Monetary penalty for marketing phonecalls: Tribunal upholds ‘lenient’ penalty

December 16th, 2014 by Robin Hopkins

A telephone call made for direct marketing purposes is against the law when it is made to the number of a telephone subscriber who has registered with the Telephone Preference Service (‘TPS’) as not wishing to receive such calls on that number, unless the subscriber has notified the caller that he does not, for the time being, object to such calls being made on that line by that caller: see regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended (‘PECR’).

The appellant in Amber UPVC Fabrications v IC (EA/2014/0112) sells UPVC windows and the like. It relies heavily on telephone calls to market its products and services. It made nearly four million telephone calls in the period May 2011 to April 2013, of which approximately 80% to 90% were marketing calls.

Some people complained to the Information Commissioner about these calls. The Commissioner found that the appellant had committed serious PECR contraventions – he relied on 524 unsolicited calls made in contravention of PECR. The appellant admitted that it made 360 of the calls. The appellant was issued with a monetary penalty under section 55A of the Data Protection Act 1998, as incorporated into PECR.

The appellant was issued with a monetary penalty to the value of £50,000. It appealed to the Tribunal. Its appeal did not go very well.

The Tribunal found the appellant’s evidence to be “rather unsatisfactory in a number of different ways. They took refuge in broad assertions about the appellant’s approach to compliance with the regulations, without being able to demonstrate that they were genuinely familiar with the relevant facts. They were able to speak only in general terms about the changes to the appellant’s telephone systems that had been made from time to time, and appeared unfamiliar with the detail. They had no convincing explanations for the numerous occasions when the appellant had failed to respond to complaints and correspondence from TPS or from the Commissioner. The general picture which we got was of a company which did as little as possible as late as possible to comply with the regulations, and only took reluctant and belated action in response to clear threats of legal enforcement.”

The Tribunal set out in detail the flaws with the appellant’s evidence. It concluded that “the penalty was appropriate (or, indeed, lenient) in the circumstances, and the appellant has no legitimate complaint concerning its size”.

This decision is notable not only for its detailed critique (in terms of PECR compliance) of the appellant’s business practices and evidence on appeal, but also more widely for its contribution to the developing jurisprudence on monetary penalties and the application of the conditions under section 55A DPA. Thus far, the cases have been Scottish Borders (DPA appeal allowed, in a decision largely confined to the facts), Central London Community Healthcare NHS Trust (appeal dismissed at both First-Tier and Upper Tribunal levels) and Niebel (PECR appeal allowed and upheld on appeal).

The Amber case is most closely linked to Niebel, which concerned marketing text messages. The Amber decision includes commentary on and interpretation of the binding Upper Tribunal decision in Niebel on how the section 55A conditions for issuing a monetary penalty should be applied. For example:

PECR should be construed so as to give proper effective to the Directive which it implements – see the Tribunal’s discussion of the Marleasing principle.

The impact of the ‘contravention’ can be assessed cumulatively, i.e. as the aggregate effect of the contraventions asserted in the penalty notice. In Niebel, the asserted contravention was a specified number of text messages which had been complained about, but the Tribunal in Amber took the view that, in other cases, the ICO need not frame the relevant contravention solely by reference to complaints – it could extrapolate, where the evidence supported this, to form a wider conclusion on contraventions.

Section 55A requires an assessment of the “likely” consequences of the “kind” of contravention. “Likely” has traditionally been taken to mean “a significant and weighty chance”, but the Tribunal in Amber considered that, in this context, it might mean “more than fanciful”, ie, “a real, a substantial rather than merely speculative, possibility, a possibility that cannot sensibly be ignored”.

The “kind” of contravention includes the method of contravention, the general content and tenor of the communication, and the number or scale of the contravention.

“Substantial” (as in “substantial damage or substantial distress”) probably means “more than trivial, ie, real or of substance”. Damage or distress can be substantial on a cumulative basis, i.e. even if the individual incidents do not themselves cause substantial damage or substantial distress.

“Damage” is different to “distress” but is not confined to financial loss – for example, personal injury or property interference could suffice.

