Facebook, child protection and outsourced monitoring

July 22nd, 2015 by Robin Hopkins

Facebook is no stranger to complaints about the content of posts. Usually, one user complains to Facebook about what other users’ posts say about him. By making the offending posts available, Facebook is processing the complainant’s personal data, and must do so in compliance with data protection law.

More unusually, a user could also complain about their own Facebook posts. Surely a complainant cannot make data protection criticisms about information they deliberately posted about themselves? After all, Facebook processes those posts with the author’s consent, doesn’t it?

Generally, yes – but that will not necessarily be true in every instance, especially when it comes to Facebook posts by children. This is the nature of the complaint in striking litigation currently afoot before the High Court in Northern Ireland.

The case is HL v Facebook Inc, Facebook Ireland Ltd, the Northern Health & Social Care Trust and DCMS [2015] NIQB 61. It is currently only in its preliminary stages, but it raises very interesting and important issues about Facebook’s procedures for preventing underage users from utilising the social network. Those issues are illuminated in the recent judgment of Stephen J, who is no stranger to claims against Facebook – he heard the recent case of CG v Facebook [2015] NIQB 11, concerning posts about a convicted paedophile.

From the age of 11 onwards, HL maintained a Facebook page on which she made posts of an inappropriate sexual nature. She was exposed to responses from sexual predators. She says that Facebook is liable for its failure to prevent her from making these posts. She alleges that Facebook (i) unlawfully processed her sensitive personal data, (ii) facilitated her harassment by others, and (iii) was negligent in failing to have proper systems in place to minimise the risks of children setting up Facebook accounts by lying about their age.

The data protection claim raises a number of issues of great importance to the business of Facebook and others with comparable business models. One is the extent to which a child can validly consent to the processing of their personal data – especially sensitive personal data. Minors are (legitimately or not) increasingly active online, and consent is a cornerstone of online business. The consent issue is of one of wide application beyond the HL litigation.

A second issue is whether, in its processing of personal data, Facebook does enough to stop minors using their own personal data in ways which could harm them. In her claim, for example, HL refers to evidence given to a committee of the Australian Parliament – apparently by a senior privacy advisor to Facebook (though Facebook was unable to tell Stephens J who he was). That evidence apparently said that Facebook removes 20,000 under-age user profiles a day.

Stephens J was also referred to comments apparently made by a US Senator to Mark Zuckerberg about the vulnerability of underage Facebook users.

Another element of HL’s case concerns Facebook’s use of an outsourcing company called oDesk, operating for example from Morocco, to moderate complaints about Facebook posts. She calls into question the adequacy of these oversight measures: ‘where then is the oversight body for these underpaid global police?’ (to quote from a Telegraph article referred to in the recent HL judgment). Facebook says that – given its number of users in multiple languages across the globe – effective policing is a tall order (an argument J summed up at paragraph 22 as ‘the needle in a haystack argument, there is just too much to monitor, the task of dealing with underage users is impossible’).

In short, HL says that Facebook seems to be aware of the scale and seriousness of the problem of underage use of its network and has not done enough to tackle that problem.

Again, the issue is one of wider import for online multinationals for whom personal data is stock-in-trade.

The same goes for the third important data protection issue surfacing in the HL litigation. This concerns jurisdiction, cross-border data controllers and section 5 of the Data Protection Act 1998. For example, is Facebook Ireland established in the UK by having an office, branch or agency, and does it process the personal data in Facebook posts in the context of that establishment?

These issues are all still to be decided. Stephens J’s recent judgment in HL was not about the substantive issues, but about HL’s applications for specific discovery and interrogatories. He granted those applications. In addition to details of HL’s Facebook account usage, he ordered the Facebook defendants to disclose agreements between them and Facebook (UK) Ltd and between them and o-Desk (to whom some moderating processes were outsourced). He has also ordered the Facebook defendants to answer interrogatory questions about their procedures for preventing underage Facebook use.

In short, the HL litigation has – thus far – raised difficult data protection and privacy issues which are fundamental to Facebook’s business, and it has required Facebook to lay bare internal details of its safeguarding practices. The case is only just beginning. The substantive hearing, which is listed for next term, could groundbreaking.

Robin Hopkins @hopkinsrobin

DRIPA 2014 declared unlawful

July 17th, 2015 by Robin Hopkins

In a judgment of the Divisional Court handed down this morning, Bean LJ and Collins J have declared section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA) to be unlawful.

For the background to that legislation, see our posts on Digital Rights Ireland and then on the UK’s response, i.e. passing DRIPA in an attempt to preserve data retention powers.

That attempt has today suffered a serious setback via the successful challenges brought by the MPs David Davis and Tom Watson, as well as Messrs Brice and Lewis. The Divisional Court did, however, suspend the effect of its order until after 31 March 2016, so as to give Parliament time to consider how to put things right.

Analysis to follow in due course, but for now, here is the judgment: Davis Watson Judgment.

