Facebook, FOI and children

August 6th, 2014 by Robin Hopkins

The Upper Tribunal has got its teeth into personal data disputes on a number of occasions in recent months – Edem was followed by Farrand, and now Surrey Heath Borough Council v IC and Morley [2014] UKUT 0330 (AAC): Morley UT decision. Panopticon reported on the first-instance Morley decision in 2012. In brief: Mr Morley asked for information about members of the local authority’s Youth Council who had provided input into a planning application. The local authority withheld the names of the Youth Councillors (who were minors) under s. 40(2) of FOAI (personal data). In a majority decision, the First-Tier Tribunal ordered that some of those names be disclosed, principally on the grounds that it seemed that they appeared on the Youth Council’s (closed) Facebook page.

The local authority and the ICO challenged that decision. The Upper Tribunal (Judge Jacobs) has agreed with them. He found the dissenting opinion of the First-Tier Tribunal member to have been the more sophisticated (as opposed to the overly generalised analysis of the majority) and ultimately correct. The Youth Councillors’ names were correctly withheld.

In his analysis of the First Data Protection Principle, Judge Jacobs was not much bothered by whether fairness or condition 6(1) (the relevant Schedule 2 condition) should be considered first: “the latter is but a specific instance of the former”.

Judge Jacobs found that there was no sufficient interest in the disclosure of the names of the Youth Councillors. He also rejected the argument that, by putting their names on the relevant Facebook page, the data subjects had implicitly consented to public disclosure of their identities in response to such a FOIA request.

Judge Jacobs stopped short, however, of finding that the personal data of minors should never be disclosed under FOIA, i.e. that the (privacy) interests of children would always take precedence over transparency. Maturity and autonomy matter more than mere age in this context, and sometimes (as here) minors are afforded substantial scope to make their own decisions.

Morley is an important case on the intersection between children’s personal data and transparency, particularly in the social media context, but – as Judge Jacobs himself observed – “it is by no means the last word on the subject”.

There were 11KBW appearances by Joseph Barrett (for the local authority) and Heather Emmerson (for the ICO).

Robin Hopkins @hopkinsrobin

New from the Upper Tribunal: DWP work programmes, personal data. And security service algebra.

July 23rd, 2014 by Robin Hopkins

The Upper Tribunal has handed down a number of FOIA decisions in recent days. I refrain from comment or analysis, given my involvement in the cases (hopefully someone else from the Panopticon fold will oblige before long), but I post the judgments here for those who wish to read for themselves.

In DWP v IC and Zola [2014] UKUT 0334 (AAC), the Upper Tribunal dismissed the DWP’s appeal against this First-Tier Tribunal decision. The disputed information is a list of the identities of companies, charities and other organisations who host placements through the DWP’s work programmes for job seekers. Zola determination 21.07.14

In Farrand v IC and London Fire and Emergency Planning Authority [2014] UKUT 0310 (AAC), the Upper Tribunal dismissed an appeal concerning a report into a fire in a London flat, on the grounds that the requested information was the occupant’s personal data and no condition from Schedule 2 to the DPA was met. The decision discusses Common Services Agency and identification, legitimate interests, necessity and fairness. Farrand UT

Third, in Home Office v IC and Cobain (GIA/1722/2013), the Upper Tribunal has issued an interim decision allowing the appeal. This case concerns this problem: x + y = z, where z is a publicly known number, x is non-exempt information but y is exempt information (in this case, on section 23 grounds – security service information). Normally, the requester is entitled to non-exempt information, but here the automatic effect of disclosure would be to reveal the exempt information. What to do about this? As I say, an interim decision which I don’t analyse here. Have a go at the security service algebra yourself.

Robin Hopkins @hopkinsrobin

Some results may have been removed under data protection law in Europe. Learn more.

July 3rd, 2014 by Robin Hopkins

This is the message that now regularly greets those using Google to search for information on named individuals. It relates, of course, to the CJEU’s troublesome Google Spain judgment of 13 May 2014.

I certainly wish to learn more.

So I take Google up on its educational offer and click through to its FAQ page, where the folks at Google tell me inter alia that “Since this ruling was published on 13 May 2014, we’ve been working around the clock to comply. This is a complicated process because we need to assess each individual request and balance the rights of the individual to control his or her personal data with the public’s right to know and distribute information”.

The same page also leads me to the form on which I can ask Google to remove from its search results certain URLs about me. I need to fill in gaps like this: “This URL is about me because… This page should not be included as a search result because…” 

This is indeed helpful in terms of process, but I want to understand more about the substance of decision-making. How does (and/or should) Google determine whether or not to accede to my request? Perhaps understandably (as Google remarks, this is a complicated business on which the dust is yet to settle), Google doesn’t tell me much about that just yet.

