Data Protection and Journalism Case to Grand Chamber

December 15th, 2015 by Christopher Knight

Back in July of this year, Anya blogged on the decision of the European Court of Human Rights in Satakunnan Markkinapörssi Oy And Satamedia Oy v Finland (App. No. 931/13), which concerned a balancing of Article 8 and 10 rights. The Article 8 rights involved data privacy and the Article 10 rights involved those of a media organisation publishing journalism. The balancing exercise gave rise to a number of interesting points, as Anya discussed (here), many of which will only increase in importance under the new Data Protection Regulation.

Those points are now all back up for grabs, as the case has been referred to the Grand Chamber. Panopticon will, of course, keep an eye out for the judgment in the case as and when it appears.

Christopher Knight

European Legislation Update

December 11th, 2015 by Christopher Knight

Those of you hoping that this post will announce the conclusion of the General Data Protection Regulation will be disappointed. That stocking remains to be filled. There are, however, various other relevant legislative updates from Brussels worth pointing readers in the direction of.

  • As was widely reported last week, the trilogue process has reached an agreed text for the new Directive on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under the new Directive, air carriers will be obliged to provide member states’ authorities with the PNR data for flights entering or departing from the EU. It will also allow, but not oblige, member states to collect PNR data concerning selected intra-EU flights. The European Council has trumpeted various data privacy safeguards in the new text, and the final approved version is awaited to see exactly how that will work. The draft will be voted on by the Parliament next, but is likely to be finally approved in the course of next year. The UK has expressly opted in to the PNR Directive.

 

  • The EU institutions have now approved a final text of a new cyber-security Directive. The aim of the Directive is to put an end to current fragmentation of 28 cyber-security systems by listing sectors – energy, transport, banking, financial market, health and water supply – in which critical service companies will have to ensure that they are robust enough to resist cyber-attacks. Some internet service providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and clouds, will also have to ensure the safety of their infrastructure and to report on major incidents. The final text has not yet been published as it awaits formal sign-off, but is likely to be available early in the new year.

 

  • The Commission’s Digital Single Market has also seen a step forward this week with a proposed draft Directive on certain aspects concerning contracts for the supply of digital content, looking to harmonise the law in respect of cross-border trade in digital content. The proposal is part of the wider e-Commerce regulation the EU is engaged in, and the Commission’s proposal expressly notes that it is intended to comply with the Data Protection Directive and the e-Privacy Directive.

Christopher Knight

E-Privacy Goes Mobile

December 2nd, 2015 by Christopher Knight

Although most readers of this blog will be familiar, to some extent, with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), they are a rarely sighted beast in the reported jurisprudence. Panopticon is aware of individual damages claims brought in the County Courts for small sums, but even they are few and far between.

The recent judgment of Nicholas Lavender QC, sitting as Deputy, in Lebara Mobile Ltd & others v Lycamobile UK Ltd & others [2015] EWHC 3318 (Ch) is accordingly worth a read for a glimpse into how PECR may have a part to play in major commercial disputes.

The judgment concerns an application for an interim injunction sought by Lebara to prevent Lyca’s continued use of blocking software applied to the SIM cards of Lyca customers, which prevents Lyca customers downloading (or even visiting the Lebara website to read about) a Lebara app which permits free Lebara-to-Lebara calls. It does this by tracking the website use of its customers over the 3G network and blocking access to Lebara’s website without informing customers that there is a block. The technical details are complicated and it is unnecessary to set them all out in this post.

Lebara brought a claim on numerous grounds under English and various foreign laws. Under English law it relied on conspiracy to injure, interference with its business by unlawful means, unlawful means conspiracy and breach of PECR. PECR had two roles in the claim: not only was it a free-standing claim (breach of regulation 30), but breaches of regulation 7 (and Articles 5 and 6 of the underlying Directive 2002/58/EC) were said to be some of the unlawful means relied on in the economic tort claims.

Given that the application was for interim relief, the question for the Court was whether those claims gave rise to serious issues to be tried, as opposed to essentially unarguable claims. The post would be extremely long if all of the various economic tort claims, and the underlying unlawful means alleged, were gone through, so the avid reader is referred to the judgment instead. Focus here will just be on the involvement of PECR.