Robin Hopkins @hopkinsrobin

Google and the ordinary person’s right to be forgotten

July 15th, 2015 by Robin Hopkins

The Guardian has reported today on data emerging from Google about how it has implemented the Google Spain ‘right to be forgotten’ principle over the past year or so: see this very interesting article by Julia Powles.

While the data is rough-and-ready, it appears to indicate that the vast majority of RTBF requests actioned by Google have concerned ‘ordinary people’. By that I mean people who are neither famous nor infamous, and who seek not to have high-public-interest stories erased from history, but to have low-public-interest personal information removed from the fingertips of anyone who cares to Google their name. Okay, that explanation here is itself rough-and-ready, but you get the point: most RTBF requests come not from Max Mosley types, but from Mario Costeja González types (he being the man who brought the Google Spain complaint in the first place).

As Julia Powles points out, today’s rough-and-ready is thus far the best we have to go on in terms of understanding how the RTBF is actually working in practice. There is very little transparency on this. Blame for that opaqueness cannot fairly be levelled only at Google and its ilk – though, as the Powles articles argues, they may have a vested interest in maintaining that opaqueness. Opaqueness was inevitable following a judgment like Google Spain, and European regulators have, perhaps forgivably, not yet produced detailed guidance at a European level on how the public can expect such requests to be dealt with. In the UK, the ICO has given guidance (see here) and initiated complaints process (see here).

Today’s data suggests to me that a further reason for this opaqueness is the ‘ordinary person’ factor: the Max Mosleys of the world tend to litigate (and then settle) when they are dissatisfied, but the ordinary person tends not to (Mr González being an exception). We remain largely in the dark about how this web-shaping issue works.

So: the ordinary person is most in need of transparent RTBF rules, but least equipped to fight for them.

How might that be resolved? Options seem to me to include some combination of (a) clear regulatory guidance, tested in the courts, (b) litigation by a Max Mosley-type figure which runs its course, (c) litigation by more Mr González figures (i.e. ordinary individuals), (d) litigation by groups of ordinary people (as in Vidal Hall, for example) – or perhaps (e) litigation by members of the media who object to their stories disappearing from Google searches.

The RTBF is still in its infancy. Google may be its own judge for now, but one imagines not for long.

Robin Hopkins @hopkinsrobin

Austria will not host Europe vs Facebook showdown

July 6th, 2015 by Robin Hopkins

As illustrated by Anya Proops’ recent post on a Hungarian case currently before the CJEU, the territorial jurisdiction of European data protection law can raise difficult questions.

Such questions have bitten hard in the Europe vs Facebook litigation. Max Schrems, an Austrian law graduate, is spearheading a massive class action in which some 25,000 Facebook users allege numerous data protection violations by the social media giant. Those include: unlawful obtaining of personal data (including via plug-ins and “like” buttons); invalid consent to Facebook’s processing of users’ personal data; use of personal data for impermissible purposes, including the unlawful analysing of data/profiling of users (“the Defendant analyses the data available on every user and tries to explore users’ interests, preferences and circumstances…”); unlawful sharing of personal data with third parties and third-party applications. The details of the claim are here.

Importantly, however, the claim is against Facebook Ireland Ltd, a subsidiary of the Californian-based Facebook Inc. The class action has been brought in Austria.

Facebook challenged the Austrian court’s jurisdiction. Last week, it received a judgment in its favour from the Viennese Regional Civil Court. The Court said it lacks jurisdiction in part because Mr Schrems is not deemed to be a ‘consumer’ of Facebook’s services. In part also, it lacks jurisdiction because Austria is not the right place to be bringing the claim. Facebook argued that the claim should be brought either in Ireland or in California, and the Court agreed.

Mr Schrems has announced his intention to appeal. In the meantime, the Austrian decision will continue to raise both eyebrows and questions, particularly given that a number of other judgments in recent years have seen European courts accepting jurisdiction to hear claims against social media companies (such as Google: see Vidal-Hall, for example) based elsewhere.

The Austrian decision also highlights the difficulties of the ‘one-stop shop’ principle which remains part of the draft Data Protection Regulation (albeit in more nuanced and complicated formulation than had earlier been proposed). In short, why should an Austrian user have to sue in Ireland?

Panopticon will report on any developments in this case in due course. It will also report on the other strand of Mr Schrems’ privacy campaign, namely his challenge to the lawfulness of the Safe Harbour regime for the transferring of personal data to the USA. That challenge has been heard by the CJEU, and the Advocate General’s opinion is imminent. The case will have major implications for those whose business involves transatlantic data transfers.

Robin Hopkins @hopkinsrobin

Freedom of Information in Scotland

June 15th, 2015 by jamesgoudie

The Scottish Government has initiated a Consultation on further extension of coverage of the Freedom of Information (Scotland) Act 2002 (“FoIS”) to more organisations, specifically contractors who run privately managed prisons, providers of secure accommodation for children, grant-aided schools and independent special schools.

