU monitoring of the implementation and enforcement by Member States of the existing rules to guarantee that individuals’ rights are actually respected will be a priority; the role of data protection authorities should be strengthened; and data protection authorities should be provided with the necessary powers and resources to be able to properly exercise their tasks both at national level and when cooperating with each other.

James Goudie QC

RECENT TRIBUNAL RULINGS – RISKS FOR APPELLANTS

July 15th, 2010 by Anya Proops

The Tribunal has recently issued a ruling highlighting the dangers for a public authority if it submits an inadequately reasoned notice of appeal. In Westminster City Council v IC (EA/2010/0096), the Council had submitted a notice of appeal against the Commissioner’s decision notice within the 28 day time limit allowed for under rule 22 of the Tribunal Procedure (First Tier Tribunal) (General Regulatory Chamber) Rules 2009 (“the Rules”). However, the notice of appeal merely asserted that the Commissioner had erred in deciding that the EIR 2004 rather than the FOIA applied to the disputed information. The notice did not contain any grounds for this assertion. Thereafter, the Tribunal ordered the Council to provide grounds for its appeal. The Council was given a week to provide the relevant grounds. The Council missed that deadline. Moreover, it did so in circumstances where it had not notified the Tribunal that it needed an extension of time for lodging the grounds. The Council invited the Tribunal to overlook the three day delay in submitting the grounds. It alleged that the delay was due to staffing difficulties; the need to take legal advice; a failure to understand the tribunal procedures and a failure properly to record the date set by the Tribunal for submission of the grounds. The Tribunal refused to accept these arguments. It held that the Council was a large authority with a specialised in-house FOIA department; that an alleged lack of resources was not a valid excuse and that advice should have been sought at an earlier stage. Accordingly, the Tribunal refused to accept the grounds. There are two lessons to be derived from this ruling. First, an appellant which fails adequately to particularise its case in its notice of appeal or otherwise to follow up the notice promptly with fully reasoned grounds may well end up losing the right of appeal altogether. Second, where there are concerns that a tribunal deadline may be missed, the affected party should always consider notifying the tribunal of that fact and seeking an extension of time.

In a separate development, the Tribunal recently decided in Thackeray v IC (EA/2010/0088) that an appellant would not be allowed to proceed with his appeal in view of his refusal to provide the Tribunal with a postal address. Mr Thackeray had provided an email address in his notice of appeal but refused to provide a postal address, allegedly because he was concerned that he would face harassment if the address was disclosed. Mr Thackeray argued that provision of an email address was sufficient in order to meet the requirements of rule 22(a) and (c) of the Rules. The Tribunal decided that the notice of appeal would be invalid in the absence of the provision of a postal address. The Tribunal took the view that a postal address was a pre-requisite not least in view of: (a) the fact that parties may want, for reasons of security, to deliver documents directly rather than by email; and (b) a postal address would be required to protect the position of the other parties in the event that costs were awarded against the appellant. Unfortunately, neither of these rulings can at present be found on the Tribunal website.

NEW ICO CODE OF PRACTICE FOR PROCESSING OF PERSONAL DATA ONLINE

July 15th, 2010 by Robin Hopkins

The Information Commissioner has published a new Code of Practice explaining how the DPA applies in an online world, and offering ‘good practice’ advice for the collection and use of personal data through the internet.

The Code covers (among other things) application and payment forms, social networking sites, cookies and other personally-targeted marketing. It considers the difficulties of ‘non-obvious identifiers’ (such as IP addresses linked to devices rather than to individuals), cross-border data transfers by multinational or non-domestic organisations, and the practice of outsourcing the storage of databases to other web-based companies.

With the aid of examples from such contexts, the Code turns established principles into specific recommendations for internet businesses, including: avoid collecting personal data too early in the relationship or transaction with the user; only collect personal as far as is necessary; provide a clear explanation of how users’ personal data will be processed; ensure that employees only have access to customers’ personal data where necessary, and that this access withdrawn as soon as their employment ends.

Certain suggestions will be particularly welcomed by privacy campaigners: alert users to the security risks associated with ‘autocomplete’ forms; give users a simple option of declining to have their personal data stored and of disabling cookies or other trackers of their online behaviour, and make it easy for them to contact the data controller about how their personal data is being used.

STRENGTHENED POWERS FOR THE COMMISSIONER?

July 15th, 2010 by jamesgoudie

 

The European Commission has requested the UK to strengthen the powers of its data protection authority so that it complies with the EU’s Data Protection Directive. The Commission request takes the form of a reasoned opinion – the second stage under EU infringement procedures. The UK has two months to inform the Commission of measures taken to ensure full compliance with the Directive.

 

In the Commission’s view data rules in the UK are curtailed in several ways that leave the standard of protection lower than required.  The Commission is concerned about limitations upon the Information Commissioner’s powers, in particular that he cannot monitor whether third countries’ data protection is adequate, assessments which should come before international transfers of personal information, and he can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks. Also the Commission is concerned that Courts in the UK can refuse the right to have personal data rectified or erased, and that the right to compensation for moral damage when personal information is used inappropriately is also restricted.

