Evans Vetos Badger Trust?

March 29th, 2015 by Christopher Knight

The world is full of obvious things which nobody by any chance ever observes.” Sherlock Holmes, The Hound of the Baskervilles.

What else can there possibly be to say about Evans not covered in Robin’s excellent post from Thursday? One can contemplate the possible amendments the Government might make (how much clearer could Parliament have made the purpose of section 53), and what other changes might be made at the same time, especially in the light of the PM referring to FOIA as one of the “buggerations” of Government in the Times magazine yesterday. One can analyse the dissenting judgments, which is certainly worthy of time. One can remark again on the constitutional importance of the Supreme Court emphasising the rule of law.

Most information law practitioners probably think there isn’t really anything in Evans that is going to be very relevant to their daily lives. Even central Government FOIA officers have onlyseen seven vetos in ten years, so Evans isn’t going to make much of a practical difference.

But. Almost in passing, there is one passage in the judgment of Lord Neuberger (if not the majority judgment, at least the leading judgment) which is worthy of notice.

As has been previously pointed out on this blog, the Upper Tribunal in Defra v ICO & the Badger Trust [2014] UKUT 526 (AAC) set the cat amongst the FOIA pigeons (if that is not too much of a mixture of animal metaphors) by suggesting at [44]-[48] that it was an open question whether the public interest balance was to be assessed at the time of the request/response or afresh at the time of the Tribunal hearing. That baton is now being taken up in the  latest round of the interminable APPGER litigation.

However, it is possible that the Supreme Court has beaten them to it. The time of the assessment of the balancing exercise was a point of some relevance to the reasoning of Lord Neuberger, because a (powerful) objection to the reasoning of the Court of Appeal (including from me) was that the two permitted exceptional categories, particularly the reliance on fresh evidence, did not leave much room for application of the veto where the public interest was adjudged at or around the time of the request. Lord Neuberger, unlike the Court of Appeal, sought to address the point. In doing so, he noted at [72] that:

It is common ground, in the light of the language of sections 50(1), 50(4) and 58(1), which all focus on the correctness of the original refusal by the public authority, that the Commissioner, and, on any appeal, any tribunal or court, have to assess the correctness of the public authority’s refusal to disclose as at the date of that refusal.”

As the text sets out, no contrary point was argued, but Lord Neuberger does not express any dissent about it and sets out the legal basis for it in the statutory language. Moreover, he went to reiterate the point, and the exceptions to it, at [72]:

However, although the question whether to uphold or overturn (under section 50 or sections 57 or 58) a refusal by a public authority must be determined as at the date of the original refusal, facts and matters and even grounds of exemption may, subject to the control of the Commissioner or the tribunal, be admissible even though they were not in the mind of the indivdual responsible for the refusal or communicated at the time of the refusal to disclose (i) if they existed at the date of the refusal, or (ii) if they did not exist at that date, but only in so far as they throw light on the grounds now given for refusal“.

It is difficult to see how the obiter musings of the Upper Tribunal in Badger Trust can withstand this, fairly prolonged, piece of Supreme Court reasoning. Arguments may be made that it was common ground, and possibly that was obiter itself, but it will self-evidently persusive that such experienced and eminent counsel agreed such a standpoint, and that the leading judgment relies upon it.

Perhaps the debate door is shut only shortly after being opened? Perhaps Evans has something to say to FOIA lawyers outside the scope of the veto power after all? Perhaps, perhaps, perhaps…

Christopher Knight

PS A prize (kudos only though) for the first person to spot the link between opening and closing of this post.

Google and the DPA – RIP section 13(2)

March 27th, 2015 by Christopher Knight

Well, isn’t this an exciting week (and I don’t mean Zayn leaving One Direction)? First, Evans and now Vidal-Hall. We only need Dransfield to appear before Easter and there will be a full red bus analogy. Robin opened yesterday’s analysis of Evans by remarking on the sexiness of FOIA. If there is one thing you learn quickly as an information law practitioner, it is not to engage in a sexiness battle with Robin Hopkins. But high-profile though Evans is, the judgment in Vidal-Hall will be of far wider significance to anyone having to actually work in the field, rather than simply tuning every now and then to see the Supreme Court say something constitutional against a FOIA background. Vidal-Hall might not be the immediate head-turner, but it is probably going to be the life-changer for most of us. So, while still in the ‘friend zone’ with the Court of Appeal, before it all gets serious, it is important to explain what Vidal-Hall v Google [2015] EWCA Civ 311 does.

The Context

The claims concern the collection by Google of information about the internet usage of Apple Safari using, by cookies. This is known as “browser generated information” or “BGI”. Not surprisingly, it is used by Google to more effectively target advertising at the user. Anyone who has experienced this sort of thing will know how bizarre it can sometimes get – the sudden appearance of adverts for maternity clothes which would appear on my computer followed eerily quickly from my having to research pregnancy information for a discrimination case I was doing. Apple Safari users had not given their consent to the collection of BGI. The Claimants brought claims for misuse of private information, breach of confidence and breach of the DPA, seeking damages under section 13. There is yet to be full trial; the current proceedings arise because of the need to serve out of the jurisdiction on Google.

