Bara and Weltimmo: First Thoughts on Second Sight

October 5th, 2015 by Christopher Knight

Now the immediate dust has settled on last week’s judgments of the CJEU in Bara and in Weltimmo, it is perhaps worth briefly revisiting both to note some of the real issues and questions which arise. Answers are harder to come by, but the theme is of a rigid approach by the Court to Directive 95/46/EC which squeezes data controllers until the regulatory pips squeak. The impact of both judgments, not to mention the forthcoming Schrems, could be really significant and, frankly, counter-productive in terms of encouraging the free movement of goods and services. Free movement of data is not a Treaty right, and there are obvious needs to place limits and protections on personal data, but whether the CJEU is adopting an approach which gives businesses sufficient room for practical manoeuvre is another matter.

Some thoughts then on a re-reading of both judgments:

Bara

  • Although the context was transfers between public authorities, the principle is not so limited. Any transfer of data to a third party which does not already have express consent will be at risk of unfair processing.
  • Just because the two parties to the transfer agree it, and may be obliged to do it (contractually, say), that does not mean the data subject has approved it. Because both making and taking the transfer are acts of processing both data controllers need to have notified the data subject. That is onerous and easy to overlook.
  • Not only does the data subject need to have agreed the transfer, they need to know why the transfer is happening (i.e. the purpose). This is much more information being provided to the data subject than one usually sees.
  • None of this is any different from the principle adopted in Optical Express; if someone fills in a travel survey with Thomas Cook and isn’t told that their data will be sold to another company who will send them laser eye surgery texts, how can they make an informed choice about what they want to object to? This is essentially the point Bara makes.
  • But does anyone actually send DP notices to data subjects? Not, one suspects, very many. Certainly not as many as should do so.
  • That also plays into compliance with the third and fourth data protection principles. If your data isn’t up to date, you cannot properly notify the data subjects (DPP4). If you have harvested and kept excessive amounts of data, you have to spend an unnecessary amount of time and money on notifications (DPP3).

Weltimmo

  • Weltimmo has a more obvious immediate impact. You don’t get to situate yourself in one (doubtless the most regulatorily convenient) jurisdiction and ignore the regulators in all other Member States if you are targeting your online business to those other States. They can all come after you, and even if they can’t, they can get your home regulator to do so.
  • This is a major move away from a one-stop shop system of DP regulation, whilst implying a pan-European consistency that isn’t really there on the ground. The variations in the application of Google Spain are a good example of just how far apart the national regulators can be.
  • On any interpretation of the judgment, the outcome is not one which multi-national companies will have expected or wanted. Major online businesses face the prospect of being subject in every detail to regulators of every Member State. Nor can they ignore judgments in cases against them in more tangential parts of the business empire because under the Brussels I regime a civil judgment in one Member State is enforceable in any other.
  • How one gets around Weltimmo is going to be tricky to work out. Will it be enough to have a website in English targeting English customers, but not to have any physical presence in England? What about no employees but an English bank account? Essentially, are the factors listed by the CJEU cumulative or distinct (given the need for only a “minimal” activity)?
  • Private international lawyers will struggle slightly to classify Article 4. Is it a jurisdiction issue or a choice of law issue? The CJEU states a conclusion in terms of an applicable law, whilst considering factors which are classically jurisdictional. In reality, it is probably both. The question of where an establishment is to be located is a jurisdictional one, although which law applies to that issue is probably an odd combination of the lex fori and sui generis European concepts as set out in Weltimmo. But once establishment has been, well, established, then that determines the choice of law: it is the law of the place of the establishment. It is just that there may be more than one establishment (i.e. at least Slovakia and Hungary) and therefore more than one applicable law. This is not very doctrinally coherent, particularly when one moves to trying to work out the jurisdictional competence of a court, and then the applicable law, of a private claim for breach of the implementing legislation. How are they meant to match up? Indeed, are they? Is Article 4 entirely divorced from Brussels I? (It might be for the actions of regulators, which would be engaging in administrative activities and outside the scope of Brussels I, but Article 4 applies to actions taken by the data subject too. Is it meant to be a self-contained code? Unclear.)

