New President of the GRC

December 4th, 2014 by Christopher Knight

The Ministry of Justice has today announced the new President of the General Regulatory Chamber to be Judge Peter Lane. He will take up his post on 15 December, replacing Judge Nicholas Warren, who is retiring.

As President of the GRC, Judge Lane will doubtless hear a fair share of Information Rights appeals – as his predecessor did – and will have some familiarity with the regime from his time in the last four years or so sitting in the Upper Tribunal.

Panopticon wishes Judge Lane all the best in his new role (in which guise many Panopticonners will doubtless see more of him), and Judge Warren all the best in his retirement.

Christopher Knight

Kennedy goes to Strasbourg (maybe)

November 18th, 2014 by Anya Proops

Hot of the press – Readers of this blog will be aware of the wonderful saga involving Mr Kennedy and his tireless quest to gain access to information held by the Charity Commission. I have been told today that, having lost his appeal before the Supreme Court (see the relevant Panopticon post here), Mr Kennedy is now seeking to bring the case before the European Court of Human Rights. An application has been lodged and Mr Kennedy is now awaiting a decision on admissibility. All of which means that we may yet see the Strasbourg Court having its say on the vexed question of whether s. 32 FOIA, as currently framed, is compatible with the Art 10 right to receive information. For further updates, watch this space.

Anya Proops

Good Things Come to Those Who (Have Inherent) Weight

October 29th, 2014 by Christopher Knight

Philosophically, everything must have an inherent weight. Otherwise it would have no weight at all. But FOIA is not concerned with philosophy; it is much more concerned with who is in charge of the sheep dip, and indeed the levels of public funding for the sheep being dipped. (No points for spotting that reference, Bruce.) As a result, there are often debates in the FOIA case law about whether a particular qualified exemption contains an inherent weight, i.e. is the fact that the exemption is engaged at all sufficient to place some weight in the public interest balance against disclosure? The answer varies according to the particular exemption.

In Cabinet Office v Information Commissioner [2014] UKUT 461 (AAC), the Cabinet Office appealed against a decision of the FTT that the number of times the Reducing Regulation Committee has met should be disclosed. This apparently supremely uninteresting piece of information was withheld in reliance on section 35(1)(b) FOIA, which provides a qualified exemption for information relating to Ministerial communications. The Cabinet Office argued that the FTT had erred in not ascribing an inherent weight to section 35(1)(b), and also that it had misunderstood aspects of the evidence on prejudice presented to it.

The appeal in fact succeeded on the second ground, because Judge Turnbull took the view that the FTT had misunderstood an aspect of the evidence being given to it  – even though it had got it right in other places – and was not sufficiently sure that that would make no difference, so that the case was remitted. That aspect is very fact-specific and unlikely to be of much wider interest, except possibly to avid watchers of the Reducing Regulation Committee.

The Cabinet Office did not succeed on its first ground. Under the existing state of the jurisprudence, section 35(1)(c) (advice of Law Officers) has some inherent weight (HM Treasury v Information Commissioner [2009] EWHC 1811; [2010] QB 563) but that section 35(1)(a) (formulation of Government policy) does not (OGC v Information Commissioner [2008] EWHC 774 (Admin)). Section 42 (legal professional privilege) also has some inherent weight: DBERR v O’Brien [2009] EWHC 164 (QB). Judge Turnbull concluded at [47]-[70] that there was no inherent weight in the section 35(1)(b) exemption. He reasoned that there were a variety of policy justifications underpinning the various limbs of section 35, and they did not all overlap. The fact that the information has merely to “relate to” Ministerial communications means that the exemption could be engaged without bringing into play to any significant extent any of the public policy considerations underlying the exemption. It was not obvious how the information in issue would undermine the convention of collective Cabinet responsibility, or have an effect of the future behaviour of Ministers. The section 35(1)(c) exemption was narrower in that it was more likely that the information would engage the central policy justification for the exemption, but that where it did not there may be situations where even the exemption in s.35(1)(c) can be engaged without any necessary assumption of some inherent weight (see at [61]). Section 42 was different because it did not include the words “relate to” and any disclosure would undermine the single policy justification of protecting privileged access to legal advice.