FoIS provides a statutory right of access to information held by Scottish public authorities. These range from the Scottish Parliament and Government, to local authorities, NHS boards, higher and further education bodies, doctors and dental practitioners.  However, the provisions of FoIS can be extended to bodies that carry out functions of a public nature or which provide, under a contract with a Scottish public authority, a service which is a function of that authority. This can be done by making an Order under s5 of FoIS, which designates those bodies as a Scottish public authority for the purposes of FoIS. They are then subject to the full requirements of FoIS. They would also automatically become subject to the requirements of the Environmental Information (Scotland) Regulations 2004. In accordance with s7(3) of FoIS, bodies proposed for coverage would be covered only in respect of the information they hold about specified public functions or services. Their duties under FoIS would therefore be limited to those functions or services as set out in the Order.

The Scottish Government brought forward Scotland’s first Order under s5(1) of FoIS in September 2013. Following consideration by the Parliament the Order came into effect on 1 April 2014. The Order extended coverage of FoIS to certain trusts which have been created by local authorities to deliver sporting, cultural and leisure facilities and/or activities on behalf of the local authority(ies).

The Scottish Government are now consulting on options for further extension of coverage. They are proposing to lay an Order in the Scottish Parliament in Autumn 2015. Subject to the Scottish Parliament supporting the Order, they would expect the bodies covered to become subject to FoIS and the EIR from Spring 2016. In addition to the organisations discussed in the Consultation Paper, suggestions are sought as to what other bodies – whether individually or collectively – should be considered in any future consultation.

In the previous consultation in 2010 the Scottish Government adopted a factor-based approach in determining the extent to which a function of an organisation could be described as being ‘of a public nature’.  They continue to believe that a factor-based approach is appropriate, and that a range of factors should be considered in assessing the ‘public nature’ of particular functions undertaken by certain organisations.

The Consultation Paper notes that the Scottish Information Commissioner has called for the extension of FoIS coverage to social housing owned by RSLs.  For a number of reasons, the Scottish Government are not currently persuaded of the merits of extending coverage to housing associations.

The Scottish Government do, however,  consider that a number of factors apply in relation to the functions undertaken, or services provided, by those various organisations highlighted in the Consultation Paper. In particular, there is a focus on organisations who, for the purposes of s5 of FoIS, undertake functions of a public nature or provide a service that is a function of a public authority(ies) relating to security, care and education.

The organisations considered for inclusion at this stage are:

  • contractors who run privately-managed prisons
  • providers of secure accommodation for children
  • grant-aided schools
  • independent special schools

With all these groups it is envisaged that any Order would provide a ‘class description’ in respect of the particular function undertaken or service provided. Given the potential for contractors or service providers to change over a period of time, a ‘class description’ gives more flexibility than listing specific bodies or contractors in the Order.

James Goudie QC

Disclosing child protection information: make sure you ask the right questions first

June 1st, 2015 by Robin Hopkins

High-profile revelations in recent years illustrate the importance of public authorities sharing information on individuals who are of concern in relation to child protection matters. When inaccurate information is shared, however, the consequences for the individual can be calamitous.

AB v Chief Constable of Hampshire Constabulary [2015] EWHC 1238 (Admin) is a recent High Court judgment (Jeremy Baker J) which explores the implications of such inaccurate disclosures. The case is not only about inaccuracies per se, but about why those inaccuracies were not picked up before the disclosure was made.

Perhaps the most notable point from the judgment is this: if such a disclosure is to be necessary, then the data controller must take care to ask themselves reasonable questions about that information, check it against other obvious sources, and make necessary enquiries before disclosure takes place.

In other words, failure to ask the right questions can lead to the wrong course of action in privacy terms. Here is how that principle played out in the AB case.

Background

In 2010, AB was summarily dismissed from his job as a science teacher for inappropriate comments and conduct with potential sexual undertones, as well as a failure to maintain an appropriately professional boundary with students. His appeal against dismissal failed. The Independent Safeguarding Authority, however, decided not to include AB on its barred lists. The General Teaching Council also investigated AB, but it did not find that the allegations of improper conduct were made out.

AB’s dismissal, however, came to the attention of a member of the child abuse investigation public protection unit of the Hampshire Constabulary. Enquiries were made of the college, and certain email correspondence and records were generated and retained on police systems.

Later the following year, AB was offered a teaching job elsewhere. This came to the police’s attention in 2013. There was internal discussion within the police about this. One officer said in an email that, among other things (i) AB had also been dismissed from another school, and (ii) AB’s 2010 dismissal had involved inappropriate touching between himself and pupils. There was no evidence that either of those points was true. That email concluded “From What I’ve been told he should be nowhere near female students. I will put an intel report in on [AB]”.

The above information was passed to the Local Authority Designated Officer (‘LADO’) and in turn to the school, who terminated AB’s employment. He then made a subject access request under the DPA, by which he learnt of the above communication, and also the source of that information, which was said to be a notebook containing a police officer’s notes from 2010 (which did not in fact record either (i) or (ii) above). AB complained of the disclosure and also of the relevant officer’s failures to follow the requisite safeguarding procedures. The police dismissed his complaint.

The Court’s judgment

AB sought judicial review of both the disclosure of the inaccurate email in the email, and of the dismissal of his complaint about the police officer’s conduct in his reporting of the matter.