As a form of unlawful means, Article 5 and 6 of the PECR Directive were relied on by Lebara. Article 5 requires measures to be taken which prohibit the interception or surveillance of communications and related traffic data. Article 6 extends that to consent. The Judge considered the focus of the argument really to be on Article 5, because Lyca argued that regulation 7(1) PECR (implementing Article 6) applies only to the traffic data relating to subscribers or users, and that a website address is not data relating to that subscriber or user because it does not identify them. (Identification being a requirement by virtue of regulation 7(1)(b) and (c).) As a result, Lebara argued that regulation 7 had to be interpreted more purposively, which does not require identification, in order to ensure Article 5 was correctly implemented under the Marleasing principle. This is a complicated argument, and it was only briefly summarised by the Judge, who held it to be sufficiently arguable to amount to a serious issue to be tried at [85]. If the matter goes to trial, it has the potential to say interesting things about PECR and its application to internet tracking.

The Court was prepared to assume for the purposes of a serious issue to be tried that other Member States would have implemented the PECR Directive, such that there would also be a serious issue to be tried under the law of those States, but noted that there was no evidence yet before the Court to determine the point and it could not be assumed at the trial.

It is also interesting to note at [96] that the breach of confidence allegation was closely wrapped up with the content of the PECR arguments, and so also gave rise to a serious issue to be tried, including, for example, whether website names constitute confidential information.

The Judge was clearly less impressed by the free-standing reliance on regulation 30 of PECR, noting that it required Lebara to be within the class of persons intended to benefit from the right to bring claims for compensation, and that there was no clear indication from the Directive that breaches of Articles 5 and 6 were intended to sound in damages. A contrast was drawn with regulation 22 (prohibition on spam emails), which did have such purposive support, particularly in recital (28). The Judge concluded at [108] that he doubted there was a serious issue to be tried but did not decide the point.

In the event, the Judge declined to grant an injunction applying the balance of convenience test, so Lyca’s block (modified in the course of litigation) remains in place until any trial. It would be interesting to see if the case fights; a judgment would be worth a read.

However, such a trial may be overtaken by events. Of some interest may be the acknowledgment by both parties at [25]-[27] that the block imposed by Lyca would be rendered unlawful when a new proposed EU regulation came into force in April 2016. This is the so-called ‘net neutrality’ Regulation. This too will be something to watch out for.

Tentative Trilogu-ery

December 1st, 2015 by Christopher Knight

Those of you (all of you, surely?) who are keenly following the nail-biting, cheek-clenching progress of the Trilogue’s negotiations over the General Data Protection Regulation will be overjoyed to read this 370 page official EU document, dated 20 November 2015, summarising the original Commission proposal, the Parliament’s position, the approach of the Council and the “tentative” agreement reached thus far in Trilogue (or, where there is no tentative agreement, the suggestions of the Council’s Presidency).

There is limited purpose in analysing in detail all of the changes and proposals at this stage – enough ink has already been wasted on overtaken drafts – but what the tentative agreements do indicate is that a final text is getting closer. Will it beat Christmas? Who knows. Somehow, it is unlikely that Santa is keen on having to lug a new Regulation around to try and squeeze it into your stockings, but progress is progress.

Christopher Knight

The Independent Commission on FOI – Update

November 23rd, 2015 by Christopher Knight

Did we all make submissions to the Independent Commission on Freedom of Information last week? It sounds as though many of you did. Lord Burns, Chair of the Commission, has announced that they received some 30,000 responses to their consultation. Not surprisingly, reading those and thinking about them is something the Commission does not now feel it can do before Christmas. Indeed, Lord Burns has announced he will call oral evidence from some respondents on 20 and 25 January 2016, and the Commission will write their report after that. Hopefully this is a sign that the Commission wants its work to be evidence-based. We wait to see who the lucky individuals are who have been invited to the oral evidence party.

The announcement is here.

Christopher Knight

Expectations of privacy abroad

November 23rd, 2015 by Paul Greatorex

As all celebrities know, to get the High Court to stop paparazzi pictures of you from being published, the first thing you have to do is show you had a reasonable expectation of privacy.  But what if you were snapped outside of the jurisdiction and whilst English law principles suggest that you did have such an expectation, the local law where the photographs were taken says you do not?