The Issues

These were helpfully set out in the joint judgment of Lord Dyson MR and Sharp LJ (with whom Macfarlane LJ agreed) at [13]. (1) whether misuse of private info is a tort, (2) whether damages are recoverable under the DPA for mere distress, (3) whether there was a serious issue to be tried that the browser generated data was personal data and (4) whether permission to serve out should have been refused on Jameel principles (i.e. whether there was a real and substantial cause of action).

Issues (1) and (4) are less important to readers of this blog, and need only mention them briefly (#spoilers!). Following a lengthy recitation of the development of the case law, the Court held that the time had come to talk not of cabbages and kings, but of the tort of misuse of private information, rather than being an equitable action for breach of confidence: at [43], [50]-[51]. This allowed service out under the tort gateway in PD6B. The comment of the Court on issue (4) is worth noting, because it held that although claims for breach of the DPA would involve “relatively modest” sums in damages, that did not mean the claim was not worth the candle. On the contrary, “the damages may be small, but the issues of principle are large”: at [139].

Damages under Section 13 DPA

Issue (2) is the fun stuff for DP lawyers. As we all know, Johnson v MDU [2007] EWCA Civ 262 has long cast a baleful glare over the argument that one can recover section 13 damages for distress alone. The Court of Appeal have held such comments to be obiter and not binding on them: at [68]. The word ‘damage’ in Art 23 of the Directive had to be given an autonomous EU law meaning: at [72]. It also had to be construed widely having regard to the underlying aims of the legislation: the legislation was primarily designed to protect privacy not economic rights and it would be strange if data subjects could not recover compensation for an invasion of their privacy rights merely because they had not suffered pecuniary loss, especially given Article 8 ECHR does not impose such a bar: at [76]-[79]. However, it is not necessary to establish whether there has also been a breach of Article 8; the Directive is not so restricted (although something which does not breach Article 8 is unlikely to be serious enough to have caused distress): at [82].

What then to do about section 13(2) which squarely bars recovery for distress alone and is incompatible with that reading of Article 23? The Court held it could not be ‘read down’ under the Marleasing principle; Parliament had intended section 13(2) to impose this higher test, although there was nothing to suggest why it had done so: at [90]-[93]. The alternative was striking it down on the basis that it conflicted with Articles 7 and 8 of the EU Charter of Fundamental Rights, which the Court of Appeal accepted. In this case, privacy and DP rights were enshrined as fundamental rights in the Charter; breach of DP rights meant that EU law rights were engaged; Article 47 of the Charter requires an effective remedy in respect of the breach; Article 47 itself had horizontal direct effect (as per the court’s conclusion in Benkharbouche v Embassy of Sudan [2015] EWCA Civ 33); the Court was compelled to disapply any domestic provision which offended against the relevant EU law requirement (in this case Article 23); and there could be no objections to any such disapplication in the present case e.g. on the ground that the Court was effectively recalibrating the legislative scheme: at [95]-[98], [105].

And thus, section 13(2) was no more. May it rest in peace. It has run down the curtain and joined the bleedin’ choir invisible.

What this means, of course, is a potential flood of DP litigation. All of a sudden, it will be worth bringing a claim for ‘mere’ distress even without pecuniary loss, and there can be no doubt many will do so. Every breach of the DPA now risks an affected data subject seeking damages. Those sums will invariably be small (no suggestion from the Court of Appeal that Article 23 requires a lot of money), and perhaps not every case will involve distress, but it will invariably be worth a try for the data subject. Legal costs defending such claims will increase. Any data controllers who were waiting for the new Regulation with its mega-fines before putting their house in order had better change their plans…

Was BGI Personal Data

For the DP geeks, much fun was still to be had with Issue (3). Google cannot identify a particular user by name; it only identifies particular browsers. If I search for nasal hair clippers on my Safari browser, Google wouldn’t recognise me walking down the street, no matter how hirsute my proboscis. The Court of Appeal did not need to determine the issue, it held only that there was a serious issue to be tried. Two main arguments were run. First, whether the BGI looked at in isolation was personal data (under section 1(1)(a) DPA); and secondly, whether the BGI was personal data when taken together with gmail account data held by Google (application of limb (b)).

On the first limb, the Court held that it was clearly arguable that the BGI was personal data. This was supported by the terms of the Directive, an Article 29 WP Opinion and the CJEU’s judgment in Lindqvist. The fact that the BGI data does not name the individual is immaterial: it clearly singles them out, individuates them and therefore directly identifies them: at [115] (see more detail at [116]-[121]).

