Vidal-Hall to the Supreme Court

July 28th, 2015 by Christopher Knight

Has the announcement of the death of section 13(2) DPA been premature? Might it, after all, be nuzzling up the bars, ready to go ‘Voom’? Perhaps, but the Supreme Court is taking on the role of Burke and Hare because it has today announced that it has given leave to appeal on the following two questions:

  1. Whether the Court of Appeal was right to hold that section 13(2) of the Data Protection Act 1998 was incompatible with Article 23 of the Directive.
  2. Whether the Court of Appeal was right to disapply section 13(2) of the Data Protection Act 1998 on the grounds that it conflicts with the rights guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights.

A further question, on whether it was correct to classify the misuse of private information claims as tortious ones, was refused leave, presumably on the basis that the Supreme Court only wants to think about the super-cool DPA issues.

A hearing is highly unlikely before 2016, but Panopticon will let you know when it knows. In the meantime, section 13(2) is still dead, so get your damages while they are still hot…

Christopher Knight

Circle the Wagons: They are Coming for the Information Tribunal

July 24th, 2015 by Christopher Knight

We all fell for it, didn’t we? If the greatest trick the Devil ever pulled was convincing the world he didn’t exist, then Michael Gove’s may have been to convince everyone that he wasn’t interested in FOIA. His shunting responsibility for FOIA/EIR matters off to the Cabinet Office, and the Cabinet Office’s announcement of the Commission on Freedom of Information (generally staffed by people who publicly don’t much like it), last week has led to a lot of comment and reaction – mostly adverse – from social media, blogs and even the mainstream press.

And that has rather caused everyone to take their eye off the ball, including Panopticon (which was alerted by an informant known only as Deep Throat), because in the midst of kerfuffle over the possible threat to the substance of aspects of FOIA through the new Commission the Ministry of Justice has announced a consultation on a more insidious threat to seekers of information and transparency: the introduction of Tribunal fees.

Contained within a document which is also the Government’s Response to an earlier consultation exercise on raising fees in various aspects of civil litigation (also problematic, but not relevant here) is a consultation is the introduction, for the first time, of fees to use certain parts of the First-tier Tribunal and Upper Tribunal. The Upper Tribunal (Administrative Appeals Chamber) is not within the scope of the proposal – although there is no explanation as to why not – but the First-tier Tribunal (General Regulatory Chamber) is.

The proposal is that there will be a £100 fee for an appeal to be issued, and a further £500 fee if an oral hearing takes place. Cases referred to the Upper Tribunal under rule 19 of the GRC Rules will also be subject to the same fee. There will be a system of remissions in place.

This gives rise to a number of issues. Anyone who has had anything to do with the Employment Tribunals over the last few years will know that since the introduction of fees (and, to be fair, compulsory settlement discussion periods) the workload of the ET has gone through the floor. It seems highly likely that something very similar will happen for FOIA/EIR appeals, where so many of the cases are brought by individuals, many of whom will not be able to afford to spend that kind of money on something which has no prospect, unlike the ET, of ever winning them any money and relates almost inevitably to the public interest rather than their own private interest. There must be a real difference of type between such litigation and private interest litigation elsewhere in the GRC. (To be fair, it is of course the case that judicial reviews brought on a public interest basis still incur fees, but they are the exception to the ordinary use of Part 54, whereas the public interest is at the heart of the vast majority of FOIA appeals, and assessed on that basis.) Why, when the legislation is requestor-blind, should the Tribunal system not be too? Alternatively, one might mount a plausible argument that if a public authority wishes to appeal a Decision Notice then it should have to pay a fee (because it is seeking to avoid transparency) but a requestor should not.