Judge Turnbull’s analysis at [67] was to set out a test which is more nuanced and contextual than simply an assertion of inherent weight:

I think that some confusion and apparent contradiction has been introduced into the case law by formulating the question as being whether the exemption in a particular subsection of section 35(1) carries inherent weight. In my judgment it is preferable (i) to consider to what extent the public interest factors potentially underlying the relevant exemption are in play in the particular case and then (ii) to consider what weight attaches to those factors, on the particular facts.”

As a result, the FTT had not erred in law. (In fact, the Cabinet Office had not made the argument before the FTT that there should be an inherent weight in section 35(1)(b). That was evidently the correct position to have taken.) It is difficult to argue with the reasoning of Judge Turnbull, and the judgment is a helpful clarification of the law under sections 35(1)(a) and (b), although it perhaps makes the situation slightly less clear in relation to (c), given the reinterpretation of HM Treasury to allow for less/no inherent weight in more tangential cases. The only surprise is that Lord Steyn’s much cited adage from R (Daly) v Secretary of State for the Home Department [2001] 2 AC 532 at [28] that “in the law, context is everything” did not get another outing.

Robin Hopkins appeared for the ICO.

Christopher Knight

The Government wants to get your PECR up

October 26th, 2014 by Christopher Knight

You – yes, you! – are entitled to FREE compensation! Our records – what records? Magic records! – show that you were missold PPI and can now claim thousands of pounds!

If you haven’t ever had a text message or a phone call along these lines, then you are either managing to live as a hermit or you are extraordinarily lucky. Most of us face spam texts and nuisance cold-calls as a daily fact of life. They are a regular source of irritation and annoyance. They are also blatantly illegal, particularly if you have signed up to the Telephone Preference Service. See: regs 22-23 of the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (“PECR”), implemented under EU Directive 2002/21/EC.

Unfortunately, the nature of such communications means that it will not be very often that they are a source of “substantial damage or substantial distress”. Yet, that is the test which must be met in order for the Information Commisisoner to impose a monetary penalty notice (“MPN”): section 55A(1) of the Data Protection Act 1998 (implemented as the enforcement regime for PECR as well in a fit of slightly lazy ‘joined-up’ thinking).

As readers of this blog will know, the Upper Tribunal’s interpretation of the MPN regime as applied to PECR in Information Commissioner v Niebel [2014] UKUT 255 (AAC) has had the effect that it will be almost impossible for the ICO to establish substantial damage or distress in spam text message cases (see Anya Proops’ detailed comment here). It is certainly the case that the door remains more ajar in relation to nuisance calls – which by their nature are much more likely to cause genuine distress to some individuals – and the ICO is dealing with a couple of MPN appeals to establish how ajar, but Niebel casts a baleful shadow.

But, to the east, a new dawn may be rising. If the ICO’s war against the orc-like forces of spam is reminscient of the Battle of Helms Deep (and I think we can all agree that it is), then the Secretary of State for Culture, Media and Sport, Sajid Javid, is Gandalf, appearing with the remains of the Rohirrim on the morning of fifth day to turn the tide. For the DCMS has just launched a consultation exercise on amending PECR with a view to altering the test from “substantial damage or distress” to causing “annoyance, inconvenience or anxiety”. On its face, that change will be much more easily met and give PECR some teeth, as well as better implementing the Directive, which did not require anything so high as the section 55A test. The consultation paper can be found here, and the period for responding closes on December 7th. So once you have had fun allocating characters to the players in this area (Is Ed Vaizey Peregrine Took? Is Christopher Graham, the ICO, Aragorn? Is our own Robin Hopkins, counsel for Mr ‘Spamalot’ Niebel, Grima Wormtongue?), do respond to the consultation.

Update

Few areas of the law have such informed and coherent bloggers as information and data protection law, and not surprisingly, the PECR consultation has been grist to the commentariat mill. But at least one leading blogger, Jon Baines, has made the point that the Government’s (and the ICO’s) preferred option from the consultation is actually to remove the threshold entirely. He is right (and however formidable I may be – thanks Jon – I should have made that point). That is what the consultation paper says under option 3 (removing any harm threshold at all). Although it is also fair to say that it is slightly surprising that that is the preferred option, as the rest of the consultation paper appears to be drafted around the utility of adopting the “annoyance, inconvenience or anxiety” threshold. Not only is that what the Government says on the consultation page of its website, but paragraphs 16-20 of the paper (under the heading ‘The Proposal’) talk expressing in terms of the ‘annoyance’ threshold (and cross-refer to that being the test used by Ofcom). At paragraphs 44-45 of the paper the ICO appears to have provided evidence on the different actions it could have taken under an ‘annoyance’ test. Nowhere until the options are presented is it suggested that the talk of “lowering the threshold” might mean removing the threshold altogether. Which might just be an oversight. Or it might indicate that consulting on a preferred no harm option is one of those kite-flying efforts Sir Stephen Sedley warned of in the LRB. Either way, the reader is left less than clear as to what DCMS or the ICO really want.