The Court (Jeremy Baker J) granted the application on both issues. I focus here on the first, namely the lawfulness of the disclosure in terms of Article 8 ECHR.

Was the disclosure “in accordance with the law” for Article 8 purposes?

The Court considered the key authorities in this – by now quite well-developed – area of law (Article 8 in the context of disclosures by the police), notably:

MM v United Kingdom [2010] ECHR 1588 (the retention and disclosure of information relating to an individual by a public authority engages Article 8, and must therefore be justified under Article 8(2));

Tysiac v Poland (2007) 45 EHRR 42, where the ECtHR stressed the importance of procedural safeguards to protecting individuals’ Article 8 rights from unlawful interference by public bodies;

R v Chief Constable of North Wales Ex. Parte Thorpe [1999] QB 396: a decision about whether or not to disclose the identity of paedophiles to members of the public, is a highly sensitive one. “Disclosure should only be made when there is a pressing need for that disclosure”);

R (L) v Commissioner of Police for the Metropolis [2010] 1 AC 410: such cases are essentially about proportionality;

R (A) v Chief Constable of Kent [2013] EWCA Civ 1706: such a disclosure is often “in practice the end of any opportunity for the individual to be employed in an area for which an [Enhanced Criminal Record Certificate] is required. Balancing the risks of non-disclosure to the interests of the members of the vulnerable group against the right of the individual concerned to respect for his or her private life is a particularly sensitive and difficult exercise where the allegations have not been substantiated and are strongly denied”;

R (T) v Chief Constable of Greater Manchester Police & others [2015] AC 49 and R (Catt) v ACPO [2015] 2 WLR 664 on whether disclosures by police were in accordance with the law and proportionate.

The Court concluded that, in light of the above authorities, the disclosure made in AB’s case was “in accordance with the law”. It was made under the disclosure regime made up of: Part V of the Police Act 1997, the Home Office’s Statutory Disclosure Guidance on enhanced criminal records certificates, section 10 of the Children Act 2004 and the Data Protection Act 1998.

See Jeremy Baker J’s conclusion – and notes of caution – at [73]-[75]:

“73. In these circumstances it seems to me that not only does the common law empower the police to disclose relevant information to relevant parties, where it is necessary for one of these police purposes, but that the DPA 1998, together with the relevant statutory and administrative codes, provide a sufficiently clear, accessible and consistent set of rules, so as to prevent arbitrary or abusive interference with an individual’s Article 8 rights; such that the disclosure will be in accordance with law.

74. However, it will clearly be necessary in any case, and in particular in relation to a decision to disclose information to a third party, for the decision-maker to examine with care the context in which his/her decision is being made.

75. In the present case, although the disclosure of the information by the police was to a LADO in circumstances involving the safeguarding of children, it also took place in the context of the claimant’s employment. The relevance of this being, as DC Pain was clearly aware from the contents of his e-mail to PS Bennett dated 10th June 2013, that the disclosure of the information had the potential to adversely affect the continuation of the claimant’s employment at the school….”

Was the disclosure proportionate?

While the disclosure decision was in accordance with the law, this did not remove the need for the police carefully to consider whether disclosure was necessary and proportionate, particularly in light of the serious consequences of disclosure for AB’s employment.

The Court held that the disclosure failed these tests. The crucial factor was that if such information about AB was well founded, then it would have been contained in his Enhanced Criminal Record Certificate – and if it was not, this would have prompted enquiries about the cogency of the information (why, if it was correct, was such serious information omitted from the ECRC?) which would reasonably have been pursued to bottom the matter out before the disclosure was made. These questions had not been asked in this case. See [80]-[81]:

“… In these circumstances, it was in my judgment, a necessary procedural step for DC Pain to ascertain from the DBS unit as to, whether, and if so, what information it had already disclosed on any enhanced criminal record certificate, as clearly if the unit had already disclosed the information which DC Pain believed had been provided to him by the college, then it would not have been necessary for him to have made any further disclosure of that information.

81. If either DC Pain or PS Bennett had taken this basic procedural step, then not only would it have been immediately obvious that this information had not been provided to the school, but more importantly, in the context of this case, it would also have been obvious that further enquiries were required to be made: firstly as to why no such disclosure had been made by the DBS unit; and secondly, once it had been ascertained that the only information which was in the possession of the DBS unit was the exchange of e-mails on the defendant’s management system, as to the accuracy of the information with which DC Pain believed he had been provided by the college.”

Judicial reviews of disclosure decisions concerning personal data: the DPA as an alternative remedy?

Finally, the Court dealt with a submission that judicial review should not be granted as this case focused on what was essentially a data protection complaint, which could have been taken up with the ICO under the DPA (as was suggested in Lord Sumption’s comments in Catt). That submission was dismissed: AB had not simply ignored or overlooked that prospect, but had rather opted to pursue an alternative course of complaint; the DPA did not really help with the police conduct complaint, and the case raised important issues.