It is pretty likely, although the figures aren’t given in the consultation, that FOIA/EIR appeals make up a large proportion of the GRC’s work. But given their public interest element, are they really the cases to which a fee should be targeted? The GRC also hears appeals concerning the regulation of estate agents, driving instructors, claims management services and exam boards (amongst others). Those are all private interests, as are appeals against fines levied on public authorities for bugging phones without warrants. Is not an appeal about the release of public authority information worthy of greater ring-fencing from fees than an appeal about Defra banning you from micro-chipping a dog? (I may be barking up the wrong tree, but I am not making this up.)

In the calculations of the Government, the GRC costs them £1.6m a year. At best, they expect to recover £0.4m in fees, and that will reduce if the caseload drops as a result of fee introduction (which, bizarrely, they apparently do not anticipate). One might think that that was a relative drop in the ocean, although of course every penny counts, but fees won’t pay the GRC’s way (and Gambling disproportionately contributes already given the very high fees and the very low number of cases).

But aside from the issues of principle, there are also real problems of practice, particularly around the hearing fee. The proposal says “The claimant may alternatively elect for an oral hearing, in which case a further fee of £500 would be payable.” But this doesn’t reflect the reality of the GRC Rules. Rule 32 requires the GRC to hold a hearing where one party requests it: what if the ICO or the public authority request one? What if both do? Who pays then? What if the Tribunal itself lists a hearing, against the wishes of the parties, because it thinks it cannot do justice without one under rule 32(1)(b)? Who pays for that decision? The proposal appears to anticipate that the appellant will still have to pay the fee, presumably on the basis that that it is their ‘fault’ that the appeal exists at all, but that seems very unfair. What about directions hearings – does the fee apply to those, and who has to request one for it to be triggered? The proposal seems remarkably un-thought through and the consultation will need to point that out.

Why is it the GRC which is being targeted by fees rather than the appellate stage in the Upper Tribunal? Surely having a second bite on appeal is more worthy of a financial penalty, and a discouragement to unnecessary appeals on the facts? If fees still apply to rule 19 transfers, will it not be in the interest of every litigant to try and get a case transferred to the UT on the basis that if he has to pay, he may as well get the best court he can for his buck?

 

The consultation paper and the impact assessment on tribunal fees are both online. Panopticon strongly encourages readers to respond to the consultation, which closes on 15 September 2015.

Christopher Knight

Child Protection and Data Protection

July 23rd, 2015 by Christopher Knight

The spectre of Jimmy Saville casts a long shadow and now it extends to data protection, the Data Protection Act 1998 being the latest august and uniformly popular institution (following the BBC, Broadmoor and Margaret Thatcher to name just some) to suffer as a result of his actions. The perennial sight of investigations and public inquiries into historic sex abuse of children in local authority, chiefly arising out of the wider ramifications of Operation Yewtree, has provided a very ready explanation for local authorities for the need to retain child protection data.

The fifth data protection principle says data should not be kept longer than necessary for the purposes for which it is processed, whereas the reality will often be that the information of greatest significance (accusations of abuse or records of care) will only become significant after the expiry of a lot of time and the child’s growth into an adult able to confront the abuse they have suffered.

As a result, there is no consistent practice across the country. The High Court in R (C) v Northumberland County Council & ICO [2015] EWHC 2134 (Admin) was informed that authorities adopt an approach which ranges from retention until the 21st birthday, to six years after the 18th birthday, to 75 years from the date of birth, to 35 years from the closure of a case: at [10]. This obviously poses concerns about compliance with the DPA and Article 8 ECHR.

C sought the destruction of his child protection held by Northumberland CC and considered that it had been retained under the 35 year policy applicable in Northumberland for too long. C considered that a period of six years after his 18th birthday would have been the cut-off point, and the ICO agreed intervening (although the ICO copped a lot of flak from Simon J for having issued a section 42 DPA determination indicating it was ‘likely’ the Council had complied with the DPA and had subsequently changed its mind).

