Legislative process

November 18th, 2015 by jamesgoudie

As is well known, Section 35 of FoIA creates a class-based exemption from disclosure designed to protect the effective formulation of Government policy; and Section 36 creates an exemption related to effective conduct of public affairs.  The scope of the Section 35 exemption is that information may be exempt if it relates to the formulation or development of Government policy.  However, the wide scope of the exemption is narrowed by the provision that once a decision as to Government policy has been taken statistical information used to provide an informed background to the decision is no longer exempt.  Moreover, in determining whether the public interest in maintaining the exemption outweighs the public interest in its disclosure, regard must be had to the particular public interest in the disclosure of factual information that has been used, or is intended to be used, to provide an informed background to decision making.

FoIA of course is domestic legislation.  What is the position if the legislative proposal is at EU level and the information is held, not by a UK Government Department or the Welsh or Northern Ireland Assembly, but by the EU Commission?  That was the issue that arose before the EU General Court in Joined Cases T-424/14 and T-425/14, Client Earth v European Commission, in which Judgment was given on 13 November 2015.

That was an environmental case.  It was brought by Client Earth, a non-profit organisation whose aim is the protection of the environment.  The case was concerned with Impact Assessments.  There are of course specific rules at EU and UK level relating to disclosure of environmental information.  Client Earth sought the annulment of two Commission decisions refusing, whilst its decision-making processes were still ongoing, to grant access to Impact Assessment.  The refusals were upheld by the Court.  The access was not sought pursuant to the specific rules on environmental information.  The position was governed rather by EU Regulation1049/2001.  The Regulation provides that decisions by EU Institutions such as the Commission should be taken as openly as possible.  The fullest possible effect should be given to the right of public access to documents of the Institutions.

However, there are exemptions, to be interpreted strictly, under the Regulation.  These include where it can and should be inferred that disclosure of the document would seriously undermine the Institution’s decision-making process, unless there is an overriding public interest in disclosure.  This exemption was held to apply.

The basis of the Court’s decision was that, in the context of the preparation and development of policy proposals, including proposals for legislative acts, at an early and sensitive stage, the Commission may rely on grounds of a general nature relating to the need to preserve its “thinking space”, room for manoeuvre, and independence, the need to preserve the atmosphere of trust during discussions, and the risk of external pressures liable to affect the conduct of the ongoing discussions and negotiations. The Commission was therefore, in the Court’s judgment, entitled to presume, without carrying out a specific and individual examination of each of the documents connected with an Impact Assessment, that the disclosure of those documents would, in principle, seriously undermine its decision-making process for developing a policy proposal, for so long as it has not made a decision to adopt or abandon the proposal.

James Goudie QC

Multi-billion dollar actions for inaccurate personal data?

November 4th, 2015 by Robin Hopkins

Data protection has developed a curious habit of churning up heroic (or anti-heroic, depending on how you view it) figures who take on global behemoths to surprising effect. Maybe I am being too dramatic, but think of Mario Costeja González, the complainant at the heart of the Google Spain ‘right to be forgotten’ case, and Max Schrems, whose litigation has thrown Safe Harbor and transatlantic data transfers into turmoil.

If we maintain a transatlantic gaze, another such figure comes into view. On Monday of this week, the Supreme Court of the United States heard argument in the case of Spokeo Inc v Thomas Robins. Mr Robins – the potential David in this important new David v Goliath episode – is at the forefront of litigation against the ‘people search engine’ Spokeo (see Anya’s earlier post here).

The profile Spokeo compiled about him said he was a graduate, a professional in his 50s and a married man with children. Hardly defamatory stuff, except that none of it was correct. He did not establish that these errors caused him any financial loss, but he seeks damages for the publication of factually incorrect information about his life.

So what, you say? Well, consider the Amicus Briefs put before SCOTUS by Ebay, Facebook, Google and Yahoo. They all say that this is a very big deal. They point out that, as major global tech innovators, they are exposed to numerous federal and state laws which contain statutory damages provisions for private causes of actions. If standing is granted for “no injury” lawsuits “plaintiffs may pursue suits against amici even where they are not actually harmed by an alleged statutory violation, and in certain circumstances, seek class action damages that could run into the billions of dollars”.

The issues in Robins (should you be compensated for mere breaches or for ‘digital injuries’?) resonate with live issues before the courts in the UK: can you be compensated under the Data Protection Act 1998 for mere distress (see Vidal-Hall v Google, en route to the Supreme Court)? How should one compensate for privacy violations (see Gulati, on which the Court of Appeal’s judgment is awaited)?
Regardless of whether Mr Robins emerges as a Goliath-slayer, his case adds to the law’s increasingly intense scrutiny of global tech companies whose stock in trade is personal data.

