High Court to hear Safari users’ privacy claim against Google

January 16th, 2014 by Robin Hopkins

Panopticon has from time to time reported on Google’s jurisdictional argument when faced with privacy/data protection actions in European countries: it tends to argue that such claims should be dismissed and must be brought in California instead. This argument is not always successful.

The same jurisdictional argument was advanced before Mr Justice Tugendhat in response to a claim brought by a group calling itself ‘Safari Users Against Google’s Secret Tracking’ who, as their name suggests, complain that Google unlawfully gathers data from Safari browser usage.

This morning, Mr Justice Tugendhat dismissed that jurisdictional argument. The case can be heard in the UK. Matthew Sparkes reports in the Daily Telegraph that the judge said “I am satisfied that there is a serious issue to be tried in each of the claimant’s claims for misuse of private information” and that “the claimants have clearly established that this jurisdiction is the appropriate one in which to try each of the above claims”.

The same article says that Google will appeal. This follows Google’s announcement yesterday that it will appeal a substantial fine issued by the French data protection authority for unlawful processing (gathering and storing) of user data.

Panopticon will continue to gather data on these and other Google-related matters.

Robin Hopkins @hopkinsrobin

Just When You Thought it was Safe to Go Back into the Water – The CJEU Gives Judgment in Fish Legal

December 20th, 2013 by Christopher Knight

Earlier this year, a video went viral. It was a clip of the Ellen DeGeneres talk show in the US, on which she announced – after years of campaigning – that there would be a Finding Nemo 2. The world rejoiced. In an entirely dissimilar way, there is likely to be a strong clamour for the CJEU to produce Fish Legal 2 (although it is likely to be less fun, let alone involve a shark named Bruce). One Fish Legal judgment will not be enough, not for those pesky pescatarians who like judgments to provide answers.

If Julie Andrews has taught us anything, it is that the beginning is a very good place to start. The history of the Fish Legal case, and the AG’s Opinion in it, are covered in my Socratic post here. In short form, the question for the CJEU was whether or not privatised water companies are public authorities such that they owe obligations under the Environmental Information Regulations 2004 (implementing Directive 2003/4).

In its judgment of 19 December 2013, the Grand Chamber of the Court in Case C-279/12 Fish Legal v Information Commissioner opined on this topic. It readily dismissed the suggestions of the case being hypothetical and resolved to deal with the referred questions. At [48] it held that “only entities which, by virtue of a legal basis specifically defined in the national legislation which is applicable to them, are empowered to perform public administrative functions are capable of falling within the category of public authorities that is referred to in Article 2(2)(b) of Directive 2003/4.” It recognised that that did not answer what “public administrative functions” were. In classic CJEU style it set out the tests in the Directive and the facts:

51. Entities which, organically, are administrative authorities, namely those which form part of the public administration or the executive of the State at whatever level, are public authorities for the purposes of Article 2(2)(a) of Directive 2003/4. This first category includes all legal persons governed by public law which have been set up by the State and which it alone can decide to dissolve.

52. The second category of public authorities, defined in Article 2(2)(b) of Directive 2003/4, concerns administrative authorities defined in functional terms, namely entities, be they legal persons governed by public law or by private law, which are entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and which are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law.

53. In the present instance, it is not in dispute that the water companies concerned are entrusted, under the applicable national law, in particular the WIA 1991, with services of public interest, namely the maintenance and development of water and sewerage infrastructure as well as water supply and sewage treatment, activities in relation to which, as the European Commission has observed, a number of environmental directives relating to water protection must indeed be complied with.

54. It is also clear from the information provided by the referring tribunal that, in order to perform those functions and provide those services, the water companies concerned have certain powers under the applicable national law, such as the power of compulsory purchase, the power to make byelaws relating to waterways and land in their ownership, the power to discharge water in certain circumstances, including into private watercourses, the right to impose temporary hosepipe bans and the power to decide, in relation to certain customers and subject to strict conditions, to cut off the supply of water.