The judgment of Simon J is not always the easiest to follow. It appears that the key question before the Court was whether the retention for 35 years (which clearly engaged Article 8) was in accordance with the law, and if it was, whether it was proportionate. Although the judgment does not actually reason expressly in this way, it seems as though the analysis revolves around the fifth principle: if data retention does not breach the longer than necessary test, it will be in accordance with the law and it will be proportionate. This is not actually what the judgment says; it must be broadly how the analysis goes (see at [9]), and it is open to some debate whether those assumptions are correct in law or in analysis of the judgment.

Simon J held that the purpose for retaining child protection records was not limited to defending litigation, and so an adoption of six years – based on the limitation period – did not read across. The purpose was broader: it was to protect other children, to allow data subjects access in later life, and to make the information available to subsequent investigation: at [33]. The Judge was clearly influenced by the difficulty of seeing the importance of information at the time, and its significance only becoming clear through a more historical lens: at [37]. The clearest examples are, of course, Saville-esque: at [49]-[53]. A six year cut off period would, in the view of Simon J, restrict the ability of people over 24 from making a request and learning about their child protection file contents: at [45]-[47]. Simon J concluded that the Council was not required to adopt a “cumbersome and time-consuming predictive exercise” and retention would help to identify risks only seen with hindsight: at [56]. Regular review, every seven years, was considered a disproportionate use of labour: at [58]. 35 years “fell within the bracket of legitimate periods of retention”: at [61].

One can readily sympathise with the position of the Council in a case like C, which will be (with other linked agencies) between a rock and a hard place on child protection data. If they delete too quickly they risk being castigated by history for not being able to answer questions; if they don’t delete they are hoarders of sensitive and traumatic data. Simon J clearly sympathised very strongly with this. However, the structure of the reasoning is regrettably unclear. The reader is left uncertain whether Simon J has found the fifth principle complied with (probably, on the basis of a wider reading of its purposes), whether that has meant the interference with Article 8 was in accordance with the law (presumably, but query how that works where it only falls within a legitimate bracket), and how the structured proportionality analysis has been carried out. It may well not matter on the conclusions of the judgment, but it does mean it will be harder to advise on and apply in related contexts. Nor does it give much guidance as to other periods adopted; is 6 years too short and is 75 years too long? Doubtless further case law will explore the undiscovered country. In the meantime, some national guidance wouldn’t go amiss…

Paul Greatorex appeared for C, Karen Steyn QC for Northumberland and Robin Hopkins for the ICO.

Christopher Knight

Time to End the Time Debate

July 23rd, 2015 by Christopher Knight

The apparently endless APPGER litigation has produced yet another decision of the Upper Tribunal for seasoned FOIA watchers, which amongst some very fact-specific issues, also contains two important clarifications of law: APPGER v ICO & FCO [2015] UKUT 377 (AAC).

As anyone who has ever done any information law ever will know, the APPGER litigation concerns requests under FOIA for information related to alleged British involvement in extraordinary rendition. Some information has been released, some has been released following earlier rounds of litigation, some remains withheld under various exemptions.

Following previous hearings staying various points, the present round of litigation concerned the application of section 23 (the security bodies exemption) and section 27 (international relations). There were two points of wider interest discussed in particular. One is the time at which the public interest is assessed (relevant to section 27), and one is the breadth of the “relates to” limb of section 23.

The time point was one which only really arose because of the Upper Tribunal’s desire to throw a mangy cat amongst the pigeons by suggesting in Defra v ICO & Badger Trust [2014] UKUT 526 (AAC) at [44]-[48] that the correct time to assess the public interest might be the date of Tribunal hearing. As some wise and learned commentators have pointed out, this rather seemed to have been overtaken by the Supreme Court’s – technically obiter – reasoning in R (Evans) v Attorney General [2015] UKSC 21 at [72]-[73] that the time was at the point of the authority’s refusal.

The Upper Tribunal in APPGER (containing at least one member of the panel in Badger Trust) issued a mea culpa and accepted that Evans was right: at [49]-[57]. It did not reach any more specific decision on situations where, for example, the authority has been late in complying. Doubtless the difference in time will often not matter very much. But the principle of the point now seems resolved.