On the second limb, it was also clearly arguable that the BGI was personal data. Google had argued that in practice G had no intention of amalgamating them, therefore there was no prospect of identification. The Court rejected this argument both on linguistic grounds (having regard to the wording of the definition of personal data, which does not require identification to actually occur) and on purposive grounds (having regard to the underlying purpose of the legislation): at [122]-[125].

A third route of identification, by which enable individual users could be identified by third parties who access the user’s device and then learn something about the user by virtue of the targeted advertising, the Court concluded it was a difficult question and the judge was not plainly wrong on the issue, and so it should be left for trial: at [126]-[133].

It will be interesting to see whether the trial happens. If it does, there could be some valuable judicial discussion on the nature of the identification question. For now, much is left as arguable.

Conclusion

The Court of Appeal’s judgment in Vidal-Hall is going to have massive consequences for DP in the UK. The disapplication of section 13(2) is probably the most important practical development since Durant, and arguably more so than that. Google are proposing to seek permission to appeal to the Supreme Court, and given the nature of the issues they may well get it on Issues (1) and (2) at least. In meantime, the Court’s judgment will repay careful reading. And data controllers should start looking very anxiously over their shoulders. The death of their main shield in section 13(2) leaves them vulnerable, exposed and liable to death by a thousand small claims.

Anya Proops and Julian Milford appeared for the ICO, intervening in the Court of Appeal.

Christopher Knight

PS No judicial exclamation marks to be found in Vidal-Hall. Very restrained.

Evans – Supreme Court rules that AG’s veto was unlawful

March 26th, 2015 by Anya Proops

The Supreme Court has today handed down a judgment which has very significant ramifications for the operation of the veto regime by the Government in connection with FOIA and EIR cases: R(Evans) v Attorney General. It marks a great victory for the Guardian in its 10 year struggle to gain access to correspondence written by HRH Prince Charles to various government departments. But more than this, it marks an important milestone in the development of FOI jurisprudence, as our highest court makes clear that, when it comes to the application of FOIA, Government cannot trump the decisions of the courts merely because it takes a different view of the facts of the case.

In short, the Supreme Court has held: (a) by a 5:2 majority that the veto issued under FOIA by the AG in respect of the Upper Tribunal’s order that the correspondence should be disclosed was unlawful and (b) by a 6:1 majority that provisions in the EIR which permit the Government to issue a veto in cases falling within the scope of the environmental information access regime were invalid, as they are incompatible with the EU Directive on public access to environmental information (2003/4/EC). The Supreme Court’s Press Summary, which contains a useful summary of the judgment, can be found here.

Posts containing careful analysis of the judgment will undoubtedly follow on Panopticon. 11KBW’s Karen Steyn QC appeared for the Attorney General. Timothy Pitt-Payne QC appeared for the ICO.

Anya Proops

Catt is put back in the bag – supreme court reverses court of appeal in police data retention case

March 11th, 2015 by Anya Proops

The Catt and T cases are both concerned with this important question: to what extent may the police lawfully retain records relating to individuals who have not in fact been arrested or charged in connection with any criminal offence. The Supreme Court has now had its say on this question – see the judgment here.

The background to the appeal is very helpfully set out in this earlier post. In short, Mr Catt (C) is a peaceful protestor who participated in an anti-arms trade protest conducted by a group called Smash-EDO. Smash-EDO is associated with violent crime. The police overtly recorded information about individuals attending Smash EDO demonstrations, including C. The police went on to retain information about C, including his name, address and information confirming his presence at a particular protest. The data was stored on the police’s Domestic Extremism Database. T is an individual who is alleged to have made a homophobic comment to a neighbour’s friend. The police sent her a ‘Prevention of Harassment’ letter warning her that she could be liable to arrest and prosecution should she commit any act amounting to harassment. The letter was originally retained on the police’s files in accordance with its policy that such correspondence should be retained for 7 years. However, in point of fact, the letter sent to T was destroyed after only two and half years.

The High Court dismissed claims made by C and T that the police’s act of retaining their data constituted a breach of their Article 8 rights. The Court of Appeal allowed the claimants’ appeal, reversing the High Court’s judgment. Now the Court of Appeal’s judgment has itself been reversed by the Supreme Court which, in summary, held that whilst retention of the data interfered with the claimants’ Article 8 rights, the retention was justified under Article 8(2). The core question which the Supreme Court had to address was the proportionality of the retention, particularly having regard to the fact that neither claimant had actually been arrested or charged with any offence.