(Apologies for the lack of LOTR references in this update. To make up for it, do enjoy this video of Ian McKellen explaining to schoolkids why they should revise for their exams. You’re welcome.)

Christopher Knight

Local Government Transparency Code – Updated

October 7th, 2014 by Christopher Knight

Back in May 2014 the Secretary of State for Communities and Local Government issued the Local Government Transparency Code, and I briefly blogged about that here.

Now, an updated version of the Code dated October 2014 has been issued. Unaccountably, its publication appears to have been overshadowed by Kevin Pietersen’s autobiography, but it might perhaps be unfair to engage in a game of parallels, identifying for example who the “Big Cheese” would be at DCLG. The October 2014 Code is materially the same as its May predecessor (but fully replaces it) and it may assist if my earlier comments are set out again here (with amendments and updated cross-references).

The Code is issued in exercise of the Secretary of State’s powers under section 2 of the Local Government, Planning and Land Act 1980 to issue a Code of Recommended Practice as to the publication of information by local authorities about the discharge of their functions and other matters which he considers to be related.

The Code sets out in some detail in Part 2 the type of information held by local authorities which must be published (some of it annually). This is designed to replicate the requirements prescribed in the Local Government (Transparency) (Descriptions of Information) (England) Order 2014. Part 3 sets out the information which, in the view of the Secretary of State, ought to be published. A helpful Annex A provides the details in tabular form.

Paragraph 17 of the Code provides that: “Where information would otherwise fall within one of the exemptions from disclosure under the Freedom of Information Act 2000, the Environmental Information Regulations 2004, the Infrastructure for Spatial Information in the European Community Regulations 2009 or falls within Schedule 12A to the Local Government Act 1972 then it is in the discretion of the local authority whether or not to rely on that exemption or publish the data.” There is therefore no attempt to override the FOIA exemptions. But where a qualified exemption applies, the appearance of the requested information in one of the categories set out in the Code will have a role (possibly a significant role) in establishing the public interest in support of disclosure. Of course, where the Secretary of State as required – in Part 2 – information to be published, it should be published by the local authority. Any reliance on a qualified exemption will be doomed to fail. Information falling within the scope of Part 3 is also likely to face an uphill struggle to be withheld under FOIA/EIR, but it will be context dependent.

The main substantive difference between the May and October Codes is that the new one has added three datasets to the list of information which must be published: namely information about how the authority delivers waste services, use the parking revenue it collects and tackles fraud.

 

One development between May and October is that the DCLG have obviously been faced with a barrage of questions from concerned Councils. In an attempt to assist, DCLG has also published an accompanying FAQ Guide to the Code, which may help those attempting to practically apply the new Code with what the DCLG was trying to do in particular circumstances.

Christopher Knight

Closed proceedings in FOIA appeals – new FTT checklist

September 4th, 2014 by Anya Proops

The question of how far tribunals should go in terms of allowing evidence and submissions to be dealt with on a closed basis in FOIA appeals is one that looms large for all FOIA practitioners. Judge Nicolas Warren, the President of the First-Tier Tribunal (Information Rights) has now drafted and circulated to all FTT judges a checklist for dealing with closed proceedings under rule 14 of the Tribunal rules. Not being one to keep the public in the dark about such judicial guidance, Judge Warren has kindly agreed to the checklist being reproduced in full on the blog – see further below:

General Regulatory Chamber (Information Rights) – Rule 14 Check list

  1. Has Rule 14 been correctly applied so far?  Should any closed material be made open?
  2. Is it necessary to hold part of the hearing in closed or do the closed written submissions suffice?
  3. Explain purpose of closed hearing to requestor.
  4. Ask requestor if there are any questions he or she particularly wants the Tribunal to put.  If requestor legally represented then the questions should be in writing.
  5. Is the hearing recorded?  If so, the closed session must also be recorded but separately and with the cd sealed and a note that it must not be opened with the permission of the Tribunal or the UT.
  6. During the closed session, keep a running note of anything new that is said which could properly be said in open session.
  7. At the conclusion of the closed session, agree with the representatives what is to be said to the requestor on return to open by way of:- (a) a gist of what must remain closed. (b)anything new that could have been said in open.
  8. In draft decision include an account of the procedure adopted and indicate what use if any was made of the closed material.

