Forget me knot…BBC publishes list of ‘forgotten’ stories

June 30th, 2015 by Anya Proops

Since the CJEU’s controversial decision in Google Spain,the debates have raged about how the so-called right to be forgotten should cash out in the online world. Particular concerns have been expressed by the media that the judgment rides rough shod over Article 10 rights, including not least the Article 10 rights of the website authors whose stories are being deindexed. Now it seems the BBC is seeking to reassert its Article 10 rights by publishing a list of all the stories which have been deindexed by Google thus far – see here.

The BBC’s position is that the publication of the list does not seek to frustrate the Court’s judgment, because it will not ‘make the stories more findable for anyone looking for a name’. What it will do, according to the BBC is enable a ‘meaningful debate’ about the right to be forgotten to take place. This is a bold step coming from one of the world’s most respected media organisations. It will doubtless provoke a copycat reaction from other media organisations which regard the CJEU’s judgment in Google Spain as an affront to their Article 10 rights. What is interesting about this new approach is that it does very clearly allow the wider public to examine how the right to be forgotten is in practice being weighed against the fundamental right to free expression. No doubt the BBC’s actions will attract criticism from those individuals who had hoped that their requests to be forgotten would result in the relevant links sinking for all time into the soup of online forgetfulness. It remains to be seen how the Information Commissioner will respond to this important and provocative development.

Anya Proops

New A-G’s opinion on territorial application of Data Protection Directive

June 29th, 2015 by Anya Proops

The transnational nature of many modern commercial enterprises can create significant difficulties when it comes to the application of domestic data protection legislation within the EU. Questions can often arise as to whether the enterprise has the necessary territorial presence in order to enable the domestic legislation to apply. These questions can be particularly difficult to resolve where the enterprise in question comprises an online business which has ethereal tentacles stretching into multiple jurisdictions. Of course, we have now all just about got to grips with the interesting intellectual gymnastics embarked upon by the CJEU in Google Spain. Now the issue of the territorial application of data protection legislation has resurfaced in a case concerning a spat between a Slovakian company operating a property-dealing website (W) and various disgruntled Hungarians who sought to sell their properties through the site: Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (Case 230/14).

You can read about the background to the Weltimmo case here. In short, the core question which arose in Weltimmo was whether the Hungarian Data Protection Authority (HDPA) had jurisdiction to fine W in circumstances where:

(a) W had its registered seat in Slovakia;

(b) one of W’s owners was a Hungarian living in Hungary who had legally represented W before the HDPA;

(c) W had received personal data from individuals in Hungary who wished to advertise their Hungarian properties on W’s website and

(d) W had apparently then gone onto misuse the personal data it had received.

The Hungarian Kúria court was unsure as to how to answer this question. This was because it was unclear as to the legal effects of two Articles of Directive 95/46/EC: Article 4 (concerning the territorial scope of domestic data protection laws) and Article 28 (concerning the role of the domestic supervisory authority). Accordingly, the court referred a number of questions to the CJEU, all of which were essentially focused on identifying the territorial reach of the domestic data protection laws and domestic supervisory authorities under the Directive (you can find the questions here). Advocate-General Cruz Villalón (yes he of Digital Ireland fame) has now given his opinion on these questions: see here. Rather frustratingly however, the opinion is not currently available in English. It is available in French and a host of other European languages (including for the multi-lingual amongst you Bulgarian and Czech). My admittedly rather untutored take on the French language version is that it contains the following key conclusions (see in particular paragraph 72):

- The effects of Articles 4 and 28 are that a supervisory authority in Member State X cannot assert jurisdiction over a data controller which is not ‘established’ in Member State X. Instead, that supervisory authority only has jurisdiction in respect of data controllers which are ‘established’ within its own territory (i.e. within Member State X).

- When considering the extent to which a data controller is ‘established’ in Member State X, the focus should be on the de facto, rather than the de jure, position. The crucial question is: from where, in a physical, logistical sense, does the data controller operate the business in question? Answering this question is likely to require a focus on where the business’ human and technical resources are located.