Mr Catt’s case – The judgment in C’s case was a majority judgment, with Lord Toulson dissenting. In terms of the majority (Lords Sumption, Mance and Neuberger and Lady Hale), it is clear that the judges were of the view that the retention of C’s data was not disproportionate because:

  • the level of intrusion with C’s privacy rights was minimal, particularly given that:
    • the information in question is not intimate or sensitive;
    • it related to C’s activities in a public forum – the recorded facts were in that sense in the public domain;
    • there are tight constraints on the uses to which the data may be put (essentially they may only be used for police purposes and are subject to a strict review/deletion policy
  • moreover, it would require disproportionate effort for the police to have to weed out this type of record from its other records.
  • by way of contrast, the benefits to be obtained from retaining the data were potentially substantial and included enabling the police to develop a detailed intelligence picture of organisations prepared to engage in violent crime

Lord Toulson took a different view of the proportionality issues. In essence, he concluded that the information in question was unlikely to add much value in terms of meeting policing objectives and, further, that the weeding exercise would not be unduly onerous, particularly given that the police regularly had to undertake such weeding exercises in any event.

T’s case – In T’s case, the majority (Lady Hale, Lord Toulson and Lord Mance) were of the view that the retention policy in issue was lawful. Lady Hale and Lord Toulson both made the point that retention of such information over an extended period of time was important, particularly in terms of dealing effectively with domestic abuse cases. By way of contrast, Lord Sumption was of the view that such a lengthy retention period was disproportionate, particularly given the trivial nature of the incident in question. However, on the facts relating to T’s case, he held that it was not disproportionate for the police to have retained the letter for the relatively short period of 2.5 years. Thus, he concurred with the conclusion that the appeal should be allowed.

A key point emerging from the judgment, and indeed the litigation history of these appeals, is that there is no perfect science when it comes to applying the proportionality principle. Instead, the exercise of assessing proportionality is inherently impressionistic, as is illustrated by the wide divergence of views expressed by the judges in the High Court, Court of Appeal and the Supreme Court. It is understood that the claimants will now seek to have the case referred to the European Court of Human Rights. So we may yet see another reversal of fortunes in this interesting and important litigation.

Jason Coppel QC and Robin Hopkins appeared for the Secretary of State for the Home Department, who intervened in the appeal.

Anya Proops

High Court considers purpose behind subject access request under the DPA

March 10th, 2015 by Robin Hopkins

It is not uncommon for data controllers to be faced with subject access requests under s. 7 of the Data Protection Act 1998 the motivations for which appear to have nothing whatever to do with the purposes of the DPA.

The DPA seeks to protect individuals’ privacy rights with respect to data which is processed about them. The subject access provisions help people check up on that data and its processing (see for example YS v Minister voor Immigratie (Cases C-141/12 & C-372/12)). In practice, however, a subject access request is a fishing expedition with an eye on prospective litigation.

How does this affect the individual’s right to have his subject access complied with? The general answer is that, at least as regards applications to the Court under s. 7(9) DPA for the enforcement of a subject access request, the remedial discretion is wide enough to take the requester’s motive and purposes into account.

Kololo v Commissioner of Police for the Metropolis [2015] EWHC 600 (QB) – a judgment of Dingemans J handed down yesterday – looked set to consider the relevance of a requester’s motive (albeit that the context was not the commonplace pre-litigation fishing expedition). In the end, the judgment was largely fact-specific. Nonetheless, it is an interesting illustration of a Court engaging with a requester’s motive and that place of that motive in the statutory scheme.

The judgment is here: Kololo. There is also some press coverage in the Telegraph.

Mr Kololo is on death row in Kenya. He is challenging his conviction and sentence for robbery, kidnapping and murder of British nationals. He has never been to the UK, but officers of the Metropolitan Police were involved in the investigation of the crimes in Kenya and in evidence given at the trial.

His lawyers made subject access requests to the Foreign Office and the Metropolitan Police. The former provided data, but the Police refused. It said his request was an abuse of process.

The predominant purpose of the request was to assist with Mr Kololo’s appeal in the Kenyan Courts. The subject access request itself had said that the information sought “could prove crucial to Mr Kololo’s case”.

In his witness statement to the Court, however, Mr Kololo said that he also wanted to know what information the Police held on him “and what they are doing or have done with it”. He said he was worried about how information about him and his family may be used by the Police.

Dingemans J considered such worry to be speculative. Mr Kololo’s principal aim was plainly to obtain information which might assist with his appeal. But Dingemans J took this view (para. 31): “However, in order for any data which Mr Kololo might obtain from the Commissioner to be of any assistance to Mr Kololo on his appeal, it is likely that Mr Kololo will want to try and point to inaccuracies in the data” (if any such inaccuracies existed).

Therefore, Mr Kololo’s purpose was at least in part aligned with the purposes of the DPA: “a purpose for which Mr Kololo is making the subject access request is to determine whether there are inaccuracies in the data. This means that Mr Kololo (or his legal representatives) is making the subject access request to verify the accuracy of the data. This is so even though verifying the accuracy of the data is unlikely to be of assistance to Mr Kololo for his appellate proceedings. However if the data is not accurate Mr Kololo (or his legal representatives) may seek to correct any inaccuracies in the data. This might, depending on the inaccuracies, be of assistance to Mr Kololo for his other purposes” (para. 35).

