DRIPA 2014 declared unlawful

July 17th, 2015 by Robin Hopkins

In a judgment of the Divisional Court handed down this morning, Bean LJ and Collins J have declared section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA) to be unlawful.

For the background to that legislation, see our posts on Digital Rights Ireland and then on the UK’s response, i.e. passing DRIPA in an attempt to preserve data retention powers.

That attempt has today suffered a serious setback via the successful challenges brought by the MPs David Davis and Tom Watson, as well as Messrs Brice and Lewis. The Divisional Court did, however, suspend the effect of its order until after 31 March 2016, so as to give Parliament time to consider how to put things right.

Analysis to follow in due course, but for now, here is the judgment: Davis Watson Judgment.

Robin Hopkins @hopkinsrobin

Secret ‘Practice Directions’ and Royal Wills

July 16th, 2015 by Christopher Knight

Mr Brown became a well-known figure in litigation circles when he sought to unseal the Will of Princess Margaret in the belief that it might reveal information showing him to be her illegitimate son. In the course of his unsuccessful litigation, it was revealed that there existed what had been described orally during the court proceedings as a “Practice Direction in respect of the handling of Royal Wills” (although there is dispute over precisely what form this document takes and whether it is really a Practice Direction at all), produced by the-then President of the Family Division following liaison with the Royal Household.

Having failed to unseal the Will, Mr Brown requested a copy of the document from the Attorney General. He was refused, under section 37 FOIA. The First-tier Tribunal upheld that refusal (on which see Robin’s blog here). Mr Brown appealed to the Upper Tribunal on the grounds of inadequacy of the Tribunal’s reasons and a failure to properly apply the public interest test. He was refused permission, but then successfully judicially reviewed the Upper Tribunal for failure to grant him permission (on which, see my blog here).

Much happened subsequently. Having fought hard to prevent disclosure of the ‘Practice Direction’ the AG then released almost all of it to Mr Brown in advance of the substantive appeal hearing before the Upper Tribunal. The unreleased aspect was one paragraph, which was supplied to him in ‘gisted’ form. Nonetheless, Mr Brown sought disclosure of the outstanding paragraph. Perhaps not entirely surprisingly, Charles J in the Upper Tribunal has just refused to give him the final missing piece: Brown v ICO & Attorney General [2015] UKUT 393 (AAC).

The Upper Tribunal decision, in the light of the release by AG, had rather less work to do than it might have done, and the judgment will be of equivalent reduced wider interest. However, Charles J does roundly endorse the proposition that there is a very powerful public interest “against the creation of undisclosed principles and procedures to be applied by the court to an application to seal any will, and this is strengthened when participants in and the decision maker on that application (the court through initially or generally the President of the Family Division) and the normal guardian of the pubic interest (the Attorney General) have been involved in its creation on a confidential and undisclosed basis, and so in favour of the publication of the principles and procedure to be applied on any such application (particularly if initially or generally the application will be made in private)“. In other words, the AG was right to concede that the material should be disclosed. There was no further interest in the gisted paragraph also being revealed because the essential meaning had been conveyed.

Whether this brings Mr Brown’s campaign to an end is another matter, but whatever one might think of his view as to his parentage, his uncovering of a – to put it neutrally – highly unusual document agreed between the AG, the Royal Household and the President of the Family Division concerning court procedures is a worthy effort.

Robin Hopkins appeared for the ICO; Joanne Clement appeared for the Attorney General and Anya Proops appeared for Mr Brown at some of the earlier stages of proceedings.

Christopher Knight

Google and the ordinary person’s right to be forgotten

July 15th, 2015 by Robin Hopkins

The Guardian has reported today on data emerging from Google about how it has implemented the Google Spain ‘right to be forgotten’ principle over the past year or so: see this very interesting article by Julia Powles.

While the data is rough-and-ready, it appears to indicate that the vast majority of RTBF requests actioned by Google have concerned ‘ordinary people’. By that I mean people who are neither famous nor infamous, and who seek not to have high-public-interest stories erased from history, but to have low-public-interest personal information removed from the fingertips of anyone who cares to Google their name. Okay, that explanation here is itself rough-and-ready, but you get the point: most RTBF requests come not from Max Mosley types, but from Mario Costeja González types (he being the man who brought the Google Spain complaint in the first place).