Section 23(1) was not a point answered by Evans, and an argument was run by the requestor that “relates to” should be construed narrowly, as in the DPA. The Upper Tribunal disagreed: at [15]-[19]. The ordinary meaning of the language was broad, it was consistent with the aim of shutting the backdoor to the security bodies, it was consistent with authority, and met the contextual aim of FOIA where the contextual aim of the DPA was very different. The idea of requiring a “focus or main focus” was rejected.

Whilst agreeing that it should not attempt to gloss the statutory language, the Upper Tribunal nonetheless sought to assist future cases by indicating that asking whether the information requested had been supplied to a security body for the purposes of the discharge of its statutory functions (a test attributed to Mitting J) would have considerable utility. It would enable a clear explanation, it would allow differentiation within and without the scope of the exemption, and it was less likely to require a detailed line-by-line approach to redactions: at [33]. The language remains broad, but the practical application of it appears to have been ‘guided’ into a slightly narrower pigeon-hole than might have otherwise been the case.

The judgment as a whole is worth reading on the application of those exemptions to the particular information and the treatment of the evidence by the Upper Tribunal, but those two points of principle are the keys to take away. And about time too.

Timothy Pitt-Payne QC and Joanne Clement appeared for APPGER; Karen Steyn QC appeared for the FCO; Robin Hopkins appeared for the ICO.

Christopher Knight

Journalism and data protection – new Strasbourg judgment

July 21st, 2015 by Anya Proops

There has been much debate as of late as to how data privacy rights should be reconciled with journalistic freedoms under the data protection legislation. This is a difficult issue which surfaced domestically in the recent case of Steinmetz & Ors v Global Witness and is now being debated across Europe in the context of the controversial right to be forgotten regime. One of the many important questions which remains at large on this issue is: what degree of protection is to be afforded under the data protection legislation to those publication activities which might be said to be of low public interest value (i.e. they satisfy the curiosity of readers but do not per se contribute to public debate).

It was precisely this question which the European Court of Human Rights was recently called upon to consider in the case of Satakunnan Markkinapörssi Oy And Satamedia Oy V. Finland(Application No. 931/13). In Satamedia, the Finnish Supreme Court had concluded that a magazine which published publicly available tax data could lawfully be prevented from publishing that data on the basis that this was required in order to protect the data privacy rights of the individuals whose tax data was in issue. The Finnish Court held that this constituted a fair balancing of the Article 10 rights of the publishers and the data privacy rights of affected individuals, particularly given that: (a) the freedom of expression derogation provided for under the Finnish data protection legislation had to be interpreted strictly and (b) the publication of the tax data was not itself required in the public interest, albeit that it may have satisfied the curiosity of readers. The owners of the magazine took the case to Strasbourg. They argued that the conclusions reached by the Finnish Court constituted an unjustified interference with their Article 10 rights. The Strasbourg Court disagreed. It concluded that the Finnish Court had taken into account relevant Strasbourg jurisprudence on the balancing of Article 10 and Article 8 rights (including Von Hannover v. Germany (no. 2) and Axel Springer AG v. Germany) and had arrived at a permissible result in terms of the balancing of the relevant interests (see para. 72).

There are three key points emerging from the judgment:

- first, it confirms the point made not least in the ICO’s recent guidance on data protection and the media, namely that there is no blanket protection for journalistic activities under the data protection legislation;

- second, it makes clear that, where there is a clash between data privacy rights and Article 10 rights, the courts will closely scrutinise the public interest value of the publication in issue (or lack thereof);

- third, it confirms that the lower the public interest value of the publication in question (as assessed by the court), the more likely it is that the rights of the data subject will be treated as preeminent.