It is clear that this guidance is intended to increase the rigour and care with which tribunals approach the issue of closed hearings and, hence, to intensify compliance with natural justice principles. For further discussion of closed procedures in the information tribunal see further my previous posts on the Court of Appeal case of Browning here and here.

Anya Proops

Data protection and journalism – ICO publishes guidance

September 4th, 2014 by Anya Proops

The Information Commissioner has today published his keenly anticipated guidance on ‘Data Protection and Journalism: A Guide for the Media’.  The guidance has been published following a lengthy consultative process and in response to a recommendation made in the Leveson report. The guidance has much to say on the controversial subject of the journalistic exemption provided for under s. 32 DPA. As readers of this blog will know, section 32 largely disapplies the various obligations provided for under the DPA where the conditions provided for in s. 32(1) are met:

‘32(1)     Personal data which are processed only for the special purposes [i.e. the purposes of journalism, literature and art] are exempt from any provision to which this subsection relates if—

(a)     the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b)     the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c)     the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.’

The guidance analyses these various conditions at some length. Below are some edited highlights, along with some initial commentary.

  • Meaning of ‘Journalism’The guidance concludes that, following the ECJ’s judgment in the Satamedia case (Case C-73/07), the concept of journalism should be ‘interpreted broadly ’. Thus, ‘It will clearly cover all output on news, current affairs, consumer affairs or sport. Taken together with art and literature, we consider it is likely to cover everything published in a newspaper or magazine, or broadcast on radio or television – in other words, the entire output of the print and broadcast media, with the exception of paid-for advertising’(p. 29). However, it will also cover the activities of citizen bloggers, insofar as they relate to public interest journalism (p. 30). Moreover ‘non-media organisations may be able to invoke the exemption. If their purpose in processing the specific information is to publish information, opinions or ideas for general public consumption, this will count as a journalistic purpose – even if they are not professional journalists and the publication forms part of a wider campaign to promote a particular cause or achieve a particular objective. However, the information must be used only for publication, and not for the organisation’s other purposes’(p. 30).

 

  • Processing data ‘only for’ special purposes – The guidance effectively assumes that traditional media organisations will typically meet this requirement in respect of their data processing activities. So far as non-media organisations are concerned, it posits that they will not be able to rely on the s. 32 exemption if, in addition to processing the data for journalistic purposes, the data ‘are also used for the organisation’s other purposes – eg in political lobbying or in fundraising campaigns – the exemption will not apply’ (p. 31). [Note - this obviously begs the question of whether there is any neat dividing line between campaign-led journalism (which the Commissioner seems to think falls within the scope of s. 32) and ‘political lobbying’. It also begs the question whether traditional media organisations may themselves be engaged in political lobbying as an integral part of their publication activities].

 

  • ‘With a view to publication’ – The position adopted in the guidance is that, provided that the data processing is being undertaken with ‘the ultimate aim of publishing a story’, the s. 32(1)(a) requirement is fulfilled. The guidance goes on to state ‘In short, this means that the exemption can potentially cover any information collected, created or retained as part of a journalist’s day-to-day activities, both before and after publication. However, the exemption cannot apply to anything that is not an integral part of the newsgathering and editorial process’ (p. 31). [Note – as will be apparent the guidance seems to embody a very broad approach to s. 32(1)(a)].

 

