By way of a (limited) update, the current expected listing for the Supreme Court hearing in Google Inc v Vidal-Hall is May-July 2016. Plenty of time to get your damages claims resolved between now and then…

CK

It is not very often that this blog reports developments north of the Wall, but we like to make occasional forays, to check up on events of cross-border impact (and of course Common Services Agency and South Lanarkshire are just two examples of gifts from our Scottish brethren which just keep on giving). Assuming you’ll have had your tea, readers may wish to briefly glance at the recent judgment of the Inner House (the Court of Appeal for Scottish civil matters) in The Christian Institute v Scottish Ministers [2015] CSIH 64.

The case was a challenge to the Children and Young People (Scotland) Act 2014, an Act of the Scottish Parliament. Constitutionally minded readers will be aware that challenges can be brought against Acts of the devolved legislatures on grounds which would not be countenanced against an Act of the Westminster Parliament. Parts 1 to 5 of the 2014 Act form a comprehensive scheme intended to promote and safeguard the rights and wellbeing of children and young people. Part 3 provides for the preparation of three year “children’s services plans” for local authority areas designed to secure, inter alia, that children’s services are provided in a way which: best safeguards, supports and promotes the wellbeing of children; ensures that any action to meet their needs is taken at the earliest appropriate time; is most integrated from the point of view of recipients; and constitutes the best use of available resources.  Part 4 requires service providers to make available, in relation to each child or young person, an identified individual (“named person”), whose general function is to promote, support or safeguard the wellbeing of the child or young person, on behalf of the service provider concerned.

The challenge was to the creation of the named person, based upon various Convention articles – particularly 8 and 9 – which need not concern us here. That challenge failed. However, there was also a DP challenge: to “the sections of the 2014 Act which deal with the sharing of information are incompatible with the requirement of the European Parliament and Council Directive on Data Protection (95/46/EC), as read and applied in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.  For this reason also the provisions are ultra vires of the Scottish Parliament.  They run contrary to the Data Protection Act 1998.  The fact that data could be shared, when not strictly necessary, rendered the information sharing provisions (2014 Act, ss 26 and 27) incompatible with Article 7 of the Directive (criteria for legitimacy).  There were insufficient safeguards against the unlawful sharing of data.  There was no inbuilt “right to be forgotten”“: at [6].

It may be useful to set out the Inner House’s summary of the relevant provisions, at [12]-[14]:

“A set of provisions, contained in sections 23 to 27 of the 2014 Act, regulates requests to, and giving assistance by, service providers and the associated sharing and disclosure of information.  Distinct provisions apply according to whether: the named person functions are transferring from one service provider to another (s 23); a service provider is requesting help from another service provider (s 25); a service provider is required to provide information to the service provider (s 26(1)), and vice versa (s 26(3)).  A distinction is drawn between information sharing (s 26) and disclosure (s 27), according to the incidence of confidentiality.

A service provider must generally provide the service provider with information which is likely to be relevant to the exercise of named person functions (s 26(1) and (2)).  An equivalent duty is placed upon the service provider in the reverse situation (s 26(3) and (4)).  The views of the child require to be sought (s 26(5)).  The information holder may decide that the information ought only to be provided if the likely benefit to wellbeing outweighs any adverse effect (s 26(7)).  The holder may provide information if it is necessary or expedient for the purposes of named person functions. The sharing of information is not permitted or required where disclosure is otherwise prohibited or restricted, other than in relation to a duty of confidentiality (s 26(11)).  Thus, disclosure may be permitted, notwithstanding a breach of confidentiality, if the criteria in section 26 are otherwise satisfied and there is no other legal bar to it taking place. It is between service providers, and not individual named persons, that the specified information may be shared.  Where information is to be provided in breach of confidentiality, the recipient must be informed of the breach, and must not provide the information to any other person, unless otherwise permitted or required to do so by law (s 27).

In combination, the provisions are calculated to integrate services in order to secure the wellbeing of children and young people.“

The Inner House dealt with the challenge fairly swiftly. It set out the Charter provisions and those of the Directive, before noting that the Directive had been implemented by the “labyrinthine” DPA (not unfair), which was not said to have failed to properly or fully implement the Directive. There was, as a result, no need to go beyond the DPA itself: at [96]. The Court’s reasoning at [97]-[100] is admirably clear.