So I look to the obvious source – the CJEU’s judgment itself – for guidance. Here I learn that I can in principle ask that “inadequate, irrelevant or no longer relevant” information about me not be returned through a Google search. I also get some broad – and quite startling – rules of thumb, for example at paragraph 81, which tells me this:

“In the light of the potential seriousness of that interference, it is clear that it cannot be justified by merely the economic interest which the operator of such an engine has in that processing. However, inasmuch as the removal of links from the list of results could, depending on the information at issue, have effects upon the legitimate interest of internet users potentially interested in having access to that information, in situations such as that at issue in the main proceedings a fair balance should be sought in particular between that interest and the data subject’s fundamental rights under Articles 7 and 8 of the Charter. Whilst it is true that the data subject’s rights protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.”

So it seems that, in general (and subject to the sensitivity of the information and my prominence in public life), my privacy rights trump Google’s economic rights and other people’s rights to find information about me in this way. So the CJEU has provided some firm steers on points of principle.

But still I wish to learn more about how these principles will play out in practice. Media reports in recent weeks have told us about the volume of ‘right to be forgotten’ requests received by Google.

The picture this week has moved on from volumes to particulars. In the past few days, we have begun to learn how Google’s decisions filter back to journalists responsible for the content on some of the URLs which objectors pasted into the forms they sent to Google. We learn that journalists and media organisations, for example, are now being sent messages like this:

“Notice of removal from Google Search: we regret to inform you that we are no longer able to show the following pages from your website in response to certain searches on European versions of Google.”

Unsurprisingly, some of those journalists find this puzzling and/or objectionable. Concerns have been ventilated in the last day or two, most notably by the BBC’s Robert Peston (who feels that, through teething problems with the new procedures, he has been ‘cast into oblivion’) and The Guardian’s James Ball (who neatly illustrates some of the oddities of the new regime). See also The Washington Post’s roundup of UK media coverage.

That coverage suggests that the Google Spain ruling – which made no overt mention of free expression rights under Article 10 ECHR – has started to bite into the media’s freedom. The Guardian’s Chris Moran, however, has today posted an invaluable piece clarifying some misconceptions about the right to be forgotten. Academic commentators such as Paul Bernal have also offered shrewd insights into the fallout from Google Spain.

So, by following the trail from Google’s pithy new message, I am able to learn a fair amount about the tenor of this post-Google Spain world.

Inevitably, however, given my line of work, I am interested in the harder edges of enforcement and litigation: in particular, if someone objects to the outcome of a ‘please forget me’ request to Google, what exactly can they do about it?

On such questions, it is too early to tell. Google says on its FAQ page that “we look forward to working closely with data protection authorities and others over the coming months as we refine our approach”. For its part, the ICO tells us that it and its EU counterparts are working hard on figuring this out. Its newsletter from today says for example that:

“The ICO and its European counterparts on the Article 29 Working Party are working on guidelines to help data protection authorities respond to complaints about the removal of personal information from search engine results… The recommendations aim to ensure a consistent approach by European data protection authorities in response to complaints when takedown requests are refused by the search engine provider.”

So for the moment, there remain lots of unanswered questions. For example, the tone of the CJEU’s judgment is that DPA rights will generally defeat economic rights and the public’s information rights. But what about a contest between two individuals’ DPA rights?

Suppose, for example, that I am an investigative journalist with substantial reputational and career investment in articles about a particular individual who then persuades Google to ensure that my articles do not surface in EU Google searches for his name? Those articles also contain my name, work and opinions, i.e. they also contain my personal data. In acceding to the ‘please forget me’ request without seeking my input, could Google be said to have processed my personal data unfairly, whittling away my online personal and professional output (at least to the extent that the relevant EU Google searches are curtailed)? Could this be said to cause me damage or distress? If so, can I plausibly issue a notice under s. 10 of the DPA, seek damages under s. 13, or ask the ICO to take enforcement action under s. 40?

The same questions could arise, for example, if my personal backstory is heavily entwined with that of another person who persuades Google to remove from its EU search results articles discussing both of us – that may be beneficial for the requester, but detrimental to me in terms of the adequacy of personal data about me which Google makes available to the interested searcher.

So: some results may have been removed under data protection law in Europe, and I do indeed wish to learn more. But I will have to wait.

Robin Hopkins @hopkinsrobin

Section 13 DPA in the High Court: nominal damage plus four-figure distress award

June 13th, 2014 by Robin Hopkins

Given the paucity of case law, it is notoriously difficult to estimate likely awards of compensation under section 13 of the Data Protection Act 1998 for breaches of that Act. It is also very difficult to assess any trends in compensation awards over time.