“Distress” means something more than irritation.

The significant and weighty chance of causing substantial distress to one person is sufficient for the threshold test to be satisfied.

Where the number of contraventions is large, there is a higher inherent chance of affecting somebody who, because of their particular unusual circumstances, is likely to suffer substantial damage or substantial distress due to the PECR breach.

The Amber decision is, to date, the most developed analysis at First-Tier Tribunal level, of the monetary penalty conditions. The decision will no doubt be cited and discussed in future cases.

11KBW’s James Cornwall appeared for the ICO in both Amber and Niebel.

Robin Hopkins @hopkinsrobin

Above and below the waterline: IPT finds that Prism and Tempora are lawful

December 5th, 2014 by Robin Hopkins

The now famous revelations by US whistleblower Edward Snowden focused on US government programmes under which vast amounts of data about individuals’ internet usage and communications were said to have been gathered. The allegations extended beyond the US: the UK government and security agencies, for example, were also said to be involved in such activity.

Unsurprisingly, concerns were raised about the privacy implications of such activity – in particular, whether it complied with individuals’ rights under the European Convention on Human Rights (privacy under Article 8; freedom of expression under Article 10).

The litigation before the Investigatory Powers Tribunal

Litigation was commenced in the UK by Privacy International, Liberty, Amnesty International and others. The cases were heard by a five-member panel of the Investigatory Powers Tribunal (presided over by Mr Justice Burton) in July of this year. The IPT gave judgment ([2014] UKIPTrib 13_77-H) today.

In a nutshell, it found that the particular information-gathering activities it considered – carried out in particular by GCHQ and the Security Service – are lawful.

Note the tense: they are lawful. The IPT has not determined whether or not they were lawful in the past. The key difference is this: an essential element of lawfulness is whether the applicable legal regime under which such activity is conducted is sufficiently accessible (i.e. is it available and understandable to people?). That turns in part on what the public is told about how the regime operates. During the course of this litigation, the public has been given (by means of the IPT’s open judgment) considerably more detail in this regard. This, says the IPT, certainly makes the regime lawful on a prospective basis. The IPT has not determined whether, prior to these supplementary explanations, the ‘in accordance with the law’ requirement was satisfied.

With its forward-looking, self-referential approach, this judgment is unusual. It is also unusual in that it proceeded to test the legality of the regimes largely by references to assumed rather than established facts about the Prism and Tempora activities. This is because not much about those activities has been publicly confirmed, due to the ‘neither confirm nor deny’ principle which is intrinsic to intelligence and security activity.

Prism

The first issue assessed by reference to assumed facts was called the “Prism” issue: this was about the collection/interception by US authorities of data about individuals’ internet communications and the assumed sharing of such data with UK authorities, who could then retain and use it. Would this arrangement be lawful under Article 8(2) ECHR? In particular, was it “in accordance with the law”, which in essence means did it have a basis in law and was it sufficiently accessible and foreseeable to the potentially affected individuals? (These are the so-called Weber requirements, from Weber and Saravia v Germany [2008] 46 EHRR SE5).

When it comes to intelligence, accessibility and foreseeability are difficult to achieve without giving the game away to a self-defeating extent. The IPT recognised that the Weber principles need tweaking in this context. The following ‘nearly-Weber’ principles were applied as the decisive tests for ‘in accordance with the law’ in this context:

“(i) there must not be an unfettered discretion for executive action. There must be controls on the arbitrariness of that action.

(ii) the nature of the rules must be clear and the ambit of them must be in the public domain so far as possible, an “adequate indication” given (Malone v UK [1985] 7 EHRR 14 at paragraph 67), so that the existence of interference with privacy may in general terms be foreseeable.”

Those tests will be met if:

“(i) Appropriate rules or arrangements exist and are publicly known and confirmed to exist, with their content sufficiently signposted, such as to give an adequate indication of it.

(ii) They are subject to proper oversight.”