The answer given by the Court of Appeal in Weller v Associated Newspapers [2015] EWCA Civ 1176 is that the local law is not determinative and the weight to be given to it is a matter for the judge.

Readers of Panopticon may recall a similar issue arose in Douglas v Hello [2005] EWCA Civ 595 where the Court of Appeal said that the provisions of New York law, which had entitled Michael Douglas and Catherine Zeta-Jones to arrange their wedding there in private, had no direct application since the question of whether the information was private was one of English law.  However, it had also expressed the view that the reverse was not necessarily true, saying that if New York law had permitted any member of the public to be present at a hotel wedding and to take and publish photographs of that wedding, then the photographs “would have been unlikely to have satisfied the test of privacy”.

Ten years later, the decision in Weller suggests the position is not necessarily that simple.  The case concerned a claim by the children of Paul Weller for an injunction and damages for misuse of private information and/or breach of the Data Protection Act 1998, arising out of the publication by the Mail Online of unpixellated photographs of them taken on a street and in a cafe in California.

The Court of Appeal agreed with the judge below that, applying ordinary principles of English law, the children did have a reasonable expectation of privacy and the fact (found by the judge and unchallenged on appeal) that under Californian law there was no such expectation, did not mean the claim must fail. The Court of Appeal said the position under local law was not determinative and the weight to give to it had been for the judge to determine: see [67-71].

On the facts it was held that there was no error by the judge in giving it the very little weight that he had: the connection of the two youngest children (aged 10 months) with California was slight, and certainly so when compared with their parents’ connection with England where the photographs were unlawfully published, and it had heard “very little, if any, argument” about the impact of the fact that the eldest child was living in California at the time. Challenging matters of weight on appeal is always very difficult although this brief reasoning at [70] suggests a particular reluctance to interfere with the decision below.

There are three other points of interest in the judgment.

The first is the summary provided by the Court of Appeal at [29-30] of the case law governing children and privacy:

  • a child does not have a separate right to privacy merely by virtue of being a child;
  • the broad approach to reasonable expectation of privacy is the same for children and adults but as there are several considerations relevant to children but not to adults, a child may in a particular case have such an expectation where an adult does not;
  • in the case of children (as in the case of adults) all the circumstances of the case should be taken into account in deciding whether there is a reasonable expectation of privacy, which should include those listed in Murray v MGN [2008] EWCA Civ 446 at [36] (attributes of the claimant, nature of activity in which claimant was engaged, place at which it was happening, nature and purpose of intrusion, absence of consent and whether known or inferred, effect on the claimant, and circumstances/purposes surrounding information coming into hands of publisher).

The second is that at [81-88] the Court of Appeal upheld the grant of an injunction restraining further publication of the photographs even though the judge had originally found there was no evidence that this would happen, simply on the basis that the Mail subsequently refused to give an undertaking to this effect.  This was said to satisfy the requirement that there be reason to apprehend further publication and complaints about the adverse consequences for freedom of expression were dismissed, although again the terms of the judgment suggest a real reluctance to interfere with the judge’s discretion.

The third is to note that the judgment does not record any appeal against the awards of damages (£5,000 for the eldest child and £2,500 for each of the twins).  Since the claim under the Data Protection Act 1998 was said to stand or fall with the claim for misuse of private information, it remains to be seen whether these awards are used as guidance in nascent case law concerning damages in “pure” DPA claims.

Paul Greatorex

 

Tweet Tweet? #silencingFOIontwitter

November 17th, 2015 by Christopher Knight

Is a request for information made in a tweet a valid request within the meaning of sections 1 and 8 FOIA? Not in Ghafoor v Information Commissioner (EA/2015/0140). The FTT held that section 8(1) requires the request for information to be made using the “real name” of the person making it, and that the provision of an address for correspondence must be one which is “suitable for correspondence” between the requestor and the public authority about the request.

In Mr Ghafoor’s case, his Twitter handle does not contain his real name (it is the well-known @FOIkid account, tweeting about all matters information rights), and the public authority should not, in the view of the FTT, be obliged to look anywhere else for it (even in the Twitter profile itself below the handle). Moreover, a 140 character tweet is not a suitable method of correspondence concerning the request. The FTT did agree that if a request has been validly made through one address, section 11 obliges the public authority to respond to that address and not insist on doing so via some other sort of address (posting a letter when the request was in an email, for example).