AB v MoJ [2014] EWHC 1847 (QB) is the Courts’ (Mr Justice Jeremy Baker) latest consideration of compensation under the DPA. The factual background involves protracted correspondence involving numerous subject access requests. Ultimately, it was held that the Defendant failed to provide certain documents to which the Claimant was entitled under section 7 of the DPA within the time frames set out under that section.

Personal data?

There was a dispute as to whether one particular document contained the Claimant’s ‘personal data’. Baker J noted the arguments from Common Services Agency, and he is not the first to observe (at his paragraph 50) that it is sometimes not a ‘straightforward issue’ to determine whether or not information comes within the statutory definition of personal data. Ultimately, he considered that the disputed document did not come within that definition: it “is in wholly neutral terms, and is indeed merely a conduit for the provision of information contained in the letters which it enclosed which certainly did contain the claimant’s personal data”.

Nonetheless, the DPA had been breached in virtue of the delays in the provision of other information to which the Claimant was entitled under section 7. What compensation should he be awarded?

Damage under section 13(1) DPA

Baker J was satisfied, having considered In Halliday v Creation Consumer Finance Limited [2013] EWCA Civ 333, [2013] 2 Info LR 85 (where the same point was conceded), that nominal damage sufficed as ‘damage’ for section 13(1) purposes: “In this regard the word “damage” in this sub-section is not qualified in any way, such that to my mind provided that there has, as in this case, been some relevant loss, then an individual who has also suffered relevant distress is entitled to an award of compensation in respect of it”.

Here the Court was satisfied that nominal damages should be awarded. The Claimant had spent a lot of time pursuing his requests, albeit that much of that time also involved pursuing requests on clients’ behalves, and albeit that no actual loss had been quantified:

“Essentially the claimant is a professional man who, it is apparent from his witness statement, has expended a considerable amount of time and expense in the pursuit of the disclosure of his and others’ data from various Government Departments and other public bodies, including the disclosed and withheld material from the defendant. Having said that, the claimant has not sought to quantify his time and expense, nor has he allocated it between the various requests on his own and others’ behalves. In these circumstances, although I am satisfied that he has suffered damage in accordance with s.13(1) of the DPA 1998, I consider that this is a case in which an award of nominal damages is appropriate under this head, which will be in the conventional sum of £1.00.”

Distress under section 13(2) DPA

That finding opened the door to an award for distress. The Court found that distress had been suffered, although it was difficult to disentangle his distress attributable to the breaches of the DPA from his distress as to the other surrounding circumstances: “doing the best I am able to on the evidence before me I consider that any award of compensation for distress caused as a result of the relevant delays in this case, should be in the sum of £2,250.00”.

Until this week, Halliday was the Courts’ last reported (on Panopticon at any rate) award of compensation under section 13 DPA. That was 14 months ago. In AB, the Court awarded precisely triple that sum for distress.

For a further (and quicker-off-the-mark) discussion of AB, see this post on Jon Baines’ blog, Information Rights and Wrongs.

Robin Hopkins @hopkinsrobin

Global Witness and the journalism exemption: ICO to have the first go?

April 30th, 2014 by Robin Hopkins

Panopticon has previously reported on the novel and important data protection case Steinmetz and Others v Global Witness [2014] EWHC 1186 (Ch). The High Court (Henderson J) has now given a judgment on a procedural point which will set the shape for this litigation.

The broad background to the case has been set out in Jason Coppel QC’s previous post – see here. In a nutshell, Global Witness is an NGO which reports and campaigns on natural resource related corruption around the world. Global Witness is one of a number of organisations which has recently reported on allegations that a particular company, BSG Resources Ltd (“BSGR”), secured a major mining concession in Guinea through corrupt means. Global Witness is now facing claims brought under the Data Protection Act 1998 by a number of individuals who are all in some way connected with BSGR. The claims include a subject access claim brought under s. 7; a claim under s. 10 requiring Global Witness to cease processing data in connection with the claimants and BSGR; a claim for rectification under s. 14 and a claim for compensation under s. 13.

For its part, Global Witness relies on the ‘journalism’ exemption under s. 32 of the DPA, which applies to “processing… undertaken with a view to the publication by any person of any journalistic, literary or artistic material”. Global Witness says it is exempt from the provisions of the DPA on which the claimants rely.

