Penalties, PECR and PPI

October 22nd, 2013 by Timothy Pitt-Payne QC

Niebel v Information Commissioner is the first Tribunal decision about penalties under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Mr. Niebel successfully appealed against a penalty of £300,000.

The First-tier Tribunal stated that the material before them showed that Mr. Niebel and his company, Tetrus, had sent hundreds of thousands of unsolicited text messages seeking out potential claims for the mis-selling of PPI or for accidents.  There was no dispute that he had breached the requirements under PECR regulation 22, relating to the sending of text messages for direct marketing.  Until 26th May 2011 there was no power to impose penalties for such a breach, but with effect from that date the monetary penalty provisions in the Data Protection Act 1998 (sections 55A-E of the Act) had been extended to cover breaches of PECR.

In the present case, the monetary penalty notice was imposed on 26th November 2011, requiring payment of £300,000.  The Tribunal emphasised the importance of a clear statement in the notice identifying the contravention for which a penalty was imposed.  At the very least this should indicate the regulation contravened, the content of the contravention, and its scale, including roughly how many individual acts there were and how many people were affected.

In this case the Tribunal considered that the notice had failed clearly to identify the contravention.  The notice seemed to be confined to 411 cases, involving a total of 732 texts, in which the recipient had complained to the ICO.  However, some parts of the penalty notice referred to contravention on a much wider scale.

A further difficulty was that the ICO subsequently discovered that most of the 732 texts referred to had been sent before 26th May 2011 (the date when the power to issue penalties came into effect); and the ICO accepted that these earlier texts could not properly be taken into account.  The ICO therefore relied at the Tribunal hearing on 286 texts, not 732:  the number of affected individuals was not stated, but the Tribunal indicated (if the ratio of texts to complaints was consistent) that this would be about 160.

The appeal was brought on one short point.  It was argued that the contravention was not of a kind likely to cause substantial damage or substantial distress, since it was now described as relating to just 286 texts; therefore one of the statutory preconditions for a monetary penalty was not satisfied.

The Tribunal proceeded on the basis that the likelihood of damage and distress should be assessed by reference to the 286 texts now relied upon by the ICO as constituting the contravention, rather than by reference to other evidence showing very large numbers of unsolicited text messages. On this basis, the requirement that the contravention was of a kind likely to cause substantial damage or substantial distress was not satisfied. As far as damage was concerned, recipients might incur charges for replying “stop”, and there might be a small charge if texts were received abroad, but none of this was likely to cause substantial damage. As to distress, the Tribunal considered that the effect of the contravention was likely to be widespread irritation rather than substantial distress. The Tribunal allowed the appeal and cancelled the penalty notice.

The decision leaves open one very important question.  Would the sending of hundreds of thousands of unwanted marketing messages be likely to give rise to substantial damage or substantial distress?  Could one say that, in aggregate, the small costs imposed on a very large number of individuals amounted to substantial damage? Or that the irritation caused to such a large number constituted substantial distress? This issue will no doubt be of great importance in future appeals about monetary penalties under PECR.

Two of my colleagues appeared in this case:  James Cornwell for the ICO, and Robin Hopkins for the Appellant.  Neither of them, of course, bears any responsibility for the content of this blog post.

Timothy Pitt-Payne

Haunted by one’s past – yet another criminal records case

October 10th, 2013 by Anya Proops

As I mentioned in my post last week, the case of T v Secretary of State for the Home Department, which concerns the legality of the current CRB regime, is shortly to be considered by the Supreme Court. The issue in T is whether the blanket requirement that criminal convictions and cautions must be disclosed in the context of an enhanced criminal record check (“ECRC”) undertaken for the purposes of certain types of employment (particularly employment with children or vulnerable adults), even though they are spent, is Article 8 compliant.