- The data controller may be established in a number of different Member States, provided that its operations in those Member States have the necessary quality of stability.

- Factors such as where the data has been downloaded, the nationality of the injured parties, the domicile of the owners of the company responsible for processing the data or the fact that the service provided is directed at the territory of another Member State are not directly relevant or decisive. They may however be indirectly relevant insofar as they may shed light on the question of where the data controller is established.

It remains to be seen whether the CJEU will follow the Advocate-General’s opinion. If it does, then that will reaffirm the essentially fragmented, patchwork nature of the protections afforded under the current Directive. Of course, if and when the draft General Data Protection Regulation becomes law, this patchwork of protections will give way to a more unified approach, as the era of the one-stop shop will be upon us.

Anya Proops

Comment is (not) free – E-Commerce back in the limelight

June 22nd, 2015 by Anya Proops

Last month I posted about the settlement of the Max Mosley litigation against Google (see my post here). Had that case been fought to its conclusion, we would at the very least have had the pleasure of gaining greater insight into the weird and wonderful world of the E-commerce legislation. However, sadly that was not to be. The good news is that E-Commerce cases now appear to be like buses. No sooner has one case settled, than another one comes motoring down the litigation highway. This time E-Commerce principles have surfaced, not in the context of a right to be forgotten case, but rather in the context of a Strasbourg case concerning the application of Article 10 rights.

The case in question, Delfi AS v Estonia (Case no. 64569/09), concerned an Estonian internet news portal called Delfi. In common with many internet news organisations, Delfi permits readers to write comments about the online stories which they publish. In 2006, Delfi published a story concerning the alleged destruction of certain Estonian ice roads by a particular company (S). The story, which was itself legally unobjectionable, attracted lots of reader comments, including comments which were very attacking of S’s majority shareholder (L). The comments in question were not only defamatory but also amounted to hate speech and an incitement to violence against L, all of which is unlawful under Estonian law. Upon complaint by L, Delfi immediately removed the comments (this was some six weeks after they had first been posted). However, L was not happy with this retrospective deletion of the comments. He brought a claim for damages against Delfi on the basis that Delfi had acted unlawfully by publishing the comments on the site. L eventually won his case in the domestic court and was awarded 320 Euros in compensation.

Delfi then took the case to the Strasbourg court. It alleged that the domestic court’s findings breached its Article 10 right to freedom of expression. A core plank of Delfi’s case was that it had to be treated as a mere intermediary under EU E-Commerce legislation, with the result that it was not liable in respect of the comments. Delfi contended that any other approach to the application of the E-Commerce principles would result in an undue interference with its Article 10 rights. The Strasbourg court rejected Delfi’s case. It held that Delfi was not acting merely as an intermediary in connection with the comments. This was particularly given that:

  • Delfi had comprehensive powers of editorial control over the comments once they had been posted;
  • moreover, Delfi positively encouraged the posting of comments on the basis that this would increase its potential to accrue advertising revenue.

In this respect, the comments on the Delfi site were, in the court’s view, to be contrasted with: ‘other fora on the Internet where third-party comments can be disseminated, for example an Internet discussion forum or a bulletin board where users can freely set out their ideas on any topics without the discussion being channelled by any input from the forum’s manager; or a social media platform where the platform provider does not offer any content and where the content provider may be a private person running the website or a blog as a hobby’ (§116).

The court went on to hold that whilst Delfi could not be expected to pre-vet comments prior to their publication, its obligations as online publisher of the comments were such that it should immediately and of its own motion detect and remove unlawful content (i.e. without waiting for a complaint brought). The court held that such an approach to the management of the comments constituted a justified interference with Delfi’s Article 10 rights.

This is an important judgment for a number of reasons.