As Julia Powles points out, today’s rough-and-ready is thus far the best we have to go on in terms of understanding how the RTBF is actually working in practice. There is very little transparency on this. Blame for that opaqueness cannot fairly be levelled only at Google and its ilk – though, as the Powles articles argues, they may have a vested interest in maintaining that opaqueness. Opaqueness was inevitable following a judgment like Google Spain, and European regulators have, perhaps forgivably, not yet produced detailed guidance at a European level on how the public can expect such requests to be dealt with. In the UK, the ICO has given guidance (see here) and initiated complaints process (see here).

Today’s data suggests to me that a further reason for this opaqueness is the ‘ordinary person’ factor: the Max Mosleys of the world tend to litigate (and then settle) when they are dissatisfied, but the ordinary person tends not to (Mr González being an exception). We remain largely in the dark about how this web-shaping issue works.

So: the ordinary person is most in need of transparent RTBF rules, but least equipped to fight for them.

How might that be resolved? Options seem to me to include some combination of (a) clear regulatory guidance, tested in the courts, (b) litigation by a Max Mosley-type figure which runs its course, (c) litigation by more Mr González figures (i.e. ordinary individuals), (d) litigation by groups of ordinary people (as in Vidal Hall, for example) – or perhaps (e) litigation by members of the media who object to their stories disappearing from Google searches.

The RTBF is still in its infancy. Google may be its own judge for now, but one imagines not for long.

Robin Hopkins @hopkinsrobin

Data Sharing between Public Bodies

July 10th, 2015 by Christopher Knight

The principle disadvantage, to the data protection lawyer, of the failure of Esperanto is that every now and then the CJEU hands down a judgment which is only available in French, and even Panopticon cannot blog every entry in Franglais. Such is the problem raised by the Opinion of the Advocate General (Cruz Villalon) in Case C-201/14 Bara v Presedintele Casei Nationala de Asigurari de Sanatate. Readers will have to forgive any failure to capture the nuances.

Bara is a reference from the Romanian courts and contains a number of questions, the majority of which concern the compatibility of national tax authority arrangements with Article 124 TFEU (which prohibits in most cases privileged access for public bodies to financial institutions). Those need not concern us, not least because the AG considered them to be inadmissible.

However, the fourth question referred was in the following terms: “May personal data be processed by authorities for which such data were not intended where such an operation gives rise, retroactively, to financial loss?” The context appears to be that people deriving their income from independent activities were called to pay their contributions to the National Fund for health insurance, following a tax notice issued by the Romanian health insurance fund. However, that tax notice was calculated on the basis of data on income provided National Tax Administration Agency under an internal administrative protocol. The complaint was that the transfer by the Tax Agency to the Health Insurance Fund of personal data, particularly related to income, was in breach of Directive 95/46/EC because no consent had been provided to the transfer, the data subjects had not been informed of the transfer and the transfer was not for the same purpose as the data was originally supplied.

The Advocate General answered the fourth question by saying that the Directive precludes national legislation which allows a public institution of a Member State to process personal data that has been supplied by another public institution, including the data relating to the income of the persons concerned, without the latter having been previously informed of this transmission or treatment. This was despite the fact that the AG recognised that the Romanian bodies had a legitimate interest in being able to properly tax self-employed persons; the informal protocol did not constitute a legislative measure setting out a relevant national exemption under Article 13. The AG stressed that the requirement of notification in Article 11 had not been complied with, and that the data subjects accordingly had been unable to object to the transfer. The data subjects had not given their unambiguous consent. Although Article 7(e) (necessary for the performance of a task) could apply to a transfer of income data, it had to be shown that it was strictly necessary for the realisation of the functions of the Health Insurance Fund. (This appears to be a higher test being imposed than the usual interpretation of necessary as ‘reasonably necessary’, as per the Supreme Court in South Lanarkshire). The AG did not consider that test met.