But what of cases where an accused has been through the criminal justice system only then to be acquitted of the alleged offenses? Should the data slate in respect of that individual be wiped clean, with the result that the allegations can never surface in the context of an ECRC? Answering that question brings into play the important maxim that, within the criminal justice system, one must be deemed innocent until proven guilty. However, balanced against that maxim, is the recognition that there will be cases where an accused was in fact guilty of the crimes alleged against them, albeit that the Crown was unable to prove that guilt beyond all reasonable doubt. Such individuals may well pose a substantial threat to society, despite their acquittal in the criminal courts. So how should the relevant disclosure bodies balance these competing considerations in the context of the ECRC scheme?

Earlier this year I blogged about two cases where the courts had considered this difficult question in respect of allegations of criminal conduct which had been made, but not proven, as against teachers. In the first case, R (L) v Chief Constable of Cumbria Constabulary [2013] EWHC 869 (Admin), the allegations against the teacher never reached the stage of a criminal prosecution. In the second case, RK v (1) Chief Constable of South Yorkshire (2) Disclosure and Banning Service [2013] EWHC 1555 (Admin), the teacher was acquitted following a criminal trial (see my post here). In both cases, the court held that the inclusion in the relevant ECRCs of information relating to the allegations was unlawful as constituting an unjustified interference with the teacher’s Article 8 rights. A key feature of both of these judgments is that, in the court’s view, the police had acted unlawfully by effectively suggesting that the allegations had been well-founded, despite the lack of any criminal conviction. In a sense, these judgments are unsurprising. After all it cannot be right for the police to suggest that an individual is guilty of an offence when they have not been convicted of any offence following a criminal prosecution.

But does that mean that it will always be unlawful to disclose information about criminal allegations where those allegations have not culminated in a conviction? The recent judgment of the High Court in the case of R(AR) v Chief Constable of Greater Manchester Police & Secretary of State for the Home Department (Case No: CO/13845/2012) indicates that the answer to that question is no.

In AR, an individual who had previously worked as a taxi driver had been accused of raping a particular passenger. He had been acquitted following a criminal trial taking place in January 2011. In March 2012, the Criminal Records Bureau issued an ECRC in connection with an application made by AR for a licence as a private-hire driver. The ECRC made reference to the allegation of rape as against AR. It also confirmed that he had been acquitted following a trial before the Crown Court. AR sought a judicial review in connection with that certificate on the basis that it breached his Article 8 right to privacy. The High Court held that the certificate was unimpeachable. In reaching this conclusion, it is clear that the court was of the view that: (a) the certificate was itself a fairly balanced document and, further, (b) this was a case where the Chief Constable had properly recognised that, whilst the allegations against AR had not been proved to the criminal standard, there was sufficient evidence to suggest that they may yet be well founded and (c) it was reasonable and proportionate to include the allegations in the ECRC given the risk posed to vulnerable passengers if AR had in fact committed the crimes alleged against him.

The court also rejected arguments to the effect that the police’s retention of the data was unlawful under Article 8 and, further, that the police had acted unlawfully by not consulting AR prior to including the information in the ECRC. So far as data retention was concerned, the court held that the police had legitimate reasons for retaining the data both because it may be relevant if further allegations were made against AR and also because other matters could arise involving the complainant. On the procedural challenge relating to the lack of consultation, the court held that this was not well founded both because AR had had an opportunity to put his case in the context of an earlier comparable ECRC and because the police had in any event anticipated all the substantive arguments AR might have wanted to make.

Importantly therefore, an acquittal is not the get out of jail free card it might at first appear to be, certainly in terms of the accused’s data rights.

Jason Coppel QC, who is also acting in the T case, appeared for the Secretary of State.