It then declined to provide any sort of answer, leaving it to the Upper Tribunal to determine on the case’s return from the stratosphere: at [55]. The key question, at [56], is whether the body is vested under national law with “special powers”. This will not be an easy test to apply. Spiderman and Superman obviously have special powers. Batman does not; he just has a lot of money. Which comic-book hero do privatised industries more closely resemble, and is there a difference of principle between them? Answer came there none.

The second stage of the analysis was whether, because water companies are regulated by Ofwat and the Secretary of State, they are under the control of bodies which are subject to the EIR and so themselves subject. Is an ‘emanation of the State’ in EU law terms (as water companies are) necessarily caught by Article 2(2)(c) of Directive 2003/4? The CJEU gave a fairly strong hint that it normally would be (at [60]), but in the light of the Aarhus Convention basis of the Directive reformulated its analysis:

68. Those factors lead to the adoption of an interpretation of ‘control’, within the meaning of Article 2(2)(c) of Directive 2003/4, under which this third, residual, category of public authorities covers any entity which does not determine in a genuinely autonomous manner the way in which it performs the functions in the environmental field which are vested in it, since a public authority covered by Article 2(2)(a) or (b) of the directive is in a position to exert decisive influence on the entity’s action in that field.

69. The manner in which such a public authority may exert decisive influence pursuant to the powers which it has been allotted by the national legislature is irrelevant in this regard. It may take the form of, inter alia, a power to issue directions to the entities concerned, whether or not by exercising rights as a shareholder, the power to suspend, annul after the event or require prior authorisation for decisions taken by those entities, the power to appoint or remove from office the members of their management bodies or the majority of them, or the power wholly or partly to deny the entities financing to an extent that jeopardises their existence.

70. The mere fact that the entity in question is, like the water companies concerned, a commercial company subject to a specific system of regulation for the sector in question cannot exclude control within the meaning of Article 2(2)(c) of Directive 2003/4 in so far as the conditions laid down in paragraph 68 of the present judgment are met in the case of that entity.

71. If the system concerned involves a particularly precise legal framework which lays down a set of rules determining the way in which such companies must perform the public functions related to environmental management with which they are entrusted, and which, as the case may be, includes administrative supervision intended to ensure that those rules are in fact complied with, where appropriate by means of the issuing of orders or the imposition of fines, it may follow that those entities do not have genuine autonomy vis-à-vis the State, even if the latter is no longer in a position, following privatisation of the sector in question, to determine their day-to-day management.

On this topic at least the CJEU may not have answered the question – it again left it for the Upper Tribunal to determine – but it made its feelings as to the likely outcome pretty clear.

In relation to hybrid public authorities, the CJEU was distinctly unkeen on the importation of such an uncertain test: at [76]. The rejection of hybridity in Smartsource is therefore approved. Instead, it concluded that “Article 2(2)(b) of Directive 2003/4 must be interpreted as meaning that a person falling within that provision constitutes a public authority in respect of all the environmental information which it holds. Commercial companies, such as the water companies concerned, which are capable of being a public authority by virtue of Article 2(2)(c) of the directive only in so far as, when they provide public services in the environmental field, they are under the control of a body or person falling within Article 2(2)(a) or (b) of the directive are not required to provide environmental information if it is not disputed that the information does not relate to the provision of such services”: at [83]. So there can be limits in particular types of case (control cases), but otherwise all environmental information is accessible.

Quite what the result of the judgment is going to be is unclear. Hybridity is dead, and there is some greater clarity on when a body can be said to be under the control of a public authority, but the more general test of when public administrative functions are being exercised remains distinctly murky. It is not likely to be very long before a further reference is sought from somewhere, although it probably will not be announced on the Ellen show.

11KBW’s Anya Proops appeared for the Commissioner in the CJEU, and Rachel Kamm did the same before the Upper Tribunal.

A Merry Christmas to all Panopticon’s readers, and may your 2014 bring you boundless information law litigation.

