It’s Good to TalkTalk About Increased Fines

October 27th, 2015 by Christopher Knight

As if TalkTalk don’t have enough to think about at the moment, the House of Commons yesterday discussed the sanctions available to the Information Commissioner for significant data breaches. Responding to an urgent question on the TalkTalk incident, the Minister for Culture and the Digital Economy (wasn’t that one of Gladstone’s titles once?), Ed Vaizey, made a number of interesting comments. He mentioned that he understood TalkTalk had reported the breach to the ICO on Thursday 22 October and he expressed delight that the Culture Select Committee would be inquiring into the incident. In response to an SNP question that a maximum £500,000 fine was too small to be “terrifying”, the Minister indicated that the existing monetary penalty regime was significant but that he would discuss with the ICO whether more could be done. Oddly, he did not mention the genuinely terrifyingly large maximum fine proposals under the General Data Protection Regulation (ranging from 5% to 2% of global annual turnover, depending on which draft you read), although he did later state that the Regulation negotiations were “almost at the point of being completed”. He completed the urgent question procedure by suggesting that some sort of kitemark for cyber-security was something he would look into.

Whether or not it is really worth increasing the maximum levels of the monetary penalty notice regime before the new Regulation increases them anyway is a matter for debate. Given that the ICO has only rarely imposed fines at the top of the range, there probably has not been much internal appetite for pushing it higher. But, as we all know, there is nothing like shutting the stable door after the unencrypted horse has been ridden away by a 15-year-old from County Antrim (allegedly).

Anyone wishing to read the debate (which does not contain very much by way of careful consideration of data protection law but a good deal by way of assumption that TalkTalk should be hung, drawn and quartered) can do so on Hansard here.

Christopher Knight

Safe Harbour and the European regulators

October 26th, 2015 by Timothy Pitt-Payne QC

On 6th October 2015 the CJEU declared the Commission’s Safe Harbor Decision invalid, in Case C-362/14 Schrems.  Since then, data protection specialists have discussed little else; and Panopticon has hosted comments by Chris Knight, Anya Proops, and Robin Hopkins.

How have EU data protection regulators responded to the judgment?

The ICO’s immediate response came in a statement from Deputy Commissioner David Smith.  This struck a careful and measured tone, emphasising that the Safe Harbour is not the only basis on which transfers to the US can be made, and referring to the ICO’s earlier guidance on the range of ways in which overseas transfers can be made.

On 16th October the Article 29 Working Party issued a statement taking a rather more combative line.  Here are the main points.

  1. The question of massive and indiscriminate surveillance (i.e. in the US) was a key element of the CJEU’s analysis. The Court’s judgment meant that any adequacy analysis must include a broad analysis of the third country’s domestic laws and international commitments.
  2. The Working Party urgently called on Member States and European institutions to open discussions with the US authorities to find suitable solutions. The current negotiations around a new Safe Harbour could be part of the solution.
  3. Meanwhile the Working Party would continue its analysis of how the CJEU judgment affected other transfer tools. During this period Standard Contractual Clauses and Binding Corporate Rules could still be used.  If by the end of January 2016 no appropriate solution with the US had been found, the EU regulators would take “appropriate actions”.
  4. Transfers still taking place based on the Safe Harbour decision were unlawful.

There are a couple of key messages here.  One is that it seems doubtful that the Article 29 Working Party would regard an adequacy assessment by a data controller as being a proper basis for transfer to the US:  see point 1.  A second is that there is a hint that even standard clauses and BCRs might not be regarded as a safe basis for transfer (see point 3): the answer will depend on the outcome of the Working Party’s further analysis of the implications of Schrems.

The rise of the Ubermensch

October 23rd, 2015 by Timothy Pitt-Payne QC


In May 2012, Transport for London licensed Uber London Limited as an operator of private hire vehicles in London.

Uber is controversial.  It’s a good example of how new technology can disrupt existing business models in unexpected ways.  One controversy is addressed by Ouseley J in Transport for London v Uber London Limited and others [2015] EWHC 2918 (Admin):  whether the way in which the Uber fare is calculated infringes the criminal prohibition on the use of a taximeter in a London private hire vehicle. Answer – it doesn’t.

What does any of this have to do with Panopticon?  Our usual concerns, broadly speaking, are with access to public sector information, and with information privacy (including its interaction with freedom of expression).  But these fields are fundamentally shaped by developments in the technology that is used for collecting, sharing and using information.  A wider understanding of the legal issues to which those developments can give rise is valuable, even if it takes us a little outside the usual ambit of this blog.