Robin Hopkins @hopkinsrobin

Why Evans gets the spiders

March 26th, 2015 by Robin Hopkins

I told you FOI was sexy.

The Supreme Court’s judgment in R (Evans) v Attorney General [2015] UKSC 21 has received vast amounts of media coverage – more in a single day than everything else about FOI has received in ten years, I reckon. No need to explain what the case was about – the upshot is that Rob Evans gets Prince Charles’ ‘black spider’ letters. Here’s why.

In other words, this post summarises why the judgment went Evans’ way 5:2 on the FOIA veto and 6:1 on the EIR veto. I leave aside the trenchant dissenting judgments (Lord Wilson on both FOIA and the EIRs; Lord Hughes on FOIA only), which merit a post in their own right.

FOIA and the ministerial veto

Three of the five JSCs who found that the Attorney General’s veto under FOIA was unlawful took the following view (that of Lord Neuberger).

The constitutional context and the restrictive view of section 53

“A statutory provision which entitles a member of the executive… to overrule a decision of the judiciary merely because he does not agree with it would not merely be unique in the laws of the United Kingdom. It would cut across two constitutional principles which are also fundamental components of the rule of law”, i.e. (i) that a court’s decisions are binding and cannot be ignored or set aside by anyone, and (ii) that the executive’s actions are reviewable by the court on citizens’ behalf. “Section 53, as interpreted by the Attorney General’s argument in this case, flouts the first principle and stands the second principle on its head” (paragraphs 51-52).

Therefore, if Parliament intends to permit the executive to override a judicial decision merely because it disagrees with that decision, it must ‘squarely confront what it is doing’ and make its intentions ‘crystal clear’. Section 53 FOIA is a long way from authorising such an override on the grounds of disagreement (paragraphs 56-58).

The upshot is that a minister cannot use section 53 to override a judicial decision simply on the grounds that, having considered the issue based on the same facts and arguments as the court or tribunal, he reaches a different view. In their context, and in light of the serious constitutional implications, the words “on reasonable grounds” in section 53 FOIA must be construed more restrictively: mere disagreement with the court/tribunal will not do.

The threshold is higher: a section 53 certificate will be lawful if there has been a material change in circumstances, or if facts or matters come to light at some point which (a) indicate that the judicial decision being overturned was seriously flawed, but (b) cannot give rise to an appeal against that decision. Such cases will be exceptional, but they are a real possibility, in Lord Neuberger’s judgment. Section 53 therefore retains some utility (see paragraphs 68, 77 and 78). Lord Kerr and Lord Reed agreed with Lord Neuberger’s restrictive view of section 53.

A less restrictive view of section 53

Lord Mance (with whom Lady Hale agreed) also found the Attorney General’s veto in this case to have been unlawful. He agreed that mere disagreement with the decision being overturned will not do. Lord Mance’s interpretation of section 53, however, is markedly less restrictive than that of Lord Neuberger: the accountable person is entitled under section 53 to reach a different view on the balancing of competing interests, even in the absence of the sorts of new considerations Lord Neuberger envisages, provided he gives properly explained and solid reasons against the background and law established by the judicial decision (see paragraphs 130-131).

There is thus more scope for a lawful veto on Lord Mance’s view – but his was not the majority view. Lord Neuberger’s more restrictive view commanded wider support. This makes a big difference to the future use of section 53.

What about First-Tier and ICO decisions?

Here are some further important implications addressed by Lord Neuberger.

This veto was against a decision of the Upper Tribunal, which is a court of record. Do the same stringent restrictions apply to an attempt to veto a decision of the First-Tier Tribunal? Answer: yes.

What about the ICO’s decisions? Is the threshold for a lawful veto equally high, or is it lower? Answer: it is lower, as the ICO’s evaluation can seldom be as exhaustive as that of a Tribunal. Nonetheless, the option to appeal to the Tribunal will be a relevant consideration: to use the section 53 power to achieve what you could also achieve by the more constitutionally appropriate route of an appeal may be an abuse of that power.

Those distinctions are important. Some section 53 certificates have been issued against First-Tier Tribunal decisions – the NHS risk register veto, for example. Others have been against ICO decisions – the High Speed 2 veto, for example. The Iraq war cabinet minutes have been the subject of two section 53 certificates – one against a Tribunal decision, the other against an ICO decision.

The EIRs and the ministerial veto

By comparison, the answer under the EIRs was relatively straightforward: Article 6 of Directive 2003/4/EC requires that refusals to disclose environmental information can be challenged before court whose decisions will be final. The ministerial veto provision does not square with that requirement. Environmental information cannot be the subject of the ministerial veto. These were the arguments advanced by Mr Evans, and by Tim Pitt-Payne on the ICO’s behalf. They were accepted by six of the seven JSCs.

So, a triumphant day for Rob Evans and The Guardian – and indeed for FOIA, the EIRs, transparency and the rule of law.

The outlook for the future use of section 53 is challenging, though there is nuance aplenty, even aside from the dissenting judgments.