  • Balancing rights The guidance repeatedly asserts that, when handling personal data in the media context, decision-makers should be weighing the public interest in publication/pursuing the story as against the privacy rights of affected data subjects. Thus, for example, on the subject of publication, the guidance states Publication is likely either to be fair and to comply with the DPA or to fall within the journalism exemption if it can be shown that someone at an appropriate level considered whether the public interest in publication outweighed individual privacy in the circumstances of the case and can give good reasons for this view when challenged’ (p. 13, emphasis added). When specifically discussing the s. 32 exemption, the guidance states: ‘You must reasonably believe publication is in the public interest – and that the public interest justifies the extent of the intrusion into private life. You must also reasonably believe that compliance with the relevant provision is incompatible with journalism. In other words, it must be impossible to comply and fulfil your journalistic purpose, or unreasonable to comply in light of your journalistic aims, having balanced the public interest in journalism against the effect upon privacy rights.’ (p. 27 emphasis added and see pp. 33-34). The guidance invites a similar balancing exercise to be conducted as and when journalists/editors are deciding whether or not to notify a data subject about the fact that their data is being collected or, further, whether or not to collect data using covert means (p. 10). [Note - this analysis is likely to be regarded as particularly controversial. This is because it arguably marks a significant departure from the language of the s. 32 exemption, which on its face seems to presuppose that the focus of the analysis is simply on whether publication is in the public interest, with no balancing of that interest as against the privacy rights of data subjects].

 

  • Responsibility for applying the public interest testThat said the guidance repeatedly states that, so far as the s. 32 exemption is concerned, it is journalists/editors and not the Commissioner who are responsible for deciding what is ‘in the public interest’. The Commissioner sees his role as testing whether the decisions of the relevant journalist/editor is reasonable, albeit that the guidance also states that he will not ‘disregard [the media’s views] lightly’ (p. 35).

 

  • ‘Compliance incompatible with the special purposes’ In his original draft guidance, the Commissioner suggested that, in order to invoke s. 32, it would have to be established that compliance with the provisions of the DPA would make it impossible to fulfil the journalistic purpose (see p. 30: ‘you must decide that the provision in question would stop you from doing your job’). The final version of the guidance states that, in order for reliance to be placed on the s. 32 exemption: …it must be impossible to comply and fulfil your journalistic purpose, or unreasonable to comply in light of your journalistic aims, having balanced the public interest in journalism against the effect upon privacy rights’ (p. 27, emphasis added). The underlined section of the citation indicates a more flexible test than the ‘you cannot do your job’ test suggested in the draft guidance (see further p. 37).

 

The guidance also contains the following noteworthy conclusions:

  • NotificationWhere media organisations are gathering data about individuals they should as a matter of course notify them of this fact, unless this is not practicable or it would undermine the journalistic activity. In deciding whether or not to notify, consideration should be given to the level of privacy intrusion resulting from the processing (pp. 9-10).

 

  • Covert methodsCovert methods should be used only where this is justified in the public interest, taking into account the adverse effects on the individual’s privacy. Even if covert methods have been used, once the data has been obtained the issue of notifying the data subject should be considered (p. 10).

 

  • Data retention – Data should be retained for no longer than is necessary and, any data which is retained, should be regularly reviewed in order to assess its utility. Contact details and background research are a vital journalistic resource, and you are likely to want to keep them for long periods or indefinitely, even if there is no specific story in mind at present. But you are ‘processing’ personal data just by keeping it, so you must comply with the DPA’ (p. 11). [This latter conclusion represents an important concession by the Commissioner that, in the context of journalism, data archives are likely to have an ongoing utility, even if they are not being actively deployed in the context of a current story].

 

  • Confidential sources – The guidance makes clear that the subject access regime cannot be used to gain access to information identifying confidential journalistic sources. Indeed, it confirms that disclosure of such information is itself likely to amount to a breach of the DPA ‘in many cases’ (p. 16).

 

  • Section 55 offences– The guidance states that, where you knowingly or recklessly obtain or disclose personal data without the consent of the relevant data controller, you may be committing a criminal offence under s. 55 DPA, even if your activities fall within the scope of s. 32. This is because the public interest defence available in respect of s. 55 offences holds you to a higher standard than the standard imposed under s. 32 (p. 10).

Finally, I should add that many of the principles identified in the guidance are likely to be subject to scrutiny and debate in the context of the ongoing Steinmetz v Global Witness case (discussed here), which is now before the Commissioner .

Anya Proops

Information Tribunal Consultation

August 18th, 2014 by Christopher Knight

The Senior President of Tribunals, Sullivan LJ, has launched a consultation paper on altering the composition of the First-tier Tribunal (General Regulatory Chamber) in some Information Rights cases. With the support of GRC Chamber President, Judge Warren, it is proposed to remove the requirement that a judge sit with two non-legal members and allow the Chamber President flexibility to direct that certain cases be heard by a judge alone.