The case is fact-specific, and does not necessarily preclude a request being made from a Twitter account with a ‘real name’ in the handle, at least where the information can be properly responded to in tweet form. However, the emphasis on provision of the requestor’s real name – to enable the proper consideration of the use of sections 12 and 14 the FTT held – is problematic. What if an email request is made from an email address which does not clearly show a name, or it is a name but the public authority has no way of checking whether dave.smith@email.com is really a Mr David Smith or is in fact called David Jones? What proof of the real name is required? What if a request is made from a company which does not provide its full registered company name? The judgment might suggest public authorities can too readily answer that the request is invalid, and the reading in of “real” into section 8(1)(b) may be a word too far. There is an argument that the FTT has switched the focus too much onto the requestor rather than the request. Whether Twitter is a suitable method of communication may also be open to argument in some requests, although it plainly would be difficult to properly respond in others and there is no legal obligation on the public authority to publish its answer and link to it (not least because that would reveal the ‘real name’ of the requestor). It will be interesting to see if the issue is re-litigated in other circumstances.

In the meantime, it appears the FTT is fighting back against the social media age. No #ff for the First-tier Tribunal.

Christopher Knight

GDPR & the media – words of warning

November 12th, 2015 by Anya Proops

Since the CJEU gave judgment in Google Spain, there has been much discussion on the conference circuit about whether the judgment rides roughshod over free speech rights. Certainly the lack of any procedural protections for the media within the right to be forgotten regime has been the subject of much heated debate. For those of you wishing to understand how Article 10 rights are likely to fare under the new General Data Protection Regulation, you would do well to start with this excellent article by Daphne Keller, Director for Intermediary Liability at Stanford Law’s Center for Internet and Society (and notably former Assistant General Counsel to Google).

As Daphne makes clear, the GDPR does not offer the media much by way of solace. Quite the contrary, what we see with the new Regulation is a continuing failure on the part of European legislators to accommodate free speech rights within the data protection regime in a structured and systematic manner. To a large extent this lack of protection for Article 10 rights is a product of the fact that historically data protection and the media have rarely crossed swords. Certainly within our own jurisdiction, it is only over the last 18 months or so that an awareness of the potentially very substantial areas of tension has begun to surface (see further not least the discussion of the Steinmetz case on this blog). However, the reality is that the European quest to place data privacy rights centre-stage, in the online world and beyond, now poses serious challenges for the media. This is something which will hopefully start to register at least with those EU regulators who will in due course be charged with applying the GDPR.

Anya Proops

Navigating the Harbours: The Commission Awakens

November 7th, 2015 by Christopher Knight

Like everyone else who operates in the field, this blog may have touched once or twice on the issues arising out of Schrems. Both Robin (here) and Tim (here) have provided some summaries of the sorts of alternatives data controllers will need to think about, and the guidance issued by the Article 29 Working Party as a result. But what, everyone has been asking, does the European Commission have to say about all this?

Happily, the heavy lids of ignorance may be lifted as the Commission has awoken. (Whether it more closely resembles the Force or a Kraken is perhaps a matter of personal preference.) It has produced a lengthy document which is actually both helpful and readily understandable. Not adding umpteen recitals probably helps. It draws together a lot of the practical issues and much of the existing guidance from the Article 29 WP already discussed for a sort of cheat-sheet document to help you navigate the ongoing choppy waters. You can find and download it here.

By way of precis, it informs us that the Commission has now “intensified” discussions with the US about a new Safe Harbour agreement, and that it hopes to have an outcome in three months. That would indeed require a considerable intensification, but there is nothing like ongoing illegality to concentrate the mind.

In the meantime, the Commission reminds us that Binding Corporate Rules are an option only for internal group company data transfers (something often overlooked), summarises what the Article 29 WP have suggested need to be included and, rather optimistically, notes that the process has been facilitated and sped up by inter-Data Protection Authority liaison. Unfortunately, the reality is that in the UK, the ICO has always warned that BCR approval can take 12 months, and many readers will have had the experience of it taking considerably longer. The ICO has a lot of balls to juggle and not many hands, and there has been a deafening silence from the multinationals who want BCRs as to any suggestion of paying for the resources to get them more quickly.

