DRIP – Data Retention Regulations come into force

August 5th, 2014 by Anya Proops

The introduction of the controversial draft Data Retention Regulations 2014 has already been discussed by my colleague Robin Hopkins in his excellent post last month. The Regulations now have the force of law, having come into force on 31 July 2014 – see the Regulations here. In his post, Robin made the point that, following the judgment in Digital Rights Ireland, there were two methods for curtailing the infringement of privacy rights presupposed by the existing communications data retention (CDR) regime: either cut back on the data retention requirements provided for under the legislation, so as generally to limit the potential for interference with privacy rights, or introduce more robust safeguards with a view to ensuring that any interference with privacy rights is proportionate and otherwise justified. The Government, which has evidently opted for the latter approach in the new Regulations, will now need to persuade a somewhat sceptical public that the safeguards which have been adopted in the legislation strike the right balance as between the protection of privacy rights on the one hand and the imperative to support criminal law enforcement functions on the other.

Notably, the Explanatory Memorandum issued with the Regulations itself constitutes a clear attempt to allay concerns that the safeguarding arrangements embodied in the legislation are insufficiently robust. Here are some edited highlights:

Meaning of communications data and its uses – ‘Communications data is the context not the content of a communication. It can be used to demonstrate who was communicating; when; from where; and with whom. It can include the time and duration of a communication, the number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made. It does not include the content of any communication: for example the text of an email or a conversation on a telephone. Communications data is used by the intelligence and law enforcement agencies during investigations regarding national security and, organised and serious crime. It enables investigators to identify members of a criminal network, place them in specific locations at given times and in certain cases to understand the criminality in which they are engaged. Communications data can be vital in a wide range of threat to life investigations, including the investigation of missing persons. Communications data can be used as evidence in court.’ (para. 7.1)

The need for legislation which mandates retention – Data needs to be retained by telecoms providers so that they can be accessed and used for criminal law enforcement purposes (para. 7.2). Absent mandatory retention requirements, there can be no guarantee that telecoms providers will themselves retain communications data for a sufficiently lengthy period time. This is because, in the absence of a mandatory obligation, telecoms providers may retain data for only a few months and indeed possibly only a few days, depending on their commercial needs. However, ‘many [criminal law enforcement] investigations require data that is older than the few months that data may be retained for business purposes, particularly in ongoing investigations into offences such as child abuse and financial crime’ (para. 7.3). This is why the original domestic CDR regime embodied in the Data Retention (EC Directive) Regulations 2009 mandated retention for a period of 12 months.

New safeguards – The new Regulations ‘effectively replicate the obligations on providers contained in the 2009 Regulations, and do not provide for the retention of any additional categories of communications data’ (para. 3.3). ‘These Regulations only differ from the 2009 Regulations in that they provide additional safeguards’ (para. 7.4). Two safeguards in particular are highlighted in the Memorandum.

  • the 2009 Regulations imposed a blanket 12 month retention period where a relevant notice had been served on a telecoms provider. The new Regulations enable ‘different data types to be retained for shorter periods when appropriate’ (para. 7.4).

 

  • the 2009 Regulations did not embody any statutory duty on the Secretary of State to consult providers prior to issuing a notice, although consultation was in practice undertaken. The new Regulations make prior consultation a statutory obligation (para. 7.4).

The following points are worthy of note in respect of the new ‘safeguards’ embodied in the Regulations.

  •  First and perhaps most significantly, the Regulations themselves do not purport to identify the types or categories of data which should to be retained for less than 12 months. They simply posit that 12 months is the maximum retention period (r. 4(2)). This leaves a significant question as to what types of data, if any, will ultimately attract a shorter retention period. The risk which is inevitably inherent in this type of open-ended legislative arrangement is that blanket, indiscriminate 12 month retention continues to be the norm.

 

  • Regulation 5(1) requires the Secretary of State to take into account a variety of matters before issuing a retention notice, including not least the likely number of users who will be affected by the notice. However, such matters would presumably have been treated as relevant considerations as and when the Secretary of State was issuing a notice under the 2009 Regulations. Hence, it is not clear that this particular safeguard will add much of substance to the overall process.

 

  • Similarly the requirement in r. 6 that the Secretary of State must keep any retention notice under review presumably merely codifies an obligation which was already implicitly present in the 2009 regime.

 

  • Regulation 10 makes provision for a statutory code of practice on data retention to be issued by the Secretary of State. It is unclear whether this code may yet shed further light on how the Secretary of State intends to exercise her powers under this highly controversial legislation.