An unusual feature of the s. 32 exemption is that it provides, at subsections (4) and (5), for a mandatory stay mechanism which is designed in essence to enable the ICO to assume an important adjudicative role in the proceedings (my emphasis):

(4) Where at any time (“the relevant time”) in any proceedings against a data controller under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 the data controller claims, or it appears to the court, that any personal data to which the proceedings relate are being processed

(a) only for the special purposes, and

(b) with a view to the publication by any person of any journalistic, literary or artistic material which, at the time twenty-four hours immediately before the relevant time, had not previously been published by the data controller, the court shall stay the proceedings until either of the conditions in subsection (5) is met.

(5) Those conditions are—

(a) that a determination of the Commissioner under section 45 with respect to the data in question takes effect, or

(b) in a case where the proceedings were stayed on the making of a claim, that the claim is withdrawn.

So: if the conditions in s. 32(4) are met, then the court must stay proceedings until either the claim is withdrawn or the ICO has issued a determination under section 45. S. 45 effectively requires the ICO to adjudicate upon the application of the journalism/’special purposes’ exemption to the facts of the particular case. Any determination made under s. 45 can be appealed to the Tribunal: see s. 48(4), which confers a right of appeal on the data controller.

Global Witness has invoked s. 32(4) in its defence and has since applied to the Court for a stay under that provision. The claimants disagree that a stay should be granted. They say Global Witness’ reliance on section 32 is misconceived and have made a cross-application to have the s. 32 defence struck out and for summary judgment in the alternative.

The question for Henderson J was whether those rival applications should be heard together (the claimant’s case), or whether Global Witness’ application for a stay should be determined first (Global Witness’ case). Henderson J has agreed with Global Witness on this point. In reaching the view that the stay application should be heard first, it appears that Henderson J had in mind arguments to the effect that requiring the two applications to be heard together would itself risk pre-empting Global Witness’ stay application and may also result in a more cumbersome and costly process (see in particular paragraphs 16-24). Henderson J went on to make the following observation as to the effect of s. 32(4): :

“Subject to argument about the precise nature of a claim sufficient to trigger section 32, Parliament has, in my view, pretty clearly taken the line that issues of this kind should be determined in the first instance by the Commissioner, and any proceedings brought in court should be stayed until that has been done” (paragraph 21).

The stay application will now be heard at the end of June. The matter will then either go off to the ICO or, if the stay application fails, the claimants’ summary judgment/strike-out applications will be considered. The stay application will therefore determine the immediate trajectory of this particular litigation. Whilst the Court declined to order indemnity costs against the claimants, it did award Global Witness close to 100% of its costs.

Anya Proops acts for Global Witness.

Robin Hopkins @hopkinsrobin

FOIA disclosures: ‘motive blindness’ and risks to mental health

February 26th, 2014 by Robin Hopkins

Some FOIA ‘mantras’ frustrate requesters, such as judging matters as at the time of the request/refusal, regardless of subsequent events. Others tend to frustrate public authorities, such as ‘motive blindness’. A recent Tribunal discusses and illustrates both principles – in the context of the distress (including a danger to mental health) likely to arise from disclosure.

The background is that a certain pupil referral unit (PRU) in County Durham was the subject of complaints; 13 of its 60 staff had been suspended. An independent investigation team reported in November 2012. Later in that same month, the Council received a FOIA request for a copy of the investigators’ report. At that time, disciplinary proceedings were pending against each of the suspended members of staff. Those proceedings were to be conducted on a confidetial basis.

The Council refused the request, relying on section 31 (prejudice to conduct of function for purpose of ascertaining any improper conduct), section 40 (personal data) and 38 (health and safety). The ICO agreed, and so has the Tribunal, dismissing the requester’s appeal in Hepple v IC and Durham County Council (EA/2013/0168).

The Tribunal confirmed that, notwithstanding the appellant’s practical arguments to the contrary, it had to judge matters as they stood at the time of the Council’s refusal of the request (paras 4-7).

Section 31 was engaged: “We are satisfied, having read the Report in full, that disclosure in full would have given rise to a perception of unfairness and pre-judgement that would have prejudiced the disciplinary proceedings. Those deciding the complaint might have avoided being prejudiced but the perception of a disinterested third party would have been that the staff member’s right to a fair hearing had been undermined, particularly if publication had attracted media comment” (para 14). The public interest favoured maintaining the exemption.

Reliance on section 40(2) was upheld: the unwarranted interference to the data subjects prevailed over public interest arguments. The comparative balance may have shifted slightly since the date of the refusal, but that was not the relevant time for the purposes of the appeal.

Reliance on section 38 was also upheld. This exemption for health and safety (here, danger to mental health) seldom surfaces in FOIA caselaw. Here it was upheld, largely because the requester himself had sent certain text messages (for which he was later apologetic) to some of the individuals involved. The Tribunal “drew the clear impression that the texts had been transmitted with the purpose of menacing those whose addresses the Appellant had acquired” (para 37).