Christopher Knight

Royal Wills and JR of the Upper Tribunal

December 19th, 2013 by Christopher Knight

Mr Brown became a well-known figure in litigation circles when he sought to unseal the Will of Princess Margaret in the belief that it might reveal information showing him to be her illegitimate son. In the course of his unsuccessful litigation, it was revealed that there existed what had been described orally during the court proceedings as a “Practice Direction in respect of the handling of Royal Wills” (although there is dispute over precisely what form this document takes), produced by the then President of the Family Division following liaison with the Royal Household.

Having failed to unseal the Will, Mr Brown requested a copy of the document from the Attorney General. He was refused, under section 37 FOIA. The First-tier Tribunal upheld that refusal (on which see Robin’s blog here). Mr Brown appealed to the Upper Tribunal on the grounds of inadequacy of the Tribunal’s reasons and a failure to properly apply the public interest test. The Upper Tribunal refused permission at an oral hearing.

Under the revised CPR procedure in rule 54.7A, Mr Brown sought permission to judicially review the refusal of permission to appeal by the Upper Tribunal. Following an oral hearing, Phillips J granted permission. It will now be a matter for the Attorney General (as respondent/defendant in the proceedings) to decide whether to defend the judicial review at a substantive hearing, or simply to defend the substantive appeal in the Upper Tribunal.

For a news report on the decision, see here.

Anya Proops appeared for Mr Brown before the High Court and Upper Tribunal. Jonathan Swift QC and Joanne Clement appeared for the Attorney General. Robin Hopkins appeared for the Commissioner at first instance.

Christopher Knight

APPGER in the Upper Tribunal

November 22nd, 2013 by Christopher Knight

The Upper Tribunal has finally handed down its judgment in All Party Parliamentary Group on Extraordinary Rendition v IC & Foreign and Commonwealth Office [2013] UKUT 560 (AAC). It is a judgment of Charles and Burnett JJ and Judge Wikeley. The appeal was from an FTT judgment which is analysed in detail by Rachel Kamm here. That post also contains the background to the case. In essence, the request was made by the APPGER for information relating to the participation of the UK in the practice of extraordinary rendition. The judgment is long, and will be blogged on in more detail in due course. But in brief, there were five broad grounds of appeal:

1) That the FTT erred in its approach to Article 10 ECHR;

2) That the FTT erred in its construction of section 23(1) FOIA (information relating to a security body);

3) That the FTT failed to provide adequate reasons for its conclusions on section 23(1);

4) That the FTT erred in its approach to the control principle (put simply, that information acquired through diplomatic or security channels is not disclosed without consent) and so failed to carry out the balancing process correctly under section 27 FOIA (international relations);

5) That the FTT erred in its approach to the section 35(1)(a) FOIA exemption (formulation and development of policy).

Grounds 1 and 2 have not been decided. They are stayed pending the judgment of the Supreme Court in Kennedy v Charity Commission (see here).

The Upper Tribunal rejected grounds 3 and 5. They held that the reasons provided by the FTT were sufficient when read as a whole, and that their approach to section 35(1)(a) had been in accordance with the authorities.

The bulk of the judgment concerns ground 4, and the appeal on section 27. The Upper Tribunal held that the APPGER had been rendered ignorant of the FCO’s primary case on the relevant harm caused by disclosure, and that the FCO, the ICO and the FTT had failed to identify or explain this in open session: at [89]-[90]. There was no good reason for this failure, and it resulted in avoidable substantive and procedural unfairness: at [95]-[96]. The failure of the FTT to hold a further hearing or allow further submissions to be made to consider alterations made to the draft judgment at the behest of the FCO was an error of law which perpetuated unfairness: at [113].

Although obiter, the Tribunal also concluded that the FTT’s approach meant that it did not properly understand the underlying reasoning of the arguments advanced and its conclusions did not have a proper evidential and reasoned foundation under section 27: at [118].

The Upper Tribunal also made general observations on the nature of closed sessions; the need for cases advanced in closed to be identified with clarity; the need to make a record of closed sessions; the need to identify in open the competing public interests wherever possible; and the need to limit material adduced only in closed session, along with the utility of schedules identifying the issues: at [144]-[156].