So:  in London there are black cabs, and there are private hire vehicles (PHVs).  PHVs are subject to three-fold licensing:  the operator, the vehicle, and the driver must all be licensed.  One of the restrictions under which PHVs operate is that it is a criminal offence for the vehicle to be equipped with a taximeter: see section 11(1) of the Private Hire Vehicles (London) Act 1998.  A taximeter is defined by section 11(3) as “a device for calculating the fare to be charged in respect of any journey by reference to the distance travelled or time elapsed since the start of the journey (or a combination of both)”.

Uber operates in London as a licensed PHV operator (though the vehicles in its network include both PHVs and black cabs).  It uses technology that – as Ouseley J points out – was not envisaged when the relevant legislation was introduced in 1998.  “As was agreed, the changes brought about by the arrival of Google, the Smartphone equipped with accurate civilian use GPS, mobile internet access and in-car navigation systems, would not have been within the contemplation of Parliament in 1998.” (Google was in fact incorporated in 1998, and what it has to do with the case is obscure, but let that pass).

In order for the Uber system to operate, both the driver and the customer must have a smartphone, and must download the Uber Driver App and Customer App respectively.  The customer makes a booking using the Customer App.  The booking is transmitted to Uber’s servers in the US, and thence to the smartphone of the driver of the nearest vehicle in London – if that driver does not accept the booking, it is sent to the next nearest vehicle.  When the driver picks up the customer, the driver presses the “begin trip” icon on the Driver App.  At the end of the journey he presses “end trip”.  Signals are then sent to Uber’s servers in the US by the driver’s smartphone, providing them with GPS data from the driver’s smartphone and time details.  One of the servers (“Server 2”) obtains information from another server about the relevant fare structure, and then calculates the fare and transmits information to the Driver App and the Customer App about the amount charged.  The customer’s credit or debit card is charged for the journey.

Does all this mean that the vehicle is equipped with a taximeter?

No, said Ouseley J, in proceedings brought by Transport for London seeking a declaration that PHVs in the Uber network are not equipped with a taximeter.

The argument before Ouseley J was that the driver’s smartphone, operating using the Driver App, was a taximeter.  But the fatal objection to this argument was that the fare was calculated by Server 2 not by the smartphone, and hence the calculation was done remotely and not in the vehicle itself.  To contravene section 11, it was not sufficient that the calculation was done using information uploaded from the smartphone, and that the calculation was then transmitted to and received on the smartphone.  Hence the smartphone was not a device falling within section 11(3). Moreover, even if the smartphone was a relevant device, the vehicle was not equipped with it; it was the driver who was equipped, and so the prohibition in section 11(1) was not infringed in any event.

Ouseley J considered the case-law about the need to adopt an updating or “always speaking” construction of legislation, to take account of technological or scientific developments: see R (Quintavalle) v Secretary of State for Health [2003] UKHL 13, [2003] 2 AC 687.  This case law had no bearing, since section 11 was in general terms and entirely capable of being applied to modern technology; there was no need to adopt any updating construction of the section.

The Uber case is a useful reminder that controversies about the implications of developments such as big data, cloud computing, and mobile internet access, are not just about privacy and data protection.  Rather, the issues are pervasive and can be expected to affect every corner of the law (and of politics, the economy, and society).

The mobile data devices that we use are constantly interacting with other devices and information storage facilities, including servers.  For the purpose of our daily lives, usually all we are interested in is specific transactions (like booking and paying for a PHV): we do not need to think about the different stages of information processing that underpin the transaction.  But for regulatory purposes, breaking down a transaction into those stages, and understanding when and how each stage takes place, can be essential.  Uber drivers and customers don’t need to think about Server 2:  but if you want to know whether Uber breaks the law, Server 2 is crucial.



Court of Appeal considers damages for privacy breaches – data protection to follow suit?

October 20th, 2015 by Robin Hopkins

This week, the Court of Appeal is grappling with a difficult and important question: how do you value an invasion of privacy? In other words, where someone has suffered a breach of their privacy rights, how do you go about determining the compensation they should receive?

The appeal is brought by MGN against the judgment of Mann J in Gulati & Ors v MGN Ltd [2015] EWHC 1482 (Ch). That judgment concerned victims of blagging and phone-hacking (including Paul Gascoigne, Sadie Frost and Alan Yentob) for which Mirror Group Newspapers was held responsible.