Robin Hopkins @hopkinsrobin

FOI and Article 10: life after Kennedy (and Kenedi)

November 4th, 2015 by Robin Hopkins

The right to freedom of expression under Article 10(1) of the European Convention on Human Rights includes “freedom… to receive and impart information and ideas without interference by public authority”. Does that mean that there is a human right to freedom of information?

The question has haunted the courtrooms of the UK and other EU member states in recent years. In England and Wales, the last domestic word has been Kennedy v Charity Commission [2014] UKSC 20. The answer in Kennedy was ‘no’: Article 10 ECHR does not impose a positive, free-standing duty on public authorities to disclose information upon request.

That is not, however, the final word. Kennedy is to be heard by the European Court of Human Rights in Strasbourg – but the case has been stayed. This is because the Grand Chamber accepted another case raising essentially the same question.

The case is Magyar Helsinki Bizottság v Hungary (18030/11). The applicant, a human rights NGO, asked police forces to disclose information about ‘public defenders’, i.e. defence counsel appointed in criminal proceedings. The police forces refused, and the Hungarian court refused to order disclosure. The applicant complains that the refusal interferes with its rights under Article 10.

The case Bizottság was heard by the Grand Chamber today.

The UK government was an intervener. It urged the Court to conclude that Article 10 ECHR does not create a right to receive information from a public authority, in accordance with a line of authority (Leander v Sweden (1987) 9 EHRR 433, Gaskin v United Kingdom (1990) 12 EHRR 36, Guerra v Italy (1998) 26 EHRR 357 and Roche v United Kingdom (2006) 42 EHRR 30).

The Hungarian government’s position was to the same effect. It contended that concessions made in cases supporting the link between Article 10 and freedom of information (such as Társaság a Szabadsagjogokert v Hungary (2011) 53 EHRR 3 and Kenedi v Hungary 27 BHRC 335) were fact-specific.

Statutory rights to freedom of information in England and Wales are currently under threat of curtailment. Kennedy introduced (or confirmed) that, at least in certain circumstances, freedom of information also has a common law foundation. The Grand Chamber’s judgment in Bizottság will reveal whether, in addition to its statutory and common law pillars, freedom of information has a human rights basis as well.

Jason Coppel QC, Karen Steyn QC and Christopher Knight of 11KBW represented intervening parties in Bizottság.

Robin Hopkins @hopkinsrobin

11KBW ranked No. 1 in Data Protection and Information Law in Chambers and Partners and Legal 500 for another year

November 2nd, 2015 by Panopticon Blog

We are thrilled to be, once again, the only chambers ranked in the top tier in the leading legal directories for data protection and information law.   With 5 silks and 9 juniors listed in Chambers, and 5 silks and 8 juniors listed in Legal 500 as leaders in this field, we are recognised as the pre-eminent set having “an impressive roster of highly accomplished counsel at all levels of seniority” acting for both public and private clients and with a breadth and depth of experience second-to-none.  ​Our information law blog, Panopticon, received special mention in Chambers and Partners as impressing clients.   We look forward to another successful year and are grateful to our clients for their continuing support.

11KBW remains ‘the set others aspire to beat in data protection work’   – Legal 500,  2015

Court of Appeal considers damages for privacy breaches – data protection to follow suit?

October 20th, 2015 by Robin Hopkins

This week, the Court of Appeal is grappling with a difficult and important question: how do you value an invasion of privacy? In other words, where someone has suffered a breach of their privacy rights, how do you go about determining the compensation they should receive?

The appeal is brought by MGN against the judgment of Mann J in Gulati & Ors v MGN Ltd [2015] EWHC 1482 (Ch). That judgment concerned victims of blagging and phone-hacking (including Paul Gascoigne, Sadie Frost and Alan Yentob) for which Mirror Group Newspapers was held responsible.

Mann J awarded the claimants compensation ranging between £85,000 and £260,250. His judgment was ground-breaking, in part due to the size of those awards. (By way of comparison, the previous highest award in a privacy case had been made to Max Mosely, in the region of £60,000 – but most awards have been much lower).