The fact that answers do not readily appear to all of these issues may itself be a troubling indicator of a lack of wider and/or deeper thought by the CJEU as to how its judgments will actually work in practice. Doubtless some will be worked through in time. But much of this is far too important to real people doing real things to be left to iron itself out over the next five years. Still waters may run deep, but it is the murky ones you drown in.

Christopher Knight

What can journalists report about private court proceedings they attend? Trying to sort out the mess

October 5th, 2015 by Paul Greatorex

Former rock ‘n’ roll star Liam Gallagher and former pop star Nicole Appleton were married with children and seemed rock steady as a couple but sadly are now getting divorced and left wondering “where did it all go wrong?”  Whatever, some might say, stop crying your heart out about water under the bridge and just roll with it – this is a serious blog whose readers would never ever expect to find stories about celebrity gossip, still less a list of Oasis and All Saints song titles masquerading as a post about information law.

But don’t go away, because the judgment of Mostyn J in Appleton v Gallagher [2015] EWHC 2689 (Fam) is an interesting one about the very important issue of what the press can report about private court proceedings.  Little by little, closed family proceedings are opening up: changes to the Family Procedure Rules made in 2009 permitted journalists to attend private court hearings in the Family Division.  The court can make an order excluding them, but only after considering lesser measures such as a reporting restriction order.

In the present case, journalists from the Sun and other newspapers (possibly including the Hindu Times, the judgment does not say) wanted to attend and report on Mr Gallagher and Ms Appleton’s ancillary relief proceedings; Mr G and Ms A wanted to have the press excluded.  For procedural reasons it fell to Mostyn J to decide whether reporting restrictions should be imposed before a separate judge decided whether the press should be excluded altogether.

Confused?  According to Mostyn J at [6], it is an understatement to say that the law in this area is a mess.

As the judge said at [9], although section 12 of the Administration of Justice Act 1960 explicitly provides that the reporting of proceedings held in private (except for those which wholly or mainly concern children) is not a contempt of court, such reporting is nonetheless prohibited as a result of the implied undertaking that attaches to disclosed information.  In the context of private ancillary relief proceedings where there is an obligation to make full and frank disclosure of all financial information that goes far wider than the duty of disclosure in an ordinary civil dispute, the courts have been particularly strict in enforcing this.  As stated by Thorpe LJ in Clibbery v Allen (No 2) [2002] EWCA Civ 45, “all the evidence (whether written, oral or disclosed documents) and all the pronouncements of the court are prohibited from reporting and from ulterior use unless derived from any part of the proceedings conducted in open court or otherwise released by the judge.”

The submission on behalf of the press (described by Mostyn J as “very bold”) was that this position is now different as a result of the 2009 rule change.  Mostyn J rejected this saying the purpose of this “was to enable the world to understand how children proceedings, especially public law care proceedings, were conducted”, and referred to what was said in Re Child X (Residence & Contact – Rights of Media Attendance) [2009] EWHC 1728 (Fam) about it enabling the media to exercise a role as “watchdog” on the part of the public at large.  It was not, however, “intended to abrogate [the] core privacy provided by the implied undertaking and the hearing of the proceedings in chambers”, a privacy which he said has been “maintained and endorsed” by Parliament.

In the alternative, the judge said that even if the matter was one of an ordinary balancing exercise, this came down in favour of not allowing reporting, highlighting: (a) the fact that neither party had sought to “yoke the press to his or her cause” or spoken about the divorce and (b) press comments thus far had been limited and there had not been extensive inaccurate speculation.

Some might say [you’ve done this one already – Ed] this judgment will surely be overtaken soon by a comprehensive reconsideration of the law by the Court of Appeal, something urged by Mostyn J at the conclusion of his judgment when he granted permission to appeal.  As such, it remains to be seen whether this judgment will live forever or just slide away [That’s enough – Ed.].