Mann J awarded the claimants compensation ranging between £85,000 and £260,250. His judgment was ground-breaking, in part due to the size of those awards. (By way of comparison, the previous highest award in a privacy case had been made to Max Mosley, in the region of £60,000 – but most awards have been much lower).

It was also ground-breaking in terms of the methodology adopted to calculate quantum for privacy breaches. Here is how Mann J summarised the rival arguments (paragraph 108; I have underlined the components put forward by the claimants):

“… The case of the claimants is that the compensation should have several elements.  There is compensation for loss of privacy or “autonomy” resulting from the hacking or blagging that went on; there is compensation for injury to feelings (including distress); and there is compensation for “damage or affront to dignity or standing”.  The defendant disputes this and submits that all that can be compensated for is distress or injury to feelings…  It is accepted that such things as loss of autonomy are relevant, but only as causes of the distress which is then compensated for.  They are not capable of sustaining separate heads of compensation…”

As is clear from that synopsis, the debate is not just about money, observable cause-and-effect or hard-edged law. The debate also has difficult philosophical and ethical dimensions. It seems that neither society nor the law (which sometimes overlap) has yet got to the bottom of what it really means to have one’s privacy invaded.

In any event, Mann J certainly did his bit to progress that debate. He preferred the analysis of the claimants – hence the large awards they received. See for example his paragraphs 143-144:

“… The tort is not a right to be prevented from upset in a particular way.  It is a right to have one’s privacy respected.  Misappropriating (misusing) private information without causing “upset” is still a wrong.  I fail to see why it should not, of itself, attract damages.  Otherwise the right becomes empty, contrary to what the European jurisprudence requires.  Upset adds another basis for damages; it does not provide the only basis. I shall therefore approach the consideration of quantum in this case on the footing that compensation can be given for things other than distress, and in particular can be given for the commission of the wrong itself so far as that commission impacts on the values protected by the right.”

The Court of Appeal’s judgment in MGN’s appeal will have a huge impact on the size of awards in privacy cases, and thereby on the privacy litigation landscape itself. It will also no doubt contribute to our understanding of how 21st-century society values (or ought to value) privacy.

What impact will it have on compensation under section 13 of the Data Protection Act 1998?

As with privacy compensation, data protection compensation is having a revolutionary year: see the striking down of section 13(2) in Vidal-Hall v Google [2015] EWCA Civ 311. Traditionally, few people brought claims under section 13 DPA, because it was assumed that they could only be compensated for distress (their primary complaint) if they also suffered financial loss (which mostly they hadn’t). Vidal-Hall overturned that: you can be compensated for distress alone under section 13 DPA. This point will be considered by the Supreme Court next year, but for now, the removal of this barrier to successful section 13 claims is hugely important.

Another barrier, however, lingers: section 13 DPA awards tend to be discouragingly low, from a claimant’s perspective. See most crucially Halliday v Creation Consumer Finance [2013] EWCA Civ 333 (where an award for £750 was made): “the sum to be awarded should be of a relatively modest nature since it is not the intention of the legislation to produce some kind of substantial award. It is intended to be compensation…” (per Arden LJ at paragraph 36).

Increasingly, however, case law emphasises the intimate relationship between data protection and fundamental privacy rights: see for example Vidal-Hall, and last year’s ‘right to be forgotten’ judgment in the Google Spain case.

So, if Mann J’s wide, claimant-friendly approach to quantifying damages is upheld in the privacy context, how long before the same approach infiltrates data protection litigation?

Robin Hopkins @hopkinsrobin

Privacy, Patients and Payments – information sharing in the Court of Appeal

October 16th, 2015 by Timothy Pitt-Payne QC


The recent decision of the Court of Appeal in W, X, Y and Z v Secretary of State for Health, Secretary of State for the Home Department and British Medical Association [2015] EWCA Civ 1034 offers rich pickings for information lawyers.  It deals with the status of information about medical treatment; it looks at the scope of common law protection for private and confidential information generally; and it illustrates how wider public law concepts can apply in the field of information sharing.

The context is the arrangements for charging for NHS services.  Persons who are not ordinarily resident can be charged for their use of the NHS, under the National Health Service (Charges to Overseas Visitors) Regulations 2011 (“the Charging Regulations”).  Under amendments made to the Immigration Rules in 2011, individuals with unpaid NHS debts of at least £1,000 may face immigration sanctions.  Also in 2011, the Secretary of State issued Guidance (“the Guidance”) on implementing the Charging Regulations.