It was also ground-breaking in terms of the methodology adopted to calculate quantum for privacy breaches. Here is how Mann J summarised the rival arguments (paragraph 108; I have underlined the components put forward by the claimants):

“… The case of the claimants is that the compensation should have several elements.  There is compensation for loss of privacy or “autonomy” resulting from the hacking or blagging that went on; there is compensation for injury to feelings (including distress); and there is compensation for “damage or affront to dignity or standing”.  The defendant disputes this and submits that all that can be compensated for is distress or injury to feelings…  It is accepted that such things as loss of autonomy are relevant, but only as causes of the distress which is then compensated for.  They are not capable of sustaining separate heads of compensation…”

As is clear from that synopsis, the debate is not just about money, observable cause-and-effect or hard-edged law. The debate also has difficult philosophical and ethical dimensions. It seems that neither society nor the law (which sometimes overlap) has yet got to the bottom of what it really means to have one’s privacy invaded.

In any event, Mann J certainly did his bit to progress that debate. He preferred the analysis of the claimants – hence the large awards they received. See for example his paragraphs 143-144:

“… The tort is not a right to be prevented from upset in a particular way.  It is a right to have one’s privacy respected.  Misappropriating (misusing) private information without causing “upset” is still a wrong.  I fail to see why it should not, of itself, attract damages.  Otherwise the right becomes empty, contrary to what the European jurisprudence requires.  Upset adds another basis for damages; it does not provide the only basis. I shall therefore approach the consideration of quantum in this case on the footing that compensation can be given for things other than distress, and in particular can be given for the commission of the wrong itself so far as that commission impacts on the values protected by the right.”

The Court of Appeal’s judgment in MGN’s appeal will have a huge impact on the size of awards in privacy cases, and thereby on the privacy litigation landscape itself. It will also no doubt contribute to our understanding of how 21st-century society values (or ought to value) privacy.

What impact will it have on compensation under section 13 of the Data Protection Act 1998?

As with privacy compensation, data protection compensation is having a revolutionary year: see the striking down of section 13(2) in Vidal-Hall v Google [2015] EWCA Civ 311. Traditionally, few people brought claims under section 13 DPA, because it was assumed that they could only be compensated for distress (their primary complaint) if they also suffered financial loss (which mostly they hadn’t). Vidal-Hall overturned that: you can be compensated for distress alone under section 13 DPA. This point will be considered by the Supreme Court next year, but for now, the removal of this barrier to successful section 13 claims is hugely important.

Another barrier, however, lingers: section 13 DPA awards tend to be discouragingly low, from a claimant’s perspective. See most crucially Halliday v Creation Consumer Finance [2013] EWCA Civ 333 (where an award for £750 was made): “the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation…” (per Arden LJ at paragraph 36).

Increasingly, however, case law emphasises the intimate relationship between data protection and fundamental privacy rights: see for example Vidal-Hall, and last year’s ‘right to be forgotten’ judgment in the Google Spain case.

So, if Mann J’s wide, claimant-friendly approach to quantifying damages is upheld in the privacy context, how long before the same approach infiltrates data protection litigation?

Robin Hopkins @hopkinsrobin

Unsafe Harbor: some practical implications of the Schrems judgment

October 6th, 2015 by Robin Hopkins

Panopticon has been quick-off-the-mark in reporting on today’s enormously significant Schrems judgment from the CJEU: see Chris’ alert and Anya’s commentary. I hope readers will excuse a third excursion into the same waters, given the enormous consequences the judgment. Here are a few observations on what those consequences mean in practice.

  1. Is this the end for Safe Harbor?

In its current form, yes. In theory, it can be fixed, rather than binned. Efforts have in fact been underway for some time aimed at renegotiating and tightening up aspects of the Safe Harbor arrangements, spurred by the Snowden revelations about the extent of US surveillance. The tenor of the judgment, however, is that tweaks will not suffice. ‘Dead in the water’ is the right shorthand for Safe Harbor.

  1. Does the Schrems judgment affect all companies transferring data to the US?

No – it torpedoes the Safe Harbor scheme, but it does not torpedo all EU-US data transfers. The Safe Harbor scheme was one of the major ways in which EU-US transfers of personal data ticked the box in terms of complying with Article 25 of Directive 95/46/EC (or the eighth data protection principle, in UK parlance). But it was not the only way.

Not all US companies were part of that scheme – in fact, you can see the full list of companies that are certified for Safe Harbor on the website of the US Department of Commerce (which administers certification for the scheme) here. There are around 5,000 companies affected by the Schrems judgment.