Anya Proops

Post-summer round up

October 4th, 2013 by Anya Proops

It has been a relatively quiet summer on the information law front. However, this has very much been the calm before the storm. Important up-coming hearings include not least:

– Kennedy in the Supreme Court (application of the Article 10 right to freedom of expression in the context of FOIA; previously discussed on Panopticon here, here and here): hearing listed for 29-31 October;

– T v Secretary of State for the Home Department in the Supreme Court (whether CRB disclosure regime is compatible with Article 8; Court of Appeal judgment previously discussed on Panopticon here): hearing listed for 9-10 December;

– Edem v Information Commissioner & FSA in the Court of Appeal (appeal against Upper Tribunal FOIA decision that information comprising an individual’s name taken together with information as to their role within an organisation constitutes ‘personal data’, such that it may fall within the scope of s. 40 FOIA): hearing listed for 14 November;

– Central London Community Healthcare NHS Trust v Information Commissioner in the Upper Tribunal (appeal against the first ever tribunal decision on the imposition of a monetary penalty notice by the Information Commissioner under the DPA; see previous post on this case here): hearing listed for 16 and 17 October;

– East Sussex County Council v Information Commissioner & Anor in the First-Tier Tribunal: hearing listed for 12-13 November 2013. The case in question is the fourth case to come before the tribunal concerning the imposition of charges by local authorities under the EIR for the provision of property search information – see further the tribunal decisions in East Riding of Yorkshire Council v IC, Kirklees Council v IC and Leeds City Council v IC. In the Leeds case, the Tribunal held that the relatively substantial charges which the Council had sought to impose were impermissible under the EIR. In reaching this conclusion, the Tribunal held that, under r. 8 EIR, a public authority was entitled to impose charges only in respect of the costs of transmitting the information to the applicant and was not entitled to charge for other costs such as the costs of searching for, retrieving and redacting the information. The Tribunal held that this conclusion was in keeping with the conclusions which had been reached by the ECJ in Commission v Germany (Case C-217/97) (the decision is discussed in more detail here). In East Sussex, both the Council and the Commissioner will be inviting the Tribunal to refer to the CJEU the question of the scope of a public authority’s power to charge applicants for environmental information, having regard to the relevant provisions in the Directive.

And in other news…

– This week the First Tier Tribunal heard the first ever appeal against the imposition of a monetary penalty notice under the Privacy and Electronic Communications Regulations 2003. The appeal was brought by Tetrus Telecoms and concerned the sending of unsolicited text messages. You can read the relevant MPN here. A second set of appeals is due to be heard later on this year, this time concerning Nationwide Energy Services and We Claim U Gain Limited. It concerns the sending of unsolicited telephone calls (see the relevant MPN here). It will be interesting to see whether the Tribunal calibrates its approach depending on the type of communication in issue.

11KBW heavily dominates in all of the above cases. No doubt they will all be subject to further comment on Panopticon in due course.

Anya Proops

Public Authorities under the EIR – Fishing for an Answer from the AG

September 6th, 2013 by Christopher Knight

Panopticon is fairly sure that it can imagine the breakfast table dialogue in most right-thinking households this morning. Namely:

“Who owes obligations under the Environmental Information Regulations 2004? Public authorities: regulation 2.

Who is a public authority? Erm, well, not water companies: Smartsource v IC and a Group of 19 additional water companies [2010] UKUT 415 (AAC).

Are we sure? No and it has been necessary to refer the question to the Court of Justice of the EU to find out: Fish Legal v IC [2012] UKUT 177 (AAC) (again about water companies).

What have the CJEU got to do with the price of fish (legal)? Because the EIR implements Directive 2003/4/EC and so the correct interpretation is a matter on which definitive guidance can be sought from Luxembourg.

And what does the CJEU think? We don’t know yet, but we are a bit closer after Advocate General Villalon delivered the AG’s Opinion in the case yesterday: see Case C-279/12 Fish Legal v Information Commissioner, Opinion of 5 September 2013.

So what does the AG say? The test is posed along the following lines. It is for the national court to establish whether the water companies concerned may impose on individuals obligations for which they did not require the consent of those individuals, with the result that the companies concerned were in a position substantially equivalent to that of the administrative authorities. An individual was under the control of a body if his actions were subject to a degree of control exercised by that body or person which prevented him from acting with real autonomy in private affairs, thereby reducing him to the status of an instrument of the will of the State. Bodies or persons who also performed other, completely separate, non-public activities were not under an obligation to provide the information which they obtained in relation to those activities. [This sounds a bit like hybrid public authorities under s.6 of the Human Rights Act 1998, which has caused no difficulties in application at all. Ahem.] If in doubt, they should have to disclose the information.