James Goudie QC

PREPARATION OF WITNESS STATEMENTS – SOME DOs AND DONTs

July 12th, 2010 by Anya Proops

In a paper which I delivered at the 11KBW Information Law seminar in May 2010, I identified a number of tips designed to assist parties in preparing for hearings before the information tribunal – the paper can be found here. Very recently, the tribunal has handed down a decision which highlights the dangers to a public authority if it fails to ensure that any witness statements generated for the purposes of the tribunal hearing are sufficiently full and illuminating: Metropolitan Police Service v IC (EA/2010/0006).

The MPS case involved a request made to the MPS for disclosure of information as to how much money Croydon Police had spent on paying informants in the preceding three years. The MPS refused disclosure of the requested information relying on a range of exemptions, including s. 30 (criminal investigations) and s. 31 (law enforcement). The Commissioner upheld the applicant’s complaint against the refusal notice. In the course of the appeal to the tribunal, the MPS produced witness statements in support of its case on appeal. However, as it happened, the significant evidence given by these witnesses was only obtained through the process of cross-examination. The tribunal voiced serious concerns about the fact that the MPS had not included such evidence in its witness statements (which had been exchanged some time before the hearing) but had, instead, effectively ambushed the Commissioner by giving such evidence orally at the hearing. The tribunal noted that this was not the first time the MPS had adopted such a course in proceedings before the tribunal and that ‘there may be cost consequences for the MPS in future cases’ (see paragraphs 16-17). What this judgment highlights is the importance of generating witness statements which contain, so far as possible, the core evidential points upon which the authority wishes to rely in advancing its case. If parts of the evidence are highly sensitive, this does not justify withholding the evidence. Instead, it merely means that the authority should structure the witness statements so that any sensitive, confidential elements are dealt with in the closed statements (which are then considered in closed session.

The tribunal went on to hold that the disputed information was in fact exempt from disclosure under s 24 (the national security exemption – as to which see my earlier post below). The point to be noted here is that the case may never have come before the tribunal had the MPS: (a) identified that s. 24 was in issue at a much earlier stage; and (b) been full and frank with the Commissioner as to the reasons why the information was exempt under s. 24. 11KBW’s Ben Hooper was instructed on behalf of the Commissioner.

SECTION 36 REVISITED – DANGERS FOR THE PUBLIC AUTHORITY

July 12th, 2010 by Anya Proops

Section 36(2) FOIA provides for a number of qualified exemptions, all of which are essentially designed to ensure that disclosures under FOIA do not unduly prejudice the effective conduct of public affairs. The exemptions provided for under section 36(2) are somewhat unusual in that the question whether they are engaged turns upon whether a ‘qualified person’ has given a ‘reasonable opinion’ that disclosure of the particular information would or would be likely to prejudice or inhibit one of the particular matters provided for under s. 36(2) (e.g. it would inhibit the free and frank provision of advice or the free and frank exchange of views). In other words, it is the creation of the reasonable opinion which itself operates to engage the particular s. 36(2) exemption.

The application of s. 36(2) has caused some difficulties in practice. In particular, difficulties have arisen where the public authority has sought to rely on s. 36(2) in circumstances where the reasonable opinion was not in fact generated until sometime after the request was refused by the public authority. In the case of Roberts v IC (EA/2009/0035), the tribunal held that s. 36(2) will not be engaged in these circumstances. This is because, if the information was not in fact exempt at the time the refusal notice was sent out (i.e. because the relevant reasonable opinion was not in existence at that time), it cannot be rendered exempt ex post facto (i.e. as a result of a reasonable opinion having been created after the request has been responded to). See further my paper which examines the Roberts judgment which you can find here.

The restrictive approach to s. 36(2) adopted in Roberts has recently been approved in the case of Chief Constable of Surrey Police v IC (EA/2009/0081). Interestingly, the tribunal in this case went on to highlight the significant dangers for a public authority if it fails to keep a record of the opinion as and when it is reached. Following an earlier decision in University of Central Lancashire v IC (EA/2009/0034), the tribunal in the Chief Constable case effectively held that a public authority will struggle to rely on the exemptions afforded under s. 36(2): (a) if it does not keep a record of the opinion which has been reached and, further, (b) if, in the context of any record which it has made, it fails to identify the particular sub-sections of s. 36(2) which the qualified person has concluded are engaged. Notably, in reaching this conclusion, the tribunal confirmed that it was not the function of the Commissioner to speculate about or forage around for opinions which might have been reached by the qualified person where there was no good evidence that such opinions had in fact been formed at the time the request was being responded to (see in particular paragraphs 54-59 of the decision). 11KBW’s Akhlaq Choudhury appeared on behalf of the Chief Constable.