  1. Without Safe Harbour, how can data transfers to the US be lawful?

Obviously, the options include avoiding transfers to the US henceforth. Data processing arrangements could be retained within the EU, or they could be switched to one of a number of countries which already have an EU seal of approval: see the list here, which include Andorra, New Zealand, Canada, Uruguay, Israel and Argentina. Again, however, the Schrems judgment arguably implies that not even those countries are immune from scrutiny. Though those countries are not tainted by the Snowden/NSA revelations, their approved status is no longer inviolable.

Another option for multinationals transferring data to the US (or elsewhere) is to use Binding Corporate Rules. These provide a framework for how the organisation handles personal data. The data controller drafts its BCRs and submits them to the regulator for approval. Where more than one EU state is involved, the other regulators all need to have their say before the data controller’s arrangements are given the green light.

The BCR process is explained by the ICO here. Note the observation that a straightforward BCR application can take 12 months. So no quick fix for plugging the Safe Harbor gap here. Companies may need to find interim solutions while they work on adopting BCRs.

Another option is the use of Model Contract Clauses, explained by the ICO here. This involves incorporating off-the-shelf, EU-approved provisions into your contracts relating to personal data. These are inflexible, and they will not fit every data controller’s needs. Again, data controllers may need to craft stop-gap contractual solutions.

And again, it is arguably implicit in the Schrems judgment that even BCRs and Model Contract Clauses are flawed, i.e. they do not suffice to ensure that adequate data protection standards are maintained.

Lastly, as a data controller, you are able to do it yourself, i.e. to carry out your own assessment of the level of protection afforded in your data’s destination country. Again, the ICO helpfully explains. Again, however, the solutions are not straightforward.

  1. Are regulators going to take immediate action against all Safe Harbor-based transfers?

Unclear, but it is doubtful that they have the will or the way.

In the immediate term, the Irish Data Protection Commissioner now needs to decide whether or not Facebook’s US data transfers are lawful in the absence of Safe Harbor. This alone will be an important decision.

In the UK, the ICO has issued a press release on Schrems. It recognises that it will take time for businesses to adapt. Its tone is neither immediate nor pitiless.

This is no doubt because the business implications – both for the private sector and the regulators – would be enormous if a whole-scale clampdown were to be commenced immediately. It is likely that many regulators will give data controllers some time to get their houses (or harbors) in order – though the CJEU declined to take a similar approach in its judgment today.

  1. Will the new Data Protection Regulation fix the problem?

No. Its approach to international transfers is largely the same to the one which is currently in place. It contains no automatic fixes to the current quandary.

These are just preliminary observations. The dust has not yet settled, and businesses face some thorny practicalities in the meantime.

Robin Hopkins @hopkinsrobin

‘Vilified’ doctor cannot publish patient’s private information

October 1st, 2015 by Robin Hopkins
In the Matter of C (A Child) (Application by Dr X and Y) [2015] EWFC 79 involved, in the words of Munby J, an unusual and indeed unprecedented application. It pitted the right to defend one’s reputation against the privacy and confidentiality rights of others. In this case, the latter won.
Dr X had treated C and C’s mother; he had also been an expert witness in the family court care proceedings concerning C. C’s mother was unhappy about the treatment given by Dr X. She complained about him to the GMC, whose Fitness to Practise panel in due course found the allegations against Dr X to be unproven. C’s mother also criticised Dr X publicly in the media.
Dr X felt that his “otherwise unblemished reputation … has been cataclysmically damaged … through inaccurate reporting and internet postings” and that he has been “unfairly and unjustly pilloried by the mother and, through her, by the press” (his skeleton argument, cited at para 10 of Munby J’s judgment).
Dr X wanted to be able to put his side of the story, and to have the original source documents – from the family court proceedings and the Fitness to Practice proceedings – available, to quote from (while respecting anonymity) if his public statements were challenged. He sought disclosure of documents from those proceedings.
One difficulty he faced was that the law restricts the use to which documents from family proceedings could be put. The court had a discretion to allow disclosure, but generally subject to restrictions on the use to which documents could be put.
A further major difficulty was that he was bound by doctor-patient confidentiality, both as a matter of legal duty and professional confidentiality. That duty permits of exceptions – for example, to allow a doctor who is being unfairly vilified by a patient to defend himself – but even then any departure from confidentiality obligations must be proportionate.
The same applies to interference with patients’ privacy under Article 8 ECHR; privacy rights were particularly acute here, because what was sought (for disclosure, and for deployment in public statements) was “a mass of medical materials relating to the mother’s mental health” (Munby J at paragraph 42). Disclosure of those materials, even in redacted form, would have major implications for the privacy of the child, C.
Those difficulties were fatal to the application. Munby J said that “the remedy being sought by Dr X – permission to put the mother’s medical records and related documents into the public domain, at a time and in circumstances of his own choosing and without any of the safeguards usually imposed – is wholly disproportionate to anything which he can legitimately or reasonably demand”.
In relation to the documents filed in the Fitness to Practise proceedings but which were not part of the documentation filed in the care proceedings, the court had no jurisdiction to grant an application for disclosure. In any event, disclosure of the confidential material Dr X sought for deployment in the public domain would again be wholly disproportionate.
Heather Emmerson of 11KBW appeared for the GMC.​
Robin Hopkins @hopkinsrobin