Anya Proops

 

Right to be forgotten claim rejected by the administrative court

July 21st, 2015 by Anya Proops

So here’s the question: you’re an individual who wants to have certain links containing information about you deindexed by Google; Google has refused to accede to your request and, upon complaint to the ICO, the Commissioner has decided that your complaint is unfounded and so he refuses to take enforcement action against Google under s. 40 DPA 1998; can you nonetheless secure the result you seek in terms of getting your data forgotten by mounting a judicial review challenge to the ICO’s decision? Well if the recent decision by the Administrative Court in the case of R(Khashaba) v Information Commissioner (CO/2399/2015) is anything to go by, it seems that you’ll be facing a rather mountainous uphill struggle.

In Khashaba, Mr Khashaba had complained to the Commissioner about Google’s refusal to de-index certain articles which apparently contained information revealing that Mr Khashaba had failed in his legal attempts to get his gun licences reinstated and had also failed to obtain placement on the Register of Medical Specialists in Ireland. The Commissioner concluded that Google had acted lawfully under the DPA 1998 in refusing to de-index the articles in question. Mr Khashaba was evidently unhappy with this result. Accordingly, he brought a judicial review claim against the Commissioner in which he contended in essence that the Commissioner had erred: (a) when he concluded, in exercise of his assessment powers under s. 42, that Google had acted lawfully in refusing to de-index the articles and (b) by failing to take enforcement action against Google under s. 40. By way of an order dated 17 July 2015, Hickinbottom J dismissed Mr Khashaba’s application for permission to judicially review the Commissioner’s decision. His reasoning was based on the Commissioner’s summary grounds, upon which the court felt itself unable to improve:

- first, permission was refused on the ground that Mr Khashaba had an alternative remedy because it was open to him to bring proceedings against Google directly in connection with its refusal of his application to be forgotten;

- second, the Commissioner had a wide discretion under s. 42 as to the manner in which he conducts his assessment and as to his conclusions on breach. He also had a wide discretion when it came to the issue of enforcement under s. 40. There was no basis for concluding that the way in which the Commissioner had exercised his powers in response to Mr Khashaba’s complaint was unreasonable or otherwise disproportionate.

All of which tends to suggest that: (a) the courts are likely to be very slow in impugning a decision of the Commissioner that particular information should not be forgotten and (b) that, if you’re an applicant who wants your data to be forgotten, you may yet find that the regulatory route offers little by way of comfort in terms of securing the necessary amnesiac effect.

11KBW’s Christopher Knight represented the Commissioner.

Anya Proops

 

FOIA Under Review

July 17th, 2015 by Christopher Knight

An important rule of Government is to outsource anything difficult or potentially controversial to an independent body which can then deliver a report to be ignored or implemented as required or the political mood dictate. The recent investigation into new runways at Heathrow was a good example, at least until it came up with an answer the Prime Minister didn’t entirely want to hear, and the Commission on a Bill of Rights was a superlative instance of a very learned study which achieved precisely nothing other than kicking a political football into the long grass.

Now it is the turn of the Freedom of Information Act 2000 to be undergone scrutiny by the Independent Commission on Freedom of Information. Snappy title. It is chaired by Lord Burns (former senior civil servant at HM Treasury) and contains such luminaries as Jack Straw, Lord Michael Howard, Lord Carlisle and Dame Patricia Hodgson (of Ofcom). Just in case anyone was suffering under the delusion that the Commission would be looking into widening the scope and application of FOIA, the terms of reference are set by the Cabinet Office as:

  • whether there is an appropriate public interest balance between transparency, accountability and the need for sensitive information to have robust protection
  • whether the operation of the Act adequately recognises the need for a ‘safe space’ for policy development and implementation and frank advice
  • the balance between the need to maintain public access to information, the burden of the Act on public authorities and whether change is needed to moderate that while maintaining public access to information

One would not, however, wish readers to think that the Government were anything less than fully committed to revealing information. On the contrary, the written statement laid by the Minister, Lord Bridges, opens by saying “We are committed to being the most transparent government in the world.” Well, quite. “We fully support the Freedom of Information Act [could there be a 'but' coming?] but [ah yes, there it is] after more than a decade in operation it is time that the process is reviewed, to make sure it’s working effectively.” The new Commission has a webpage here and is to report by November, which gives the grass limited time to lengthen… The Commission won’t, of course, be able to do anything about the EIRs.