 

  • More generally, there must be serious doubts that the safeguards embodied in the new Regulations are sufficient to meet the deep concerns expressed by the CJEU in the Digital Rights case. Of course it might be said that the real danger to personal privacy arises not in the context of the data retention regime per se but rather in the context of those legislative powers which permit the State to access any communications data which have been retained, most notably the powers provided for in RIPA. However, whatever position you may adopt on that particular line of argument, suffice it to say that the question of whether the State should be entitled, in effect, to create a vast reservoir of potentially accessible communications data still hangs in the balance, the new safeguards in the Data Retention Regulations notwithstanding.

Anya Proops

Google Spain – new High Court judgment

August 4th, 2014 by Anya Proops

Readers of this blog will already be familiar with the ways in which data protection legislation is assuming increasing importance in both the media and technology worlds. Certainly if there were any doubt as to the relevance of this legislation to the way in which both the media and technology companies operate, that doubt was firmly laid to rest following the highly controversial judgment of the CJEU in Google Spain. That judgment has led to extensive debates about the so-called right to be forgotten (as to which see here the recent ITN debate on Google Spain, in which I participated along withthe Information Commissioner and Google’s Spain’s Director of Communications for EMEA). However, the judgment was important, not only because of what it said about the right to be forgotten, but also because of the way in which it managed, in effect, to bring the data processing activities of a large US-based corporation, namely Google Inc, within the territorial scope of the EU Directive. In short, the Court held that personal data which is processed by a search engine operated by a US company is still protected under the Directive, particularly because the search engine is itself commercially supported by advertising which had been sold within Europe by EU-based subsidiary companies, including Google Spain.

The CJEU’s judgment in Google Spain has now been specifically relied upon in English High Court proceedings to support an application for service out of the jurisdiction, on Google Inc, of a set of proceedings brought under the Data Protection Act 1998 (DPA): Hegglin v Google Inc & Ors.

According to the Lawtel case report of the Hegglin judgment, Mr Hegglin is an individual who is resident in Hong Kong, but has previously lived in and retained closed connections with the UK. An anonymous person posted abusive and defamatory material concerning Mr Hegglin on a number of websites which were then indexed on Google. Mr Hegglin went on to bring proceedings against Google Inc under the DPA, including claims under s. 10 (right to prevent processing likely to cause substantial damage or distress) and s. 14 (right to rectification). He sought an injunction requiring Google Inc to block specific sites containing the allegations and a Norwich Pharmacal order was made.  Relying specifically on Google Spain, Bean J held that service of the DPA proceedings could properly be effected on Google Inc. He also held that England was the appropriate forum for the dispute and was also suitable for the trial, particularly as the defamatory remarks risked damage to Mr Hegglin’s reputation in England.

Of course, this is not the first time that the court has permitted proceedings to be served on Google Inc under the DPA. In January 2014, the High Court held that proceedings for compensation under s. 13 DPA could properly be served on Google Inc in connection with its act of collating data from Google-users based in the UK: see Vidal-Hall v Google Inc [2014] EWHC 13 (QB) (which you can read about here). However importantly, in Vidal-Hall, which was decided before Google Spain, Google Inc accepted that it was a data controller in respect of the data originating from the claimants’ browsers. It merely disputed that the data in question amounted to ‘personal data’ for the purposes of s. 1 (see paras. 121-122 of the judgment). Thus, territorial jurisdiction was not ostensibly in issue in Vidal-Hall.

What remains to be seen now is how far the Google Spain judgment will now also be relied upon as against other corporations which are based outside the EU but which use EU subsidiaries to provide commercial support for their activities.

Anya Proops

Section 11 FOIA and the Form of a Request

August 1st, 2014 by Christopher Knight

In the usual end of term rush, the Court of Appeal has handed down judgment in Innes v Information Commissioner [2014] EWCA Civ 1086 on the provision in section 11 FOIA which allows a requestor to express a preference for communication by a particular means, so long as it is reasonably practicable to give effect to the preference. The issue in Innes was that Mr Innes had requested certain school admissions information and had sent a further email shortly afterwards asking for that information to be supplied to him in Excel format. The ICO, the FTT and the Upper Tribunal had all ruled against Mr Innes, in part relying on the Scottish decision of Glasgow City Council v Scottish Information Commissioner [2009] CSIH 73; [2010] SC 125.