Refusing a subject access request: proportionality, anxious scrutiny and judicial discretion

August 25th, 2015 by Robin Hopkins

Zaw Lin and Wai Phyo v Commissioner of Police for the Metropolis [2015] EWHC 2484 (QB), a judgment of Green J handed down today, is an interesting – if somewhat fact-specific – contribution to the burgeoning body of case law on how subject access requests (SARs) made under the Data Protection Act 1998 (DPA) should be approached, both by data controllers and by courts.

The Claimants are on trial in Thailand for the murder in September 2014 of British tourists Hannah Witheridge and David Miller. They could face the death penalty if convicted.

Under the Police Act 1996, and following high-level discussions (including at Prime Ministerial level), it was agreed that the Metropolitan Police Service (MPS) would send an officer to observe and review – but not assist with – the Thai police investigation. The MPS compiled a detailed Report. They agreed to keep this confidential, except that it could be summarised verbally to the families of the victims so as to reassure about the state of the investigation and proceedings. The Report has never been provided to the families or the Thai authorities.

The Claimants made SARs, seeking disclosure of the MPS’ Report. Green J summarised their objectives as follows (para 29):

“The Claimants have endeavoured to clothe their arguments in the somewhat technical language of the DPA.  It seems to me that the bottom line of these arguments, stripped bare of technical garb, can be put in two ways.  First, the views of the MPS carry weight. Scotland Yard has an international reputation.  If the Report is seen as favourable to the prosecution and contains material supportive of the RTP [Royal Thai Police] investigation (which is in effect how the Claimants say it has been presented in public by the families) then they should have the right to see the personal data so they can correct any misapprehensions.  Secondly, that in any event they should be able to use any personal data which is favourable to their defence.”

The Claimants were entitled to request disclosure of at least some of the contents of the Report, though Green J estimated that only a small percentage of its contents constituted their personal data (para 25).

The MPS refused the SARs, relying on the exemption for crime and taxation under section 29 DPA.

In determining the claim under section 7(9) DPA, Green J considered arguments as to the applicability (or not) of Directive 95/46/EC (which contains exceptions for criminal matters: see Articles 3 and 13) and the European Convention on Human Rights. His view was that not much turned on these points here (para 49). At common law, the court’s scrutiny must always be fact- and context-specific. In a life-and-death context, anxious scrutiny would be applied to a data controller’s refusal. See para 69:

“… when construing the DPA 1998 (whether through common law or European eyes) decision makers and courts must have regard to all relevant fundamental rights that arise when balancing the interest of the State and those of the individual.  There are no artificial limits to be placed on the exercise.”

Green J expressed his discomfort about the application of section 15(2) DPA, which allows the court – but not the data subject – to view the withheld information. This, together with the prospect of a closed session, raised concerns as to natural and open justice. Given the expedited nature of the case before him, it was not appropriate to appoint a special advocate, but that may need to be considered in future cases where the stakes are very high. Green J proceeded by asking questions and hearing submissions on an open basis in a sufficiently generic and abstract way.

In expressing those procedural misgivings, Green J has touched on an important aspect of DPA litigation which has received little attention to date.

He also took a narrower view of the breadth of his discretion under section 7(9) DPA than has often been assumed. At para 98, he said this of the ‘general and untrammelled’ nature of that judicial discretion:

“If Parliament had intended to confer such a broad residual discretion on the court then, in my view, it would have used far more specific language in section 7(9) than in fact it did. In any event I do not understand the observations in the authorities referred to above to suggest that if I find that the MPS has erred that I should simply make up and then apply whatever test I see fit.  If I find an error on the part of the MPS such that I must form my own view then I should do in accordance with the principles set out in the DPA 1998 and taking account of the relevant background principles in the Directive and the Convention. My discretion is unfettered by the decision that has gone before, and which I find unlawful, but I cannot depart from Parliament’s intent.”