There is much to be taken from the Upper Tribunal decision, and of course the APPGER litigation is some way off being over. Further analysis will doubtless be forthcoming, but you can read the judgment here:

GIA 2230 2012 Upper Tribunal decision

Tim Pitt-Payne QC and Joanne Clement (11KBW) acted pro bono to represent APPGER; Robin Hopkins (11KBW) acted for the Information Commissioner; and Karen Steyn (also of 11KBW) and Julian Blake represented the FCO.

Christopher Knight

The Upper Tribunal’s first consideration of monetary penalty notices

November 21st, 2013 by Julian Milford

The Upper Tribunal has just issued judgment in Central London Community Healthcare NHS Trust v Information Commissioner [2013] UKUT 0551. This significant decision is the first time the Upper Tribunal has considered an appeal against a monetary penalty notice (“MPN”), issued by the Commissioner under section 55A Data Protection Act 1998 (“DPA”).

The Commissioner is empowered to issue an MPN under section 55A DPA, where he is satisfied that there has been a serious contravention of the data protection principles by a data controller, the contravention was of a kind likely to cause substantial damage or distress, and other relevant conditions are met. The amount of an MPN may be up to £500,000. In this case, the Trust had repeatedly faxed sensitive medical details of patients to a member of the public by mistake, believing that it was faxing them to a hospice. The Trust had “self-reported” its own contravention to the Commissioner, who had issued an MPN of £90,000.

The Trust appealed against the MPN under section 49 DPA, first to the First-Tier Tribunal, which rejected the appeal, and then to the Upper Tribunal. The grounds of appeal were fourfold: (1) the Commissioner failed to recognise he had a discretion as to whether to issue an MPN, and failed to consider how it should be exercised; (2) the Tribunal should have concluded that the Commissioner was barred from serving an MPN, because the Trust had self-reported its breach; (3) the Commissioner had acted unlawfully in offering the Trust a discount of £18,000 for early payment of the MPN, but refusing to allow the Trust to benefit from the discount if it decided to appeal; and (4) the quantum of the award was unsustainably high.

The Upper Tribunal rejected all four grounds of appeal. Along the way, it made some useful general observations about the way in which the MPN regime works. In particular, it stated as follows:

(1) The fact that a public authority has self-reported a breach does not prevent the Commissioner from issuing an MPN. Among other matters, the logical implication of that argument would be that a data controller responsible for a deliberate and very serious breach of the DPA could avoid an MPN simply by self-reporting. That could not be correct.

(2) As a matter of principle, the Commissioner has discretion whether to issue an MPN where the statutory conditions for its issue are met, as well as discretion as to the amount. On appeal, the First-Tier Tribunal (“FTT”) must conduct a full merits review of the Commissioner’s exercise of his discretion. The nature of the FTT’s jurisdiction on an appeal under section 49 DPA was akin to the nature of its jurisdiction in an appeal against a decision notice of the Commissioner under section 58 Freedom of Information Act 2000 (“FOIA”). In other words, the FTT’s function under section 49 DPA was to decide whether the Commissioner’s decision to issue an MPN and the amount of the penalty was right.

(3) It was permissible for the Commissioner to operate a scheme which gave a discount for early payment, if and only if the public authority did not appeal. There was a strong public policy argument justifying such a scheme – the early payment and early resolution of the issue. The proper analogy was with discount schemes operated for fixed penalty notices e.g. for minor motoring contraventions.

(4) The Upper Tribunal did in principle have the power to increase a penalty under section 55A DPA, although that issue did not arise on the facts of this case.

The decision is an important validation of the way in which the Commissioner presently approaches the issuance of MPNs, and usefully clarifies the nature of appeals against MPNs.

Timothy Pitt-Payne QC of 11KBW acted for the Trust; Anya Proops of 11KBW acted for the Commissioner.