On the Prism issue, the IPT found that those tests are met. The basis in law comes from the Security Service Act 1989, Intelligence Services Act 1994 and the Counter-Terrorism Act 2008. Additionally, the Data Protection Act 1998 DPA, the Official Secrets Act 1989 and the Human Rights Act 1998 restrain the use of data of the sort at issue here. Taken together, there are sufficient and specific statutory limits on the information that each of the Intelligence Services can obtain, and on the information that each can disclose.

In practical terms, there are adequate arrangements in place to safeguard against arbitrary of unfettered use of individuals’ data. These included the “arrangements below the waterline” (i.e. which are not publicly explained) which the Tribunal was asked to – and did – take into account.

Oversight of this regime comes through Parliament’s Intelligence and Security Committee and the Interception of Communications Commissioner.

Further, these arrangements are “sufficiently signposted by virtue of the statutory framework … and the statements of the ISC and the Commissioner… and as now, after the two closed hearings that we have held, publicly disclosed by the Respondents and recorded in this judgment”.

Thus, in part thanks to closed evidence of the “below the waterline” arrangements and open disclosure of more detail about those arrangements, the Prism programme (on the assumed facts before the IPT) is lawful, i.e. it is a justified intrusion into Article 8 ECHR rights.

The alleged Tempora interception operation

Unlike the Prism programme, the second matter scrutinised by the IPT – the alleged Tempora programme – involved the interception of communications by UK authorities. Here, in contrast to Prism (where the interception is done by someone else), the Regulation of Investigatory Powers Act 2000 is pivotal.

This works on a system of warrants for interception. The warrants are issued under section 8 of RIPA (supplemented by sections 15 and 16) by the Secretary of State, rather than by a member of the judiciary. The regime is governed by the Interception of Communications Code of Practice.

The issue for the IPT was: is this warrant system (specifically, the section 8(4) provision for ‘certified’ warrants) in accordance with the law, for ECHR purposes?

This has previously been considered by the IPT in the British Irish Rights Watch case in 2004. Its answer was that the regime was in accordance with the law. The IPT in the present cases re-examined the issue and took the same view. It rejected a number of criticisms of the certified warrant regime, including:

The absence of a tightly focused, ‘targeting’ approach at the initial stages of information-gathering is acceptable and inevitable.

There is no call “for search words to be included in an application for a warrant or in the warrant itself. It seems to us that this would unnecessarily undermine and limit the operation of the warrant and be in any event entirely unrealistic”.

There is also “no basis for objection by virtue of the absence for judicial pre-authorisation of a warrant. The United Kingdom system is for the approval by the highest level of government, namely by the Secretary of State”.

Further, “it is not necessary that the precise details of all the safeguards should be published, or contained in legislation, delegated or otherwise”.

The overall assessment was very similar as for Prism: in light of the statutory regime, the oversight mechanisms, the open and closed evidence of the arrangements (above and below the “waterline”) and additional disclosures by the Respondents, the regime for gathering, retaining and using intercepted data was in accordance with the law – both as to Article 8 and Article 10 ECHR.

Conclusion

This judgment is good news for the UK Government and the security bodies, who will no doubt welcome the IPT’s sympathetic approach to the practical exigencies of effective intelligence operations in the digital age. These paragraphs encapsulate the complaints and the IPT’s views:

“158. Technology in the surveillance field appears to be advancing at break-neck speed. This has given rise to submissions that the UK legislation has failed to keep abreast of the consequences of these advances, and is ill fitted to do so; and that in any event Parliament has failed to provide safeguards adequate to meet these developments. All this inevitably creates considerable tension between the competing interests, and the ‘Snowden revelations’ in particular have led to the impression voiced in some quarters that the law in some way permits the Intelligence Services carte blanche to do what they will. We are satisfied that this is not the case.

159. We can be satisfied that, as addressed and disclosed in this judgment, in this sensitive field of national security, in relation to the areas addressed in this case, the law gives individuals an adequate indication as to the circumstances in which and the conditions upon which the Intelligence Services are entitled to resort to interception, or to make use of intercept.”

11KBW’s Ben Hooper and Julian Milford appeared for the Respondents.