The Court of Appeal, however, took a different view. The judgment of Underhill LJ is surprisingly long, but can be quite quickly summarised. His initial reasoning was that provision of information in permanent form encompassed hard or electronic copies, but no more than that; what was sought was the right to choose the form of permanent form in which the information is provided, but FOIA gives no such right: at [34]. However, Underhill LJ, with some hesitation (not shared by Longmore LJ), went on to accept that that was not the end of the matter. It was a natural use of English to describe the software format in which a copy of the requested information was provided as an aspect of its “form”. It  naturally flowed that he could choose the format in which that electronic information was provided. The fact that a software format such as Excel was more than simply a means of presenting information did not mean that the format could not be described as an aspect of the form of the information. Such a reading fitted with the apparent philosophy of the Act. Citizens were given the right of access to public information at least in part so that they could make use of that information, and there was no countervailing policy consideration. A construction of the Act that made it easier for them to do so effectively was to be preferred: at [38]-[40]. No assistance was drawn from Hansard, the Glasgow case or the dataset amendments. The upshot is that, so long as the request is reasonably practicable and does not require the public authority to put the information into a new format or breach its licence conditions, a request to be supplied with information in a specific programme should be complied with.

The Court also took a non-technical approach to when the request was made. Underhill LJ accepted that the wording of section 11 meant that the request for the format must be made at the time of the information request, and could not be made later. However, it was also quite happy to construe the follow-up email of Mr Innes as further, replacement, FOIA request: at [49]. It is not perhaps entirely to see how those two points are readily compatible, or least how the latter does not fundamentally undermine the former.

Mr Innes had also raised a section 16 complaint. Underhill LJ had some criticisms about the reasoning of the FTT – particularly about the approach it had adopted to what was a section 1 request and therefore what section 16 applied to – but accepted that on the material before it the First Tier Tribunal could not properly have found a breach of section 16 on the part of the Council, it having explained the information it had provided and offered to provide further explanations if required: at [62]. Underhill LJ agreed that section 16 did not encompass assistance in explaining information which he had requested and which had been provided, providing that it was information supplied under section 1: at [61].

Edd Capewell appeared for the ICO.

Christopher Knight

Open justice and freedom of information – Court of Appeal judgment in Browning

July 30th, 2014 by Anya Proops

Last month I penned a post on the issue of how the principle of natural justice can be reconciled with the use of closed procedures in FOIA appeals. The post was written against the backdrop of the Court of Appeal hearing of the appeal in the Browning case. Today the Court of Appeal has handed down its judgment. Mr Browning’s appeal was dismissed.

Before looking at the conclusions reached by the Court, it is important to understand the facts of the Browning case. Mr Browning is a highly regarded journalist. He sought access to information held by DBIS in connection with the application of the export licensing regime, particularly insofar as it had been applied to applications made by third party businesses for licences to export to Iran. The request was refused on an application of ss. 41 and 43 FOIA. The ICO upheld Mr Browning’s complaint about the refusal. However, on appeal to the FTT, and having considered further relevant evidence adduced for the purposes of that appeal, the ICO decided that it would switch sides and support DBIS’s case on appeal. As many operating within the FOIA field will know, it is not uncommon for the ICO to adapt his position in this way.

So far as the hearing itself was concerned, the FTT conducted part of the appeal on a closed basis. This meant that not only the public but also Mr Browning and his legal representative were excluded from part of the hearing. The FTT of course has express power to conduct FOIA appeals in this manner pursuant to rr. 35 and 5 of the FTT Rules. However, Mr Browning was not content with this arrangement and, whilst he did not apply to participate in the closed hearing himself, he did apply for permission for his counsel to participate. The application was made on the basis that Mr Browning’s counsel would give undertakings to the FTT not to reveal any closed material or evidence without the FTT’s permission. The application was made on the basis that this was the minimum derogation from the natural justice principle which should be tolerated by the tribunal.

Notably, the FTT does have power under r. 14(4) of the FTT Rules to permit such an arrangement. However, the FTT in Browning decided that the application should be refused. The FTT went on to hear evidence in closed session from a number of individuals in their capacity as representatives of businesses which had applied for licences permitting them to export to Iran.

It would appear that after the hearing went back into open session, the FTT explained in some detail the nature of the evidence given by the witnesses in closed session (“the substantive evidence”). However, the identity of the witnesses and information revealing the identity of the businesses they represented (“the identifying information”) was withheld. This was on the basis that the disclosure of such information would itself be highly damaging to the relevant businesses.

Of course, whilst in one sense Mr Browning’s position as a party could not be said to have been unduly prejudiced by the convening of the closed session, particularly because he was given a detailed account of the substantive evidence, in another sense, the prejudice was substantial: by being denied access to the closed session, neither Mr Browning nor his counsel had been able to challenge the evidence given by the witnesses through the process of cross-examination. Mr Browning’s concerns about this inability to cross-examine witnesses would appear to have been amplified in the present case because, in contrast with other appeals, where the ICO is effectively supporting the position adopted the applicant, in this case the ICO was supporting the position of DBIS. At the very least this caused Mr Browning to question whether the ICO would be as assiduous in testing the evidence in closed session as he would have been had he been supporting Mr Browning’s position.  See further my earlier post on the general concerns which surround the use of closed procedures in FOIA appeals.