Dingemans J noted that the Court’s discretion under s. 7(9) DPA was “’general and untrammelled’ but it is also common ground that such discretion should be exercised to give effect to the purposes of the DPA and be proportionate” (paragraph 32). On the facts, however, one of Mr Kololo’s purposes did accord with the purposes of the DPA. Therefore, his request was held not to be an abuse of process, and the Police were ordered to comply with it.

Additionally, Dingemans J briefly considered the Crime (International Co-operation) Act 2003 for an overseas court or prosecuting authority to request assistance from UK authorities. The existence of that mechanism also did not render Mr Kololo’s subject access request an abuse of process.

Anya Proops and Chris Knight appeared for the Commissioner of Police for the Metropolis.

Robin Hopkins @hopkinsrobin

Facing justice: judgment against Facebook in privacy/data protection case

February 25th, 2015 by Anya Proops

The extent to which privacy and data protection rights can effectively resonate within the online environment is an acutely important issue for all information law practitioners. Moreover, it is an issue which seems to be gaining ever increasing traction in the litigation context, as is illustrated not least by the following developments.

  • As most readers of this blog will know, last year the CJEU sent shock waves through the information law community when it held, in Google Spain, that EU data protection legislation operated so as to enable the so-called ‘right to be forgotten’ to be asserted against Google. (That principle is due to receive further consideration from our domestic courts in the forthcoming case of Max Mosley v Google – see Robin’s post on the Mosley case here).
  • Then we had the judgment of the High Court in Vidal-Hall v Google, where the court concluded, in the face of a jurisdictional defence mounted by Google, that claims brought against Google concerning its tracking of the internet browsing habits of users could properly proceed. (An appeal against the High Court’s judgment in that case is due to be heard by the Court of Appeal on 2nd or 3rd March – the ICO is intervening in support of the claimants’ case).
  • Now the High Court in Northern Ireland has given judgment in an important case involving a compensation claim made against Facebook: CG v Facebook & Anor [2015] NIQB 11.

Key aspects of the CG judgment are as follows:

  • The claim was brought by a convicted paedophile in respect of a series of postings placed on Facebook by third parties, one of whom had been named as second defendant to the claims. The postings not only included data amounting to vituperative name-calling but also repeated incitements to violence in respect of the claimant.
  • The High Court held that Facebook was liable in respect of the postings, particularly on the basis that it had misused the claimant’s private information by failing to delete the postings after Facebook’s attention had been drawn to their existence.
  • The High Court rejected Facebook’s assertion that its liability in respect of the postings was excluded on an application of the Electronic Commerce (EC Directive) Regulations 2002. On this issue, the court held that: (a) the Regulations only immunise the relevant information society service (ISS) against liability if the ISS has no actual or constructive knowledge of the unlawful activity on its site or, if it has acquired that knowledge, it acts expeditiously to remove or disable access to the relevant information and (b) Facebook could not rely on the Regulations in the present case because, after being notified of the relevant postings, Facebook had failed to remove or disable access to them.
  • The second defendant, an individual who was responsible for one of the disputed postings, was liable for misuse of the claimant’s private information in his capacity as primary publisher. He was also liable for harassment under the Protection from Harassment Act.
  • As for the claim under the DPA 1998, which was brought only against Facebook and not against the second defendant, that claim could not proceed because, on an application of s. 5 DPA 1998, the claim fell outside of the territorial ambit of the legislation. (Notably no reference was made in this context to the CJEU’s approach to territorial ambit under the data protection Directive in the Google Spain case).
  • Whilst no DPA claim was pleaded against the second defendant, the court made the following points about the application of the journalistic exemption contained in s. 32 DPA:
    • The court noted that the Claimant had conceded that the second defendant’s activities in posting material on Facebook might about to ‘journalism’.
    • However, the court went on to conclude there was no scope for the second defendant to rely on the journalistic exemption contained in s. 32 DPA 1998. This was particularly because the second defendant could not have had any ‘reasonable’ belief that his publications were in the public interest for the purposes of s. 32(1)(b).
  •  The claimant was awarded £20,000 in compensation in respect of his claim for misuse of private information.

What is interesting and important about the CG judgment is that it reinforces the point that organisations which operate merely so as to facilitate online freedom of expression can no longer safely assume that they are always operating in the stratosphere, far above the mire of the privacy litigation battlefield. Instead, they must appreciate that those rights are sufficiently flexible and powerful that they can potentially draw such organisations firmly into the fray.