Robin Hopkins @hopkinsrobin

Information Rights: imminent developments

December 4th, 2014 by Robin Hopkins

Like any self-respecting Panopticon, this website keeps tabs on imminent developments in its fields of interest. Here are some of the major cases to look out for in the information rights field.

State surveillance and the Prism/Tempora programmes

The obtaining, use and retention of personal data by state agencies has come under intense scrutiny since Edward Snowden’s revelations about the Prism/Tempora programmes. Litigation brought in the UK by Privacy International and Liberty against GCHQ and others reaches a head tomorrow, when the Investigatory Powers Tribunal gives judgment in that case.

Google Spain – and beyond

The Google Spain ‘right to be forgotten’ judgment has been one of the major events of 2014, in information rights terms. How is the right to be forgotten supposed to be applied in practice? The authoritative Article 29 Working Party (the cross-EU panel established under Article 29 of the DP Directive) has now given definitive guidance on how regulators should deal with such matters: see its guidelines adopted on 26 November.

Additionally, in X & Y v Google France the French Court (the Paris Tribunal de Grande Instance) has saddled Google with liability (on pain of monetary penalties) for defamation, in that google.com continued to provide links to Facebook and other webpages containing defamatory material. See this comment from Wiggin LLP on this case.

Domestic privacy/data protection litigation against Google

The case of Vidal-Hall v Google Inc saw Mr Justice Tugendhat grant permission to serve a claim extra-territorially. In so doing, he made a number of potentially significant observations about data protection and the privacy impact of Google’s activities through Apple’s Safari browser. The Court of Appeal is considering the appeal against the Tugendhat judgment next week. The ICO has been granted permission to intervene.

Police information

This week, the Supreme Court has heard appeals in the Catt and T cases, which concern the application of Article 8 ECHR and the DPA to information retained by the Metropolitan Police about persons who were not said to have committed criminal offences.

Next week, the Court of Appeal hears the case of Commissioner of Police of the Metropolis & X v Z (Children) & the Secretary of State for the Home Department, which concerns whether DNA profiles obtained under Part II of PACE (police powers to gather evidence from crime scenes) may lawfully be disclosed for purposes other than criminal law enforcement.

Medical information and confidentiality

Permission has also been granted to appeal in W and Others v Secretary of State for Health and Another [2014] EWHC 1532 (Admin), which concerns the disclosure of by the NHS of information about unpaid NHS debts by non-UK residents to departments of the UK government. One of the issues is the extent (if any) to which patient confidentiality applies to such information.

Panopticon understands that the British Medical Association has been given permission to intervene, and that the case will be before the Master of the Rolls (among others). The case is due to be heard next spring.

MPs’ expenses and the meaning of ‘information’ for FOIA purposes

Another case due before the Court of the Appeal (including the Master of the Rolls) next spring is IPSA v Information Commissioner, which concerns a FOIA request by Ben Leapman (then of the Daily Telegraph) for copies of original receipts submitted by a number of named MPs in support of their expenses claims. Issues include the meaning of ‘information’ for the purposes of FOIA.

The EIRs – public authorities and charges

The Fish Legal litigation – concerning the meaning of a ‘public authority’ for EIR purposes – has returned from the CJEU and has been heard by the Upper Tribunal. Piggy-backing onto this case are other appeals concerning whether the Duchy of Cornwall and the Sovereign are public authorities for EIR purposes.

In the opposite direction of travel, the CJEU will next week consider the case of East Sussex CC v ICO & LGA, a referral from the Tribunal on the question of reasonable charges for the provision of information under the EIRs.

As ever, watch this space.

Panopticon is also pleased to highlight the heavy presence of 11KBW counsel in the majority of the cases referred to above.

Robin Hopkins @hopkinsrobin

Public access to local authority information: transparency with teeth

November 20th, 2014 by Robin Hopkins

The Freedom of Information Act and Environmental Information Regulations are the dominant statutory regimes for public transparency, but they are of course not the only ones. A good example is the regime under the Local Government Act 1972 (as amended), particularly sections 100A-K. Those provisions govern public access to local authority meetings, as well as the public availability of minutes, reports, background documents and so on for such meetings, subject to provisions for exempt information (Schedule 12A).