The FTT ultimately decided the appeal in DBIS’s favour. It is clear from the judgment that the evidence given in closed session played a determinative role in this context.

Mr Browning went on to appeal the FTT’s decision to refuse his application for counsel-only access to the UT. He lost before the UT. He then appealed the UT’s judgment to the Court of Appeal. The appeal was put on the basis of the following relatively narrow ground:

-        the Tribunals Courts and Enforcement Act 2007 provides for a power to make rules to govern the procedures of the tribunal. However, pursuant to s. 22(4), that rule-making power must be exercised so as to ensure: (a) that ‘justice is done’ and (b) that the ‘tribunal system is accessible and fair’;

-        the FTT rules, as applied in the FOIA context, are ultra vires s. 22(4). This is because endowing the FTT with a power to conduct closed procedures in the absence of the applicant’s representative (as to which see rules 35 and 5) produces the result that, in cases where representatives are excluded, justice is not done and the tribunal system is not accessible and fair.

Thus, the appeal was advanced solely on the issue of the vires of the rules. It was not argued on the ground that the FTT’s decision had been perverse on the facts of the case before it.

The Court of Appeal dismissed the appeal. Marice Kay LJ, who gave the leading judgment, held in short that the rules were on their face intra vires s. 22(4) and, further, that application of the principle of natural justice did not require a different result. In reaching this conclusion, the Court noted in particular relevant jurisprudence concerning the serious practical difficulties attendant on permitting counsel-only access in the context of closed procedures, including not least the House of Lords’ judgment in Somerville v Scottish Ministers [2007] 1 WLR 2734. The key paragraph of Marice Kay LJ’s judgment is paragraph 35:

‘35. The crucial task is to devise an approach, in the context of a specific case, which best reconciles the divergent interests of the various parties. In my judgment, the approach adopted in this case and originating in the [British Union for the Abolition of Vivisection v ICO and Newcastle University EA 2010/0064] case does precisely that, having regard to the unique features of appeals under FOIA where issues of third party confidentiality and damage to third party interests loom large. The features to which reference was made in the BUAV case – the expertise of the Tribunal, the role of the IC as guardian of FOIA etc – make it permissible to exclude both an appellant and his legal representative except in circumstances where the FTT

“cannot carry out its investigatory function of considering and testing the closed material and give appropriate reasons for its decision on a sufficiently informed basis and so fairly and effectively in the given case having regard to the competing rights and interests involved. ”

In associating myself with this formulation I am accepting that there are features surrounding a case such as this which merit the description of the procedure as being at least in part investigatory as opposed to adversarial.’ 

The net effect of the judgment is that counsel-only access can potentially be contemplated by the tribunal but only in those exceptional cases where the tribunal concludes that the lack of counsel’s participation means that the tribunal cannot do justice to the case.

It is at this point important to note that the case in Browning was mounted exclusively on the basis that Mr Browning’s counsel should be permitted access to the closed session. There was no suggestion that this was a case where use of a special advocate would be apt, although it is understood that the use of special advocates was discussed before the Court of Appeal. This is important because in many senses the special advocate system avoids the acute practical difficulties which go hand in hand with the use of counsel-only access. Moreover, the fact that certain cases may warrant use of a special advocate was specifically confirmed by the FTT in BUAV.

One suspects that, in view of the concerns expressed by the Court of Appeal in Browning on the subject of counsel-only access, the debate around achieving natural justice in the context of FOIA appeals will now start to focus more heavily on the use of special advocates. Of course the use of special advocates is costly, as was noted in BUAV. This will often mean that their deployment is disproportionate. However, there will nonetheless be cases where the importance of the issues at stake in the appeal and the lack of access to substantive evidence given in closed session create a powerful if not overwhelming imperative in favour of adopting the special advocate procedure. It will be interesting to see whether this is an argument which surfaces before the FTT in the near future.

11KBW’s Ben Hooper acted for the Information Commissioner before the Court of Appeal.

Anya Proops

New from the Upper Tribunal: DWP work programmes, personal data. And security service algebra.

July 23rd, 2014 by Robin Hopkins

The Upper Tribunal has handed down a number of FOIA decisions in recent days. I refrain from comment or analysis, given my involvement in the cases (hopefully someone else from the Panopticon fold will oblige before long), but I post the judgments here for those who wish to read for themselves.