The Guidance provides for information-sharing in support of the Charging Regulations.  NHS bodies are to transmit certain information (“the Information”) about non-resident patients to the Secretary of State for Health, who then passes it to the Home Office.  The Information includes the name, date of birth and gender of the patient, current address (if known), nationality, travel document number and expiry dates, the amount and date of the patient’s NHS debt, and the NHS body to which it is owed.

In judicial review proceedings, four non-UK residents challenged the legality of part of the Guidance.  In substance, they were challenging the information sharing arrangements outlined above.  They lost before Silber J, who held that the Information did not constitute confidential or private information.  The BMA were sufficiently concerned by this that they applied to intervene in the proceedings on appeal.  They were represented by Panopticon regular Anya Proops.

The Court of Appeal considered the issues under three broad headings: first, whether disclosure breached the claimants’ common law rights to privacy or confidentiality; secondly, a group of arguments about vires; and thirdly, the application of Article 8 of the European Convention on Human Rights.

On the first issue, the Court of Appeal considered privacy and confidentiality together. The Court distinguished two questions.  The first was whether the Information was private or confidential in nature; and, if yes, the second was whether the claimants’ rights had been breached.

As to the first question, the Court held that Silber J had adopted the wrong approach by asking whether disclosure would be “highly offensive” (adopting the language of Lord Hope in Campbell v MGN [2004] UKHL 22).  That formulation was relevant to whether an interference with the right to privacy was justified; on the prior question of whether information was private, the touchstone was Lord Nicholls’ formulation in Campbell of whether the person in question had a reasonable expectation of privacy.

The Court accepted the BMA’s submission that the Information was inherently private because it told you something about the individuals’ health: it revealed that they had been unwell to the extent that they needed to seek medical care from an NHS body; and in some cases the nature of the NHS body would indicate the nature of the illness.  It did not matter that the Information was not about the details of the medical treatment in question.  The Court also referred to various guidance (e.g. from the GMC and the BMA) that all identifiable patient data held by a doctor or hospital should be treated as confidential.  Nevertheless, the Court held that the Information was generally not private in relation to the Secretary of State and the Home Office.  The reason was that the Guidance made clear that overseas visitors treated in NHS hospitals would be made aware that in certain circumstances the Information would be passed to the Secretary of State for onward transmission to the Home Office.  This awareness would negate any reasonable expectation of privacy.

The Court was at pains to emphasise that this part of its judgment should not be of concern to the BMA or other medical authorities, and was not intended to dismantle the general principle that health and medical information was inherently private and confidential.  Despite these assurances, this aspect of the judgment is surprising.  If information is inherently private, then one would not expect to be able to negate a reasonable expectation of privacy simply by telling the individual that you intend to disclose the information.  What you told the individual might very well be relevant to the second stage of the inquiry – i.e. whether interference with privacy was justified.  But, to take an extreme example, what if an NHS body told overseas visitors that full details of their treatment would be posted on a public website? Surely this would not be enough to defeat their reasonable expectation of privacy in relation to treatment information.  The point is especially strong given the nature of the services to which the Information related – a patient seeking NHS medical treatment will very often have no real choice whether to accept the service offered, even if they dislike what they are told about how their information will be handled.  It is not like deciding whether you should sign up for a social media site when you are unhappy with its privacy policy.

The Court went on to hold that, even if the claimants had a right to privacy and confidentiality in the Information, that right was not infringed by disclosure in accordance with the Guidance.  This issue required a balancing exercise, weighing the public benefit from disclosure against the harm done by interference with the right.  Silber J had been correct to conclude that the balance (if it needed to be drawn) came down in favour of disclosure.  He had relied on four factors:  the low level of intrusion into individual privacy; the fact that overseas patients were told about the disclosure; the legitimate aim of recovering NHS debts and ensuring defaulters were not able to stay in the UK; and the fact that the Information was securely transmitted to a limited group of civil servants.

On the second issue (as to vires) the Court discussed a range of related challenges.