A recent judgment of the Admin Court (Cranston J) in a planning matter, Joicey v Northumberland County Council [2014] EWHC 3657 (Admin) illustrates the importance of compliance with that regime for public access to information.

The claimant challenged the local authority’s grant of planning permission for a wind turbine. One of his grounds was its failure to make available the noise assessment report which had been considered in the granting of permission, contrary to the provisions of the 1972 Act referred to above, and also in breach of the council’s Statement of Community Involvement.

The Council had argued that the report, being on its files, was duly available. Cranston J disagreed: “it was not open to inspection by members of the public since the files were in such a state that the duty officer on 1 November fetched what must have been a Brackenside file, but not one with the report. If the Council cannot organize its files in a way which means the duty officer is able to produce a particular report within a reasonably practicable time the report is not available” (paragraph 44). This is a compelling warning to public authorities to make sure relevant information is properly (rather than technically or hypothetically) available where required.

Here is an important passage from Cranston J’s judgment about the practical and democratic value of transparency (paragraph 47):

“… Right to know provisions relevant to the taking of a decision such as those in the 1972 Act and the Council’s Statement of Community Involvement require timely publication. Information must be published by the public authority in good time for members of the public to be able to digest it and make intelligent representations: cf. R v North and East Devon Health Authority Ex p. Coughlan [2001] Q.B. 213, [108]; R (on the application of Moseley) (in substitution of Stirling Deceased) v Haringey LBC [2014] UKSC 56, [25]. The very purpose of a legal obligation conferring a right to know is to put members of the public in a position where they can make sensible contributions to democratic decision-making. In practice whether the publication of the information is timely will turn on factors such as its character (easily digested/technical), the audience (sophisticated/ ordinary members of the public) and its bearing on the decision (tangential/ central)”.

Here, the dense and technical report had not been made available with sufficient time for it to be digested acted upon.

Cranston J was also clear that, had the information been made properly available, it could have made a real difference. Officers could have been prompted to rethink certain points, and decision-makers could well have been swayed: the decision was made by “a committee of politicians where the vote was not whipped. It is a very bold person who will hazard that in such circumstances a particular result is inevitable”.

Relief was therefore appropriate: “the claimant will be entitled to relief unless the decision-maker can demonstrate that the decision it took would inevitably have been the same had it complied with its statutory obligation to disclose information in a timely fashion” (paragraph 51).

The Council’s decision was therefore quashed on the transparency ground (among others). See paragraph 59:

“Here the claimant had standing to challenge a decision of his local Council. By denying him timely access to information to which he was entitled it limited his full participation in democratic decision-making. The fact that he might not be immediately affected by the proposal where he lives is not a sufficient reason to deny him the remedy he seeks. This was a serious breach by the Council of its statutory obligations. An additional factor bearing on the exercise of discretion in this case is the Council’s own behaviour in the back-dating of the website to when the WSP noise assessment was available to it. Although it did not have any consequences in the circumstances of this case, it had the potential to mislead members of the public about their right to know and to use the information disclosed. In all there is no reason to deny the claimant his remedy.”

The case is a powerful illustration of the practical value of transparency and public participation, and of how failure to comply with laws aimed at those ends can really bite.

Robin Hopkins @hopkinsrobin

Disclosure to GMC

November 19th, 2014 by jamesgoudie

The disclosure of material to the General Medical Council (“the GMC”) by other agencies, including the Police, has an important role to play in the exercise of the GMC’s public interest functions as they relate to a Doctor’s fitness to practice.  Section 35A of the Medical Act 1983 grants a specific power to the GMC to require the disclosure of information which appears relevant to the discharge of these functions.

The leading case in relation to the duties of the Police, when a request for disclosure is received from a regulatory body, such as the GMC, remains the decision of the Court of Appeal in Woolgar v Chief Constable of Sussex Police [2000] 1 WLR 25.