  • First, it suggests that the defences available to online intermediaries under the E-Commerce are to be narrowly construed. In short, the greater the degree of editorial control over and entrepreneurial interest in the data in question, the more likely it is that the court will find that the defences are not available.
  • Second, it suggests that, when it comes to the publication of data online, Article 10 cannot be treated as an all-purpose get out of jail free card. Instead, as with speech expressed through traditional media, Article 10 rights must be balanced against other affected rights (although note paragraph 113 where the court alluded to the need to adopt a ‘differentiated’ and ‘graduated’ approach to the enforcement of rights as against internet service providers, as opposed to traditional publishers).
  •  Third, it suggests that, in this post Google-Spain world, the CJEU is not alone in its desire to create strong controls around the ways in which data is managed online, particularly where there is a profit-making element to the data processing scheme.

So put simply, online comment is not free, at least not for those media organisations which seek to profit from facilitating free expression within the online environment.

Anya Proops

Data Protection Regulation Update

June 15th, 2015 by Christopher Knight

You know how it took you years to get your head around what the Data Protection Act 1998 meant? Well, the new general Data Protection Regulation took one step closer towards ripping up Directive 95/46/EC (and therefore the DPA) today. The Commission’s proposals for the new Regulation have now been signed off by the Justice Ministers (see press release here). The Commission informs us that the first meeting in the trilogue between the Commission, the European Parliament and the Council of the EU will take place on 24 June, and the aim is to have a text agreed before 2015 is out. The trilogue is where all the nitty gritty stuff has still to be hammered out, and plenty of changes are likely through that process, but at least we have a little more of an idea now of the timescale.

Christopher Knight

Le Right to be Forgotten

June 15th, 2015 by Christopher Knight

Bonjour, et maintenant pour un post de Panopticon dans le style de Miles Kington et ‘Franglais’.

Recallez-vous le judgment de la Cour de justice de l’Union européenne dans Google Spain (ici)? Tres bien. Maintenant, il y a une announcement from CNIL (le ICO de France), informing Google that le ‘right to be forgotten’ applies aux search results decouvert en google.fr et google.com, pas seulement google.fr (voila, ici). Ce n’est pas une announcemente populaire avec Google, mais ce n’est pas une surprise. Dans November 2014 le Article 29 Working Party adopted ‘Guidelines on the Implementation’ of Google Spain, which said the same thing, as an aspect of the principle of effective protection of data subjects’ rights. C’est believed que la France est le premier data protection authority to expressly and publicly take this line with Google. Les developments dans le future sont tres interessant.

(That’s enough of that. Another issue which has caused some interest is the approach Google are taking whereby any search result on google.co.uk for an individual name comes back with the rider at the foot that some search results may have been omitted as a result of Google Spain, regardless of whether they have been or not. This raises some interesting possible questions in defamation (could it be defamatory to imply that an individual has exercised their Google Spain rights?), privacy (does the implication itself invade private life and reputation?) and DPA compliance (is the approach justified because only having the notice where the right has been exercised is tantamount to undermining the exercise of the right, and would no notice at all be too secretive?). That will also be interesting to see if anyone follows it up with Google, the ICO and then the courts. For those of you want to see a bit more analysis, and an example of a complaint, listen carefully, I shall say zis only once: Jon Baines’ blog discusses it ici. Eh bien.)

Ce n’est pas ‘goodbye’, mais seulement ‘au revoir’.

Christophe Chevalier

Ittihadieh Judgment Now Available

June 3rd, 2015 by Christopher Knight

Almost a month ago, I blogged about a decision of the High Court in Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & 6 others [2015] EWHC 1491 (QB), noting that the judgment was not yet available. Since then my postbag has been inundated with letters (sample from a Mrs Trellis of North Wales, “Dear Robin Hopkins, If data protection is so important, why does the postman keep delivering my letters next door?”) haranguing me for further information. Following a suitable period to allow excitement to build, I am happy to oblige. It may now be seen here: Ittihadieh v Cheyne Gdns APPROVED judgment 05 05 15.