And will the CJEU adopt this test? Wait and see. But usually the AG’s Opinion forms a key part of the Court’s analysis. So it is a good pointer, even if not the definitive answer.

And will the judgment, when it comes, tell us whether privatised water companies are public authorities? Probably not. That will almost certainly be left to the Upper Tribunal to decide in the light of the CJEU’s Delphic pronouncements.”

Doubtless there will be plenty more litigation to come, not to mention the cases stayed pending Fish Legal, and Panopticon will bring you the CJEU judgment when it appears.

11KBW’s Anya Proops appeared for the Commissioner in the CJEU, and Rachel Kamm did the same before the Upper Tribunal.

Christopher Knight

Penalty shoot out – tribunal decision in Scottish Borders Council appeal

August 21st, 2013 by Anya Proops

The First-Tier Tribunal has today issued its decision in the Scottish Borders Council monetary penalty notice case – the decision can be found on the tribunal’s website here (11KBW’s Robin Hopkins acted for the ICO). The background to the case is that the ICO had issued SBC with a monetary penalty notice requiring it to pay a penalty of £250,000. The penalty was issued in circumstances where a data processor, appointed by SBC to digitise its pension records, had ended up placing the hard copies of the records in the post box bins at Tesco and another supermarket. In total about 1,600 files had been disposed of in this way. SBC appealed against the imposition of the penalty to the Information Tribunal. The Tribunal held that the penalty was unlawful and, indeed, that the Commissioner had no power to issue a penalty under s. 55A DPA. This was because, whilst SBC had seriously contravened the DPA, the facts and circumstances of the case were such that the contravention was not of a kind likely to cause substantial damage or distress. Thus, an essential precondition for the engagement of the Commissioner’s power to issue a penalty under s. 55A had not been met. I am reluctant to comment further on this decision as I am shortly to be appearing against Timothy Pitt-Payne QC in the first ever appeal to the Upper Tribunal on the application of the monetary penalty regime (Central London Community Healthcare Trust NHS v IC). However, doubtless one of my colleagues will in due course provide illuminating analysis of this important decision.

Anya Proops

New subject access code published by ICO

August 9th, 2013 by Anya Proops

Yesterday I posted about a new and important High Court judgment on the application of the subject access regime. As it happens, yesterday was also the day on which the Information Commissioner published his new ‘Subject Access Code of Practice’. This is an important document which requires careful consideration by anyone working in the DPA field. Points which are particularly worthy of note include the following:

  • subject access a ‘fundamental right’ – The Commissioner identifies the data subject’s right to access his or her personal data as a ‘fundamental right’ (p. 7). However, interestingly the code does not examine in any detail why this is such an important right. Instead, it simply says: ‘Enabling individuals to find out what personal data you hold about them, why you hold it and who you disclose it to is fundamental to good information-handling practice. The Data Protection Act 1998 (DPA) gives individuals the right to require you to do this.’  (p. 5). However, it is important that data controllers understand why the subject access right is such a fundamental right. The answer to this question lies very clearly in the recitals to the EU Directive from which the DPA is derived, Data Protection Directive 95/46/EC. Those recitals make clear that the underlying objective of the data protection regime is to ensure that personal data is handled in a way that properly protects the privacy of data subjects. The subject access regime is designed to support the privacy rights of individuals by ensuring that they are, in effect, able to monitor how data controllers are processing their data.

 

  • requests made by social media – applicants are entitled in principle to make subject access requests via the data controller’s Facebook page, its Twitter account or any other social media sites to which it subscribes, although the Commissioner accepts that this may not be the most effective way to deliver a request in a form which will enable the data controller to respond to it easily and quickly (p. 10).

 

  • a child’s right of access – Data about a child belongs to that child, rather than to any parent or guardian. It is therefore the child which enjoys the right of access to their data, albeit that that right may be exercised on their behalf by their parent or guardian. A variety of considerations come into play when a data controller is asked to respond to a request made by a child directly (p. 11).