The issue in R (Nakash v Metropolitan Police Service (“MPS”) and GMC [2014] EWHC 3810 (Admin), in which Judgment was given by Cox J on 17 November 2014, was whether, as the Claimant Doctor contended, the Administrative Court should prohibit the disclosure by the MPS of material requested by the GMC, on the basis that it was unlawfully obtained by the police, in breach of the Claimant’s ECHR Article 8 rights; that it included material of a highly personal and confidential nature; and that the material had no relevance to the issue of the Claimant’s fitness to practise as a medical practitioner.

Cox J concluded that the decision by the MPS to disclose the material requested by the GMC was in error. They had failed to carry out the “careful balancing exercise of competing interests” required by Article 8.  Relevance of the material is obviously an important factor.  So too, however, is the personal and confidential nature of the material requested.

At paragraph 46, Cox J said:-

 “… Since the primary decision as to disclosure will be made in these cases by the police, it is important that before the decision to disclose is made, there is a rational assessment of the relevant competing interests and that consideration is given, in each case, to the extent of the interference, and whether the disclosure sought is in accordance with the law and is a proportionate response to a legitimate aim …”

The MPS’s decision having been found to have been flawed, Cox J proceeded to carry out the balancing exercise herself, and found that disclosure by the MPS to the GMC was justified, under Article 8(2), notwithstanding the circumstances in which the MPS had obtained the material and the interference with the Doctor’s Article 8(1) rights.

James Goudie QC

Video recordings

November 18th, 2014 by jamesgoudie

The classification requirements imposed by the Video Recording Acts are lawful, the Court of Appeal (Criminal Division) has ruled, on 14 November 2014, in R v Dryzmer and Play Media Distribution Ltd.  The prohibition on supplying video recordings which have not been classified by the British Board of Film Classification is not rendered unlawful either by ECHR Article 10, on freedom of expression, or by TFEU Articles 34-36 on non-interference with trade. The reason is the same in both cases.  Qualitative restrictions on grounds of public health and morals are justified.

This was an application of the ECJ decision in Case 244/06, Dynamic Medien Vertriebs GmbH v Avides Media AG.  In that case the ECJ observed as follows.  The protection of the rights of the child is recognised by various international instruments which the Member States have cooperated on or acceded to, such as the International Covenant on Civil and Political Rights, which was adopted by the General Assembly of the United Nations on 19 December 1966 and entered into force on 23 March 1976, and the Convention on the Rights of the Child, which was adopted by the General Assembly of the United Nations on 20 November 1989 and entered into force on 2 September 1990. Those international instruments are among those concerning the protection of human rights of which it takes account in applying the general principles of Community law.  Under Article 17 of the Convention on the Rights of the Child, the States Parties recognise the important function performed by the mass media and are required to ensure that the child has access to information and material from a diversity of national and international sources, especially those aimed at the promotion of his or her social, spiritual and moral well-being and physical and mental health. Article 17(e) provides that those States are to encourage the development of appropriate guidelines for the protection of the child from information and material injurious to his or her well-being. The protection of the child is also enshrined in instruments drawn up within the framework of the European Union, such as the Charter of Fundamental Rights, Article 24(1) of which provides that children have the right to such protection and care as is necessary for their well-being. Furthermore, the Member States’ right to take the measures necessary for reasons relating to the protection of young persons is recognised by a number of Community-law instruments. Although the protection of the child is a legitimate interest which, in principle, justifies a restriction on a fundamental freedom guaranteed by the EC Treaty, such as the free movement of goods, such restrictions may be justified only if they are suitable for securing the attainment of the objective pursued and do not go beyond what is necessary in order to attain it.  However, it is not indispensable that restrictive measures laid down by the authorities of a Member State to protect the rights of the child correspond to a conception shared by all Member States as regards the level of protection and the detailed rules relating to it.  As that conception may vary from one Member State to another on the basis of, inter alia, moral or cultural views, Member States must be recognised as having a definite margin of discretion.  Prohibiting the sale and transfer by mail order of image storage media which have not been examined and classified by the competent authority for the purpose of protecting young persons and which do not bear a label from that authority indicating the age from which they may be viewed constitutes a measure suitable for protecting children against information and materials injurious to their well-being.