It remains, of course, to be seen whether the CJEU will take the same approach; but it seems fairly likely that Bara will produce a judgment which confirms the illegality of inter-institutional transfer of personal data without express consent or a carefully defined need which is prescribed by law. There is nothing ground-breaking in that conclusion, but it is an important reiteration of the need for data controllers anywhere in the EU to think carefully about the authorisation they have to hand over personal data to other bodies; informal agreements or policy documents are not sufficient without a legal underpinning (through the DPA) or consent of the data subject.

The forthcoming judgment in Case C-582/14, Breyer will also raise issues over consent in the context of IP information retained by websites, along with the vexed question of whether an IP address can constitute personal data when combined with other information available to a third party (issues similar to those raised in Vidal-Hall v Google, on which see here). When the final judgments in Bara and Breyer appear, so will the analysis of some intrepid blogger of this parish.

Christopher Knight

Do Young Thugs have Human Rights? The Supreme Court has a Riot

July 9th, 2015 by Christopher Knight

Following a period of considered reflection, or laziness depending on one’s view, it is worth noting the decision of the Supreme Court in In the matter of an application by JR38 for Judicial Review [2015] UKSC 42. The case is all about Article 8 ECHR, and is of particular interest because of the dispute about the breadth of the correct test for the engagement of Article 8. The context is also one which will be familiar to English data protection and privacy lawyers: the publication by the police of photographs seeking to identify a suspect. If anyone remembers that famous picture of a youth in a hoodie pointing his fingers like a gun behind an awkward looking David Cameron, JR38 is basically that, but with Molotov cocktails and a sprinkling of sectarian hatred.

In JR38, the suspect in question was a 14 year child whose photograph was published by the PSNI as someone involved in rioting in an area of Derry in 2010 which had particular sectarian tensions. The judgment of Lord Kerr makes clear that JR38 has by no means been a well-behaved young man before or since the riots of 2010. Moreover, and amusingly, it is apparent that he and his father failed to correctly identify his own appearance in pictures published, and originally sued on the basis of images which did not show JR38 at all. However, a correct image was eventually alighted upon.

The judgments contain a lengthy and detailed discussion of the domestic and Strasbourg case law on the engagement of Article 8, but there was a 3-2 split in the Court between the correct approach. Lords Toulson and Clarke (with both of whom Lord Hodge agreed) considered that the overwhelming approach of the existing domestic law was to apply the touchstone of the reasonable/legitimate expectation of privacy test: see Lord Toulson at [87]-[88]. The test (originating, of course, in Campbell) focuses on “the sensibilities of a reasonable person in the position of the person who is the subject of the conduct complained about…If there could be no reasonable expectation of privacy, or legitimate expectation of protection, it is hard to see how there could nevertheless be a lack of respect for their article 8 rights”. The warning in Campbell not to bleed justification matters into the engagement analysis was stressed.

The difference between the majority and minority of Lord Kerr (with whom Lord Wilson agreed) was explained by Lord Clarke at [105]. Does the reasonable expectation of privacy test provide the only touchstone? The majority thought that it did, it being the only test set out clearly in the cases, and it being a broad objective concept to applied in all the circumstances of the case and having regard to the underlying values involved, unconcerned with the subjective expectation of the individual, be they child or adult (see at [98] per Lord Toulson and [109] per Lord Clarke).

In essence, the majority did not consider this context to be one which Article 8 was designed to protect. The identification of a suspect was not within the scope of personal autonomy, although publication of the same picture for a different purpose, other than identification, might be: at [98] (and at [112] where Lord Clarke did not consider the mere fact of criminal activity took the matter outside Article 8). Historic or re-published photos may alter the situation: at [101].

By contrast, Lord Kerr took a broader view, holding that the reasonable expectation of privacy test might be the ‘rule of thumb’, but could not be an inflexible, wholly determinative test. The scope of Article 8 was much broader and was contextual, requiring consideration of factors such as: age, consent, stigmatisation, the context of the photographed activity and the use of the image. Reasonable expectation of privacy failed, in his view, to allow for these factors to be considered: at [56]. Rather than shoehorning such factors into the test, they should bear on the issue in a free-standing footing: at [61]. The focus must be on the publication – i.e. the infringement – rather than the activity the photo displays. For Lord Kerr, the fact that JR38 was a child, taken with the potential effect publication might have on the life of the child, was more than sufficient to engage Article 8 (in the way that it might not for an adult): at [65]-[66].