 

  • purpose of the request not a relevant consideration at the stage when requests are being responded to – The Commissioner continues to take the position that an applicant’s purpose or motive in making a subject access request does not affect the request’s validity or the data controller’s duty to respond to it (p. 20). This is an important consideration because very often subject access requests are not made for the purpose of ensuring that a data controller is processing the data subject’s data in a manner which safeguards their privacy but rather in order to afford a data subject an advantage in litigation which they are conducting, usually against the data controller. It should be noted that the Commissioner’s position on this issue has yet to be tested by the High Court or any appellate court (cf. the Southern Pacific Personal Loans case I blogged about yesterday and compare the conclusion reached by the Court of Appeal in Abadir, which you can read about here). See further the discussion of the Commissioner’s enforcement powers below.

 

  • scope of the data controller’s search obligations – A key consideration for data controllers when they are responding to subject access requests is how far they have to go when searching their complex, multi-layered information systems for potentially relevant data. The Commissioner has now made clear that considerations of reasonableness and proportionality can properly come into play as and when a data controller is considering how to discharge its search obligations. Thus, the code states that, whilst there are ‘no express limits’ on the search obligation provided for under the DPA, data controllers are: ‘not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information’. That said, the code goes on to attenuate the effect of this conclusion by stating that: data controllers should still ‘be prepared to make extensive efforts to find and retrieve the requested information’; any decision as to the scope of the data controller’s search obligations should take into account the fundamental nature of the right afforded under s. 7 and, further, requests cannot be refused simply because they are ‘labour-intensive or inconvenient’ (p. 22). This analysis will give little comfort to small and medium sized businesses where wide-ranging subject access requests may have commercially crippling effects.

 

  • Commissioner’s enforcement functions – The code alludes to the Commissioner’s power to issue an enforcement notice in cases where a data controller has failed to comply with its obligations under the subject access provisions. It makes clear that: a notice will not necessarily be served ‘simply because an organisation has failed to comply with the subject access provisions’; the Commissioner will consider whether the failure is likely to cause or has caused the data subject to suffer damage or distress (as per the requirements of s. 40(2) DPA); whilst he can serve a notice in the absence of  damage or distress, ‘it must be reasonable, in all the circumstances, for him to do so’; and importantly ‘he will not require organisations to take unreasonable or disproportionate steps to comply with the law on subject access’ (p. 53).

 

  • Importantly, the code goes on to allude to the fact that, where an applicant seeks to enforce their subject access rights by going to the court under s. 7(9) DPA, the court may treat the application as an abuse of process if the request has been made against a backdrop of litigation and as a means of accessing information which ought properly to be dealt with through the disclosure process. However, somewhat unhelpfully the code is entirely unclear on whether the Commissioner would regard this as a relevant consideration in the context of the discharge of his statutory enforcement functions. Instead, it simply refers the reader back to the point made in chapter 9 of the code that requests cannot be refused based on the purpose for which they were made (p. 59). Of course from the data controller’s point of view, it would obviously be entirely unsatisfactory if there were to be an asymmetry in the enforcement regime, with a data subject being able to get a better result if they seek enforcement from the Commissioner under s. 40 as opposed to the result they would get if they went to court under s. 7(9). Query whether the Commissioner ought in the circumstances to be striving to achieve an approach to enforcement which is aligned with the approach adopted by the courts.

Anya Proops

Subject access – important new High Court judgment

August 8th, 2013 by Anya Proops

It is a strange feature of the DPA subject access regime that, despite having extremely far reaching legal effects, to date it has only rarely been the subject of judicial analysis. This is in no small part because the costs of bringing disputes over the application of the legislation before the courts are generally prohibitive. As readers of this blog will know, there have been some fairly recent county court judgments which have considered the application of the regime (see in particular the posts on the judgments in Elliott and Abadir here and here). However, jurisprudence emanating from the High Court has been decidedly thin on the ground. Today however the High Court has handed down an important judgment on the application of the regime: In the Matter of the Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Admin). Readers will want to note in particular that part of the judgment where the court considered the relevance of the applicant’s purpose or motive in making a subject access request (SAR) – as discussed below.