Responsibility for FOIA has also been transferred to the Cabinet Office, which at least gives Michael Gove one less constitutional headache to deal with.

Christopher Knight

Secret ‘Practice Directions’ and Royal Wills

July 16th, 2015 by Christopher Knight

Mr Brown became a well-known figure in litigation circles when he sought to unseal the Will of Princess Margaret in the belief that it might reveal information showing him to be her illegitimate son. In the course of his unsuccessful litigation, it was revealed that there existed what had been described orally during the court proceedings as a “Practice Direction in respect of the handling of Royal Wills” (although there is dispute over precisely what form this document takes and whether it is really a Practice Direction at all), produced by the-then President of the Family Division following liaison with the Royal Household.

Having failed to unseal the Will, Mr Brown requested a copy of the document from the Attorney General. He was refused, under section 37 FOIA. The First-tier Tribunal upheld that refusal (on which see Robin’s blog here). Mr Brown appealed to the Upper Tribunal on the grounds of inadequacy of the Tribunal’s reasons and a failure to properly apply the public interest test. He was refused permission, but then successfully judicially reviewed the Upper Tribunal for failure to grant him permission (on which, see my blog here).

Much happened subsequently. Having fought hard to prevent disclosure of the ‘Practice Direction’ the AG then released almost all of it to Mr Brown in advance of the substantive appeal hearing before the Upper Tribunal. The unreleased aspect was one paragraph, which was supplied to him in ‘gisted’ form. Nonetheless, Mr Brown sought disclosure of the outstanding paragraph. Perhaps not entirely surprisingly, Charles J in the Upper Tribunal has just refused to give him the final missing piece: Brown v ICO & Attorney General [2015] UKUT 393 (AAC).

The Upper Tribunal decision, in the light of the release by AG, had rather less work to do than it might have done, and the judgment will be of equivalent reduced wider interest. However, Charles J does roundly endorse the proposition that there is a very powerful public interest “against the creation of undisclosed principles and procedures to be applied by the court to an application to seal any will, and this is strengthened when participants in and the decision maker on that application (the court through initially or generally the President of the Family Division) and the normal guardian of the pubic interest (the Attorney General) have been involved in its creation on a confidential and undisclosed basis, and so in favour of the publication of the principles and procedure to be applied on any such application (particularly if initially or generally the application will be made in private)“. In other words, the AG was right to concede that the material should be disclosed. There was no further interest in the gisted paragraph also being revealed because the essential meaning had been conveyed.

Whether this brings Mr Brown’s campaign to an end is another matter, but whatever one might think of his view as to his parentage, his uncovering of a – to put it neutrally – highly unusual document agreed between the AG, the Royal Household and the President of the Family Division concerning court procedures is a worthy effort.

Robin Hopkins appeared for the ICO; Joanne Clement appeared for the Attorney General and Anya Proops appeared for Mr Brown at some of the earlier stages of proceedings.

Christopher Knight

Data Sharing between Public Bodies

July 10th, 2015 by Christopher Knight

The principle disadvantage, to the data protection lawyer, of the failure of Esperanto is that every now and then the CJEU hands down a judgment which is only available in French, and even Panopticon cannot blog every entry in Franglais. Such is the problem raised by the Opinion of the Advocate General (Cruz Villalon) in Case C-201/14 Bara v Presedintele Casei Nationala de Asigurari de Sanatate. Readers will have to forgive any failure to capture the nuances.

Bara is a reference from the Romanian courts and contains a number of questions, the majority of which concern the compatibility of national tax authority arrangements with Article 124 TFEU (which prohibits in most cases privileged access for public bodies to financial institutions). Those need not concern us, not least because the AG considered them to be inadmissible.