The debate is an interesting one, but there is a very strong chance that the flexibility of the majority orthodox approach is likely to mean very little difference in substance between the two. It will, however, be worth emphasising the importance of context, particularly in child cases under Article 8.

The Court was, however, unanimous in agreeing that publication was justified in any event; rioters had to be identified (and other methods had been tried internally first), with the peril in which inter-community harmony was placed being particularly important in the fair balance.

Where, readers of this blog might ask, was the DPA in all this namby-pamby human rights discussion? Why is there no mention of schedules and data protection principles and all the other black letter statutory stuff that so gets the blood pumping? Well, it was mentioned, at [70], by Lord Kerr who considered that compliance with the DPA would mean that the limb of proportionality which requires the act to be in accordance with the law would be met. In very brief reasoning, Lord Kerr concluded that this type of case was within section 29 because publication was processing for the purposes of prevention and detection of crime, and that the relevant condition met in both Schedule 2 and 3 (because he agreed it was clearly sensitive personal data) was that of the processing being necessary for the administration of justice. Unfortunately, there was no analysis of the way in it was necessary for the administration of justice, or the extent to which this is the same as the prevention and detection of crime. Nor is it quite the same reasoning as adopted by Lord Woolf CJ in the well-known ‘naming and shaming’ case of R (Ellis) v Chief Constable of Essex Police [2003] EWHC 1321 (Admin), which, at [29], appeared to apply the conditions in Schedules 2 and 3 whereby processing was necessary for the performance of functions by or under any enactment (without further specification). Where the Supreme Court speaks, we follow, but it might have been helpful to detail this aspect a little more, although it is another example of a case in which Article 8 is presumed to do all of the work and the DPA be raced through in a paragraph to avoid having to think about it too much. That Article 8 and the DPA are ensured to be pulling in the same direction is, however, a relief to us all.

 Christopher Knight

Austria will not host Europe vs Facebook showdown

July 6th, 2015 by Robin Hopkins

As illustrated by Anya Proops’ recent post on a Hungarian case currently before the CJEU, the territorial jurisdiction of European data protection law can raise difficult questions.

Such questions have bitten hard in the Europe vs Facebook litigation. Max Schrems, an Austrian law graduate, is spearheading a massive class action in which some 25,000 Facebook users allege numerous data protection violations by the social media giant. Those include: unlawful obtaining of personal data (including via plug-ins and “like” buttons); invalid consent to Facebook’s processing of users’ personal data; use of personal data for impermissible purposes, including the unlawful analysing of data/profiling of users (“the Defendant analyses the data available on every user and tries to explore users’ interests, preferences and circumstances…”); unlawful sharing of personal data with third parties and third-party applications. The details of the claim are here.

Importantly, however, the claim is against Facebook Ireland Ltd, a subsidiary of the Californian-based Facebook Inc. The class action has been brought in Austria.

Facebook challenged the Austrian court’s jurisdiction. Last week, it received a judgment in its favour from the Viennese Regional Civil Court. The Court said it lacks jurisdiction in part because Mr Schrems is not deemed to be a ‘consumer’ of Facebook’s services. In part also, it lacks jurisdiction because Austria is not the right place to be bringing the claim. Facebook argued that the claim should be brought either in Ireland or in California, and the Court agreed.

Mr Schrems has announced his intention to appeal. In the meantime, the Austrian decision will continue to raise both eyebrows and questions, particularly given that a number of other judgments in recent years have seen European courts accepting jurisdiction to hear claims against social media companies (such as Google: see Vidal-Hall, for example) based elsewhere.

The Austrian decision also highlights the difficulties of the ‘one-stop shop’ principle which remains part of the draft Data Protection Regulation (albeit in more nuanced and complicated formulation than had earlier been proposed). In short, why should an Austrian user have to sue in Ireland?