From the consultation document, it does not appear that the formal Composition Practice Statement will set out itself when non-legal members will be used, but the Chamber President’s anticipation is stated to be that a judge alone will be used in more procedural cases, such as whether the information is held, or time limit issues, or whether the cost of compliance limits are breached, or whether the information is readily accessible by other means. A single judge may also be used where the judge is already familiar with the evidence because of previous involvement with the case and all parties are content that a decision should be taken without a hearing. Other cases, and therefore questions of the balance of the public interest, will continue to be heard by a panel of three.

Consultation responses are to be sent by 3 October 2014.

The details of the questions, and the address for responses, can be found in the consultation paper here.

Christopher Knight

 

DRIP – Data Retention Regulations come into force

August 5th, 2014 by Anya Proops

The introduction of the controversial draft Data Retention Regulations 2014 has already been discussed by my colleague Robin Hopkins in his excellent post last month. The Regulations now have the force of law, having come into force on 31 July 2014 – see the Regulations here. In his post, Robin made the point that, following the judgment in Digital Rights Ireland, there were two methods for curtailing the infringement of privacy rights presupposed by the existing communications data retention (CDR) regime: either cut back on the data retention requirements provided for under the legislation, so as generally to limit the potential for interference with privacy rights, or introduce more robust safeguards with a view to ensuring that any interference with privacy rights is proportionate and otherwise justified. The Government, which has evidently opted for the latter approach in the new Regulations, will now need to persuade a somewhat sceptical public that the safeguards which have been adopted in the legislation strike the right balance as between the protection of privacy rights on the one hand and the imperative to support criminal law enforcement functions on the other.

Notably, the Explanatory Memorandum issued with the Regulations itself constitutes a clear attempt to allay concerns that the safeguarding arrangements embodied in the legislation are insufficiently robust. Here are some edited highlights:

Meaning of communications data and its uses – ‘Communications data is the context not the content of a communication. It can be used to demonstrate who was communicating; when; from where; and with whom. It can include the time and duration of a communication, the number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made. It does not include the content of any communication: for example the text of an email or a conversation on a telephone. Communications data is used by the intelligence and law enforcement agencies during investigations regarding national security and, organised and serious crime. It enables investigators to identify members of a criminal network, place them in specific locations at given times and in certain cases to understand the criminality in which they are engaged. Communications data can be vital in a wide range of threat to life investigations, including the investigation of missing persons. Communications data can be used as evidence in court.’ (para. 7.1)

The need for legislation which mandates retention – Data needs to be retained by telecoms providers so that they can be accessed and used for criminal law enforcement purposes (para. 7.2). Absent mandatory retention requirements, there can be no guarantee that telecoms providers will themselves retain communications data for a sufficiently lengthy period time. This is because, in the absence of a mandatory obligation, telecoms providers may retain data for only a few months and indeed possibly only a few days, depending on their commercial needs. However, ‘many [criminal law enforcement] investigations require data that is older than the few months that data may be retained for business purposes, particularly in ongoing investigations into offences such as child abuse and financial crime’ (para. 7.3). This is why the original domestic CDR regime embodied in the Data Retention (EC Directive) Regulations 2009 mandated retention for a period of 12 months.

New safeguards – The new Regulations ‘effectively replicate the obligations on providers contained in the 2009 Regulations, and do not provide for the retention of any additional categories of communications data’ (para. 3.3). ‘These Regulations only differ from the 2009 Regulations in that they provide additional safeguards’ (para. 7.4). Two safeguards in particular are highlighted in the Memorandum.

  • the 2009 Regulations imposed a blanket 12 month retention period where a relevant notice had been served on a telecoms provider. The new Regulations enable ‘different data types to be retained for shorter periods when appropriate’ (para. 7.4).

 

  • the 2009 Regulations did not embody any statutory duty on the Secretary of State to consult providers prior to issuing a notice, although consultation was in practice undertaken. The new Regulations make prior consultation a statutory obligation (para. 7.4).

The following points are worthy of note in respect of the new ‘safeguards’ embodied in the Regulations.

  •  First and perhaps most significantly, the Regulations themselves do not purport to identify the types or categories of data which should to be retained for less than 12 months. They simply posit that 12 months is the maximum retention period (r. 4(2)). This leaves a significant question as to what types of data, if any, will ultimately attract a shorter retention period. The risk which is inevitably inherent in this type of open-ended legislative arrangement is that blanket, indiscriminate 12 month retention continues to be the norm.