In DWP v IC and Zola [2014] UKUT 0334 (AAC), the Upper Tribunal dismissed the DWP’s appeal against this First-Tier Tribunal decision. The disputed information is a list of the identities of companies, charities and other organisations who host placements through the DWP’s work programmes for job seekers. Zola determination 21.07.14

In Farrand v IC and London Fire and Emergency Planning Authority [2014] UKUT 0310 (AAC), the Upper Tribunal dismissed an appeal concerning a report into a fire in a London flat, on the grounds that the requested information was the occupant’s personal data and no condition from Schedule 2 to the DPA was met. The decision discusses Common Services Agency and identification, legitimate interests, necessity and fairness. Farrand UT

Third, in Home Office v IC and Cobain (GIA/1722/2013), the Upper Tribunal has issued an interim decision allowing the appeal. This case concerns this problem: x + y = z, where z is a publicly known number, x is non-exempt information but y is exempt information (in this case, on section 23 grounds – security service information). Normally, the requester is entitled to non-exempt information, but here the automatic effect of disclosure would be to reveal the exempt information. What to do about this? As I say, an interim decision which I don’t analyse here. Have a go at the security service algebra yourself.

Robin Hopkins @hopkinsrobin

Personal Data in the CJEU

July 18th, 2014 by Christopher Knight

Working out what is and what is not personal data is often difficult, and all the more so where a document is contains different sections or has mixed purposes. In Cases C‑141/12 and C‑372/12 YS v Minister voor Immigratie, Integratie en Asiel (judgment of 17 July 2014, nyr), a request had been made by an immigrant in Holland for a copy of an administrative report concerning his application for a residence permit. It is helpful to set out the details of the document sought. A case officer drafts a document in which he explains the reasons for his draft decision (“the Minute”). The Minute is part of the preparatory process within that service but not of the final decision, even though some points mentioned in it may reappear in the statement of reasons of that decision.

Generally, the Minute contains the following information: name, telephone and office number of the case officer responsible for preparing the decision; boxes for the initials and names of revisers; data relating to the applicant, such as name, date of birth, nationality, gender, ethnicity, religion and language; details of the procedural history; details of the statements made by the applicant and the documents submitted; the legal provisions which are applicable; and, finally, an assessment of the foregoing information in the light of the applicable legal provisions. This assessment is referred to as the ‘legal analysis’. Depending on the case, the legal analysis may be more or less extensive, varying from a few sentences to several pages. In an in-depth analysis, the case officer responsible for the preparation of the decision addresses, inter alia, the credibility of the statements made and explains why he considers an applicant eligible or not for a residence permit. A summary analysis may merely refer to the application of a particular policy line.

Was the Minute personal data within the meaning Article 2(a) of Directive 95/46/EC? There is no doubt, said the CJEU, that the data relating to the applicant for a residence permit and contained in a minute, such as the applicant’s name, date of birth, nationality, gender, ethnicity, religion and language, are information relating to that natural person, who is identified in that minute in particular by his name, and must consequently be considered to be ‘personal data’: at [38].

However, the legal analysis in the Minute, although it may contain personal data, does not in itself constitute such data: at [39]. Held the CJEU, “a legal analysis is not information relating to the applicant for a residence permit, but at most, in so far as it is not limited to a purely abstract interpretation of the law, is information about the assessment and application by the competent authority of that law to the applicant’s situation, that situation being established inter alia by means of the personal data relating to him which that authority has available to it”: at [40]. Extending the application of personal data to cover the legal analysis would not guarantee the right to privacy, or the right to check the accuracy of the personal data itself, but would amount to a right to administrative documents, which the Directive does not provide: at [45]-[46].

Not the most ground-breaking decision to emanate from Luxembourg, but a nonetheless interesting reminder of the utility of carefully distinguishing between different types of data within the same document.

Christopher Knight

Late Reliance on Part I Exemptions

July 18th, 2014 by Christopher Knight

Although hardly at the top of anyone’s list of burning questions which keep them awake at night, there has been a debate about whether the permission to rely on exemptions late (usually after the DN and in the course of litigation before the FTT) extends beyond the substantive exemptions in Part II of FOIA – as provided for in Birkett v DEFRA [2011] EWCA Civ 1606 - to the procedural exemptions of sections 12 and 14.