Julian Milford 

Sex in the IPT

November 8th, 2013 by Christopher Knight

As with all the best headlines, this one is slightly misleading. Readers can scarcely fail to have noticed the coverage surrounding the major ongoing case regarding a former undercover (under-the-covers?) police officer, Mark Kennedy, who (together with others) infiltrated political and environmental activists over a period of years. Claims were commenced in the High Court, with part of the conduct complained of involving ensuing sexual relations between activists/their partners and undercover officers.

Earlier this year, AJA and others v Commissioner of Police for the Metropolis [2013] EWHC 32 (QB) saw part of the claims struck out. The Court held that the Investigatory Powers Tribunal had exclusive jurisdiction over the claims under the Human Rights Act 1998; it struck out these parts accordingly. It observed that conduct breaching Article 3 (inhuman and degrading treatment) – which included the claims relating to sexual activity – could not be authorised under RIPA, but conduct breaching Article 8 (privacy) could be authorised. Sexual activity with undercover officers did not necessarily engage Article 3.

Those parts of the claims which did not concern the Human Rights Act 1998 (actions at common law and for alleged breaches of statutory duties) were not exclusively within the Investigatory Powers Tribunal’s jurisdiction and were thus not struck out as an abuse of process, notwithstanding the police’s difficulties in presenting its case due to the ‘neither confirm nor deny’ approach to covert sources. However, the common law claims were stayed to await the IPT ruling.

The Court of Appeal has now reviewed the decision of Tugendhat J: [2013] EWCA Civ 1342 (Lord Dyson MR, Maurice Kay and Sharp LJJ). In essence, the Court of Appeal felt the High Court judgment was half right.

The Court rejected the submission that the words “personal or other relationship” in s.26(8)(a) of the Regulation of Investigatory Powers Act 2000 formed part of the definition of the type of conduct which could be authorised under s.27 (lawful surveillance) and which, if it was carried out in challengeable circumstances, might be the subject of human rights proceedings before the IPT under s.65. In the plain and ordinary meaning of the words, it included intimate sexual relationships. While some readers of this blog may have had intimate sexual relationships which felt rather impersonal, in general terms it is difficult to see how the Court of Appeal could have concluded otherwise. Parliament clearly intended that human rights proceedings about the establishing of relationships by undercover police officers should only be determined by the IPT: R (A) v Director of Establishments of Security Service [2009] UKSC 12; [2010] 2 AC 1. The IPT had jurisdiction to determine the human rights claims made and was the appropriate forum for their determination.

However, the Court overturned the decision to stay the common law claims (for the torts of deceit, misfeasance in public office, assault and negligence). The legislation gave no priority to the IPT proceedings. It was difficult to see how a decision of the IPT would assist in resolving procedural issues which arose in the court proceedings. The IPT would only issue a summary of its determination and it was difficult to see how that would assist the court. The judge failed to apply the correct test and ask himself whether the respondents had shown that there was a real risk of prejudice to them if the court proceedings took precedence over the IPT proceedings. The respondents could not point to a real risk of injustice if the High Court proceedings continued and certainly not one which outweighed X’s and F’s rights to have their claims heard in open court. The stay was lifted.

The individuals who are understandably aggrieved and distressed by the actions of the undercover officers have won a partial victory. Given the difficulties the police will have in defending the tort claims in open court without revealing material they do not wish to, the lifting of the stay may well end up being the much more important limb of the decision.

For those interested in the background to this case, see this review from the LRB of a recent book on the activities of officers like Mark Kennedy, which explains in some detail the effect undercover relationships have had on both ‘targets’ and officers.

Christopher Knight

Private Detectives, Estate Agents and Data Protection in the CJEU

November 8th, 2013 by Christopher Knight

Belgium has rules on who may act as an estate agent. Mr Englebert (disappointingly, not Humperdinck) was such an estate agent. The professional regulatory body of estate agents (the IPI) applied to the local court to have Mr Englebert struck off the list of estate agents, based in large part on information obtained about him from private detectives. The allegations are not recorded in the judgment of the Court of Justice, but one suspects that the underlying facts are not causing Raymond Chandler to turn in his grave in disappointment at the plot he failed to think up.