Anya Proops

PECR Thresholds a Substantially Distressing Nuisance of the Past

February 25th, 2015 by Christopher Knight

The Department for Culture Media and Sport has today announced that it is to amend the Privacy and Electronic Communications Regulations 2003 so as to remove the requirement that unlawful nuisance calls and texts are a source of “substantial damage or substantial distress”; that being the test which must be met in order for the Information Commissioner to impose a monetary penalty notice (“MPN”): section 55A(1) of the Data Protection Act 1998.

The plan, which was the subject of consultation (see my post here), is apparently to drop the substantial damage/distress limb altogether. Draft legislation has not yet been published, so we can’t comment on the precise way this is going to be done, or whether there are any other ramifications. But such legislation will have to come soon, because the plan is to implement the change from 6 April 2015. The change will radically increase the ability of the ICO to issue MPNs to the companies which routinely flout the provisions of PECR, but which cause limited distress.

DCMS has also trailed the, as yet unexplained, idea that “We’re also going to look at whether the powers the ICO have to hold to account board level executives for such behaviour are sufficient or we need to do more.” Not clear at the moment what is meant by ‘looking at’, and it may be that another consultation is on the way.

The Government’s announcement can be read here.

Update: The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 have now been published and do simply remove the damage/distress limb of the section 55A test when it applies under PECR. It also adds provisions permitting emergency alerts to be sent, placing a limit on the length of time that providers may retain the traffic and location data they process, unless the data is modified in such a way that the data cannot identify an individual or corporate body.

 

Christopher Knight

Down the Rabbit Hole – Late Reliance under FOIA

February 15th, 2015 by Christopher Knight

Says the White Rabbit in Alice in Wonderland, “Oh my furry whiskers, I’m late, I’m late, I’m late!” Although the application of FOIA may sometimes feel like Wonderland, the feeling it induces is normally more akin to turning up unexpectedly at the Mad Hatter’s Tea Party (although attributing FTT judicial figures to the characters of the Mad Hatter and the Dormouse is beyond me). But one thing that has, since Birkett v DEFRA [2011] EWCA Civ 1606, not generally proved very controversial is the question of late reliance on exemptions; the White Rabbit need have little fear. Birkett made clear that late (usually after the DN and in the course of litigation before the FTT) reliance on substantive exemptions is permissible, subject to case management powers, under the EIR. The unappealed equivalent decision under FOIA, Information Commissioner v Home Office [2011] UKUT 17 (AAC), has generally been assumed to be correct.

However, there is a generous ‘but’ involved, about which lawyers are second only to Sir Mixlot in their appreciation. Can one rely late upon an exemption in Part I of FOIA? There has been a conflict of FTT and Upper Tribunal authority on the point. Independent Police Complaints Commission v Information Commissioner [2012] 1 Info LR 427 had held that there could be late reliance on section 12. The Upper Tribunal in All Party Parliamentary Group on Extraordinary Rendition v Information Commissioner & Ministry of Defence [2011] UKUT 153 (AAC); [2011] 2 Info LR 75 expressed the clear, if obiter, view that section 12 was not in the same position as substantive FOIA Part II exemptions because it had a different purpose; section 12 is not about the nature of the information but the effect on the public authority of having to deal with the request. The scheme of FOIA was likely to be distorted, the Upper Tribunal held, if the authority could suddenly rely on section 12 after already having carried out the search and engaged with the requestor: at [45]-[47]. The APPGER approach was accepted by the FTT in Sittampalam v Information Commissioner & BBC [2011] 2 Info LR 195. There was at least a school of thought that the APPGER logic ought also to apply to section 14 (which, as was explained in Dransfield, is not properly an exemption at all: at [10]-[11]). Then, in Department for Education v Information Commissioner & McInerney (EA/2013/0270), Judge Warren firmly concluded that section 14 (and by implication section 12) could be relied upon late. I suggested at the time that the conflict of authority on the point might require appellate resolution, and Ms McInerney appealed on that basis (in partial reliance, it appears, on my blogpost: see at [22] of the UT judgment).

 The appeal in McInerney v Information Commissioner and the Department for Education [2015] UKUT 0047 (AAC) has now been determined by Judge Jacobs (who heard the Birkett and Home Office cases). It has definitively resolved that a public authority may rely on sections 12 or 14 for the first time before the FTT, subject to the case management powers of the FTT. Although the judgment of the Upper Tribunal is fairly lengthy, the key part of the analysis is fairly brief. Judge Jacobs considered the principles derived from Birkett overtook the reasoning in APPGER, that the discussion of principle in his Home Office decision applied equally to the Part I exemptions, that section 17(1) did not prevent late reliance, that there was nothing in section 12 to require a different answer, and that late reliance may be forced on a public authority for good reasons (such as the instant appeal): at [33]-[41]. The Upper Tribunal did not consider it necessary to review the various FTT decisions. If section 12 is relied upon before the FTT for the first time, it will be the FTT which has to review the reasonableness of the estimate: at [40]. The Upper Tribunal considered that the answer on section 14 followed naturally from the answer on section 12.