The background to the case is somewhat unusual. In summary, a company which is a member of the Lehman Brothers group of companies, Southern Pacific Loans Limited (C), had gone into voluntary liquidation. Prior to the liquidation proceedings, C had been in the business of offering loans to customers, secured by means of a second mortgage on the customer’s property. C had used a third party company (A) to process data relating to certain of the loans and indeed A continues today to hold data relating to tens of thousands of redeemed loans (“the data”). C had received and was continuing to receive numerous subject access requests in respect of the data. The requests had principally been made by claims handling companies which were using the SARs as a device to obtain data relevant to claims which might potentially be brought by C’s customers. In effect therefore the data was being sought in order to advance the customers’ position in the context of prospective litigation rather than for the purposes of ensuring that the customers’ privacy was being properly protected in the context of the processing of their data by C. The cost to C of dealing with the requests was very substantial, averaging at least £40,000 per month (or £455 per request). The liquidators were concerned that a continuation of such costs would potentially have a material impact on the distribution of funds to creditors of C in the liquidation. In a sense this raised the question of whether the rights of data subjects under the DPA could trump those of creditors in a liquidation. The liquidators, seeking to protect the position of the creditors, made an application to the court for declaratory relief which would have the effect of: (a) enabling further subject access requests to be refused and, further, (b) enabling the liquidators to dispose of the data, which were no longer required by C for business purposes.

The following important points emerge from the ratio of the judgment of David Richards J:

  • liquidators cannot themselves be regarded as ‘data controllers’ in respect of data processed by a company in liquidation. This is because liquidators do not act as ‘principals’ in respect of the data but rather as ‘agents’ acting on behalf of the company in liquidation. This is the case irrespective of whether liquidators are acting in the context of voluntary or compulsory liquidations. Thus, liquidators are not personally responsible for ensuring compliance with s. 7 DPA (paras. 17-35).

 

  • so far as the disposal of data is concerned, regard should be had to the fifth data protection principle which obliges data controllers to ensure that data is not processed longer than is necessary for the purposes for which it was processed. Looked at from a DPA perspective, this meant data should be ‘disposed of as soon as possible’ (para. 39). The question was therefore whether there were any legal requirements which, in the present case, acted as impediments on the disposal of the data. There were two impediments potentially in play in the present case:

 

  • first, data could not be disposed of if retention of that data was required in order to enable C to fulfil its statutory subject access obligations in respect of extant SARs (s. 8(6) DPA)

 

  • second, data could not be disposed of if retention of that data was necessary in order for the liquidators to be able to discharge properly their statutory duties as liquidators. In the present case, that meant that particular data could not be disposed of if retention of the data was required in order to deal with claims which may be lodged against C.

Importantly, however: ‘The liquidators are not under a duty to retain data so that it can remain available to be mined by former customers or claims handling companies with a view to making claims against third parties’ (para. 40). The liquidators were at liberty to dispose of all the data, subject to the two qualifications outlined above (para. 41).

The court also made a number of obiter comments which are particularly worthy of note:

  • data subjects are not entitled to use the SAR to demand disclosure of documents. Their entitlements extend merely to data rather than to documents (para. 43). (This is of course an important consideration as and when applicants are using the SAR regime to obtain advantages in litigation against the data controller or a third party)

 

  •  properly understood, the Court of Appeal’s judgment in Durant v Financial Services Authority is not authority for the proposition that requests under s. 7 DPA may be refused by the data controller if they are being made for the purposes of furthering the data subject’s position in litigation, as opposed to protecting their privacy. The question of whether SARs could lawfully be refused in these circumstances was a question for another day. However, following Durant, the question of the applicant’s purpose was a factor which was relevant to the exercise of the court’s discretion in the context of an application for enforcement made by the applicant under s. 7(9) DPA (para. 46). This last point will come as some relief to the data controller who is facing a heavily litigation-preoccupied data subject.