The 2014 Act was not a mechanism which trumped the DPA. “Section 26(11) of the 2014 Act expressly provides that, with the exception of rules on confidentiality, the information sharing provisions are not to be held as permitting, far less requiring, the provision of information when it is prohibited or restricted by virtue of an enactment or rule of law.  This makes it clear that the operation of section 26 involves compliance with existing law.  That includes the Data Protection Act 1998 and hence the rights of the Charter and the principles in the Directive.” There might well be breaches in individual cases but they could be resolved on their own facts rather than through an abstract challenge. There “is no need for the 2014 Act to incorporate data protection principles, such as the need for consent or other specific protections, including the destruction of out of date data, within its four walls.  The 2014 Act creates a regime involving child welfare which directs what should happen regarding the sharing of relevant information, but it assumes that the actions of those operating the system will comply with data protection principles.”

The 2014 Act did not, held the Inner House, involve the creation or collection of any new data; personal, sensitive or otherwise. The Court was obviously significantly influenced by the social policy of the legislation, seeking to introduce a system for the co-ordination and sharing of existing data in relation to children and young persons whereby situations involving a potential risk to a child’s or young person’s well-being, as defined, can more readily be identified and the relevant agency alerted. There was not a proportionality exercise taking place expressly, but the reasoning suggests pretty clearly what the answer would have been had there been one. See too at [102]-[103].

The challenge on DP grounds consequently failed, and the judgment is one which is easy to understand and follow. The need for a single, coherent, statutory scheme for child welfare information sharing which nonetheless complied with existing DP requirements was an unsurprisingly powerful pull for the Court of Session. It is a reminder that data protection is an important safeguard, but it is neither something which prevents agencies doing their jobs nor a trump card to be played in any and all situations. Carefully calibrated and structured schemes need not fear the DPA.

Christopher Knight

PECR, long the runt of the information law litter, is beginning to take on a life of its own and, just as importantly, the ICO is beginning to really target spam texters and cold-callers. Recent changes to the enforcement provisions of PECR only assist in this task.

The ICO issued an Enforcement Notice against Optical Express in December 2014. Over 4,600 people registered concerns about Optical Express (Westfield) Limited in just seven months reporting the unsolicited messages to the mobile phone networks’ Spam Reporting Service indicating they had not given permission for the company to use their details for marketing. The Notice obliged OE to cease sending unsolicited texts to individuals without their consent.

OE appears not to have seen any problem with texting people who had never previously dealt with it, believing they had sufficient consent. Whether their laser eye surgery offers would have assisted this possible case of Nelsonian blindness is unclear.

The Tribunal has now delivered a lengthy judgment dismissing OE’s appeal: Optical Express v Information Commissioner (EA/2015/0014). Much of the initial part of the judgment is taken up with dismissing various grounds relating to the ICO’s reasoning process and the extent of the reasons set out in the Notice. That will be of some interest to practitioners, but the diligent reader is referred to the judgment itself for the discussion. In particular, the Tribunal considered that the ICO had perfectly adequately explained itself, and OE understood what was being said and why. The fact of a disagreement over the correct interpretation of PECR did not entitle OE to require a higher level of reasoning.

The Tribunal took a robust line in relation to the evidence upon which the ICO was entitled to rely, and made clear that the burden of proof fell on OE to show that consent had been given once the complaints were identified. The ICO would have no way of working out whether consent had been given – that was something within the knowledge of OE alone. A very considerable number of the complaints clearly identified the texts as spam and unwanted. The ICO had also managed to trace three individual recipients who were able to give witness statements that they had not provided any express consent to OE and were not aware of how OE had their information. When OE complained that only these three could establish a case and such a small number did not warrant enforcement action, the Tribunal dismissed this: the ICO was entitled to rely on the full 4600 and in any event would have been entitled to basis a Notice on just three individuals where their cases showed unlawful processes of obtaining data.

The legal point of interest was around the approach to consent under PECR. The Tribunal made clear that consent has to be provided to the sender: thus businesses harvesting lists acquired from third parties will not have consent to text the recipient. Here, OE appeared to have acquired the numbers from Thomas Cook customers who had made the mistake of filling in a survey, which told them that their details might be shared but did not say that OE might text them. How, asked the Tribunal, could this constitute OE fairly obtaining the data in DP terms? The customer has not solicited contact from OE, and contact is therefore in breach of PECR. The Tribunal put the point this way at [86]:

“when consent was obtained by Thomas Cook or whomever, it was not stipulated (or at least it has not been shown to have been stipulated) that the personal data would be processed by OE. Neither was the marketing of specific types of product stipulated. In my opinion it should say something about the products to be marketed if they are different from the business of, for example, Thomas Cook. This falls under the “to guarantee fair processing” category. If the data subject doesn’t know what other products might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others?”