Such an approach to section 7(9) could make a material difference to litigation concerning SARs.

Green J then set out and determined the issues before him as follows:

Issue I: Who has the burden of proof of proving both the right to invoke the exemption? What is the standard of proof?

Following R (Lord) v Secretary of State of the Home Department [2003] EWHC 2073 (Admin), the answer is that the data controller bears the burden. “The burden of proof is thus upon the MPS in this case to show its entitlement to refuse access and it must do this with significant and weighty grounds and evidence” (para 85).

Issue II: Was the personal data in the MPS report “processed” for purposes of (a) the prevention or detection of crime or (b) the apprehension or prosecution of offenders?

Green J’s answer was yes. Although the purposes behind the Report differed from the usual policing context, there should be no artificially narrow interpretation of the ‘prevention and detection of crime/apprehension or prosecution of offenders’.

Issue III: Would granting access be likely to prejudice any of those purposes?

This required a balancing exercise to be performed between the individual’s right to access and the interests being pursued by the data controller in refusing disclosure. This called for a “classic proportionality balancing exercise to be performed” (para 78).

Here, the starting point was the Claimant’s prima facie right to the personal data. This was bolstered by the life-and-death context of the present case.

The MPS’ refusal, however, pursued legitimate and weighty objectives. In assessing those objectives, it was relevant to consider what precedent would be set by disclosure: the “focus of attention was not just on the facts of the instant case but could also take account of the impact on other cases” (as per Lord).

On that basis, and in light of the evidence, the MPS’ ‘chilling effect’ argument was powerful. See para 107:

“… I accept their judgment and opinion as to the risks that release of the Report would give rise to and in particular, their position on: the considerable benefit to the public interest (in relation to crime enforcement and public security) generally in the MPS (and other relevant police authorities) being able to engage with foreign authorities; the high importance that is attached by foreign authorities to confidentiality; and the risk that not being able to give strong assurances as to confidentiality would pose to the ability of the MPS and others to enter into meaningful working relationship with such overseas authorities.”

It was also important to avoid any potential interference with a criminal trial in a foreign country.

The Claimants’ SARs were not made for any improper purposes, i.e. for purposes other than those which Directive 95/46/EC sought to further. In that respect, the present case was wholly unlike Durant.

The balancing exercise, however, favoured the MPS. Having considered each item of personal data, Green J said his “ultimate conclusion is that there is nothing in the personal data which would be of any real value to the Claimants” (para 125). He expressed his unease with both the procedure and the outcome. Permission to appeal was granted, though Panopticon understands that an appeal is not being pursued by the Claimants.

Anya Proops and Christopher Knight acted for the Defendant.

Robin Hopkins @hopkinsrobin

Privacy and data protection – summer roundup

August 18th, 2015 by Robin Hopkins

August tends to be a quiet month for lawyers. There has, however, been little by way of a summer break in privacy and data protection developments. Here are some August highlights.

Privacy injunction: sexual affairs of sportsman (not philosophers)

Mrs Justice Laing’s August does not appear to have begun restfully. Following a telephone hearing on the afternoon of Saturday 1 August, she granted what became a widely-reported privacy injunction (lasting only until 5 August) restraining the publication of a story about an affair which a prominent sportsman had some years ago: see the judgment in AMC and KLJ v News Group Newspapers [2015] EWHC 2361 (QB).

As usual in such cases, Article 8 and Article 10 rights were relied upon to competing ends. There is no automatic favourite in such contests – an intense focus on the facts is required.

In this case, notwithstanding submissions about the extent to which the affected individuals ‘courted publicity’ or were not ‘private persons’ – there was a reasonable expectation of privacy about a secret sexual affair conducted years ago. The interference needed to be justified.

The right to free expression did not constitute adequate justification without more: “I cannot balance these two incommensurables [Articles 8 and 10] without asking why, and for what purposes, X and R seek to exercise their article 10 rights… The public interest here is, I remind myself, a contribution to a debate in the general interest”.

On the facts, there was insufficient public interest to justify that interference. The sportsman was not found to have hypocritically projected himself as ‘whiter than white’, and his alleged deceits and breaches of protocols in the coducting of his affair were not persuasive – especially years after the event. In any event, the sportsman was a role model for sportsmen or aspiring sportsmen: “he is not a role model for cooks, or for moral philosophers”. The latter point will no doubt be a weight off many a sporting shoulder.

Subject access requests: upcoming appeals

Subject access requests have traditionally received little attention in the courts. As with data protection matters more broadly, this is changing.