Panopticon will report on any developments in this case in due course. It will also report on the other strand of Mr Schrems’ privacy campaign, namely his challenge to the lawfulness of the Safe Harbour regime for the transferring of personal data to the USA. That challenge has been heard by the CJEU, and the Advocate General’s opinion is imminent. The case will have major implications for those whose business involves transatlantic data transfers.

Robin Hopkins @hopkinsrobin

Forget me knot…BBC publishes list of ‘forgotten’ stories

June 30th, 2015 by Anya Proops

Since the CJEU’s controversial decision in Google Spain,the debates have raged about how the so-called right to be forgotten should cash out in the online world. Particular concerns have been expressed by the media that the judgment rides rough shod over Article 10 rights, including not least the Article 10 rights of the website authors whose stories are being deindexed. Now it seems the BBC is seeking to reassert its Article 10 rights by publishing a list of all the stories which have been deindexed by Google thus far – see here.

The BBC’s position is that the publication of the list does not seek to frustrate the Court’s judgment, because it will not ‘make the stories more findable for anyone looking for a name’. What it will do, according to the BBC is enable a ‘meaningful debate’ about the right to be forgotten to take place. This is a bold step coming from one of the world’s most respected media organisations. It will doubtless provoke a copycat reaction from other media organisations which regard the CJEU’s judgment in Google Spain as an affront to their Article 10 rights. What is interesting about this new approach is that it does very clearly allow the wider public to examine how the right to be forgotten is in practice being weighed against the fundamental right to free expression. No doubt the BBC’s actions will attract criticism from those individuals who had hoped that their requests to be forgotten would result in the relevant links sinking for all time into the soup of online forgetfulness. It remains to be seen how the Information Commissioner will respond to this important and provocative development.

Anya Proops

New A-G’s opinion on territorial application of Data Protection Directive

June 29th, 2015 by Anya Proops

The transnational nature of many modern commercial enterprises can create significant difficulties when it comes to the application of domestic data protection legislation within the EU. Questions can often arise as to whether the enterprise has the necessary territorial presence in order to enable the domestic legislation to apply. These questions can be particularly difficult to resolve where the enterprise in question comprises an online business which has ethereal tentacles stretching into multiple jurisdictions. Of course, we have now all just about got to grips with the interesting intellectual gymnastics embarked upon by the CJEU in Google Spain. Now the issue of the territorial application of data protection legislation has resurfaced in a case concerning a spat between a Slovakian company operating a property-dealing website (W) and various disgruntled Hungarians who sought to sell their properties through the site: Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (Case 230/14).

You can read about the background to the Weltimmo case here. In short, the core question which arose in Weltimmo was whether the Hungarian Data Protection Authority (HDPA) had jurisdiction to fine W in circumstances where:

(a) W had its registered seat in Slovakia;

(b) one of W’s owners was a Hungarian living in Hungary who had legally represented W before the HDPA;

(c) W had received personal data from individuals in Hungary who wished to advertise their Hungarian properties on W’s website and

(d) W had apparently then gone onto misuse the personal data it had received.

The Hungarian Kúria court was unsure as to how to answer this question. This was because it was unclear as to the legal effects of two Articles of Directive 95/46/EC: Article 4 (concerning the territorial scope of domestic data protection laws) and Article 28 (concerning the role of the domestic supervisory authority). Accordingly, the court referred a number of questions to the CJEU, all of which were essentially focused on identifying the territorial reach of the domestic data protection laws and domestic supervisory authorities under the Directive (you can find the questions here). Advocate-General Cruz Villalón (yes he of Digital Ireland fame) has now given his opinion on these questions: see here. Rather frustratingly however, the opinion is not currently available in English. It is available in French and a host of other European languages (including for the multi-lingual amongst you Bulgarian and Czech). My admittedly rather untutored take on the French language version is that it contains the following key conclusions (see in particular paragraph 72):

- The effects of Articles 4 and 28 are that a supervisory authority in Member State X cannot assert jurisdiction over a data controller which is not ‘established’ in Member State X. Instead, that supervisory authority only has jurisdiction in respect of data controllers which are ‘established’ within its own territory (i.e. within Member State X).