The question is made all the more enthralling by a conflict of case law, which those who attended our Information Law Conference in 2013 and who weren’t snoozing during my paper will recall. Independent Police Complaints Commission v Information Commissioner [2012] 1 Info LR 427 had held that there could be late reliance on section 12. The Upper Tribunal in All Party Parliamentary Group on Extraordinary Rendition v Information Commissioner & Ministry of Defence [2011] UKUT 153 (AAC); [2011] 2 Info LR 75 expressed the clear, if obiter, view that section 12 was not in the same position as substantive FOIA Part II exemptions because it had a different purpose; section 12 is not about the nature of the information but the effect on the public authority of having to deal with the request. The scheme of FOIA was likely to be distorted, the Upper Tribunal held, if the authority could suddenly rely on section 12 after already having carried out the search and engaged with the requestor: at [45]-[47]. The APPGER approach was accepted by the FTT in Sittampalam v Information Commissioner & BBC [2011] 2 Info LR 195. There was at least a school of thought that the APPGER logic ought also to apply to section 14 (which, as was explained in Dransfield, is not properly an exemption at all: at [10]-[11]).

In Department for Education v Information Commissioner & McInerney (EA/2013/0270) GRC Chamber President Judge Warren considered the late reliance by the DfE on sections 12 and 14, and upheld the DfE’s appeal under section 14. In an appendix, he dismissed the suggestion of the ICO that APPGER meant that section 14 could not be relied upon late. In rather brief reasoning, he considered that if section 17 did not bar late reliance on Part II exemptions (as it was clear that it did not following Birkett), there was no linguistic reason to apply the same approach to Part I exemptions. Sections 12 and 14 could therefore be relied upon late, as a matter of right.

So that is that. Except of course, that there is now a real conflict of authority at FTT level, and with conflicting dicta at UT level too (APPGER having doubted Information Commissioner v Home Office [2011] UKUT 17 (AAC) on this point). Maybe someone would like to take the point on appeal and have it properly determined.

Andrew Sharland was for the DfE and Robin Hopkins was for the ICO.

Christopher Knight

Academies and FOI

July 16th, 2014 by Robin Hopkins

The question of whether information is ‘held’ by a public authority for FOIA or EIR purposes can raise difficulties. This is especially so where the boundaries between public and private service provision are blurred: consider outsourcing, privatisation of services, public/private partnerships, joint ventures, the use of external consultants and so on. Legal separation and practical day-to-day realities can often point in different directions in terms of who holds information on whose behalf.

Geraldine Hackett v IC and United Learning Trust (EA/2012/0265) is a recent First-Tier Tribunal decision which addresses such issues – specifically in the context of academy school provision.

The United Church Schools Foundation Limited delivers schools through two separate trusts: the United Church Schools Trust (which runs 11 private schools) and the United Learning Trust (which runs 20 academies, and receives approximately £110k of its £129k of annual income from public funds).

Para 52A Schedule 1 FOIA brings within the scope of FOIA “the proprietor of an academy” but only in respect of “information held for the purposes of the proprietor’s functions under academy arrangements.”

Geraldine Hackett asked for information about the employment package of ULT’s chief executive (pay, pension contribution, expenses etc) and of the other members of the ULT senior management team.

ULT said it did not hold the information; the information was instead held by UCST (the private school provider). The ICO agreed. So did the First-Tier Tribunal, but this was overturned by the Upper Tribunal on account of aspects of procedural fairness which had gone badly awry at first instance.

On reconsideration by a fresh First-Tier Tribunal, the ICO’s decision was overturned. The Tribunal asked itself the questions which the Upper Tribunal had invited for consideration:

“Was it really the case that ULT had delegated day-to-day running of its charitable activities to a chief executive of whose duties under his contract of employment, ULT was ignorant? Was it permissible to avoid FOIA by the device of a contract of employment made by another body?”

It applied the leading case of University of Newcastle upon Tyne v ICO and BUAV [2011] UKUT 185 (AAC) and concluded that ULT did hold the requested information for FOIA purposes. This meant that “ULT would fulfil its obligations under FOIA by disclosing not the total sums involved but that proportion, calculated in accordance with the agreement, which relates to the academies; in other words excluding that proportion which can be attributed to USCT’s private schools.”

The Tribunal noted that “in 2006 both trusts entered into an agreement with each other to apportion the expenditure on shared services” and observed that “it appeared to us from the oral and written evidence that staff work together seamlessly for all three trusts”.

Those who grapple with held/not held questions in contexts like this will wish to note the key paragraph (19) illuminating the Tribunal’s reasoning:

“We were told at the hearing, and we accept, that the disputed information is held in hard copy in one of the filing cabinets at the United Learning Head Office. Those with access to it work seamlessly, we have found, for all three trusts. They have responsibilities to all three trusts. For these purposes, we are not attracted by artificial theories suggesting that staff hold these documents only on behalf of one or two of the trusts. Looking at actualities, and applying the plain words of the statute, in our judgment the disputed information is held by ULT, even if it is also held by UCST and UCSF. This finding is consistent with the obligations of the ULT accounting officer in respect of senior officers’ payroll arrangements…”

Robin Hopkins @hopkinsrobin

In the wake of Google Spain: freedom of expression down (but not out)

July 15th, 2014 by Robin Hopkins

The CJEU’s judgment in Google Spain was wrong and has created an awful mess.