Paul Greatorex

 

Share and Share Alike – Childhood Lessons Not Approved by CJEU

October 1st, 2015 by Christopher Knight

Back in July I posted on the Opinion of the AG in Case C-201/14 Bara v Presedintele Casei Nationala de Asigurari de Sanatate and the CJEU has now handed down its judgment, happily for me in English. The context is that people deriving their income from independent activities were called to pay their contributions to the Romanian National Fund for health insurance, following a tax notice issued by the Romanian health insurance fund. However, that tax notice was calculated on the basis of data on income provided by the National Tax Administration Agency under an internal administrative protocol. The complaint was that the transfer by the Tax Agency to the Health Insurance Fund of personal data, particularly related to income, was in breach of Directive 95/46/EC because no consent had been provided to the transfer, the data subjects had not been informed of the transfer and the transfer was not for the same purpose as the data was originally supplied.

The CJEU has dealt with the matter in pretty unambiguous terms. Such data sharing was a breach of Article 6 of the Directive, which requires processing to be fair and lawful, because data subjects were not informed of the transfer to another public body or the purpose for the transfer: at [34]. It was a breach of Article 10, which requires the data subject to be provided with information concerning the identity of the controller and the purposes of processing, because no such information had been provided, and the derogations in Article 13 had to be done through legislative measures, whilst the Romanian public bodies simply did it by way of a protocol: at [38] and [41]. Moreover, it was a breach of Article 11, which requires a controller who has not obtained the data from the subject itself to inform the data subject of its identity and the purposes of processing, because neither of the public authorities had told data subjects anything at all: at [43].

All in all, your mother was wrong. Do not share things. Or at least, do not share personal data without providing very clear information to the data subject about what is happening and why. It doesn’t matter if you are a public authority. Go to bed without any supper.

Christopher Knight

Cross-Border Data Protection in the Internet Age

October 1st, 2015 by Christopher Knight

One of the great difficulties facing data protection lawyers is how Directive 95/46/EC copes with the internet age. How do you work out where processing has happened? How do you work out who is responsible? Where can you sue them or otherwise take action against them? What law applies (important given that the Directive has been implemented in different ways in different Member States)?

Article 4 provides some of the answer:

“1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.”

The decision of the CJEU in Google Spain gave some consideration to these matters, but while it certainly established that one could pursue Google through it having a presence in a Member State, it did not really deal with the smaller fry.

However, the CJEU’s decision today in Case C-230/14 Weltimmo v Nemzeti (judgment of 1 October 2015) provides a bit more clarification. Weltimmo (as Anya’s post on the AG’s Opinion has previously discussed) is a company registered in Slovakia, but which the Hungarian data protection authority wished to fine for breaches of the Directive. Those breaches related to the activities of property dealing websites Weltimmo ran which advertised properties in Hungary and revealed various items of personal data of the property owners. What factors were relevant in working out whether Weltimmo was established in Hungary under Article 4?

Article 4, stressed the Court, was the key to determining the national law applicable: at [23]. The Directive had prescribed a broad territorial scope (see Google Spain): at [27]. In the particular context of the internet, said the Court without particularly expressing why there should be different tests for different types of business, when working out whether Weltimmo was also established in a State where it was not registered, one had to consider “both the degree of stability of the arrangements and the effective exercise of the activities” in the light of “the specific nature of the economic activities” concerned: at [29]. (No mention of where there was not a clear economic activity.) An establishment can be shown by “any real and effective activity – even a minimal one – exercised through stable arrangements”: at [31].

What is relevant then? The presence of just one representative can be sufficient if acting with a sufficient degree of stability through the presence of the necessary equipment for the provision of the services (i.e. not necessarily where the servers are): at [30]. Running a website about properties in Hungary, written in Hungarian, which charges advertising fees constituted a real and effective activity in Hungary: at [32]. The presence of a representative in Hungary, who acts as a point of contact with the Slovak company and the data subjects, and a Hungarian bank account, and a Hungarian letter box for the business, were all capable of showing an establishment: at [33]. What is not relevant is the nationality of the data subjects: at [40] (which is consistent with the classic approach to jurisdiction under the Brussels I regime). The processing itself must take place in the context of the activities in Hungary, but the Court had no difficulty with that: at [38]. As a result, Hungarian law applied to Weltimmo: at [39].