- When considering the extent to which a data controller is ‘established’ in Member State X, the focus should be on the de facto, rather than the de jure, position. The crucial question is: from where, in a physical, logistical sense, does the data controller operate the business in question? Answering this question is likely to require a focus on where the business’ human and technical resources are located.

- The data controller may be established in a number of different Member States, provided that its operations in those Member States have the necessary quality of stability.

- Factors such as where the data has been downloaded, the nationality of the injured parties, the domicile of the owners of the company responsible for processing the data or the fact that the service provided is directed at the territory of another Member State are not directly relevant or decisive. They may however be indirectly relevant insofar as they may shed light on the question of where the data controller is established.

It remains to be seen whether the CJEU will follow the Advocate-General’s opinion. If it does, then that will reaffirm the essentially fragmented, patchwork nature of the protections afforded under the current Directive. Of course, if and when the draft General Data Protection Regulation becomes law, this patchwork of protections will give way to a more unified approach, as the era of the one-stop shop will be upon us.

Anya Proops

Comment is (not) free – E-Commerce back in the limelight

June 22nd, 2015 by Anya Proops

Last month I posted about the settlement of the Max Mosley litigation against Google (see my post here). Had that case been fought to its conclusion, we would at the very least have had the pleasure of gaining greater insight into the weird and wonderful world of the E-commerce legislation. However, sadly that was not to be. The good news is that E-Commerce cases now appear to be like buses. No sooner has one case settled, than another one comes motoring down the litigation highway. This time E-Commerce principles have surfaced, not in the context of a right to be forgotten case, but rather in the context of a Strasbourg case concerning the application of Article 10 rights.

The case in question, Delfi AS v Estonia (Case no. 64569/09), concerned an Estonian internet news portal called Delfi. In common with many internet news organisations, Delfi permits readers to write comments about the online stories which they publish. In 2006, Delfi published a story concerning the alleged destruction of certain Estonian ice roads by a particular company (S). The story, which was itself legally unobjectionable, attracted lots of reader comments, including comments which were very attacking of S’s majority shareholder (L). The comments in question were not only defamatory but also amounted to hate speech and an incitement to violence against L, all of which is unlawful under Estonian law. Upon complaint by L, Delfi immediately removed the comments (this was some six weeks after they had first been posted). However, L was not happy with this retrospective deletion of the comments. He brought a claim for damages against Delfi on the basis that Delfi had acted unlawfully by publishing the comments on the site. L eventually won his case in the domestic court and was awarded 320 Euros in compensation.

Delfi then took the case to the Strasbourg court. It alleged that the domestic court’s findings breached its Article 10 right to freedom of expression. A core plank of Delfi’s case was that it had to be treated as a mere intermediary under EU E-Commerce legislation, with the result that it was not liable in respect of the comments. Delfi contended that any other approach to the application of the E-Commerce principles would result in an undue interference with its Article 10 rights. The Strasbourg court rejected Delfi’s case. It held that Delfi was not acting merely as an intermediary in connection with the comments. This was particularly given that:

  • Delfi had comprehensive powers of editorial control over the comments once they had been posted;
  • moreover, Delfi positively encouraged the posting of comments on the basis that this would increase its potential to accrue advertising revenue.

In this respect, the comments on the Delfi site were, in the court’s view, to be contrasted with: ‘other fora on the Internet where third-party comments can be disseminated, for example an Internet discussion forum or a bulletin board where users can freely set out their ideas on any topics without the discussion being channelled by any input from the forum’s manager; or a social media platform where the platform provider does not offer any content and where the content provider may be a private person running the website or a blog as a hobby’ (§116).

The court went on to hold that whilst Delfi could not be expected to pre-vet comments prior to their publication, its obligations as online publisher of the comments were such that it should immediately and of its own motion detect and remove unlawful content (i.e. without waiting for a complaint brought). The court held that such an approach to the management of the comments constituted a justified interference with Delfi’s Article 10 rights.

This is an important judgment for a number of reasons.