That was the near-unanimous verdict of a panel of experts – including 11KBW’s Anya Proops – at a debate hosted by ITN and the Media Society on Monday 14 July and entitled ‘Rewriting History: Is the new era in Data Protection compatible with journalism?’.

The most sanguine participant was the Information Commissioner, Christopher Graham. He cautioned against a ‘Chicken Licken’ (the sky is falling in) alarmism – we should wait and see how the right to be forgotten (RTBF) pans out in practice. He was at pains to reassure the media that its privileged status in data protection law was not in fact under threat: the s. 32 DPA exemption, for example, was here to stay. There remains space, Google Spain notwithstanding, to refuse RTBF inappropriate requests, he suggested – at least as concerns journalism which is in the public interest (a characteristic which is difficult in principle and in practice).

‘I am Chicken Licken!’, was the much less sanguine stance of John Battle, ITN’s Head of Compliance. Google Spain is a serious intrusion into media freedom, he argued. This was echoed by The Telegraph’s Holly Watt, who likened the RTBF regime to book-burning.

Peter Barron, Google’s Director of Communications and Public Affairs for Europe, Africa and the Middle East, argued that in implementing its fledgling RTBF procedure, Google was simply doing as told: it had not welcomed the Google Spain judgment, but that judgment is now the law, and implementing it was costly and burdensome. On the latter point, Chris Graham seemed less than entirely sympathetic, pointing out that Google’s business model is based heavily on processing other people’s personal data.

John Whittingdale MP, Chairman of the Culture, Media & Sport Select Committee, was markedly Eurosceptic in tone. Recent data protection judgments from the CJEU have overturned what we in the UK had understood the law to be – he was referring not only to Google Spain, but also to Digital Rights Ireland (on which see my DRIP post from earlier today). The MOJ or Parliament need to intervene and restore sanity, he argued.

Bringing more legal rigour to bear was Anya Proops, who honed in on the major flaws in the Google Spain judgment. Without there having been any democratic debate (and without jurisprudential analysis), the CJEU has set a general rule whereby privacy trumps freedom of expression. This is hugely problematic in principle. It is also impracticable: the RTBF mechanism doesn’t actually work in practice, for example because it leaves Google.com (as opposed to Google.co.uk or another EU domain) untouched – a point also made by Professor Luciano Floridi, Professor of Philosophy and Ethics of Information at the University of Oxford.

There were some probing questions from the audience too. Mark Stephens, for example, asked Chris Graham how he defined ‘journalism’ (answer: ‘if it walks and quacks like a journalist’…) and how he proposed to fund the extra workload which RTBF complaints would bring for the ICO (answer: perhaps a ‘polluter pays’ approach?).

Joshua Rozenberg asked Peter Barron if there was any reason why people should not switch their default browsers to the RTBF-free Google.com (answer: no) and whether Google would consider giving aggrieved journalists rights of appeal within a Google review mechanism (the Google RTBF mechanism is still developing).

ITN is making the video available on its website this week. Those seeking further detail can also search Twitter for the hashtag #rewritinghistory or see Adam Fellows’ blog post.

The general tenor from the panel was clear: Google Spain has dealt a serious and unjustifiable blow to the freedom of expression.

Lastly, one of my favourite comments came from ITN’s John Battle, referring to the rise of data protection as a serious legal force: ‘if we’d held a data protection debate a year ago, we’d have had one man and his dog turn up. Now it pulls in big crowds’. I do not have a dog, but I have been harping on for some time about data protection’s emergence from the shadows to bang its fist on the tables of governments, security bodies, big internet companies and society at large. It surely will not be long, however, before the right to freedom of expression mounts a legal comeback, in search of a more principled and workable balance between indispensible components of a just society.

Robin Hopkins @hopkinsrobin

Surveillance powers to be kept alive via DRIP

July 15th, 2014 by Robin Hopkins

The legal framework underpinning state surveillance of individuals’ private communications is in turmoil, and it is not all Edward Snowden’s fault. As I write this post, two hugely important developments are afoot.

Prism/Tempora

The first is the challenge by Privacy International and others to the Prism/Tempora surveillance programmes implemented by GCHQ and the security agencies. Today is day 2 of the 5-day hearing before the Investigatory Powers Tribunal. To a large extent, this turmoil was unleashed by Snowden.