However, the fourth question referred was in the following terms: “May personal data be processed by authorities for which such data were not intended where such an operation gives rise, retroactively, to financial loss?” The context appears to be that people deriving their income from independent activities were called to pay their contributions to the National Fund for health insurance, following a tax notice issued by the Romanian health insurance fund. However, that tax notice was calculated on the basis of data on income provided National Tax Administration Agency under an internal administrative protocol. The complaint was that the transfer by the Tax Agency to the Health Insurance Fund of personal data, particularly related to income, was in breach of Directive 95/46/EC because no consent had been provided to the transfer, the data subjects had not been informed of the transfer and the transfer was not for the same purpose as the data was originally supplied.

The Advocate General answered the fourth question by saying that the Directive precludes national legislation which allows a public institution of a Member State to process personal data that has been supplied by another public institution, including the data relating to the income of the persons concerned, without the latter having been previously informed of this transmission or treatment. This was despite the fact that the AG recognised that the Romanian bodies had a legitimate interest in being able to properly tax self-employed persons; the informal protocol did not constitute a legislative measure setting out a relevant national exemption under Article 13. The AG stressed that the requirement of notification in Article 11 had not been complied with, and that the data subjects accordingly had been unable to object to the transfer. The data subjects had not given their unambiguous consent. Although Article 7(e) (necessary for the performance of a task) could apply to a transfer of income data, it had to be shown that it was strictly necessary for the realisation of the functions of the Health Insurance Fund. (This appears to be a higher test being imposed than the usual interpretation of necessary as ‘reasonably necessary’, as per the Supreme Court in South Lanarkshire). The AG did not consider that test met.

It remains, of course, to be seen whether the CJEU will take the same approach; but it seems fairly likely that Bara will produce a judgment which confirms the illegality of inter-institutional transfer of personal data without express consent or a carefully defined need which is prescribed by law. There is nothing ground-breaking in that conclusion, but it is an important reiteration of the need for data controllers anywhere in the EU to think carefully about the authorisation they have to hand over personal data to other bodies; informal agreements or policy documents are not sufficient without a legal underpinning (through the DPA) or consent of the data subject.

The forthcoming judgment in Case C-582/14, Breyer will also raise issues over consent in the context of IP information retained by websites, along with the vexed question of whether an IP address can constitute personal data when combined with other information available to a third party (issues similar to those raised in Vidal-Hall v Google, on which see here). When the final judgments in Bara and Breyer appear, so will the analysis of some intrepid blogger of this parish.

Christopher Knight

Do Young Thugs have Human Rights? The Supreme Court has a Riot

July 9th, 2015 by Christopher Knight

Following a period of considered reflection, or laziness depending on one’s view, it is worth noting the decision of the Supreme Court in In the matter of an application by JR38 for Judicial Review [2015] UKSC 42. The case is all about Article 8 ECHR, and is of particular interest because of the dispute about the breadth of the correct test for the engagement of Article 8. The context is also one which will be familiar to English data protection and privacy lawyers: the publication by the police of photographs seeking to identify a suspect. If anyone remembers that famous picture of a youth in a hoodie pointing his fingers like a gun behind an awkward looking David Cameron, JR38 is basically that, but with Molotov cocktails and a sprinkling of sectarian hatred.

In JR38, the suspect in question was a 14 year child whose photograph was published by the PSNI as someone involved in rioting in an area of Derry in 2010 which had particular sectarian tensions. The judgment of Lord Kerr makes clear that JR38 has by no means been a well-behaved young man before or since the riots of 2010. Moreover, and amusingly, it is apparent that he and his father failed to correctly identify his own appearance in pictures published, and originally sued on the basis of images which did not show JR38 at all. However, a correct image was eventually alighted upon.