  • First, it suggests that the defences available to online intermediaries under the E-Commerce are to be narrowly construed. In short, the greater the degree of editorial control over and entrepreneurial interest in the data in question, the more likely it is that the court will find that the defences are not available.
  • Second, it suggests that, when it comes to the publication of data online, Article 10 cannot be treated as an all-purpose get out of jail free card. Instead, as with speech expressed through traditional media, Article 10 rights must be balanced against other affected rights (although note paragraph 113 where the court alluded to the need to adopt a ‘differentiated’ and ‘graduated’ approach to the enforcement of rights as against internet service providers, as opposed to traditional publishers).
  •  Third, it suggests that, in this post Google-Spain world, the CJEU is not alone in its desire to create strong controls around the ways in which data is managed online, particularly where there is a profit-making element to the data processing scheme.

So put simply, online comment is not free, at least not for those media organisations which seek to profit from facilitating free expression within the online environment.

Anya Proops

Freedom of Information in Scotland

June 15th, 2015 by jamesgoudie

The Scottish Government has initiated a Consultation on further extension of coverage of the Freedom of Information (Scotland) Act 2002 (“FoIS”) to more organisations, specifically contractors who run privately managed prisons, providers of secure accommodation for children, grant-aided schools and independent special schools.

FoIS provides a statutory right of access to information held by Scottish public authorities. These range from the Scottish Parliament and Government, to local authorities, NHS boards, higher and further education bodies, doctors and dental practitioners.  However, the provisions of FoIS can be extended to bodies that carry out functions of a public nature or which provide, under a contract with a Scottish public authority, a service which is a function of that authority. This can be done by making an Order under s5 of FoIS, which designates those bodies as a Scottish public authority for the purposes of FoIS. They are then subject to the full requirements of FoIS. They would also automatically become subject to the requirements of the Environmental Information (Scotland) Regulations 2004. In accordance with s7(3) of FoIS, bodies proposed for coverage would be covered only in respect of the information they hold about specified public functions or services. Their duties under FoIS would therefore be limited to those functions or services as set out in the Order.

The Scottish Government brought forward Scotland’s first Order under s5(1) of FoIS in September 2013. Following consideration by the Parliament the Order came into effect on 1 April 2014. The Order extended coverage of FoIS to certain trusts which have been created by local authorities to deliver sporting, cultural and leisure facilities and/or activities on behalf of the local authority(ies).

The Scottish Government are now consulting on options for further extension of coverage. They are proposing to lay an Order in the Scottish Parliament in Autumn 2015. Subject to the Scottish Parliament supporting the Order, they would expect the bodies covered to become subject to FoIS and the EIR from Spring 2016. In addition to the organisations discussed in the Consultation Paper, suggestions are sought as to what other bodies – whether individually or collectively – should be considered in any future consultation.

In the previous consultation in 2010 the Scottish Government adopted a factor-based approach in determining the extent to which a function of an organisation could be described as being ‘of a public nature’.  They continue to believe that a factor-based approach is appropriate, and that a range of factors should be considered in assessing the ‘public nature’ of particular functions undertaken by certain organisations.

The Consultation Paper notes that the Scottish Information Commissioner has called for the extension of FoIS coverage to social housing owned by RSLs.  For a number of reasons, the Scottish Government are not currently persuaded of the merits of extending coverage to housing associations.

The Scottish Government do, however,  consider that a number of factors apply in relation to the functions undertaken, or services provided, by those various organisations highlighted in the Consultation Paper. In particular, there is a focus on organisations who, for the purposes of s5 of FoIS, undertake functions of a public nature or provide a service that is a function of a public authority(ies) relating to security, care and education.

The organisations considered for inclusion at this stage are:

  • contractors who run privately-managed prisons
  • providers of secure accommodation for children
  • grant-aided schools
  • independent special schools

With all these groups it is envisaged that any Order would provide a ‘class description’ in respect of the particular function undertaken or service provided. Given the potential for contractors or service providers to change over a period of time, a ‘class description’ gives more flexibility than listing specific bodies or contractors in the Order.

James Goudie QC