Those text messages were sent after the refusal of the request, but the Tribunal was satisfied that they evidenced a state of mind likely to have existed at the relevant time. As to ‘motive blindness’, the Tribunal said that “assessing an information request on this “motive blind” basis ought not to prevent us from considering the potential risk to safety posed by the requester him/herself”.

‘Motive blindness’ may be something of a mantra in FOIA cases, but – as with vexatious request cases – it is a principle which should be applied with appropriate nuance.

Robin Hopkins @hopkinsrobin

Personal data and fitness to practice investigations – Tribunal overturns ‘neither confirm nor deny’ position

January 17th, 2014 by Robin Hopkins

When an identifiable individual has been the subject of a formal complaint about their competence or conduct, that fact constitutes their personal data. In terms of privacy/publicity decisions, such situations are often approached in this way: where the complaint is well founded or at least merits serious consideration, publication is warranted, but otherwise confidentiality is maintained, lest unjustified aspersions be cast against that person.

In that respect, the process outlined by the Tribunal in Foster v IC (EA/2013/0176) – which concerned a complaint to the Nursing & Midwifery Council – is typical:

“The complaints procedure administered by the NMC has two stages. The first stage is designed to determine whether or not the matter should be referred to the NMC’s Fitness to Practice Panel. If it is, then the Panel will meet in public and its decision will be made publicly available. But if the complaint does not proceed beyond the first stage, (either because a decision is made not to investigate or because the NMC’s Investigating Committee Panel concludes that the complaint does not justify a reference to the Fitness to Practice Panel), then the process remains confidential. The rationale appears to be that an individual’s professional reputation should not be undermined by the publication of allegations that are found not to have sufficient merit to justify being referred to the Fitness to Practice Panel”.

The Appellant, whose son died following his participation in a drug trial, considered that the NMC investigation in this case – which did not pass the first stage – may have been inadequate. She asked for information about its investigation into her complaint about a named practitioner.

The NMC adopted a ‘neither confirm nor deny’ position under section 40(5), i.e. it considered that to say whether or not it held information on a complaint about this individual would be to tell the world at large whether or not that person had been the subject of a professional complaint of this description. The ICO agreed, but the Tribunal overturned that decision, ordering the NMC to confirm or deny whether it held the requested information.

In reaching that view, the Tribunal – while not passing judgment on the merits of the complaint or the NMC’s investigation – considered the criticisms that had been made:

“If it were to be the case that any member of the care team had realised the error earlier, but had not raised the alarm until after its very sad consequences had become clear, then there would seem to us to be strength in the Appellant’s argument that the evidential basis for the decision of the NMC’s Investigating Committee Panel required investigation”.

In those circumstances, the Tribunal thought the fairness balance favoured confirming or denying whether the requested information was held:

“In reaching that conclusion we reject the Information Commissioner’s argument that it is always unfair, and therefore in breach of the Data Protection Principles, to make a statement that discloses the existence of a complaint of professional misconduct against an individual, where there has been no finding of wrongdoing or malpractice. That would create an inflexible test which prevented all relevant circumstances being taken into account. Nor do we accept the Information Commissioner’s argument that the limited degree of disclosure involved in a “confirm or deny” response would constitute unwarranted interference into X’s privacy, without satisfying a legitimate public interest in disclosure”.

Public authorities who routinely adopt a default ‘neither confirm nor deny stance’ of the type outlined at the start of this post will wish to note that, at least in some circumstances, that approach can be called into question.

Robin Hopkins @hopkinsrobin

The Google/Safari users case: a potential revolution in DPA litigation?

January 16th, 2014 by Robin Hopkins

I posted earlier on Tugendhat J’s judgment this morning in Vidal-Hall and Others v Google Inc [2014] EWHC 13 (QB). The judgment is now available here – thanks as ever to Bailii.

This is what the case is about: a group of claimants say that, by tracking and collating information relating to their internet usage on the Apple Safari browser without their consent, Google (a) misused their private information (b) breached their confidences, and (c) breached its duties under the Data Protection Act 1998 – in particular, under the first, second, sixth and seventh data protection principles. They sought damages and injunctive relief.

As regards damages, “what they claim damages for is the damage they suffered by reason of the fact that the information collected from their devices was used to generate advertisements which were displayed on their screens. These were targeted to their apparent interests (as deduced from the information collected from the devices they used). The advertisements that they saw disclosed information about themselves. This was, or might have been, disclosed also to other persons who either had viewed, or might have viewed, these same advertisements on the screen of each Claimant’s device” (paragraph 24).