It is not necessary to repeat the commentary already provided in the previous post. HHJ Seymour QC did indeed construe the SAR as being directed only to the company – based on the wording of it and the payment of only one £10 fee – but he also held that directors would not have been data controllers themselves, applying Southern Pacific Personal Loans [2013] EWHC 2485 (Admin). The relevance of the domestic purposes exemption in section 36 came about because it was suggested some of the company directors may have expressed views about the Claimant amongst themselves in a personal capacity. This, thought the judge, would fall within section 36. In any event, he would have exercised his general and untrammelled discretion (applying Durant) under section 7(9) not to make any order requiring them to search personal email accounts.

Finally, at [50], comes a happy reminder that even post Vidal-Hall not every potential breach will sound in damages, as the court noted the claim for distress and expressed severe doubts about it in the following terms:

“It is not necessary or appropriate for me to give lengthy consideration to the prospect that Mr. Ittihadieh has suffered distress, but the material before me does indicate that Mr. Ittihadieh is a person who is accustomed to defending his corner, to put it colloquially, if necessary, or perhaps even if not necessary, by resort to legal proceedings, or threat of legal proceedings, and he certainly seems to engage in the expression of colourful phrases in the English language which are not used in polite society. That use of language suggests that he, himself, may not be a particularly sensitive flower.”

That is not to say that the “sensitive flower” test is one which should be applied generally (one struggles to see Max Mosley, to pick a sadomasochistic example at random, meeting the test), but it is a welcome expression of judicial realism.

Christopher Knight

Mosley v Google: RIP

May 18th, 2015 by Anya Proops

So Max Mosley has done a deal with Google in respect of his claim that Google had breached his rights under the DPA 1998 by refusing to block certain images and videos accessible via the Google search engine (see this FT article which suggests that the settlement also applies to claims brought by Mr Mosley in Germany and France). The settlement of the claim, which follows on from Google’s failed strike out application (discussed further below), leaves unanswered a number of really important questions concerning the application of data protection rights in the online world. Not least, the settlement leaves open the question of the extent to which the so-called ‘right to be forgotten’ can operate so as to force internet search engines, not only to de-index individual URLs on request, but also to block access to the offending data globally (i.e. as ISEs already do, for example, where images of child pornography are identified).

This is an important issue for those data subjects who garner significant public attention within the online environment, as was the case with Mr Mosley. The difficulty for such individuals is that online stories or comments about them can proliferate on the internet at such a rate that they cannot practicably achieve the online amnesia they crave. No sooner have they requested that the relevant internet search engine remove a number of privacy-invasive links, than the story has sprung up in a raft of other different locations on the net, with the result that the individual is effectively left trying to capture lightening in a bottle. This raises the question as to whether a right to be forgotten mechanism which is limited to de-indexing only specific those URL’s identified by the data subject is fit for purpose in terms of achieving the outcomes envisaged by the CJEU in Google Spain. Put shortly, if the ISE is the lightening conductor for privacy intrusive data, can it properly be required to stop the lightening at its source and block all access to the data in question? Is this the way in which the right to be forgotten ultimately cashes out in the online world?

Which takes us on to the defences which Google sought to run in the Mosley case because, certainly in the context of the strike out application, Google was not seeking to argue that data in issue (images and video of Mr Mosley engaging in private sexual activity) was not private or that its online dissemination did not cause substantial damage or substantial distress to Mr Mosley for the purposes of s. 10. Nor did Google seek to dispute that the damage or distress suffered by Mr Mosley was ‘unwarranted’ for the purposes of s. 10(1). Instead, its entire case in the context of the strike out was mounted on the basis that it was shielded from all liability under the DPA by virtue of the protections afforded to intermediary ‘internet society services’ (ISSs) under Part IV of the E-Commerce Directive (Directive 2000/31/EC).