The domestic court considered the suggestion that requiring the data subject to be informed of the detective’s investigation in advance or, where the data is collected from third parties, at the time of undertaking the recording of the data at issue, would make it impossible for a private detective to carry on his activities under Articles 10 and 11 of the Data Protection Directive (Directive 95/46/EC). The Tribunal de commerce de Charleroi was uncertain whether, by not extending to private detectives the exceptions to the obligation to inform which apply to other professional categories or bodies working in the public interest (under Article 13 of the Directive), the domestic law might give rise to unequal treatment contrary to the Constitution. The Constitutional Court referred to the CJEU the question whether Directive 95/46 is “to be interpreted as meaning that it leaves the Member States free to choose whether or not to provide for an exception to the immediate obligation to inform set out in Article 11(1) if this is necessary in order to protect the rights and freedoms of others”.

In Case C‑473/12 Institut professionnel des agents immobiliers v Englebert (judgment of 7 November 2013) the Third Chamber of the CJEU ruled that Article 13(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that Member States have no obligation, but have the option, to transpose into their national law one or more of the exceptions which it lays down to the obligation to inform data subjects of the processing of their personal data.

The activity of a private detective acting for a professional body in order to investigate breaches of ethics of a regulated profession, in this case that of estate agent, is covered by the exception in Article 13(1)(d) of Directive 95/46 (which provides an exemption in terms for “the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions”).

It is for the Member States to decide whether they consider it necessary to provide, in their legislation, for the exception laid down in Article 13(1)(d) of Directive 95/46 in favour of professional bodies such as IPI, acting directly or with the help of private detectives. It is open to them to take the view that those professional bodies and the private detectives acting for them have sufficient means, notwithstanding the application of Articles 10 and 11 of that directive, of detecting the breaches of ethics at issue, so that it is not necessary for that exception to be implemented in order for those bodies to be able to carry out their duty of ensuring compliance with the rules (see at [48]).

The CJEU also confirmed that the rules on access to a regulated profession form part of the rules of professional ethics. It follows that investigations concerning the acts of persons who breach those rules by passing themselves off as estate agents are covered by the exception in Article 13(1)(d) of Directive 95/46 (see at [50]).

The CJEU did not itself answer whether it amounted to unequal treatment for Belgian law not to have applied the Article 13 exemptions to private detectives. The effect of the judgment was that Belgium was entitled – although not obliged – to apply the exemption from the duty to inform under Article 11 to private detectives if it chose to do so.

Christopher Knight

Kennedy in the Supreme Court: News Flash

October 30th, 2013 by Christopher Knight

At the close of the first day’s oral argument in Kennedy v The Charity Commission, the Supreme Court indicated that it would be dismissing the first ground of appeal, i.e. on the domestic construction of section 32(2) of FOIA. Reasons for this decision will be given at a later date, but the effect will be that the construction preferred by the Court of Appeal in the first Kennedy appeal ([2011] EWCA Civ 367; [2011] 2 Info LR 152) will stand and that information falling within the scope of section 32(2) does not cease to be absolutely exempt upon the conclusion of the inquiry or arbitration.

The hearing continues on the application, or otherwise, of Article 10 ECHR.

Kennedy reaches the Supreme Court

October 29th, 2013 by Timothy Pitt-Payne QC

The most eagerly awaited Information Law hearing of 2013 starts today.  The Supreme Court will be considering the appeal against the decision of the Court of Appeal in Kennedy v Charity Commission and others [2012] EWCA Civ 317.  The case raises the issue of whether Article 10 of the European Convention on Human Rights confers a right of access to information held by public authorities.  It also requires the Court to construe section 32(2) of the Freedom of Information Act 2000 (an absolute exemption applicable to information held for the purpose of an inquiry).  The Supreme Court is being asked to reconsider aspects of its judgment in BBC v Sugar (No 2) and as a result the appeal has been listed before a panel of seven Justices.