The claimants relied on the principle of legality, whereby fundamental rights cannot be infringed without clear Parliamentary authority.  The Court held that the principle did not apply, since disclosure did not infringe the claimants’ privacy rights:  see above.  Next, the claimants argued that the NHS bodies did not have the power to pass on the information to the Secretary of State.  The Court held that they had both the power and the duty to pass it on:  the Guidance, read as a whole, amounted to a direction that they should do so, and the Secretary of State had the power to give such a direction under section 48 of the National Health Service Act 2006.  The use of that power was not impliedly excluded by the existence of a power under section 251 of the same Act to make regulations about the processing of patient information.  The Secretary of State was entitled to rely on the section 48 power, and was not obliged to use the regulation-making power under section 251.  The power under section 48 could only be used where the Secretary of State considered its use to be necessary for his functions under the 2006 Act. It was true that under the Charging Regulations it was the NHS bodies, not the Secretary of State, that made and recovered charges; but the Secretary of State could rely on his own general functions under section 1 of the 2006 Act, to continue the promotion of a comprehensive health service, as providing a proper basis for use of the section 48 power.

The Court then held that the Secretary of State had the power to pass the information on in turn to the Home Office.  He could rely for this purpose on his incidental powers under section 2 of the 2006 Act.  Alternatively, he could rely on his common law powers, even if the residual category of ministerial power not dependent on either statute or prerogative was to be confined to the exercise of powers for identifiably governmental purposes (as to which, see R (Shrewsbury and Atcham BC) v Secretary of State for Communities and Local Government [2008] EWCA Civ 148).  Finally, the Guidance did not fetter the NHS bodies’ discretion:  the effect of the Guidance, in conjunction with section 48 of the 2006 Act, was that they had no choice but to pass on the information, and hence there was no discretion to be fettered.

On the third issue (Article 8) the Court concluded that any interference with the Article 8(1) right would be justified under Article 8(2).

It was argued for the claimants that any interference with the Article 8(1) right would not be “prescribed by law”.  The Court held that the combination of the Guidance and the operation of the Data Protection Act 1998 provided sufficient safeguards against arbitrary or abusive disclosure to satisfy this aspect of Article 8(2).

Review of FOIA – call for evidence

October 9th, 2015 by Anya Proops

The commission set up by the Government to review FOIA, in the wake of the Evans judgment, has today issued a call for evidence, as part of a six week consultative exercise (see here). The questions posed in the call for evidence tend to reconfirm the overall impression that the commission is keen to explore ways in which FOIA can be recalibrated so as to be a more State-friendly enactment. The commission has made clear that it is particularly focussed on the following six questions:

‘Question 1: What protection should there be for information relating to the internal deliberations of public bodies? For how long after a decision does such information remain sensitive? Should different protections apply to different kinds of information that are currently protected by sections 35 and 36?

Question 2: What protection should there be for information which relates to the process of collective Cabinet discussion and agreement? Is this information entitled to the same or greater protection than that afforded to other internal deliberative information? For how long should such material be protected?

Question 3: What protection should there be for information which involves candid assessment of risks? For how long does such information remain sensitive?

Question 4: Should the executive have a veto (subject to judicial review) over the release of information? If so, how should this operate and what safeguards are required? If not, what implications does this have for the rest of the Act, and how could government protect sensitive information from disclosure instead?

Question 5: What is the appropriate enforcement and appeal system for freedom of information requests?

Question 6: Is the burden imposed on public authorities under the Act justified by the public interest in the public’s right to know? Or are controls needed to reduce the burden of FoI on public authorities? If controls are justified, should these be targeted at the kinds of requests which impose a disproportionate burden on public authorities? Which kinds of requests do impose a disproportionate burden?’

No doubt much can be gleaned about the commission’s direction of travel from these questions. However, the commission’s repeated use of the ‘how long’ question is particularly interesting. Query whether it suggests that the commission is looking to propose minimum terms for the disclosure of certain categories of information, for example under ss. 35 and 36. Such a blanket approach to the protection of particular classes of information under these provisions would of course mark a significant departure from the current more case/fact-specific approach presupposed by these provisions as currently framed. No doubt further commentary on Panopticon will follow in due course.