This was all fact-specific of course, but it does give some fairly extensive guidance, and certainly indicates that any website aimed at a particular jurisdiction, plus some sort of physical presence, will be sufficient to amount to an establishment. Company registration elsewhere will not be an escape route.

There was also a second issue, which was technically obiter, about when a national regulator can take action against a data controller who may be subject to foreign laws. The CJEU strongly emphasised that it was the obligation of the regulator under Article 28 to take action within its own territory and to investigate every complaint made to it, irrespective of the applicable law: at [54]. What it cannot do, of course, is try to fine a controller not established in its own State: at [56]. So, if having investigated, the regulator reaches the conclusion that the controller is established elsewhere and subject to a foreign legal regime, it must ask the relevant national regulator to take over the case and impose any penalty based, in part, on the information provided between regulators: at [57]. Cross-border regulation might not yet be at a one-stop shop level, but it is meant to have teeth.

Weltimmo is a genuinely important decision and provides some very helpful guidance. By no means does it answer all of the questions, particularly outside of the internet, and it does not come close to the beginning of the end. But perhaps, following Google Spain, it is the end of the beginning.

Christopher Knight

Schrems – judgment imminent

September 29th, 2015 by Anya Proops

More breaking news on Schrems – the word on the street is that judgment is due to be given by the CJEU on 6 October. This means we will only have to wait another week before discovering whether the Court has followed the Advocate General’s hugely politically controversial opinion.

I should add that on 6 October judgment is also due to be given by the CJEU in East Sussex v Information Commissioner (case on charging for property search information under the EIR). Of course no one could doubt the importance of the East Sussex case (and I’m not just saying that because I appeared for the Commissioner) but I have a sneaking suspicion that Schrems may yet steal our thunder…

Anya Proops

No Such Thing as a Safe Harbour?

September 23rd, 2015 by Christopher Knight

Breaking news: AG Bot has just delivered his Opinion in Case C-362/14 Schrems v Data Protection Commissioner (the Facebook case) holding that the Commission decision establishing the ‘Safe Harbour’ scheme in the USA does not eliminate or reduce the national authorities’ duties to assess compliance with Directive 95/46/EC, and in any event, the Safe Harbour decision is invalid in the light of the Snowden revelations about mass data surveillance in the USA. The full text of the Opinion will be published, and doubtless discussed here, later on but if the CJEU agrees, it is a very significant decision.

I will be on BBC World later this morning discussing the implications of the Opinion.

Christopher Knight

Right to be forgotten – Khashaba revisited

September 18th, 2015 by Anya Proops

In July of this year, I blogged about a judicial review case involving a challenge to the ICO’s decision that Google had not breached the DPA when it refused a ‘right to be forgotten’ application made by a Mr Khashaba. My post confirmed that the court had refused permission for Mr Khashaba to proceed with his claim on the papers. Mr Khashaba has since gone on to renew his application for permission. That application was also refused. The judge, HHJ Simon Barker QC (sitting as a Deputy), concluded that permission should be refused on the basis that civil proceedings against Google constituted an adequate alternative remedy, even if those proceedings required service out of the jurisdiction. The judge went on to observe that civil proceedings also constituted a more appropriate vehicle for resolving Mr Khashaba’s claim. This was particularly because they would allow the evidence in the case to be more effectively tested, with the result that the judge would be in a position to make a more effective and informed assessment of the reliability of the claimed consequences of continued listing of the relevant webpages (cf. judicial review proceedings where typically there is no cross-examination of witnesses). Mr Khashaba was ordered to pay the ICO’s costs. Christopher Knight represented the ICO.

What is notable about this judgment is that it suggests that the courts are alive to the fact that assertions that particular data ought to be forgotten should not be taken at face value but should instead be rigorously tested. Obviously one is left with the abiding questions of whether Google, as opposed to the authors of the relevant source websites: (a) is itself best placed to undertake that testing exercise and (b) will be sufficiently incentivised in any individual case to mount a defence to the claim. It will in any event be interesting to see whether Mr Khashaba does now seek to pursue his case against Google.