APPLICATION OF NATIONAL SECURITY EXEMPTION TO AIRPORT SECURITY INFORMATION

July 12th, 2010 by Anya Proops

As might be expected, FOIA contains a specific exemption designed to safeguard national security, see the exemption provided for under s. 24. In essence, the s. 24 exemption is engaged if the exemption ‘is required for the purposes of safeguarding national security’. Perhaps somewhat surprisingly, the section 24 exemption is a qualified exemption (see s. 2(3) FOIA). This means that, even if the exemption is required in respect of particular information to safeguard national security, the information may still be disclosable on an application of the public interest test provided for under s. 2 FOIA. In Kalman v IC & Department for Transport (EA/2009/0111), the Tribunal was for the first time called upon to consider the substantive application of s. 24 (i.e. how it applied to specific information – cf. Baker v IC & Ors EA/2006/0045, where the tribunal considered the application of the national security exemption in the context of the duty to confirm or deny whether the information was held). The Kalman case involved an application for disclosure of information relating to airport security arrangements. The DfT refused to disclose the information on the basis that there was a real risk that the information, if disclosed, would be exploited by terrorist organisations. The Commissioner largely rejected Mr Kalman’s complaint against the DfT’s decision. Mr Kalman appealed to the Tribunal. There were two issues at stake in the appeal. First, whether s. 24 was engaged in respect of the disputed information and, second, if it was engaged, whether the public interest balance nonetheless weighed in favour of disclosure.

During the course of the hearing, the DfT conceded that some of the disputed information could be disclosed, not least because it was already effectively the stuff of public knowledge. The Tribunal went on to hold that there was other information which ought to have been disclosed for much the same reason. With respect to the remainder of the information, the tribunal accepted that s. 24 was engaged and that the public interest weighed in favour of maintaining the exemption. Notably, the tribunal held that the nature of the risk posed by the disclosure was so serious in this case (i.e. potential significant loss of life due to terrorists exploiting weaknesses in the airport security system) that, even if the risk was relatively slight, there would have to be an extremely strong public interest in disclosure to avoid the information being lawfully withheld. In reaching this conclusion, the tribunal adopted a similar analysis to the one which it had previously adopted in PETA v IC & Oxford University (EA/2009/0076) (case involving the application of the health and safety exemption in a case involving risk of attack by animal extremists).

DATA PROTECTION IN EUROPE – JUDGMENT IN BAVARIAN BEER

July 2nd, 2010 by Anya Proops

On 29 June 2010, the European Court of Justice handed down an important judgment on how provisions within EU law which permit access to documents held by EU institutions are to be applied where the documents contain third party personal data – European Commission & United Kingdom v Bavarian Lager (Case C-28/08 P). The case involved an application for disclosure of a document held by the European Commission which recorded discussions on the application of certain beer import restrictions within the UK. A number of individuals were identified by name in the document. The application for disclosure was made by Bavarian Lager under EU Regulation 1049/2001 (the Access Regulation). The Access Regulation is designed to facilitate public access to documents held by EU institutions with a view to increasing their transparency and accountability. Importantly, like FOIA, the Access Regulation is, on its face, motive-blind (i.e. it does not require the applicant to establish a legitimate reason for accessing the information). The Commission provided the requested document, save that it redacted the names of certain individuals identified in the document. The key issue which arose in the case was whether, in deciding whether to release the names of the individuals in question, the Commission had been entitled to take into account whether Bavarian Lager had established that it had legitimate interests in receiving this particular data.

The Court of First Instance (now ‘the General Court’) held that: (a) particularly having regard to the motive blind nature of the Access Regulation, the Commission had erred in taking into account Bavarian Lager’s interests in receiving the information and (b) the names should be disclosed. On appeal by the Commission, the ECJ overturned the CFI’s judgment. In summary, the ECJ reached the following conclusions on the appeal:

(1)   the CFI had erred because it had failed to have due regard to the way in which the Access Regulation effectively deferred to provisions contained in other EU legislation, particular Regulation 45/2001 which is specifically concerned with protecting individuals with regard to the processing of their personal data by EU institutions (“the DP Regulation”);

 

(2)   the DP Regulation itself required consideration of the question of whether the applicant had a legitimate interest in receiving the particular personal data;

 

(3)   accordingly, the Commission had not erred when it decided that Bavarian Lager had not established a legitimate interest in receiving the personal data contained in the documents;

 

(4)   the data had been lawfully withheld by the Commission.

11KBW’s Jason Coppel appeared on behalf of the United Kingdom.

PUBLIC SECTOR EARNINGS – MORE INFORMATION

July 2nd, 2010 by Timothy Pitt-Payne QC

The Cabinet Office has now published details of quango employees earning more than £150,000.  The information has been added to the list-  published at the beginning of June – of the highest earning senior civil servants, and the consolidated list is available here.  According to the Cabinet Office website, information has been withheld for 24 individuals:  there is no explanation as to whether this was simply because the individuals objected, or for other reasons. 

Further information about special advisers was published on 10th June, including a list of those earning more than £58,200 a year (sadly,  Tamzin Lightwater does not appear).