The judgments contain a lengthy and detailed discussion of the domestic and Strasbourg case law on the engagement of Article 8, but there was a 3-2 split in the Court between the correct approach. Lords Toulson and Clarke (with both of whom Lord Hodge agreed) considered that the overwhelming approach of the existing domestic law was to apply the touchstone of the reasonable/legitimate expectation of privacy test: see Lord Toulson at [87]-[88]. The test (originating, of course, in Campbell) focuses on “the sensibilities of a reasonable person in the position of the person who is the subject of the conduct complained about…If there could be no reasonable expectation of privacy, or legitimate expectation of protection, it is hard to see how there could nevertheless be a lack of respect for their article 8 rights”. The warning in Campbell not to bleed justification matters into the engagement analysis was stressed.

The difference between the majority and minority of Lord Kerr (with whom Lord Wilson agreed) was explained by Lord Clarke at [105]. Does the reasonable expectation of privacy test provide the only touchstone? The majority thought that it did, it being the only test set out clearly in the cases, and it being a broad objective concept to applied in all the circumstances of the case and having regard to the underlying values involved, unconcerned with the subjective expectation of the individual, be they child or adult (see at [98] per Lord Toulson and [109] per Lord Clarke).

In essence, the majority did not consider this context to be one which Article 8 was designed to protect. The identification of a suspect was not within the scope of personal autonomy, although publication of the same picture for a different purpose, other than identification, might be: at [98] (and at [112] where Lord Clarke did not consider the mere fact of criminal activity took the matter outside Article 8). Historic or re-published photos may alter the situation: at [101].

By contrast, Lord Kerr took a broader view, holding that the reasonable expectation of privacy test might be the ‘rule of thumb’, but could not be an inflexible, wholly determinative test. The scope of Article 8 was much broader and was contextual, requiring consideration of factors such as: age, consent, stigmatisation, the context of the photographed activity and the use of the image. Reasonable expectation of privacy failed, in his view, to allow for these factors to be considered: at [56]. Rather than shoehorning such factors into the test, they should bear on the issue in a free-standing footing: at [61]. The focus must be on the publication – i.e. the infringement – rather than the activity the photo displays. For Lord Kerr, the fact that JR38 was a child, taken with the potential effect publication might have on the life of the child, was more than sufficient to engage Article 8 (in the way that it might not for an adult): at [65]-[66].

The debate is an interesting one, but there is a very strong chance that the flexibility of the majority orthodox approach is likely to mean very little difference in substance between the two. It will, however, be worth emphasising the importance of context, particularly in child cases under Article 8.

The Court was, however, unanimous in agreeing that publication was justified in any event; rioters had to be identified (and other methods had been tried internally first), with the peril in which inter-community harmony was placed being particularly important in the fair balance.

Where, readers of this blog might ask, was the DPA in all this namby-pamby human rights discussion? Why is there no mention of schedules and data protection principles and all the other black letter statutory stuff that so gets the blood pumping? Well, it was mentioned, at [70], by Lord Kerr who considered that compliance with the DPA would mean that the limb of proportionality which requires the act to be in accordance with the law would be met. In very brief reasoning, Lord Kerr concluded that this type of case was within section 29 because publication was processing for the purposes of prevention and detection of crime, and that the relevant condition met in both Schedule 2 and 3 (because he agreed it was clearly sensitive personal data) was that of the processing being necessary for the administration of justice. Unfortunately, there was no analysis of the way in it was necessary for the administration of justice, or the extent to which this is the same as the prevention and detection of crime. Nor is it quite the same reasoning as adopted by Lord Woolf CJ in the well-known ‘naming and shaming’ case of R (Ellis) v Chief Constable of Essex Police [2003] EWHC 1321 (Admin), which, at [29], appeared to apply the conditions in Schedules 2 and 3 whereby processing was necessary for the performance of functions by or under any enactment (without further specification). Where the Supreme Court speaks, we follow, but it might have been helpful to detail this aspect a little more, although it is another example of a case in which Article 8 is presumed to do all of the work and the DPA be raced through in a paragraph to avoid having to think about it too much. That Article 8 and the DPA are ensured to be pulling in the same direction is, however, a relief to us all.

 Christopher Knight