Anya Proops

California surfs the digital data privacy wave

October 9th, 2015 by Anya Proops

There has been a lot of excitement this week about EU-US data sharing in the light of the Schrems judgment (see not least the stream of posts on the judgment on our very own Panopticon). Of course what triggered the Schrems litigation was the Snowden revelations concerning Prism, the US government’s mass surveillance programme, revelations which themselves forced an intensive debate on the protection of digital privacy rights on both sides of the Atlantic. Against that background, it is very interesting to learn that yesterday the Californian Governor, Jerry Brown, signed into law an Electronic Communications Privacy Act designed to place substantial controls around the accessing of digital communications by law enforcement agencies (see further the report from the Electronic Frontier Foundation here). This important legislative development, which essentially subjects the access regime to a system of judicial warrants, suggests that California is very much ahead of the curve within the US when it comes to recognising the need to ensure greater protection for data privacy rights within the digital environment. It is also worth noting that the tech companies themselves appear to have played a strong role in the achievement of this more privacy-sensitive approach to law enforcement. This is hardly surprising given the impact which the Snowden revelations have had on consumer trust in the tech giants of Silicon Valley. It remains to be seen whether the pro-privacy stance being adopted in California is going to attract law-makers in the States as a whole. However, it is interesting to note that the new law in California was itself born out of a bipartisan bill, something which itself reconfirms the fact that the protection of privacy rights is an issue which transcends traditional party politics.

Anya Proops

Is it Getting Chilly in Here?

October 7th, 2015 by Christopher Knight

It has been an admirable trend of Tribunals in FOIA cases over the last few years that they have been increasingly sceptical of assertions on the part of public authorities that disclosure will provide chilling effects on their activities. An inevitable pattern forms of an insistence that the sky will fall in if information is released, information is released (or leaked), and the sky appears not to fall in. Government grinds on. But Judge Jacobs has provided a little more comfort for such arguments in DWP v Information Commissioner, Slater & Collins [2015] UKUT 535 (AAC). The case related to various risk register documents related to Universal Credit.

Before the FTT (see here), the DWP’s evidence was criticised for failing to provide any concrete evidence of ways in which this chilling effect had manifested itself across Government, and the FTT noted that a different, but related, document had been leaked and had not appeared to have any chilling effect. Judge Jacobs was not impressed by this. He condemned the reasoning as sufficiently irrational to amount to an error of law because it had required evidence of something which would be very unlikely to be capable of being evidenced (i.e. there wouldn’t be a paper trail of civil servants being circumspect) and because it compared the disputed information with a document it hadn’t seen (the leaked document). That error was sufficiently important to impugn the judgment as a whole, even though it was just one paragraph in a lengthy decision.

One can see the point about drawing conclusions from a document the Tribunal had not actually seen, but the other aspect of the criticism is more problematic. There might be expected to be some evidence of a chilling effect, if only by a comparison of the way in which civil servants worked before and after relevant events. Civil servants have duties to advise frankly which Tribunals have been rightly slow to conclude they would avoid complying with. The Justice Select Committee has previously found little evidence of such a chilling effect across Government (see the summary here). It is particularly difficult to see how the approach is especially consistent with that of Charles J in Department of Health v Information Commissioner & Lewis [2015] UKUT 159 (AAC), in which a Departmental tendency to indulge in a Mandy Rice-Davies approach was noted, along with a cautionary requirement for specific evidence of harm (see my commentary here). In short, the approach of Judge Jacobs is a little too close for comfort to allowing bare assertions of a nebulous chilling effect provided by a professional civil service. One must recognise the difficulties of proving a counter-factual, but whether Slater or Lewis more accurately casts the balance is a matter for some debate.

Judge Jacobs also noted that evidence will need to consider what officials ought to do as an aspect of the Tribunal’s predictive duties in relation to the actual effect of disclosure. More unusually, he also indicated a willingness (obiter) to open up the question of the trouble that can be caused by the media taking a selective approach to what it publishes and putting its own spin on that material as a relevant aspect. The ICO has long taken a clear line – applied in numerous cases by the FTT – that subsequent use and possible misrepresentation is, essentially, tough. Public authorities have to take it on the chin as part of the wider debate and can publish it with explanatory material which mitigates the risk of decontextualizing. Given the ability of people to take pretty much any sentence out of context, this would appear to be a very anti-disclosure line of reasoning of very broad scope and it will be interesting to see if it is returned to in future cases in which it matters more directly.

In the meantime, Judge Jacobs appears to have adopted the words of House Stark on the chilling effect: “Winter is Coming”.

Julian Milford appeared for the DWP and Robin Hopkins for the ICO.

Christopher Knight

Charging Ahead under the EIR

October 7th, 2015 by Christopher Knight

It is difficult to imagine what could possibly have happened yesterday to cause the CJEU’s judgment in Case C-71/14 East Sussex County Council v Information Commissioner (judgment of 6 October 2015) to slip beneath the waves, but for those who spent the day reading, talking and thinking about Safe Harbo(u)rs (presumably something to do with shipping?) East Sussex represents a comforting return to normality, if not mundanity, where the CJEU is asked straightforward questions and it doesn’t quite answer them.