Outside of the BCR context, the Commission stresses its own approved contractual solution between controllers: the Standard Contract Clauses. There are currently four approved sets: two as between controllers and two as between controller and processor. They include obligations as regards security measures, information to the data subject in case of transfer of sensitive data, notification to the data exporter of access requests by the third countries’ law enforcement authorities or of any accidental or unauthorised access, and the rights of data subjects to the access, rectification and erasure of their personal data, as well as rules on compensation for the data subject in case of damage arising from a breach by either party to the SCCs. The model clauses also require EU data subjects to have the possibility to invoke before a DPA and/or a court of the Member State in which the data exporter is established the rights they derive from the contractual clauses as a third party beneficiary. What the Commission adds is to point out that Commission decisions are binding in Member States, and SCCs are a result of Commission decisions. The presumption is, therefore, that the SCCs provide adequate protection (although they can be challenged in a court and referred to the CJEU if necessary). DPAs will want to check any boutique amendments to the SCCs for compliance.

The Commission points out that under the new Regulation the proposal is that neither SCCs nor BCRs will require further authorisation by a national authority.

The third option is, of course, the derogations in Article 26(1). The Commission goes through each, highlighting the existing guidance on them and attempting the balance of making them look like workable solutions whilst stressing the need to construe them strictly. It may well be that much of the routine transfer businesses have used – because of banking transfers or international travel – will be covered by the contractual derogations providing, of course, that the transfer is necessary. The Article 29 Working Party considers that there has to be a “close and substantial connection”, a “direct and objective link” between the data subject and the purposes of the contract or the pre-contractual measure as an aspect of the necessity test. The derogation cannot be applied to transfers of additional information not necessary for the purpose of the transfer, or transfers for a purpose other than the performance of the contract (for example, follow-up marketing). If consent is relied upon it must be “unambiguous”, and so cannot be implied.

What the Commission does not really discuss is the ability of controllers to carry out their own adequacy assessment and rely on that. It is theoretically possible, but inevitably it is a risky route to adopt in this new-found atmosphere of data protection litigation.

The Commission also accepts that all of its other adequacy decisions are open to challenge in courts, but does not consider any to be at immediate risk.

By way of update on global reactions, readers may be aware that the German DPA has taken the most restrictive post-Schrems line; it has declined to approve any new BCRs or amended SCCs for the time being, although it has not said it will invalidate existing agreements. It has also taken a very restrictive line on consent. In Ireland, the remittal by the CJEU to the Irish Courts has led to the start of the domestic process of investigation into adequacy, but those proceedings are at a very early stage still. The passing of the Judicial Redress Bill by the US House of Representatives is being seen as one step closer to the possibility of remedying one hole in the Safe Harbour scheme, which was the difficulty of EU citizens vindicating their rights in the US. Under the new Bill they could, in theory, be designated so that vindication was more plausible, but that is a long way from resolving all of the issues. There are also likely to be implications for the TTIP negotiations, although the sense is that data protection will be carved out of TTIP altogether and left to the new Regulation. However, it is also of interest that the impact has been wider than just the EU-US relationship. Israel – currently subject to an adequacy decision itself – has revoked its own decision giving prior authorisation for the transfer of data from Israel to US companies signed-up to the Safe Harbor, doubtless to ensure that the EU-Israel adequacy decision is not undermined by proxy.

None of this is likely to be the last word, or post, on the subject. January 2016, by which time a solution has to have been found or the DPAs will start enforcing, seems awfully close…

Christopher Knight

Crime and Justice and Data Protection. Oh My.

October 29th, 2015 by Christopher Knight

This is not a lengthy analytical post; it is by way of quick update on the much overlooked younger sibling of the proposed General Data Protection Regulation: the Data Protection Directive for the police and criminal justice sector. Most practitioners are understandably focussing on the Regulation: that is the instrument which will affect most of us most of the time. But the EU is proposing to harmonise the rules across sectors and, at the same time, implement a new Directive applicable to the police and criminal justice sectors. The existing Directive does not, of course, apply to that arena by virtue of article 3(2) (although the DPA 1998 is unlimited in its scope, so the point has rarely been of much relevance domestically).