Robin Hopkins @hopkinsrobin

Google Spain, freedom of expression and security: the Dutch fight back

March 13th, 2015 by Robin Hopkins

The Dutch fighting back against the Spanish, battling to cast off the control exerted by Spanish decisions over Dutch ideologies and value judgments. I refer of course to the Eighty Years’ War (1568-1648), which in my view is a sadly neglected topic on Panopticon.

The reference could also be applied, without too much of a stretch, to data protection and privacy rights in 2015.

The relevant Spanish decision in this instance is of course Google Spain, which entrenched what has come to be called the ‘right to be forgotten’. The CJEU’s judgment on the facts of that case saw privacy rights trump most other interests. The judgment has come in for criticism from advocates of free expression.

The fight-back by free expression (and Google) has found the Netherlands to be its most fruitful battleground. In 2014, a convicted criminal’s legal battle to have certain links about his past ‘forgotten’ (in the Google Spain sense) failed.

This week, a similar challenge was also dismissed. This time, a KPMG partner sought the removal of links to stories about him allegedly having to live in a container on his own estate (because a disgruntled builder, unhappy over allegedly unpaid fees, changed the locks on the house!).

In a judgment concerned with preliminary relief, the Court of Amsterdam rejected his application, finding in Google’s favour. There is an excellent summary on the Dutch website Media Report here.

The Court found that the news stories to which the complaint about Google links related remained relevant in light of public debates on this story.

Importantly, the Court said of Google Spain that the right to be forgotten “is not meant to remove articles which may be unpleasant, but not unlawful, from the eyes of the public via the detour of a request for removal to the operator of a search machine.”

The Court gave very substantial weight to the importance of freedom of expression, something which Google Spain’s critics say was seriously underestimated in the latter judgment. If this judgment is anything to go by, there is plenty of scope for lawyers and parties to help Courts properly to balance privacy and free expression.

Privacy rights wrestle not only against freedom of expression, but also against national security and policing concerns.

In The Hague, privacy has recently grabbed the upper hand over security concerns. The District Court of The Hague has this week found that Dutch law on the retention of telecommunications data should be down due to its incompatibility with privacy and data protection rights. This is the latest in a line of cases challenging such data retention laws, the most notable of which was the ECJ’s judgment in Digital Rights Ireland, on which see my post here. For a report on this week’s Dutch judgment, see this article by Maarten van Tartwijk in The Wall Street Journal.

As that article suggests, the case illustrates the ongoing tension between security and privacy. In the UK, security initially held sway as regards the retention of telecoms data: see the DRIP Regulations 2014 (and Panopticon passim). That side of the argument has gathered some momentum of late, in light of (for example) the Paris massacres and revelations about ‘Jihadi John’.

Just this week, however, the adequacy of UK law on security agencies has been called into question: see the Intelligence and Security Committee’s report entitled “Privacy and Security: a modern and transparent legal framework”. There are also ongoing challenges in the Investigatory Powers Tribunal – for example this one concerning Abdul Hakim Belhaj.

So, vital ideological debates continue to rage. Perhaps we really should be writing more about 17th century history on this blog.

Robin Hopkins @hopkinsrobin

Quite like a whale

February 24th, 2015 by Peter Lockley

As my colleague Robin Hopkins has warned, the decision of the Upper Tribunal in Fish Legal looks like a pretty big beast: sixty pages on whether water companies are public authorities for the purposes of the Environmental Information Regulations, applying the CJEU’s lengthy ruling on the points of principle (for which, see this post by Chris Knight).

(If you just need the quick answer: yes they are, by virtue of having ‘special powers’, but not by virtue of being under the control of a public body. For the detail, read on.)

In fact, while it could never be classed as a minnow, on closer inspection Fish Legal is not the monster it first seems (see Part 1 of the judgment here and Part 2 here). Fifteen of those sixty pages are appendices. More importantly, the decision poses, but declines to answer, some wider questions. Although Mr Justice Charles was sympathetic to the Information Commissioner’s request for guidance on how to identify a public authority, he stopped short of laying down ‘broad general principles’ on the question (paras.95-97). He gave shorter shrift to the water companies’ request that he list all of their powers which fell within the definition of ‘special powers’– a request made, apparently, with a view to lobbying Parliament to rid the companies of those powers, and so save them from the burden of EIR (para.98).

And one would hardly have expected him to address the question with the widest ramifications: if water companies are public authorities by virtue of their “special powers”, what of the various other privatised industries? It is, of course, a very fact specific analysis. Anxious electricity chiefs, rail bosses, and telecoms honchos will just have to read the judgment and consider how the ‘special powers’ and ‘control’ tests would apply to their own particular circumstances (see para. 110).

 

Background

The UT had two issues before it: (i) whether the Information Commissioner had jurisdiction to decide whether a body was a public authority for the purposes of the EIR or FOIA (as he had purported to do), and therefore whether the UT itself had jurisdiction to hear the case, and (ii) whether privatised water companies in England and Wales are public authorities for the purposes of EIR, applying the principles set down by the CJEU following a referral from the UT (blog post here).