 The position now at least has the benefit of consistency. Requestors will doubtless continue to be extremely frustrated by public authorities who appear to change their position at the last moment (usually when lawyers have become involved), and the FTT does not appear to have been often exercising its powers to restrict late reliance, or to punish incorrect late reliance in costs. However, if an exemption is relied upon correctly, reaching the correct answer is important. Whiskers may soothed, pocket watches stowed away, and lateness need rarely be an issue.

 Also of some practical interest will be the discussion of Judge Jacobs on the interaction of sections 14 and 16. It might be thought difficult to see how the section 16 duty could really apply to a vexatious request (“we advise you to submit a request which is not vexatious” perhaps?). Judge Jacobs accepted at [55] that a request should not have to be dissected to see if it can be severed, because that would undermine the purpose of section 14, but that section 16 cannot be ignored. The circumstances might allow a public authority to extract one part to create a non-vexatious request: at [56]. This is a little hard to understand; it might be thought the better analysis would be that properly construed, that one part was not a vexatious request, and it is not clear whether section 16 adds much. He added that it is not for the FTT to apply section 16 to assist a requestor – only the public authority is obliged to do so: at [57]-[58].

 Andrew Sharland appeared for the DfE and Robin Hopkins appeared for the ICO.

 Christopher Knight

 

The Algebra of FOIA

February 6th, 2015 by Christopher Knight

It is no matter of Euclidian geometry to say that where x + y = z, and z = 13, being told what y equals one need not be Pythagoras to establish the value of x. But what happens when z is in the public domain, x is absolutely exempt information under FOIA (because it is caught by section 23(1)) and the public interest otherwise favours the disclosure of y, which is not the subject of an exemption? Inevitably, the effect of disclosure is that the absolutely exempt information is also revealed. The Interim Decision of the Upper Tribunal in Home Office v ICO & Cobain [2014] UKUT 306 (AAC) was that the Tribunal had to consider whether it was appropriate to utilise the section 50(4) FOIA power so as not to direct disclosure. The issue may be formulaic, but the answer is not.

The application of section 50(4) has only previously received analysis in ICO v HMRC & Gaskell [2011] UKUT 296 (AAC), in which Judge Wikeley held (at [24]) that section 50(4) could be used so as not to require disclosure of information where it would be “unlawful, impossible or wholly impractical”. On the facts of Gaskell, section 50(4) was appropriate because since the request had been made the law had made disclosure of the information unlawful.

The Upper Tribunal has now exercised that decision itself in Home Office v ICO & Cobain [2015] UKUT 27 (AAC), in which Judge Wikeley held that the appropriate exercise of the section 50(4) discretion requires no steps to be taken (i.e. y need not be disclosed, even though section 1 FOIA entitles Mr Cobain to see it). The Upper Tribunal stressed that the application of section 50(4) should be rare, given the need to construe FOIA liberally, and use of it must be lawful in a public law sense. Judge Wikeley broadly endorsed the ICO’s ten listed factors as of potential relevance (although they will vary on the facts of each case): at [18]. He saw it as particularly important that the absolute exemption which would be undermined in this case was section 23(1), expressly drawn widely by Parliament and by contrast to section 24. Indeed, he accepted that section 23 “affords the widest protection”: at [29]. Judge Wikeley also considered the degree of public interest in the information, which he considered not to be especially high given the existing material in the public domain. He therefore agreed that section 50(4) should be applied so as not to require the Home Office to take steps to disclose the information.

It remains to be seen how often there really will be such issues in practice. The Cobain case appears to be the first of its type, although the Upper Tribunal recognised that it might occur under other class-based exemptions, such as sections 30, 35, 41 and 42. What may be more interesting is where different exemptions apply to x and y, one of which is absolutely exempt and one of which is subject to a qualified exemption. Is the algebraic problem a matter for the public interest balance in relation to y, or should it only be resolved at section 50(4)? Strictly speaking, one can see the analytical purity of considering the interest only in relation the specific information covered by y, but it is hard to imagine that the impact of disclosure in relation to x will not bleed across into the weighing. And if there has already been a public interest exercise, what room will there remain for it to be taken into account under section 50(4) – in such cases it would look a lot like double-counting. Perhaps we shall never know, and this may be what happens when the maths fox runs loose in the FOIA henhouse.

One brief procedural addition. The Upper Tribunal had, in ICO v Bell [2014] UKUT 106 (AAC), held that the Tribunal should usually explain that a Decision Notice was wrong in law and why, rather than substituting a new Decision Notice. Judge Wikeley was rather less convinced at the appropriateness or necessity of that conclusion (see at [40]-[42], and in particular the amusing and obvious implicit support given to the Tribunal’s castigation of Bell in Clucas v ICO (EA/2014/0006)) and happily availed himself of the crack left open by Judge Jacobs in Bell to substitute a new Decision Notice in this case. Given that it was a case using section 50(4), that seems a particularly sensible step. Doubtless a case will arise in which Bell can be reconsidered, and God bless all those who have to sail in her.