The court expressly declined to consider the question of the impact of s. 8(2) DPA (the ‘disproportionate effort’ provision). Thus, it did not examine the question previously considered in Ezsias v Welsh Ministers as to whether data controllers can lawfully limit their searches for personal data by reference to what is reasonable and proportionate in all the circumstances (paras. 47-49).

11KBW’s Robin Hopkins acted for the Information Commissioner.

Anya Proops

A Mixed Week for Prince Charles

July 26th, 2013 by Christopher Knight

Prince Charles has had an interesting week. In an announcement eagerly awaited by the massed ranks of the world’s media, with live coverage continuing interminably on all news channels, a small piece of paper was placed on a gilded easel which informed the impatient public that on 25 July 2013 Lord Judge CJ was delivered of permission to appeal against the Divisional Court’s judgment in support of the veto over release of the Prince of Wales’ correspondence with Ministers. The Court of Appeal will accordingly hear the appeal in R (Evans) v HM Attorney General (see Panopticon posts ad nauseam) in due course.

Oh, and apparently there was something about a baby this week. This has no direct implications for information law and so will be of no interest to readers of this blog.

Christopher Knight

Judicial Review of Prince Charles Correspondence Veto Fails

July 10th, 2013 by Christopher Knight

A three-judge Divisional Court comprising Lord Judge CJ, Davis LJ and Globe J has refused the application of a Guardian journalist to judicially review the exercise by the Attorney General of the right of veto under section 53 of the Freedom of Information Act 2000.

The background to R (Evans) v HM Attorney General [2013] EWHC 1960 (Admin) is the decision of the Upper Tribunal ([2012] UKUT 313 (AAC); [2012] Info LR 352) that correspondence between the Prince of Wales and various Government departments was not exempt from disclosure under freedom of information legislation. Following the Upper Tribunal decision the Attorney General issued a veto under section 53, effectively overriding the decision of the Upper Tribunal.

This case is the first time a section 53 veto has been judicially reviewed.

Jonathan Swift QC and Julian Milford appeared for the Attorney General. Timothy Pitt-Payne QC appeared for the Information Commissioner as an interested party.

Further analysis will doubtless follow.

Christopher Knight

A Search (Engine) for Enforcement? (Yes, Google again…sigh.)

July 5th, 2013 by Christopher Knight

In a move apparently carefully designed to hurt this blog’s rankings in the leading search engine algorithm, Panopticon must – yet again – note Google’s noble efforts to single-handedly ensure the development of data protection and privacy law.

Robin Hopkins has noted the AG’s Opinion on Google and the right to be forgotten case. I have noted the enforcement action taken by the ICO against Google in relation to the data harvested by its Street View cars.

Readers with marginally longer memories (or an expert search engine) may recall my blogging that on 20 June the French data protection agency issued a statement in relation to its investigation into Google’s privacy policy, announcing that it was taking enforcement action following a Europe-wide series of investigations which the French had spearheaded. I noted that the ICO had yet to announce its own decision.

Well, on 4 July, the ICO did announce its decision. It too has written to Google to inform the company that its privacy policy raises serious questions of non-compliance with the Data Protection Act 1998 and Google has been given until 20 September to amend the policy in a compliant manner or face formal enforcement action.

The ICO’s press release is here, and the text of their announcement is:

“We have today written to Google to confirm our findings relating to the update of the company’s privacy policy. In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act.

In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.

Google must now amend their privacy policy to make it more informative for individual service users. Failure to take the necessary action to improve the policy’s compliance with the Data Protection Act by 20 September will leave the company open to the possibility of formal enforcement action.”

Google’s core values famously included the phrase “Don’t be evil”. Potential breaches of the DPA are perhaps not quite in that league (or at least, not usually), but Google is certainly having a difficult time finding its way through the DPA thicket. If only they could just Google the answer…

Christopher Knight