By the time of this, the second outing before the UT, the cast list had expanded significantly, bringing in several 11KBW counsel to join Anya Proops, who acted for the Information Commissioner before the CJEU. The Secretary of State was joined as a party and was represented by Julian Milford. The parties in two related cases, Cross v IC and the Cabinet Office and Bruton v IC and Duchy of Cornwall, were also invited to make submissions on the nature of the tests. Karen Steyn QC and Joseph Barrett appeared for Mr Bruton; Amy Rogers appeared for the Duchy. (Those cases will now go forward to be decided applying the Fish Legal principles.)

 

The jurisdiction issue

The Secretary of State argued that under s.57 FOIA, the First-Tier Tribunal only has jurisdiction over a decision notice issued by the Commissioner under s.50(3)(b) FOIA, and that the Commissioner had no jurisdiction to serve a decision notice on the issue of whether a body is a public authority. Section 50 is based on the premise that a request has been made to a public authority; these elements are anterior to the Commissioner’s jurisdiction and he has no authority to decide them within the framework of FOIA.

The UT rejected these arguments. It took the view that jurisdictional provisions are routinely based on certain assumed conditions, but this does not deprive the body in question of the jurisdiction to decide whether those conditions have been met. So the UT’s jurisdiction to hear an appeal on any point of law arising from a decision made by the FTT assumes that a decision has been properly made by a properly-constituted tribunal, but it does not mean that the UT cannot rule on whether those conditions are met in a given appeal (para 31).

The UT applied this reasoning to both a positive decision by the Commissioner that a body is a public authority, and a negative decision that it is not, even though the latter is not a decision notice under s.50(3) FOIA. To hold otherwise would mean that while a body could appeal against a positive decision, a requester would face the more expensive route of judicial review of a negative decision (para.37). Furthermore, the Commissioner would have no power under the similarly structured s.51 FOIA to require the information he needed to reach an informed decision that a body was not a public authority (para. 41).

After scrutinising the decision of the House of Lords in BBC v Sugar [2009] 1 WLR 430, the UT decided that there was nothing in the case that disturbed its conclusions on the point (paras.43-54).

The Commissioner therefore has jurisdiction to decide the issue, the FTT to hear appeals against his decisions and the UT to hear appeals against the decisions of the FTT.

The public authority issue

Two of the limbs of the definition of ‘public authority’ under the EIR were in issue. A finding that the companies fell within either would suffice to make them public authorities. (A little care is needed with the numbers of the provisions in question: Article 2(2)(b) of the Environmental Information Directive is transposed as Reg. 2(2)(c) of the EIR, and Article 2(2)(c) of the Directive as Reg. 2(2)(d) of the EIR.)

 

Persons performing public administrative functions – the ‘special powers’ test

The CJEU expanded on Art. 2(2)(b) of the Directive by explaining that persons ‘performing public administrative functions’ are

52 […] entities, be they legal persons governed by public law or by private law, which are entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and which are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law.

Only the parts underlined were in dispute in the case of the water companies, which clearly meet the rest of the test.

The UT declined to draw any conclusion from the fact that the CJEU had not seen fit to apply the principles to the facts of this case (paras. 99-100). It also rejected a suggestion that it should ask itself whether the companies’ powers were in the nature of State powers (as the Advocate General had suggested). That was because the definition of ‘State powers’ was unclear and ever-changing, and also because the CJEU had not adopted that test. In the end, however, the UT did adopt the State powers test ‘as a check’ – leaving the status of the test somewhat unclear (paras.113-117).

The main analysis focussed on the following powers of water companies:

Compulsory Purchase (under s.155 of the Water Industry Act 1991, “WIA”): this looks like a quintessential government power unavailable to ordinary citizens, but in fact the water companies enjoy the power at one remove: before exercising it they require authorisation by the Secretary of State, which they can apply for via a process set out in Schedule 11 to the WIA. Nonetheless, the provisions conferred a real, practical advantage on the water companies. Firstly, the application process afforded them privileged access to those advising the Secretary of State on whether to authorise a compulsory purchase. Secondly, it conferred significant commercial leverage on the companies in any negotiation to purchase land, even if they rarely resorted to it in practice (para 107).

Power to make byelaws (s.157 WIA): such byelaws  require confirmation from the Secretary of State, but as with compulsory purchase, the power still confers an advantage on the companies. The section confers power beyond that of any private landowner, since byelaws under s.157 can be backed by criminal sanctions, unlike a landowner’s licence. ‘Special powers’ extends to ‘special powers of enforcement’ (para. 110).

Power to lay pipes (s.159 WIA): this power was the subject of a detailed comparison with the powers ordinarily available under private law. The companies argued that the same powers could be acquired through a license or easement. While accepting that this was potentially so, the UT emphasised that private law typically requires consent of the parties to achieve such a result (through the law of contract or property). By contrast, the WIA gives the water companies effective power to compel this result (para.121).

Power to enter land (s.168 WIA): although there are powers within private law allowing entry to another’s land (eg self-help to abate a nuisance at common law), they are narrowly circumscribed (eg they require possession of neighbouring land). The water companies’ powers are both wider and deeper: they apply against any landowner in the company’s area of license, and they extend to surveying and even boring on the land (para.125).