The ability to impose charges for the provision of property search information is an important financial issue for many local authorities. Historically it had been thought by many that the imposition of such charges was governed by the Local Authorities (England) (Charges for Property Searches) Regulations 2008 (“CPSR”), which allow local authorities to recover all the costs of making such information available (including staff costs, overhead costs and the costs of maintaining relevant information systems). However, in recent years there has been an increasing awareness of the fact that requests for property search information to a large extent amount to requests for access to environmental information, such that they call for an application of the charging regime provided for in reg 8 of the Environmental Information Regulations 2004. The CPSR itself specifically provides that it does not apply to the provision of any information which is governed by other statutory charging regimes. Accordingly, it would seem that the CPSR is inapplicable in respect of requests for property search information insofar as those requests are made under the EIR.

Regulation 8 EIR – implementing Article 5 of Directive 2003/4/EC – allows reasonable charges to be imposed for making environmental information available, save that no charge may be imposed for permitting access to public registers or examining the requested information in situ. In East Sussex the applicant requested answers to questions in the standard property search form issued by the Law Society, the CON29R form. The Council imposed a fixed charge for providing this information, the fixed charge having been calculated on the basis of the approach provided for in the CPSR (i.e. was a charge which was intended to produce a cost neutral result for the Council). The charge itself factored in not only disbursement costs, but also staff time, a portion of the Council’s overhead costs, office costs and a portion of the costs of maintaining the information systems from which the relevant information is derived. Was this lawful? And also, was it permissible to approach the question of whether the costs were reasonable on a judicial review-type basis (which follows from reg 8(3) EIR which frames the question in terms whether the “the public authority is satisfied” that the charge was reasonable)?

To be fair to the CJEU, it provided a relatively clear answer on the first issue of what sort of costs can be recouped through charging. It emphasised that the charges must relate to the supply of the information, and that supply had to be something over and above the costs of establishing and maintaining the register/list of environmental information which had to be able to be inspected in situ for free. Any cost which relates to maintaining that database cannot be attributed to the supply: at [33]-[38]. The sort of thing which can be charged for encompasses “not only postal and photocopying costs but also the costs attributable to the time spent by the staff of the public authority concerned on answering an individual request for information, which includes the time spent on searching for the information and putting it in the form required. Such costs do not arise from the establishment and maintenance of registers and lists of environmental information held and facilities for the examination of that information”: at [39]. Staff costs/overheads which are actually attributable to the supply (as opposed to database maintenance) are recoverable in the application of ordinary accounting principles: at [41].

Any charge must still not exceed a reasonable amount, not least because there should not be a deterrent effect on those wishing to exercise their right of access to environmental information, applying Case C-217/97 Commission v Germany [1999] ECR I-5087. In assessing whether such an effect would result, and the charge is unreasonable, the Tribunal must consider both an objective analysis of the situation and the subjective financial position of the requestor: at [43]. The point of this is, of course, to ensure that a charge is not waved through simply because the requestor happens to be rich or well-funded when it would plainly deter others, and nor should the Court be taken to be approving requestor-specific variable charges. Although the Court did not finally determine the matter, it gave a clear indication at [44] that costs of £1-£4.50 were unlikely to fall foul of the reasonableness requirement, particularly given a reduction would be required to ensure the charges complied with the Court’s interpretation of what charges could be recovered in the first place.

More abstractly, the CJEU also considered the nature of the review process applied under reg 8(3), which has been interpreted to be restricted to judicial review principles. This the Court does not quite answer. It reiterates the unsurprising principle that the review must comply with the principles of equivalence and effectiveness, that JR which does not involve a full factual assessment is not necessarily problematic for EU law (at [58]; which is entirely consistent with the flexible nature of English JR principles in any event: R (A) v Croydon LBC [2009] UKSC 8; [2009] 1 WLR 2557), but that the assessment of whether charges are actually for supplying and whether they are reasonable are questions of EU law which must be capable of review on the basis of objective elements: at [58]-[59].