For the uninitiated, Part IV of the E-Commerce Directive is designed to afford protections to intermediary ISSs which are genuine data intermediaries in the sense that they merely transmit, cache (i.e. store) or host data generated by others. The idea which lies behind Part IV is that the development of electronic commerce within the information society, one of the key objectives of the E-Commerce Directive (see recital [2]), would be frustrated if entities acting essentially as online data messengers could too readily get shot by third party claimants. Thus, we see:

  • in Article 12 a limitation on liability where the ISS is acting as a mere conduit;
  • in Article 13 a limitation on liability where the ISS is merely caching the data;
  • in Article 14 a limitation on liability where the ISS is merely hosting the data (this was the provision invoked by Facebook in CG v Facebook, as to which see my post here) and, finally,
  • in Article 15 a specific exclusion of any general obligation on the part of the ISS to monitor content falling within the scope of Articles 12, 13 or 14.

Google’s case on the strike out was that it was not liable in respect of Mr Mosley’s claim under s. 10 DPA on the basis that: (a) it was merely caching the data in issue (thus Article 13 of the E-Commerce Directive was engaged) and, in any event (b) the order being sought by Mr Mosley would conflict with the requirement of Article 15 of the E-Commerce Directive, as it would result in Google having to engage in general monitoring of cached content.

Mitting J considered both of these arguments in the context of Google’s strike out application (see his judgment here). So far as Google’s case on Article 13 was concerned, Mitting J clearly took the view that, where an individual’s data protection rights are being infringed by virtue of an ISS’s continued processing of privacy-invasive data, there is nothing in Article 13 of the E-Commerce Directive which purports to limit the ISS’s liability to cease processing that data; quite the contrary Article 13(2) specifically leaves the door open to a cease processing order being made in these circumstances (see in particular [47]). This conclusion dovetailed with Mitting J’s more general (albeit provisional) conclusion that the Data Protection Directive and the E-Commerce Directive were intended to work ‘in harmony’ with one another (see [45]-46]). On the Article 15 defence, Mitting J was clearly sceptical about Google’s argument that the order being sought by Mr Mosley would result in the kind of general monitoring which was ostensibly prohibited by Article 15 [54]. However, he accepted that this was an issue which would have to be decided by the trial judge.

Of course, in light of the recent settlement, it is clear that that issues concerning Google’s Article 15 defence are now unfortunately not going to be decided by the trial judge. Which leaves us all pondering in particular the following important questions:

  • First, where right to be forgotten claims are formulated as claims to have data blocked by the relevant ISE, will such claims in practice effectively require a form of general monitoring by the ISE?
  • Second, if they do require a form of general monitoring, does that mean that the claims must fail by reference to Article 15 of the E-Commerce Directive or does Article 15 itself have to fall silent in the face of the imperatives of the data protection legislation? (Mitting J made clear in his judgment he was not expressing a view on this issue)
  • Third, what about claims for compensation brought against an ISE which refuses to block data? Do E-Commerce principles afforded ISEs a refuge against such claims? (Notably, Mitting J had stayed Mr Mosley’s compensation claim pending the outcome in Vidal-Hall so he did not address this issue).

It is perhaps worth pointing out here that no reference was made in Mitting J’s judgment to the EU Charter of Fundamental Rights (presumably because Charter rights were not specifically relied on in argument). Obviously in the post-Vidal-Hall world, Charter rights - including not least Article 8 (concerning the protection of personal data) – are bound to play a dominating role in discussions concerning the relationship between the E-Commerce Directive and data protection rights. Which all tends to suggest that this is an area which remains rich in litigation potential.

Finally, it should be pointed out that as at today’s date the various images which Mr Mosley was seeking suppress all appear still to be available online via Google. It remains to be seen whether in time these images will in fact quietly sink into the soup of online forgetfulness.

Anya Proops

Life for the CD Yet

May 14th, 2015 by Christopher Knight

Does anyone remember compact discs? Isn’t everything downloadable from iTunes, or Napster, or whatever it is that young people are using these days? Well, to the joy of crotchety old people everywhere, the court system still uses CDs. Indeed, the Upper Tribunal records hearings before it on CD, and when a litigant wants access to those recordings the Upper Tribunal may take the view that it is interests of justice to disclose it to them. (We are not yet at the thrilling stage of having Upper Tribunal hearings filmed and made available online, as in the Supreme Court. One cannot imagine why.)