For details of the extensive 11KBW involvement in the hearing, see here.

Timothy Pitt-Payne QC

Data protection reform in the EU

October 22nd, 2013 by Timothy Pitt-Payne QC

In 1913, Parliament was debating the Welsh Church Disestablishment Bill.  F. E. Smith described it as “a Bill which has shocked the conscience of every Christian community in Europe”.  This prompted a stinging rebuke from G.K. Chesterton:  was it remotely plausible that, say, Breton fishermen, or Russian peasants, had the slightest interest in any of this?

“Do they, fasting, trembling, bleeding

Wait the news from this our city?

Groaning, ‘That’s the Second Reading!’

Hissing ‘There is still Committee!’

If the voice of Cecil falters,

If McKenna’s point has pith,

Do they tremble for their altars?

Do they, Smith?”

A hundred years later, the European Parliament is debating data protection reform.  To suggest that every citizen of the Union is hanging on the words of Jan-Philipp Albrecht or Viviane Reding would invite Chestertonian derision.  But there must be a number of businesses that are trembling (if not perhaps fasting or bleeding, as yet) at talk of fines of up to 100 million Euros (or 5% of global turnover, whichever is the greater) for breach of the new requirements.  And the level of interest among ordinary citizens, at any rate in some countries in the EU, should not be underestimated.

The above reflections are prompted by the news that the LIBE Committee of the European Parliament has adopted an agreed position on the proposed new Regulations and Directive.  This gives a mandate for the rapporteurs – MEPs Jan-Philipp Albrecht and Dimitrios Droutsas – to negotiate with the EU Council on Parliament’s behalf.

The full text of the proposed version of the legislation approved by the LIBE Committee has not been made public.  However, this press release from the Commission indicates that there are some important differences between the Commission’s original proposal in January 2012 and the text being put forward by the LIBE Committee.  Notably, the Committee is proposing maximum sanctions of 100 million euros or up to 5% of annual worldwide turnover, as compared with 1 million euros or up to 2% of annual worldwide turnover.

The Committee also wishes to strengthen the territorial scope of the reforms.  The Commission’s original proposal was that in specified circumstances the Regulation should apply to the processing of personal data of data subjects residing in the Union, by a controller not established in the Union.  The Committee is proposing that the Regulation should apply to the processing by a controller or processor not established in the Union.

The Commission’s proposal was that this extra-territorial reach of the Regulation should apply where the processing activities were related to the offering of goods and services to data subjects in the Union, or to the monitoring of their behaviour.  The Committee is proposing that the Regulation should apply to the offering of goods or services to data subjects in the Union irrespective of whether a payment of the data subject is required.  So, on the Committee’s text, a social networking site established outside the EU would be caught if it offered membership to individuals in the Union, even if membership was free.   The Committee also proposes that the Regulation should apply to the monitoring of such subjects (not just to the monitoring of their behaviour).

The Committee’s text also would prohibit disclosure outside the EU of personal data processed in the EU, where such disclosure was ordered by a non-EU court or tribunal, unless the transfer was authorised in advance by the relevant EU national data protection authority.  So, it would appear, if a US court ordered disclosure of personal data about UK citizens, then a US company that complied with that order without the prior authorisation of the ICO would be in breach of the Regulation and could be fined.

Media and online comment (see e.g. here and here) has suggested that the European Parliament’s current approach – strengthening the protection for data subjects, in particular in relation to international transfers – is partly a reaction to the revelations by Edward Snowden about the disclosure of personal information to the NSA.

The next step will be for the Council to decide on its position.  There will be a Council discussion between heads of state and government on 24th – 25th October, relating to the digital single market, followed by a meeting of Justice Ministers on data protection reform on 4th – 5th December.  There will then be a “trilogue” between Parliament, the Council, and the Commission.  The President of the European Commission has called for a final text to be agreed before the European Parliamentary elections in May 2014 – though it seems likely that there will be a further 2 years or so before the new legislation comes into effect.

Timothy Pitt-Payne