 James Goudie QC

Unforgettable that’s what you are – Google Spain revisited

October 13th, 2014 by Anya Proops

The debates over whether the CJEU’s judgment in Google Spain represents an unjustified attack on free speech rights have raged for months now. Interestingly, it seems that some judges at the local level at least are proving somewhat resistant to this highly privacy-centred judgment. Thus, according to online reports, in recent weeks a Dutch preliminary court has apparently held that a man convicted of a serious offence dating back over some years could not rely on Google Spain to have the links to websites referring to the offence excised. According to reports about the judgment (which seems only to be available in Dutch), the court held that information revealing that someone has committed an offence has relevance notwithstanding its vintage and, as such, should not be de-indexed by Google (see here). Outside of Europe, a judge sitting in the Israeli magistrate’s court has apparently refused to countenance a claim against Google based on the so-called right to be forgotten. According to a report in the Israel Hayom online newspaper, the judge held that imposing an obligation on Google to de-index results, even if they were defamatory, would entail converting Google unjustifiably into a ‘super-censor’ (see the report here). It will be interesting to see how the English courts, with their strong tradition of upholding free speech rights, will in due course seek to navigate their way through the challenging jurisprudential landscape set by the CJEU in Google Spain.

Anya Proops

Assessing the FOIA veto power

September 17th, 2014 by Robin Hopkins

For those of you still following the Prince of Wales correspondence veto saga, and who have access to law journals in print or online, you may be interested to read the casenote published in the latest issue of the Law Quarterly Review discussing the Court of Appeal judgment. The casenote is by 11KBW and Panopticon stalwart Chris Knight. The full reference is CJS Knight, ‘The Veto in the Court of Appeal’ (2014) 130 LQR 552.

Loss of personal data: £20k award upheld on appeal

September 16th, 2014 by Robin Hopkins

If you breach your legal duties as regards personal data in your control, what might you expect to pay by way of compensation to the affected individual? The received wisdom has tended to be something along these lines. First, has the individual suffered any financial loss? If not, they are not entitled to a penny under s. 13 DPA. Second, even if they get across that hurdle, how much should they get for distress? Generally, not very much – reported awards have tended to be very low (in the low thousands at most).

All of that is very comforting for data controllers who run into difficulties.

That picture is, however, increasingly questionable. “Damage” (the precondition for any award, under s. 13 DPA) could mean something other than “financial loss” – other sorts of damage (even a nominal sort of damage) can, it seems, serve as the trigger. Also, provided the evidence is sufficiently persuasive, it seems that awards – whether under the DPA or at common law (negligence) – could actually be substantial.

These trends are evident in the judgment of the Court of Appeal of Northern Ireland in CR19 v Chief Constable of the Police Service of Northern Ireland [2014] NICA 54.

The appellant, referred to as CR19, was a police officer with the Royal Ulster Constabulary. Due to his exposure to some serious terrorist incidents, he developed Post-Traumatic Stress Disorder (PTSD); he also developed a habit of excessive alcohol consumption. He left the Constabulary in 2001. In 2002, there was a burglary at Castlereagh Police, apparently carried out on behalf of a terrorist organisation. Data and records on officers including CR19 were stolen.

The Constabulary admitted both negligence and a breach of the seventh data protection principle (failure to take appropriate technical and organisational measures). The issue at trial was the amount of compensation to which CR19 was entitled.

Note the losses for which CR19 sought compensation: he claimed that, as a result of the stress which that data loss incident caused him, his PTSD and alcohol problems worsened, he lost out on an employment opportunity and that his house had been devalued as a result of threats to the property and the package of security measures that had been implemented for protection.

The trial judge heard evidence from a number of parties, including medical experts on both sides. He found some aspects of CR19’s evidence unsatisfactory. Overall, however, he awarded CR19 £20,000 (plus interest) for the Constabulary’s negligence. He did not expressly deal with any award under s. 13 of the DPA.

CR19 appealed, saying the award was too low. His appeal was largely dismissed: the trial judge had been entitled to reach his conclusions on the evidence before him.