It is important to note that “what each of the Claimants claims in the present case is that they have suffered acute distress and anxiety. None of them claims any financial or special damage. And none of them claims that any third party, who may have had sight of the screen of a device used by them, in fact thereby discovered information about that Claimant which was detrimental” (paragraph 25).

The Claimants needed permission to serve proceedings on the US-based Google. They got permission and served their claim forms. Google then sought to have that service nullified, by seeking an order declaring that the English court has no jurisdiction to try these particular claims (i.e. it was not saying that it could never be sued in the English courts).

Tugendhat J disagreed – as things stand, the claims will now progress before the High Court (although Google says it intends to appeal).

Today’s judgment focused in part on construction of the CPR rules about service outside of this jurisdiction. I wanted to highlight some of the other points.

One of the issues was whether the breach of confidence and misuse of private information claims were “torts”. Tugendhat J said this of the approach: “Judges commonly adopt one or both of two approaches to resolving issues as to the meaning of a legal term, in this case the word “tort”. One approach is to look back to the history or evolution of the disputed term. The other is to look forward to the legislative purpose of the rule in which the disputed word appears”. Having looked to the history, he observed that “history does not determine identity. The fact that dogs evolved from wolves does not mean that dogs are wolves”.

The outcome (paragraphs 68-71): misuse of private information is a tort (and the oft-cited proposition that “the tort of invasion of privacy is unknown in English law” needs revisiting) but breach of confidence is not (given Kitetechnology BV v Unicor GmbH Plastmaschinen [1995] FSR 765).

Google also objected to the DPA claims being heard. This was partly because they were raised late; this objection was dismissed.

Google also said that, based on Johnson v MDU [2007] EWCA Civ 262; (2007) 96 BMLR 99, financial loss was required before damages under section 13 of the DPA could be awarded. Here, the Claimants alleged no financial loss. The Claimants argued against the Johnson proposition: they relied on Copland v UK 62617/00 [2007] ECHR 253, argued for a construction of the DPA that accords with Directive 95/46/EC as regards relief, and argued that – unlike in Johnson – this was a case in which their Article 8 ECHR rights were engaged. Tugendhat J has allowed this to proceed to trial, where it will be determined: “This is a controversial question of law in a developing area, and it is desirable that the facts should be found”.

If the Johnson approach is overturned – i.e. if the requirement for financial loss is dispensed with, at least for some types of DPA claim – then this could revolutionise data protection litigation in the UK. Claims under section 13 could be brought without claimants having suffered financially due to the alleged DPA breaches they have suffered.

Tugendhat went on to find that there were sufficiently serious issues to be tried here so as to justify service out of the jurisdiction – it could not be said that they were “not worth the candle”.

Further, there was an arguable case that the underlying information was, contrary to Google’s case, “private” and that it constituted “personal data” for DPA purposes (Google say the ‘identification’ limb of that definition is not met here).

Tugendhat was also satisfied that this jurisdiction was “clearly the appropriate one” (paragraph 134). He accepted the argument of Hugh Tomlinson QC (for the Claimants) that “in the world in which Google Inc operates, the location of documents is likely to be insignificant, since they are likely to be in electronic form, accessible from anywhere in the world”.

Subject to an appeal from Google, the claims will proceed in the UK. Allegations about Google’s conduct in other countries are unlikely to feature. Tugendhat J indicated a focus on what Google has done in the UK, to these individuals: “I think it very unlikely that a court would permit the Claimants in this case to adduce evidence of what Mr Tench refers to as alleged wrongdoing by Google Inc against other individuals, in particular given that it occurred in other parts of the world, governed by laws other than the law of England” (paragraph 47).

Robin Hopkins @hopkinsrobin

Personal data: Tribunal analyses the ‘relates to’ and ‘identification’ limbs

January 9th, 2014 by Robin Hopkins

I have commented in previous posts on how infrequently the Data Protection Act 1998 has been the subject of substantive litigation before the courts. One consequence of this is persistent uncertainty over how pivotal concepts such as ‘personal data’ are to be analysed and approached.

Last year, the High Court in Kelway v The Upper Tribunal, Northumbria Police and the Information Commissioner (2013) EWHC 2575 (Admin) considered how ‘personal data’ issues should be approached – see for example this piece by Cynthia O’Donoghue of Reed Smith.

The Kelway approach is rather complicated; it remains to be seen whether it is picked up as any sort of guiding test. The imminent Court of Appeal judgment in the Edem case is also likely to add to the picture on how to determine whether information is personal data.