No need then to rip up reg 8 EIR, but some finessing on the part of local authorities will probably be needed as to their charging schemes, and Tribunals will need to be willing to engage a little more closely with those charging decisions on appeal. As Radiohead would say, “no surprises”. And they would. Panopticon has it on good (/made up) authority that Radiohead are very interested in charging decisions, lobbying strongly for a ‘pay what you want’ approach not only to albums but also to environmental information. Maybe next time lads.

Anya Proops appeared for the ICO.

Christopher Knight

Unsafe Harbor: some practical implications of the Schrems judgment

October 6th, 2015 by Robin Hopkins

Panopticon has been quick off the mark in reporting on today’s enormously significant Schrems judgment from the CJEU: see Chris’ alert and Anya’s commentary. I hope readers will excuse a third excursion into the same waters, given the enormous consequences of the judgment. Here are a few observations on what those consequences mean in practice.

  1. Is this the end for Safe Harbor?

In its current form, yes. In theory, it can be fixed, rather than binned. Efforts have in fact been underway for some time aimed at renegotiating and tightening up aspects of the Safe Harbor arrangements, spurred by the Snowden revelations about the extent of US surveillance. The tenor of the judgment, however, is that tweaks will not suffice. ‘Dead in the water’ is the right shorthand for Safe Harbor.

  2. Does the Schrems judgment affect all companies transferring data to the US?

No – it torpedoes the Safe Harbor scheme, but it does not torpedo all EU-US data transfers. The Safe Harbor scheme was one of the major ways in which EU-US transfers of personal data ticked the box in terms of complying with Article 25 of Directive 95/46/EC (or the eighth data protection principle, in UK parlance). But it was not the only way.

Not all US companies were part of that scheme – in fact, you can see the full list of companies that are certified for Safe Harbor on the website of the US Department of Commerce (which administers certification for the scheme) here. There are around 5,000 companies affected by the Schrems judgment.

  3. Without Safe Harbor, how can data transfers to the US be lawful?

Obviously, the options include avoiding transfers to the US henceforth. Data processing arrangements could be retained within the EU, or they could be switched to one of a number of countries which already have an EU seal of approval: see the list here, which includes Andorra, New Zealand, Canada, Uruguay, Israel and Argentina. Again, however, the Schrems judgment arguably implies that not even those countries are immune from scrutiny. Though those countries are not tainted by the Snowden/NSA revelations, their approved status is no longer inviolable.

Another option for multinationals transferring data to the US (or elsewhere) is to use Binding Corporate Rules. These provide a framework for how the organisation handles personal data. The data controller drafts its BCRs and submits them to the regulator for approval. Where more than one EU state is involved, the other regulators all need to have their say before the data controller’s arrangements are given the green light.

The BCR process is explained by the ICO here. Note the observation that a straightforward BCR application can take 12 months. So no quick fix for plugging the Safe Harbor gap here. Companies may need to find interim solutions while they work on adopting BCRs.

Another option is the use of Model Contract Clauses, explained by the ICO here. This involves incorporating off-the-shelf, EU-approved provisions into your contracts relating to personal data. These are inflexible, and they will not fit every data controller’s needs. Again, data controllers may need to craft stop-gap contractual solutions.

And again, it is arguably implicit in the Schrems judgment that even BCRs and Model Contract Clauses are flawed, i.e. they do not suffice to ensure that adequate data protection standards are maintained.

Lastly, as a data controller, you are able to do it yourself, i.e. to carry out your own assessment of the level of protection afforded in your data’s destination country. Again, the ICO helpfully explains. Again, however, the solutions are not straightforward.

  4. Are regulators going to take immediate action against all Safe Harbor-based transfers?

Unclear, but it is doubtful that they have the will or the way.

In the immediate term, the Irish Data Protection Commissioner now needs to decide whether or not Facebook’s US data transfers are lawful in the absence of Safe Harbor. This alone will be an important decision.

In the UK, the ICO has issued a press release on Schrems. It recognises that it will take time for businesses to adapt. Its tone is neither immediate nor pitiless.

This is no doubt because the business implications – both for the private sector and the regulators – would be enormous if a whole-scale clampdown were to be commenced immediately. It is likely that many regulators will give data controllers some time to get their houses (or harbors) in order – though the CJEU declined to take a similar approach in its judgment today.

  5. Will the new Data Protection Regulation fix the problem?

No. Its approach to international transfers is largely the same as the one which is currently in place. It contains no automatic fixes to the current quandary.

These are just preliminary observations. The dust has not yet settled, and businesses face some thorny practicalities in the meantime.

Robin Hopkins @hopkinsrobin