Further, the s. 13 DPA claim added nothing to the quantum. The Court of Appeal considered the cases of Halliday (a £750 award) and AB (£2,250) (both reported on Panopticon) and concluded as follows (para. 24):

“In this case we have earlier recorded that three eminent psychiatrists gave professional evidence as to the distress sustained by CR19 as a consequence of the break-in. While accepting that the breach and its consequences in this case are of a different order to the matters considered in Halliday or AB, we conclude that the damages for distress arising from the breach of the Data Protection Act must be considered to be subsumed into the judge’s award which, while rejected as too low by the appellant, was by no means an insignificant award. The assessment took account of the distress engendered by the breach of data protection. We cannot conceive of any additional evidence that might be relevant to any additional damages for distress in respect of breach of section 4. Accordingly, we affirm the award of compensation made by the learned trial judge. However, in view of Arden LJ’s reasoning in Halliday, we conclude that the appellant must in addition be entitled to nominal damages of £1.00 to reflect the fact that there was an admitted breach of section 4 of the Data Protection Act.”

Whilst it is not strictly correct to read the CR19 judgment as affirming a DPA award for £20,000 (that award was for negligence), the judgment is nonetheless interesting from a DPA perspective in a number of respects, including these:

(i) While it was conceded in Halliday that nominal damage suffices as “damage” for s. 13(1) purposes, that conclusion looks like it is being applied more widely.

(ii) One problem in Halliday (and to an extent also in AB) was the lack of cogent evidence supporting the alleged damage. The CR19 case illustrates how evidence, including expert medical evidence, can be deployed to effect in data breach cases (whether based on negligence or on the DPA).

(iii) Unlawful acts with respect to individuals’ personal information can, it seems, lead one way or another to a substantial award. The DPA may aim to offer relatively modest awards (so said the Court of Appeal in Halliday), but serious misuse or loss of personal data can nonetheless be very damaging, and the law will recognise and compensate for this where appropriate.

Robin Hopkins @hopkinsrobin

Facebook, FOI and children

August 6th, 2014 by Robin Hopkins

The Upper Tribunal has got its teeth into personal data disputes on a number of occasions in recent months – Edem was followed by Farrand, and now Surrey Heath Borough Council v IC and Morley [2014] UKUT 0330 (AAC): Morley UT decision. Panopticon reported on the first-instance Morley decision in 2012. In brief: Mr Morley asked for information about members of the local authority’s Youth Council who had provided input into a planning application. The local authority withheld the names of the Youth Councillors (who were minors) under s. 40(2) of FOAI (personal data). In a majority decision, the First-Tier Tribunal ordered that some of those names be disclosed, principally on the grounds that it seemed that they appeared on the Youth Council’s (closed) Facebook page.

The local authority and the ICO challenged that decision. The Upper Tribunal (Judge Jacobs) has agreed with them. He found the dissenting opinion of the First-Tier Tribunal member to have been the more sophisticated (as opposed to the overly generalised analysis of the majority) and ultimately correct. The Youth Councillors’ names were correctly withheld.

In his analysis of the First Data Protection Principle, Judge Jacobs was not much bothered by whether fairness or condition 6(1) (the relevant Schedule 2 condition) should be considered first: “the latter is but a specific instance of the former”.

Judge Jacobs found that there was no sufficient interest in the disclosure of the names of the Youth Councillors. He also rejected the argument that, by putting their names on the relevant Facebook page, the data subjects had implicitly consented to public disclosure of their identities in response to such a FOIA request.

Judge Jacobs stopped short, however, of finding that the personal data of minors should never be disclosed under FOIA, i.e. that the (privacy) interests of children would always take precedence over transparency. Maturity and autonomy matter more than mere age in this context, and sometimes (as here) minors are afforded substantial scope to make their own decisions.

Morley is an important case on the intersection between children’s personal data and transparency, particularly in the social media context, but – as Judge Jacobs himself observed – “it is by no means the last word on the subject”.

There were 11KBW appearances by Joseph Barrett (for the local authority) and Heather Emmerson (for the ICO).

Robin Hopkins @hopkinsrobin