As things stand, such determinations are not always straightforward. Oates v IC and DWP (EA/2013/0040) is a recent example at First-Tier Tribunal level. Mr Oates was medically examined by in connection with his incapacity benefit claim by a doctor engaged by Atos Healthcare. He was dissatisfied and complained to Atos. At the ‘independent tier’ of its complaint investigation, Atos engaged an independent medical practitioner and also an external company tasked with reviewing Atos’ handling of the initial complaint. Mr Oates wanted to know, inter alia, the names of the medical practitioner and of the company.

The DWP refused, relying on FOIA exemptions (section 40(2) and section 43(2)). The ICO decided that the withheld names should have been handled under the DPA rather than FOIA. This was because, in the ICO’s view, the withheld names constituted Mr Oates’ personal data –thus, by section 40(1) of FOIA, it was exempt under FOIA. Mr Oates had to seek it by a subject access request under the DPA instead.

The DWP said these names were not Mr Oates’ personal data. The Tribunal agreed. As to the ‘relates to’ limb of the definition of personal data, it applied Durant v FSA [2003] EWCA Civ 1746: it found there to be sufficient distance between the complaints review procedure and Mr Oates’ personal privacy to mean that the information did not ‘relate to’ him for DPA purposes.

As to the ‘identification’ limb of the definition of personal data, the DWP had argued that Mr Oates could not be identified from these names alone and that it was not in possession of information to link Mr Oates to the requested names. The ICO argued that the request itself provided that link. In other words, by asking for information about his own assessment and complaint, Mr Oates was providing the DWP with information which linked him to the requested names and allowed him to be identified as the person who had been assessed and who had complained.

Its argument was this: “at the moment when the DWP received the Request, it was put into possession of all the information it needed to relate the information requested to an identifiable individual, namely Mr Oates himself. The fact that he sought information about individuals who had been involved in the assessment of his particular complaint created the necessary connection between himself and the requested information – it both related to him and he could be identified from it.”

The Tribunal did not agree with that ‘linking’ argument. It said this:

“… we reject the Information Commissioner’s suggestion that we should take into account the Request itself. We are satisfied that the correct approach is to consider the body of relevant information held by the public authority in question immediately before the request was received. If that information can be seen to relate to the individual, and to identify him or her, then the case for characterising it as that individual’s personal data is made out. But if it does not do so then it is not appropriate, in our view, to close the circle by taking into account the additional information (as to the name of the individual who is both requester and data subject) which is set out in the request itself, in order to.”

Therefore, the ‘identification’ limb of the definition of personal data was not met either. The requested names did not comprise Mr Oates’ own personal data and fell to be dealt with under FOIA rather than through the subject access provisions of the DPA.

The decision in Oates raises a number of questions. For example, on ‘relates to’, the Durant principles are intended to offer guidance in ‘borderline’ cases – implicitly therefore, the Tribunal in Oates appears to have considered this to be a borderline situation.

On ‘identification’, the Tribunal did not mention the principle from Common Services Agency v Scottish Information Commissioner [2008] UKHL 47; [2011] 1 Info LR 184 that the ‘other information’ which can assist with identification of the individual encompasses not only information held by the data controller, but also information held by any person.

This is not to comment on whether the Tribunal reached the right decision or not – rather, it illustrates that the definition and limits of ‘personal data’ continues to raise tricky questions.

11KBW’s Tom Cross appeared for the ICO in Oates.

Robin Hopkins @hopkinsrobin

Legal analysis of individual’s situation is not their personal data, says Advocate General

December 18th, 2013 by Robin Hopkins

YS, M and S were three people who applied for lawful residence in the Netherlands. The latter two had their applications granted, but YS’ was refused. All three wanted to see a minute drafted by an official of the relevant authority in the Netherlands containing internal legal analysis on whether to grant them residence status. They made subject access requests under Dutch data protection law, the relevant provisions of which implement Article 12 of Directive 95/46/EC. They were given some of the contents of the minutes, but the legal analysis was withheld. This was challenged before the Dutch courts. Questions were referred to the CJEU on the application of data protection law to such information. In Joined Cases C‑141/12 and C‑372/12, Advocate General Sharpston has given her opinion, which the CJEU will consider before giving its judgment next year. Here are some important points from the AG’s opinion.

The definition of personal data

The minutes in question contained inter alia: the name, date of birth, nationality, sex, ethnicity, religion and language of the applicant; information about the procedural history; information about declarations made by the applicant and documents submitted; the applicable legal provisions and an assessment of the relevant information in the light of the applicable law.