Holly Stout blogged earlier this month about the High Court’s judgment in Dawson-Damer and Ors v Taylor Wessing and Ors [2015] EWHC 2366 (Ch). The case concerned legal professional privilege, manual records and relevant filing systems, disproportionate searches and the court’s discretion under section 7(9) DPA. That case is on its way to the Court of Appeal.

So too is the case of Ittihadieh [2015] EWHC 1491 (QB), in which I appeared. That case concerned, among other issues, identification of relevant data controllers and the domestic purposes exemption. It too is on its way to the Court of Appeal.

Subject access requests: the burden of review and redaction

There has also been judgment this month in a County Court case in which I appeared for the Metropolitan Police Service. Mulcahy v MPS, a judgment of District Judge Langley in the Central London County Court, deals in part with the purposes behind a subject access request. It also deals with proportionality and burden, which – as Holly’s recent post discusses – has tended to be a vexed issue under the DPA (see Ezsias, Elliott, Dawson-Damer and the like).

Mulcahy deals with the proportionality of the burden imposed not so much by searching for information within the scope of a subject access request, but for reviewing (and, where necessary, redacting) that information before disclosure. This is an issue which commonly concerns data controllers. The judgment is available here: Mulcahy Judgment.

Privacy damages: Court of Appeal to hear Gulati appeal

May of 2015 saw Mr Justice Mann deliver a ground-breaking judgment on damages awards for privacy breaches: see Gulati & Ors v MGN Ltd [2015] EWHC 1482 (Ch), which concerned victims of phone-hacking (including Paul Gascoigne and Sadie Frost). The awards ranged between £85,000 and £260,250. The judgment and grounds of appeal against the levels of damages awards are explained in this post by Louise Turner of RPC.

Earlier this month, the Court of Appeal granted MGN permission to appeal. The appeal is likely to be expedited. It will not be long before there is a measure of certainty on quantum for privacy breaches.

ICO monetary penalties

Lastly, I turn to privacy-related financial sanctions of a different kind. August has seen the ICO issue two monetary penalty notices.

One was for £50,000 against ‘Stop the Calls’ (ironically, a company which markets devices for blocking unwanted marketing calls) for serious contraventions of regulation 21 of the Privacy and Electronic Regulations 2003 (direct marketing phone calls to persons who registered their opposition to such calls with the Telephone Preference Service).

Another was for £180,000 for a breach of the seventh data protection principle. It was made against The Money Shop following a burglary in which an unencrypted server containing customers’ personal information was stolen.

Robin Hopkins @hopkinsrobin

Refusing to respond to subject access requests – legal professional privilege, disproportionate effort and collateral purposes

August 12th, 2015 by Holly Stout

The Information Commissioner’s Code of Practice on Data Protection steadfastly maintains that data controllers cannot refuse to respond to a subject access request unless one of the specific exceptions in the Data Protection Act 1998 (“DPA”) applies.  However, there is a growing body of case law on the circumstances in which the courts will refuse to enforce compliance with subject access requests under s 7(9) of the Act, even where one of the specific exceptions under the Act does not apply.  See previous Panopticon posts on this subject here and here.

In a judgment handed down on 6 August 2015, HHJ Behrens (sitting as Judge of the High Court) considered a refusal by Taylor Wessing LLP (“TW”) and two individual defendants to respond to a subject access request made by a family involved in legal proceedings in the Bahamas concerning a discretionary settlement known as the Glenfinnan Settlement.  TW’s client (Grampian) is the sole trustee of that Settlement.

TW resisted the family’s application for an order under s 7(9) requiring compliance with the subject access request on the following bases:

  1. The data in question was covered by legal professional privilege as it is only processed by TW in connection with their capacity as legal advisors;
  2. Some of the information was held in manual files and not in a relevant filing system for the purposes of the DPA;
  3. It was not reasonable or proportionate to expect TW even to carry out a search for the information and to assess what was covered by privilege and what was not;
  4. As a matter of discretion the Court should refuse to make an order under s 7(9) because the application had been made for improper purposes.

The Court’s ruling on each of these issues is worthy of note.  The full judgment is available here.