Hosepipe bans (ss.76-76C WIA): these powers are unlike anything available at private law, and moreover are backed by criminal sanctions.

Since it was content that the companies enjoyed a cluster of special powers, the UT formally left open the question of whether one would have been enough (see para. 105). However its comment in conclusion that the powers mentioned were ‘sufficient, collectively in themselves and as examples of powers of the same type’ to meet the test (para. 130) suggests that some pattern of powers will probably be necessary before a body is considered a public authority.

 

Persons under the control of public authorities

The CJEU’s elaboration of Article 2(2)(c) set out the test for ‘control’ in the following terms:

68 […] this third, residual, category of public authorities covers any entity which does not determine in a genuinely autonomous manner the way in which it performs the functions in the environmental field which are vested in it, since a public authority covered by Article 2(2)(a) or (b) of the directive is in a position to exert decisive influence on the entity’s action in that field.

The test applies to the manner in which functions are performed, not the functions themselves: a body is not under control of the Government merely because its powers derive from statute (para. 133). There are two elements to the test: the body must (i) operate in fact in a non-autonomous manner, and (ii) do so because a public authority is in a position to control it (para. 134). In other words, although the public authority need not actually be exercising its powers of control, the existence of the powers must have a real constraining effect on the body in question (para.135). Furthermore, the test required the UT to look at the companies’ overall manner of performing their environmental services: it would not be enough to find control in ‘one or two marginal aspects of their business’ (para. 136).

As for prior authorities, Smartsource was simply no longer relevant: the task of the UT was to consider the issue afresh in the light of the CJEU’s ruling (para.137).

The UT was at pains to point out that ‘no legitimate business has complete freedom of action’: all operate in a framework of legal and commercial constraints. Something more is needed before one can say that they have lost their autonomy (paras 142-144).

The two counsel for the requesting parties sought to supply that ‘something more’ by advancing ‘macro’ and ‘micro’ examples of actual state intervention in the water industry: recommendations by the Secretary of State made on reviewing a Draft Water Resources Management Plan, and an enforcement notice issued by OFWAT in respect of the risk of sewer flooding in the Penketh area. These were dismissed as no more than ‘increased intensity of oversight at particular times and in respect of particular activities’ (para.148).

A list of potential interventions was also provided – an analysis of the Secretary of State’s powers under the WIA. Although these clearly put the Secretary of State ‘in a position to exert decisive influence’ over the water companies’ actions, they too were rejected as not demonstrating control. The UT’s first two reasons are a little puzzling. The first was that the powers are (to some extent) a substitute for the forces of competition, since water companies enjoy local monopolies (para. 151). This rather begs the question: the grant of a monopoly confers great power on a private entity, which needs to be limited in the public interest. Just because state control is a substitute for market forces, this does not stop it from being a form of control. The second reason was that ‘the risk of enforcement is at most only a marginal consideration for a reputable company’ (para.152). Really? Why then did OFWAT need to issue that enforcement notice for the Penketh sewers?

However, the UT went on to find that whatever the potential for intervention, the more basic aspect of the control test was not satisfied. Merely listing all the possible interventions distorted the picture of how the companies operate in fact, and only addressed the second element of the test. The UT’s overall conclusion on the control test was that ‘despite the extent to which there is scope to influence the companies’ decision-making on the way it delivers its services, the evidence does not show that that influence is actually exerted to such an extent that overall the companies lack genuine autonomy (para.153).

You might not have predicted this result if you had read the CJEU’s heavy hint on the question of control – see [71] of its judgment

The weight that the UT afforded to the companies’ status as ordinary private companies is one of the surprises of the judgment. And it will be one of the few points of comfort for other privatised utilities. Not many can be as heavily regulated as the water industry; perhaps they too can avoid at least this limb of the definition.

 

POSTSCRIPT: if you’ve come here from Robin’s post, you may be wondering what Lewis Carroll has to do with all this. Loyal reader (which you must be if you’ve got this far), your guess is as good as mine. Why is the section on the State powers test (paras. 113-117) headed ‘Hunting of the Snark’? Answers on an e-postcard please.

 

 Peter Lockley

 

 

 

Leviathan

February 23rd, 2015 by Robin Hopkins

Hot off the press: the Upper Tribunal has given its judgment in Fish Legal.

Applying the principles from the CJEU’s judgment of December 2013, it has held that the respondent water companies are public authorities for the purposes of the Environmental Information Regulations 2004, by virtue of their “special powers”.

The issues and facts are complex, and the judgment is lengthy. It also makes reference to Lewis Carroll, who now somehow appears in two consecutive Panopticon posts.

The judgment is contained in these two documents: FISH LEGAL UT DECISON PART 1 and FISH LEGAL UT DECISON PART 2.

Analysis  of the judgment will follow on Panopticon shortly (thus the barrister dreamed, while the bellowing seemed to grow every moment more clear).

Robin Hopkins