So it was in the case of Mr Edem – he of ‘is a name personal data?’ fame – who did not approve of being given his recordings but under terms which did not permit him to more widely disclose them. Instead, he sought them under FOIA and was met with the fairly predictable reliance by the Ministry of Justice on the absolute exemption for court records in section 32(1)(c). Aha, said Mr Edem, but a CD is not a “document” within the meaning of section 32(1).

This may come as something of a surprise argument to anyone looking at the broad definition of information in section 84, the approach of the Court of Appeal in IPSA (see here), the Upper Tribunal decision in Peninsula Business Services v ICO & Ministry of Justice [2014] UKUT 284 (AAC), and indeed common sense. It is less of a surprise to see the argument fail in Edem v ICO & Ministry of Justice [2015] UKUT 210 (AAC).

Judge Wikeley had little difficulty in accepting that the purpose of section 32(1), to enable the courts to control access to their own files and records, indicates a broader interpretation of document than merely paper files, and the effect of the distinction that an audio record would not be caught but a transcript would be was patently not intended to be the outcome. In any event, a document is simply something which contains information. It does not determine the form or mode of container. Various cases from different contexts (including of course the Kennedy litigation under FOIA) gave support for the conclusion that “document” naturally includes an audio recording which contains relevant information. In so concluding, Judge Wikeley reached precisely the same conclusion as Judge Williams had done in Peninsula. The Upper Tribunal also dismissed the argument that simply because the use of “document” in section 25 (on national security certificates) must mean a written document because of the specific context of a certificate did not require the same interpretation generally: a written document is a document but the reverse is not true. The strike out of the appeal was upheld.

Rupert Paines appeared for the ICO; Rachel Kamm was for the MoJ.

Christopher Knight

Vexed by Vexatiousness? The Court of Appeal is Here to Help

May 14th, 2015 by Christopher Knight

The Court of Appeal has today handed down judgment in Dransfield v ICO & Devon County Council; Craven v ICO & Department for Energy and Climate Change [2015] EWCA Civ 454 (Dransfield Craven FINAL JUDGMENT 14 5 15. As people will recall, Dransfield is concerned only with section 14 FOIA, and Craven is concerned with whether the same approach should be adopted under the differently worded regulation 12(4)(b) EIR. For those desperately hoping it would not require completely relearning everything just as everyone was getting used to the Upper Tribunal decisions (on which see Robin’s lengthy screed here), a sigh of relief can be exhaled. Arden LJ gives the only substantive judgment (with which Gloster and Macur LJJ agree), which she helpfully summarises at [5]-[7] and which I set out in full so people with better things to do can stop reading:

5. The appeals raise different and difficult questions. In my judgment, for the detailed reasons given below, this court should dismiss each appeal.  

6. In Mr Dransfield’s case, the request, taken on its own, is a precise and politely-worded request. There is nothing on the face of this request which could be termed “vexatious”. Nonetheless the UT held that it was vexatious because of the past history of dealings between him and the authority. So the principal issue on his appeal is whether a request can treated as vexatious if it is not itself vexatious but previous requests have been. The FTT thought that the line had to be drawn at previous requests which “infected” the request under consideration (“the current request”). The UT rejected that test and held that there was no line to be drawn. Mr Dransfield seeks to uphold the test applied by the FTT. I do not accept this submission because it involves writing words into FOIA which the court may not do. The UT went on to formulate and apply guidance as to the meaning of “vexatious” which he has not challenged.

7. In Mrs Craven’s case, the principal question is whether the tests under section 14 FOIA and regulation 12(4)(b) have the same meaning (“the two-tests-one-meaning issue”). I conclude that to all intents and purposes they do. The next questions are whether the IC could raise an objection under regulation 12(4)(b) when the authority had not done so, whether section 14 (2) affects the meaning of section 14(1) and whether the costs of compliance could be taken into account under both tests (“the costs of compliance issue”). I agree with the UT on those points too. I would therefore dismiss Mrs Craven’s appeal also.”