 

  • Regulation 5(1) requires the Secretary of State to take into account a variety of matters before issuing a retention notice, including not least the likely number of users who will be affected by the notice. However, such matters would presumably have been treated as relevant considerations as and when the Secretary of State was issuing a notice under the 2009 Regulations. Hence, it is not clear that this particular safeguard will add much of substance to the overall process.

 

  • Similarly the requirement in r. 6 that the Secretary of State must keep any retention notice under review presumably merely codifies an obligation which was already implicitly present in the 2009 regime.

 

  • Regulation 10 makes provision for a statutory code of practice on data retention to be issued by the Secretary of State. It is unclear whether this code may yet shed further light on how the Secretary of State intends to exercise her powers under this highly controversial legislation.

 

  • More generally, there must be serious doubts that the safeguards embodied in the new Regulations are sufficient to meet the deep concerns expressed by the CJEU in the Digital Rights case. Of course it might be said that the real danger to personal privacy arises not in the context of the data retention regime per se but rather in the context of those legislative powers which permit the State to access any communications data which have been retained, most notably the powers provided for in RIPA. However, whatever position you may adopt on that particular line of argument, suffice it to say that the question of whether the State should be entitled, in effect, to create a vast reservoir of potentially accessible communications data still hangs in the balance, the new safeguards in the Data Retention Regulations notwithstanding.

Anya Proops

Google Spain – new High Court judgment

August 4th, 2014 by Anya Proops

Readers of this blog will already be familiar with the ways in which data protection legislation is assuming increasing importance in both the media and technology worlds. Certainly if there were any doubt as to the relevance of this legislation to the way in which both the media and technology companies operate, that doubt was firmly laid to rest following the highly controversial judgment of the CJEU in Google Spain. That judgment has led to extensive debates about the so-called right to be forgotten (as to which see here the recent ITN debate on Google Spain, in which I participated along withthe Information Commissioner and Google’s Spain’s Director of Communications for EMEA). However, the judgment was important, not only because of what it said about the right to be forgotten, but also because of the way in which it managed, in effect, to bring the data processing activities of a large US-based corporation, namely Google Inc, within the territorial scope of the EU Directive. In short, the Court held that personal data which is processed by a search engine operated by a US company is still protected under the Directive, particularly because the search engine is itself commercially supported by advertising which had been sold within Europe by EU-based subsidiary companies, including Google Spain.

The CJEU’s judgment in Google Spain has now been specifically relied upon in English High Court proceedings to support an application for service out of the jurisdiction, on Google Inc, of a set of proceedings brought under the Data Protection Act 1998 (DPA): Hegglin v Google Inc & Ors.

According to the Lawtel case report of the Hegglin judgment, Mr Hegglin is an individual who is resident in Hong Kong, but has previously lived in and retained closed connections with the UK. An anonymous person posted abusive and defamatory material concerning Mr Hegglin on a number of websites which were then indexed on Google. Mr Hegglin went on to bring proceedings against Google Inc under the DPA, including claims under s. 10 (right to prevent processing likely to cause substantial damage or distress) and s. 14 (right to rectification). He sought an injunction requiring Google Inc to block specific sites containing the allegations and a Norwich Pharmacal order was made.  Relying specifically on Google Spain, Bean J held that service of the DPA proceedings could properly be effected on Google Inc. He also held that England was the appropriate forum for the dispute and was also suitable for the trial, particularly as the defamatory remarks risked damage to Mr Hegglin’s reputation in England.

Of course, this is not the first time that the court has permitted proceedings to be served on Google Inc under the DPA. In January 2014, the High Court held that proceedings for compensation under s. 13 DPA could properly be served on Google Inc in connection with its act of collating data from Google-users based in the UK: see Vidal-Hall v Google Inc [2014] EWHC 13 (QB) (which you can read about here). However importantly, in Vidal-Hall, which was decided before Google Spain, Google Inc accepted that it was a data controller in respect of the data originating from the claimants’ browsers. It merely disputed that the data in question amounted to ‘personal data’ for the purposes of s. 1 (see paras. 121-122 of the judgment). Thus, territorial jurisdiction was not ostensibly in issue in Vidal-Hall.

What remains to be seen now is how far the Google Spain judgment will now also be relied upon as against other corporations which are based outside the EU but which use EU subsidiaries to provide commercial support for their activities.

Anya Proops