Legal professional privilege 

Paragraph 10 of Schedule 7 to the DPA provides a specific exception for “information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality as between client and professional legal adviser, could be maintained in legal proceedings”.  The family argued that this exception was restricted to English law professional privilege and did not extend to documents that were covered by Bahamian rules on disclosure or which were subject to equitable rules in English trust law about non-disclosure of information to Trust beneficiaries.  HHJ Behrens did not accept these submissions.  He considered, following Durant v FSA [2003] EWCA 1746 that a purposive approach is to be taken to interpretation of the DPA and that the exception in para 10 of Sch 7 was not to be strictly construed.  Adopting a purposive approach, he held that the exception was to be construed as if it applied to any documents in respect of which there is a right to resist compulsory disclosure in legal proceedings.  Accordingly, it covered all the documents in respect of which the parties would be entitled to resist compulsory disclosure in the Bahamian proceedings, even though these were not covered by the English doctrine of legal professional privilege.  This is a novel interpretation that may receive further attention from the courts in due course.

Relevant filing system 

HHJ Behrens referred to the observations of Auld LJ in Durant in relation to the meaning of ‘relevant filing system’ for the purposes of the DPA.  Auld LJ held (at [48] of Durant) that “Parliament intended to apply the Act to manual records only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system.  That requires a filing system so referenced or indexed that it enables the data controller’s employee responsible to identify at the outset of his search with reasonable certainty and speed the file or files in which the specific data relating to the person requesting the information is located and to locate the relevant information about him within the file or files, without having to make a manual search of them. To leave it to the searcher to leaf through files, possibly at great length and costs, and fruitlessly, to see whether it or they contain information relating to the person requesting information and whether that information is data within the Act bears … no resemblance to a computerised search”.  Although HHJ Behrens did not ultimately determine whether TW’s filing system satisfied the definition of ‘relevant filing system’ he indicated that as it appeared that documents within the manual files were not chronologically arranged or filed in any way by reference to individuals, they may well fall outside the scope of the Act.

Disproportionate effort 

Section 8(2) of the DPA provides that a data controller need not supply copies of information “in permanent form” if that would require “disproportionate effort”.  The Information Commissioner in his Code of Practice is keen to minimise reliance on this exception stating, “You cannot refuse to comply with a SAR on the basis that it would involve disproportionate effort, simply because it would be costly and time consuming to find the requested personal data held in archived emails.”  And: “We stress that you should rely on the disproportionate effort exception only in the most exceptional of cases. The right of subject access is central to data protection law and we rarely hear of instances where an organisation could legitimately use disproportionate effort as a reason for denying an individual access to any of their personal data. Even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you must still comply with the request in some other way.”  However, in this case HHJ Behrens referred to his own earlier judgment in Elliott v Lloyds TSB Bank and Hickinbottom J’s decision in Ezsias v Welsh Ministers before summarising the position in relation to s 8(2) as follows: “A data controller is only required under s 8(2) to supply the individual with such personal data as is found after a reasonable and proportionate search”.  This is arguably a significantly more relaxed approach than that taken by the Information Commissioner.  It remains to be seen whether the Information Commissioner will amend his guidance in the light of this string of decisions.

In this case, HHJ Behrens went on to hold that it would not have been reasonable and proportionate for TW to carry out the search in this case.  In reaching this conclusion, HHJ Behrens interestingly appears to have been influenced by the disproportionality of requiring ‘skilled lawyers’ to review documents for LPP when the applicant need only pay £10 for a subject access request.

Improper purposes 

Section 7(9) of the DPA undoubtedly gives the court a discretion as to whether to order a data controller to comply with a subject access request.  In a number of cases now the courts have ruled that this discretion enables the court to refuse to make such an order even if none of the exceptions under the DPA apply and therefore the data controller is breaching the Act by refusing to respond: see the previous Panopticon posts mentioned in the first paragraph of this blog.  This case is another such.  Although not necessary to his decision, as TW had already ‘won’ on the LPP and disproportionate effort points above, HHJ Behrens gave three reasons why he would not in any event have exercised his discretion under s 7(9) in this case:

  1. The real purpose of the subject access requests was to obtain information for used in connection with the Bahamian proceedings.  HHJ Behrens was satisfied that the claimants would not have brought the applications at all were it not for the Bahamian proceedings.  This was, following Durant, not a proper purpose for a request under the DPA;
  2. It would be unreasonable and disproportionate to order TW to comply with the request: the same points as were relevant to the s 8(2) exception were relevant to the s 7(9) discretion; and
  3. It was not a proper use of the DPA to enable the claimants to obtain documents that they could not have obtained in the Bahamian proceedings.

HHJ Behrens recognised that a number of points in his judgment were novel and indicated that he was therefore minded to grant permission to appeal, if permission were sought.  Permission was sought and duly granted so expect to hear further from the Court of Appeal on these issues in due course.

Jonathan Swift QC appeared for the claimants.

Holly Stout