Apart from the latter – the legal advice – the AG’s view is that this information does come within the meaning of personal data under the Directive. She said this:

“44. In general, ‘personal data’ is a broad concept. The Court has held that the term covers, for example, ‘the name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies’, his address, his daily work periods, rest periods and corresponding breaks and intervals, monies paid by certain bodies and the recipients, amounts of earned or unearned incomes and assets of natural persons.

45. The actual content of that information appears to be of no consequence as long as it relates to an identified or identifiable natural person. It can be understood to relate to any facts regarding that person’s private life and possibly, where relevant, his professional life (which might involve a more public aspect of that private life). It may be available in written form or be contained in, for example, a sound or image.”

The suggestion in the final paragraph is that the information need not have a substantial bearing on the individual’s privacy in order to constitute their personal data.

The AG also observed that “Directive 95/46 does not establish a right of access to any or every document or file in which personal data are listed or used” (paragraph 71). This resonates with the UK’s long-established Durant ‘notions of assistance’.

Legal analysis is not personal data

AG Sharpston’s view, however, was that the legal analysis of the individuals’ situations did not constitute their personal data. Her reasoning – complete with illustrative examples – is as follows:

“55. I am not convinced that the phrase ‘any information relating to an identified or identifiable natural person’ in Directive 95/46 should be read so widely as to cover all of the communicable content in which factual elements relating to a data subject are embedded.

56. In my opinion, only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not.

57. In that context, I do not find it helpful to distinguish between ‘objective’ facts and ‘subjective’ analysis. Facts can be expressed in different forms, some of which will result from assessing whatever is identifiable. For example, a person’s weight might be expressed objectively in kilos or in subjective terms such as ‘underweight’ or ‘obese’. Thus, I do not exclude the possibility that assessments and opinions may sometimes fall to be classified as data.

58. However, the steps of reasoning by which the conclusion is reached that a person is ‘underweight’ or ‘obese’ are not facts, any more than legal analysis is.”

Interestingly, her conclusion did touch upon the underlying connection between personal data and privacy. At paragraph 60, she observed that “… legal analysis as such does not fall within the sphere of an individual’s right to privacy. There is therefore no reason to assume that that individual is himself uniquely qualified to verify and rectify it and ask that it be erased or blocked. Rather, it is for an independent judicial authority to review the decision for which that legal analysis was prepared.”

In any event, legal analysis does not amount to “processing” for data protection purposes

The AG considered that legal analysis such as this was neither ‘automatic’ nor part of a ‘relevant filing system’. “Rather, it is a process controlled entirely by individual human intervention through which personal data (in so far as they are relevant to the legal analysis) are assessed, classified in legal terms and subjected to the application of the law, and by which a decision is taken on a question of law. Furthermore, that process is neither automatic nor directed at filing data” (paragraph 63).

Entitlement to data, but not in a set form

The AG also says that what matters is that individuals are provided with their data – data controllers are not, under the Directive, required to provide it in any particular form. For example, they can extract or transcribe rather than photocopy the relevant minute:

“74. Directive 95/46 does not require personal data covered by the right of access to be made available in the material form in which they exist or were initially recorded. In that regard, I consider that a Member State has a considerable margin of discretion to determine, based on the individual circumstances in case, the form in which to make personal data accessible.

75. In making that assessment, a Member State should take account of, in particular: (i) the material form(s) in which that information exists and can be made available to the data subject, (ii) the type of personal data and (iii) the objectives of the right of access.”

If the legal analysis is personal data, then the exemptions do not apply

Under the Directive, Article 12 provides the subject access right. Article 13 provides exemptions. The AG’s view was that if, contrary to her opinion, the legal analysis is found to be personal data, then exemptions from the duty to communicate that data would not be available. Of particular interest was her view concerning the exemption under Article 13(1)(g) for the “protection of the data subject or of the rights and freedoms of others”. Her view is that (paragraph 84):

“the protection of rights and freedoms of others (that is, other than the data subject) cannot be read as including rights and freedoms of the authority processing personal data. If a legal analysis is to be categorised as personal data, that must be because it is related to the private interests of an identified or identifiable person. Whilst the public interest in protecting internal advice in order to safeguard the administration’s ability to exercise its functions may indeed compete with the public interest in transparency, access to such advice cannot be restricted on the basis of the first of those two interests, because access covers only what falls within the private interest.”

If the Court agrees with the AG’s view, the case will be an important addition to case law offering guidance on the limits of personal data. It would also appear to limit, at least as regards the exemption outlined above, the data controller’s ability to rely on its own interests or on public interests to refuse subject access requests. That said, there is of course the exemption under Article 9 of the Directive for freedom of expression.

Robin Hopkins @hopkinsrobin