And so orthodoxy reigns.

As to the detail of the judgment, although it is relatively long (28 pages), when one strips out the annexed statutory provisions, the factual background and the submissions of the parties, the actual analysis only runs from [61]-[73] on Mr Dransfield’s appeal and [74]-[88] on Mrs Craven’s.

In relation to Dransfield, the issue was the degree to which a prior course of conduct of the requestor could infect a request which in and of itself was inoffensive. Arden LJ agreed that no comprehensive or exhaustive definition should be adopted, but considered that the focus should be “on an objective standard and that the starting point is that vexatiousness primarily involves making a request which has no reasonable foundation, that is, no reasonable foundation for thinking that the information sought would be of value to the requester, or to the public or any section of the public“. The test should be a high one to meet, but all relevant circumstances should be considered. Where a motive can be established, that may be evidence of vexatiousness, although if the request is aimed at disclosure of important information which ought to be publicly available then even a “vengeful” request may not meet the test: at [68]. Motive was relevant here; section 14 is an exception to the ordinary approach that the reason why a right is exercised is irrelevant: at [66]. The FTT’s approach had been wrong; there were no bright lines and attempting them was illogical. Evidence of prior requests was capable of throwing light on the current request and the motivation behind it: at [69]. Had it been necessary to do so, the Court would have accepted that the Upper Tribunal had made an unchallengeable finding that the belligerent and unreasonable tone linked to the present request: at [71]. Because, as stressed at [6], there was no challenge to the Upper Tribunal’s general guidance, the Court of Appeal cast no doubt upon it and it will continue to be a useful source of assistance (with the caveat that protection of public resources cannot lower the high standard of vexatiousness required: at [72]).

In relation to Craven, Arden LJ dealt with a slightly wider range of issues. She made further comments on section 14 itself, noting that vexatiousness could not mean a requirement for persistent requests, still less for persistent requests to a range of different authorities, which would not be readily discoverable: at [77]. Section 14(2), on repeat requests, is a separate power which does not assist in interpreting section 14(1): at [82]. A key question in Craven was whether there should be any difference between the two regimes. Arden LJ held that there was not, particularly because section 14 was primarily an objective analysis, which accorded with the natural meaning of “unreasonable“. The word “manifestly” simply means that it must be clearly shown, and does not require detailed investigation by the authority into things it does not know: at [78]. There was no suggestion that the answer would have been any different under section 14: at [79] (although of course CJEU case law may develop in a different direction). One notable aspect of Craven is that it was a single request which was particularly burdensome and costly to deal with, but there was no section 12 equivalent in the EIR, and on this Arden LJ agreed with the Upper Tribunal’s approach: cost of compliance can be taken into account, although those costs would have to be balanced against the benefits of disclosure: at [83]. An unconcluded view was expressed that a higher hurdle might apply to rely on the costs burden under the EIR than FOIA, but no decision was reached: at [84]. The Court was satisfied that a costs burden could indeed apply to section 14: at [85].

We are, as a result, more or less where we were before the Court of Appeal’s judgment. Indeed all it has probably added is the weight of authority in some places and a bit of confusion (mostly around section 14 being objective, which is unhelpfully expressed but not, it appears, substantively different) in others. People can sensibly continue to guide themselves by the much more detailed guidance of the Upper Tribunal, subject to the caveats noted here. All the important clarifications made by the Upper Tribunal survive, and one suspects very limited changes will be required to the ICO’s Guidance. Repeat requestors should beware, particularly if they are unreasonable ones, and those making single but large requests should too.

The ICO was represented in both appeals by Tom Cross; Devon CC by Rachel Kamm and DECC by James Cornwell.

Christopher Knight

Right to be forgotten…in Japan

May 13th, 2015 by Anya Proops

I have just had my attention drawn to this interesting article from the Japan Times about how the right to be forgotten is beginning to gain traction in Japan. Just goes to show that Europe is not the only environment within which this highly controversial right can potentially gain a foothold.

Anya Proops