In the meantime, it is time for FOIA lawyers to get back to the calculators.

Christopher Knight

Googling Orgies – Thrashing out the Liability of Search Engines

January 30th, 2015 by Christopher Knight

Back in 2008, the late lamented News of the World published an article under the headline “F1 boss has sick Nazi orgy with 5 hookers”. It had obtained footage of an orgy involving Max Mosley and five ladies of dubious virtue, all of whom were undoubtedly (despite the News of the World having blocked out their faces) not Mrs Mosley. The breach of privacy proceedings before Eady J (Mosley v News Group Newspapers Ltd [2008] EWHC 687 (QB)) established that the ‘Nazi’ allegation was unfounded and unfair, that the footage was filmed by a camera secreted in “such clothing as [one of the prostitutes] was wearing” (at [5]), and also the more genteel fact that even S&M ‘prison-themed’ orgies stop for a tea break (at [4]), rather like a pleasant afternoon’s cricket, but with a rather different thwack of willow on leather.

Since that time, Mr Mosley’s desire to protect his privacy and allow the public to forget his penchant for themed tea breaks has led him to bring or fund ever more litigation, whilst simultaneously managing to remind as many people as possible of the original incident. His latest trip to the High Court concerns the inevitable fact of the internet age that the photographs and footage obtained and published by the News of the World remain readily available for those in possession of a keyboard and a strong enough constitution. They may not be on a scale of popularity as last year’s iCloud hacks, but they can be found.

Alighting upon the ruling of the CJEU in Google Spain that a search engine is a data controller for the purposes of the Data Protection Directive (95/46/EC) (on which see the analysis here), Mr Mosley claimed that Google was obliged, under section 10 of the Data Protection Act 1998, to prevent processing of his personal data where he served a notice requesting it to do so, in particular by not blocking access to the images and footage which constitute his personal data. He also alleged misuse of private information. Google denied both claims and sought to strike them out. The misuse of private information claim being (or soon to be) withdrawn, Mitting J declined to strike out the DPA claim: Mosley v Google Inc [2015] EWHC 59 (QB). He has, however, stayed the claim for damages under section 13 pending the Court of Appeal’s decision in Vidal-Hall v Google (on which see the analysis here).

Google ran a cunning defence to what, post-Google Spain, might be said to be a strong claim on the part of a data subject. It relied on Directive 2000/31/EC, the E-Commerce Directive. Article 13 protects internet service providers from liability for the cached storage of information, providing they do not modify the information. Mitting J was content to find that by storing the images as thumbnails, Google was not thereby modifying the information in any relevant sense: at [41]. Article 15 of the E-Commerce Directive also prohibits the imposition of a general obligation on internet service providers to monitor the information they transmit or store.

The problem for Mitting J was how to resolve the interaction between the E-Commerce Directive and the Data Protection Directive; the latter of which gives a data subject rights which apparently extend to cached information held by internet service providers which the former of which apparently absolves them of legal responsibility for. It was pointed out that recital (14) and article 1.5(b) of the E-Commerce Directive appeared to make that instrument subject to the Data Protection Directive. It was also noted that Google’s argument did not sit very comfortably with the judgment (or at least the effect of the judgment) of the CJEU in Google Spain.

Mitting J indicated that there were only two possible answers: either the Data Protection Directive formed a comprehensive code, or the two must be read in harmony and given full effect to: at [45]. His “provisional preference is for the second one”: at [46]. Unfortunately, the judgment does not then go on to consider why that is so, or more importantly, how both Directives can be read in harmony and given full effect to. Of course, on a strike out application provisional views are inevitable, but it leaves rather a lot of legal work for the trial judge, and one might think that it would be difficult to resolve the interaction without a reference to the CJEU. What, for example, is the point of absolving Google of liability for cached information if that does not apply to any personal data claims, which will be a good way of re-framing libel/privacy claims to get around Article 13?

The Court also doubted that Google’s technology really meant that it would have to engage in active monitoring, contrary to Article 15, because they may be able to do so without “disproportionate effort or expense”: at [54]. That too was something for the trial judge to consider.

So, while the judgment of Mitting J is an interesting interlude in the ongoing Mosley litigation saga, the final word certainly awaits a full trial (and/or any appeal by Google), and possibly a reference. All the judgment decides is that Mr Mosley’s claim is not so hopeless it should not go to trial. Headlines reading ‘Google Takes a Beating (with a break for tea)’ would be premature. But the indications given by Mitting J are not favourable to Google, and it may well be that the footage of Mr Mosley will not be long for the internet.

Christopher Knight