Anya Proops

 

EIR charges – CJEU judgment imminent

September 15th, 2015 by Anya Proops

Anyone who has been following the litigation on charging for access to property search information under the EIR may like to know that the judgment in East Sussex v Information Commissioner is due to be given by the CJEU on 6 October 2015 (for further information on the background to the case and the Advocate-General’s Opinion, see here). One of the important issues in the East Sussex litigation has been the risks which charging for environmental information may pose in terms of the potential dissuasive effect on applicants. It will be interesting to see whether the Government has an eye to such dissuasive effects when it is thinking about how to develop its proposals on fees in the GRC (see further Chris Knight’s post on the proposals here).

Anya Proops

Impact of FOIA on legal professional privilege

September 14th, 2015 by Paul Greatorex

An intriguing summary has emerged on Lawtel (subscription required) of a decision of the Chancery Division (John Jarvis QC) in a case called Hallows v Wilson Barca LLP, which suggests that the duties imposed on public bodies by the Freedom of Information Act 2000 (FOIA) can be relevant to the common law doctrine of legal professional privilege.

The decision appears to hold that lawyers who obtain documents from public bodies for the purpose of litigation (which would therefore normally be protected by litigation privilege) need to bear in mind the existence of FOIA and make that purpose clear, otherwise they will be taken to have waived privilege.  Whether, on close inspection of the full judgment, this turns out to be a true description of the ratio decidendi remains to be seen, but the case seems worth noting in any event.

The issue arose in the context of a claim brought by the claimant (C) against the solicitors (D) who had acted for him to register title to a plot of land.  C alleged that D had failed to register the fact that the land benefitted from certain rights of way which would materially affect the value of any development on the land.  C’s new solicitors in that claim (S) sought advice from the local planning authority (LPA) on whether planning permission would be likely to be granted for any development on the land.

In making the request, S said it was doing so on a confidential basis, but did not mention it was being made in connection with the litigation between C and D.  The LPA provided the advice sought, which subsequently found its way into D’s hands via a FOIA request by D.  C sought an injunction restraining D’s use of that information in the proceedings between them on the basis that it was legally privileged.

The court agreed that the advice was prima facie protected by litigation privilege but said that requesters like S had to bear in mind that the LPA was subject to duties imposed by FOIA to provide information to the public.  Since no indication had been given that the advice was sought in the context of litigation, the court said that S had accepted that the information could come into the public domain by virtue of the local authority’s duties under FOIA and had therefore necessarily and impliedly waived any privilege which had existed.

In the alternative, the court said that even if it had accepted that privilege could still be maintained, it would not have been appropriate to restrain D from relying on the advice.  The way in which S sought advice was said to have run the risk that any privilege would be waived and D had also not acted improperly in making the request it did under FOIA or in reading the information once it had received it.

As noted above, the full analysis and implications may only become apparent if and when the full judgment becomes available and this was of course a decision in the context of private law proceedings rather than under FOIA.  Nonetheless, legal professional privilege is a common law doctrine and, unlike FOIA, is absolute in the protection it affords against disclosure.  The suggestion that the Act could influence the common law in this way is a very interesting one.

In practical terms, for those involved in planning law the decision sits alongside the decision in Tidman v Reading BC [1994] 3 PLR 72 (that LPAs do not owe a duty of care in providing such advice) as another important point for those making such requests to bear in mind.

Paul Greatorex

Appy days are here again…

September 10th, 2015 by Anya Proops

In case you have missed this vitally important piece of news (because I certainly did), the European Data Protection Supervisor has come up with an ingenious way of weaning you off playing Angry Birds. Yes, the EU Data Protection mobile app is now available at no charge for all data protection addicts – see here. Now, instead of getting on with some paid work, you can while away your time comparing the latest proposed texts of the draft General Data Protection Regulation. Joy!

Anya Proops