DRIP – the background

The second strand of the turmoil is thanks to Digital Rights Ireland and others, whose challenge to the EU’s Data Retention Directive 2006/24 was upheld by the CJEU in April of this year. That Directive provided for traffic and location data (rather than content-related information) about individuals’ online activity to be retained by communications providers for a period of 6-24 months and made available to policing and security bodies. In the UK, that Directive was implemented via the Data Retention (EC Directive) Regulations 2009, which mandated retention of communications data for 12 months.

In Digital Rights Ireland, the CJEU held the Directive to be invalid on the grounds of incompatibility with the privacy rights enshrined under the EU’s Charter of Fundamental Rights. Strictly speaking, the CJEU’s judgment (on a preliminary ruling) then needed to be applied by the referring courts, but in reality the foundation of the UK’s law fell away with the Digital Rights Ireland judgment. The government has, however, decided that it needs to maintain the status quo in terms of the legal powers and obligations which were rooted in the invalid Directive.

On 10 July 2014, the Home Secretary made a statement announcing that this gap in legal powers was to be plugged on a limited-term basis. A Data Retention and Investigatory Powers (DRIP) Bill would be put before Parliament, together with a draft set of regulations to be made under the envisaged Act. If passed, these would remain in place until the end of 2016, by which time longer-term solutions could be considered. Ms May said this would:

“…ensure, for now at least, that the police and other law enforcement agencies can investigate some of the criminality that is planned and takes place online. Without this legislation, we face the very prospect of losing access to this data overnight, with the consequence that police investigations will suddenly go dark and criminals will escape justice. We cannot allow this to happen.”

Today, amid the ministerial reshuffle and shortly before the summer recess, the Commons is debating DRIP on an emergency basis.

Understandably, there has been much consternation about the extremely limited time allotted for MPs to debate a Bill of such enormous significance for privacy rights (I entitled my post on the Digital Rights Ireland case “Interfering with the fundamental rights of practically the entire European population”, which is a near-verbatim quote from the judgment).

DRIP – the data retention elements

The Bill is short. A very useful summary can be found in the Standard Note from the House of Commons Library (authored by Philippa Ward).

Clause 1 provides power for the Secretary of State to issue a data retention notice on a telecommunications services provider, requiring them to retain certain data types (limited to those set out in the Schedule to the 2009 Regulations) for up to 12 months. There is a safeguard that the Secretary of State must consider whether it is “necessary and proportionate” to give the notice for one or more of the purposes set out in s22(2) of RIPA.

Clause 2 then provides the relevant definitions.

The Draft Regulations explain the process in more detail. Note in particular regulation 5 (the matters the Secretary of State must consider before giving a notice) and regulation 9 (which provides for oversight by the Information Commissioner of the requirements relating to integrity, security and destruction of retained data).

DRIP – the RIPA elements

DRIP is also being used to clarify (says the government) or extend (say some critics) RIPA 2000. In this respect, as commentators such as David Allen Green have pointed out, it is not clear why the emergency legislation route is necessary.

Again, to borrow the nutshells from the House of Commons Library’s Standard Note:

Clause 3 amends s5 of RIPA regarding the Secretary of State’s power to issue interception warrants on the grounds of economic well-being.

Clause 4 aims to clarify the extra-territorial reach of RIPA in in relation to both interception and communications data by adding specific provisions. This confirms that requests for interception and communications data to overseas companies that are providing communications services within the UK are subject to the legislation.

Clause 5 clarifies the definition of “telecommunications service” in RIPA to ensure that internet-based services, such as webmail, are included in the definition.

Criticism

The Labour front bench is supporting the Coalition. A number of MPs, including David Davis and Tom Watson, have been vociferous in their opposition (see for example the proposed amendments tabled by Watson and others here). So too have numerous academics and commentators. I won’t try to link to all of them here (as there are too many). Nor can I link to a thorough argument in defence of DRIP (as I have not been able to find one). For present purposes, an excellent forensic analysis comes from Graham Smith at Cyberleagle.

I don’t seek to duplicate that analysis. It is, however, worth remembering this: the crux of the CJEU’s judgment was that the Directive authorised such vast privacy intrusions that stringent safeguards were required to render it proportionate. In broad terms, that proportionately problem can be fixed in two ways: reduce the extent of the privacy intrusions and/or introduce much better safeguards. DRIP does not seek to do the former. The issue is whether it offers sufficient safeguards for achieving an acceptable balance between security and privacy.

MPs will consider that today and Peers later this week. Who knows? – courts may even be asked for their views in due course.

Robin Hopkins @hopkinsrobin