Worth a read for the discussion around the consent provisions, Optical Express now joins something of a line of Tribunal decisions roundly condemning spammers, and giving the ICO considerable latitude in how to present its case. This was not, of course, a monetary penalty notice case (doubtless because at the time the Niebel decision effectively barred such an MPN), but MPNs will doubtless follow in the event of future breaches.

It is always a good idea to ensure full and unambiguous consent where PECR is concerned. And if that means putting your glasses on to do so, so be it.

Robin Hopkins appeared for the ICO.

Christopher Knight

We here at Panopticon like to adopt an occasionally light-hearted look at information law developments. Not a ‘sideways look’ you will note, because we aren’t running a smug Radio 4 panel show, but a more gentle touch of humour as a coping mechanism with what can on occasion be a dry topic. So it is with considerable pleasure that we can say that the Upper Tribunal – or at least that part of it that is formed by Judge Wikeley – has followed suit.

In Information Commissioner v Colenso-Dunne [2015] UKUT 471 (AAC), the UT was considering an appeal by the ICO concerning an order of the FTT that it disclose names of journalists that the ICO had seized during a raid on the home of Steve Whittamore in 2003. The raid was known as Operation Motorman, and it is generally supposed that Mr Whittamore, a private investigator, had a list of journalist who used his morally and legally dubious services.

Within the first two paragraphs of his judgment on appeal, Judge Wikeley manages to get in some latin (quis custodiet ipsos custodies?), a Boris Johnson reference and a hat-tip to “some of the more outlandish conspiracy theories that abound on the internet” concerning the ICO, the latter of which in particular suggests that his previous experience of section 14 FOIA cases has left something of an aftertaste… There is also a reference at [26] to a “Grand Tour” with one Mr R Hopkins of the phone-hacking saga, which sounds rather like one of those dubious looking budget cruise holidays advertised on inserts in newspaper magazines which fall out when least expected.

However, more importantly, the ICO argued that the list of names should not released because they were sensitive personal data (because they were information as to the alleged commission of a criminal offence, which was the Commissioner’s evidence to the Leveson Inquiry) and that the ICO had no lawful authority to disclose the names under section 59 of the DPA. Mr Colenso-Dunne argued that the names showed only “a cavalier attitude owards the privacy of those individuals who were the subjects of the inquiries to Mr Whittamore” rather than criminal conduct (not a stance naturally adopted by all Hacked Off members), and that the public interest in disclosure was overwhelming.

The sensitive personal data point was the critical one, because the parties agreed that no Schedule 3 condition applied, and it had to be protected much more carefully. The UT rejected an Orwellian submission that some sensitive personal data were more equal than others because s.2(g) didn’t appear in the Directive, because the commission of criminal offences was selected by Parliament and is just as much part of a life-story as any other category. However, the application of it was fact-specific. The FTT was entitled to find that even if the investigator committed criminal offences, the list of names did not show an instruction to do so or Nelsonian blindness to that effect. Nor was the UT persuaded that release of the list in context would mean that the public would assume the journalists had committed a criminal offence; data controllers are not required to conduct a search of the public domain to see whether anything else could be combined with the data to transform its sensitivity; it has to be apparent from its immediate context: at [45]. The FTT was entitled to find that the data was not sensitive.

As to the balancing exercise under condition 6(1) of Schedule 2, the UT held that the FTT had considered that any reputational damage to journalists was justified in that they would be subject to legitimate criticism for their use of Mr Whittamore. Perhaps worryingly, one only gets the reputational rights one deserves: at [55] (although it is not quite clear in whose eyes these just deserts are to be judged: quis custodiet ipos custards?). The fact that Leveson declined to name the journalists was not determinative, and nor was the fact that the FTT had not followed the precise taxonomy set out in Goldsmith (on which see here and which, for reasons unfathomable, still appears not to have become known as the ‘Knight Principles’). Essentially, the UT was wholly unpersuaded that the FTT’s balancing exercise that the public interest in disclosure and furthering the debate over the ICO’s own role had erred in any way, noting that not all of the 305 names were ordered to be disclosed following the careful analytical exercise undertaken by the FTT.

Judge Wikeley noted that the ICO had been correct to drop an argument that a higher standard of public interest was required to meet the section 59 DPA test, and thus avoid the application of s.44 FOIA. No truck was had with a steps discretion argument – very much in vogue at the moment, although not yet in Vogue – not least because it had not been raised below. Subject to any appeal, the names ordered to be disclosed by the FTT will now have to be disclosed by the ICO. The fall-out from Leveson is not over yet.

Robin Hopkins appeared for the ICO in his capacity as lead tour guide.

Christopher Knight

The right to be forgotten is beginning to generate some litigation, albeit not yet with any blaze of glory. Following on from the attempt to judicially review the ICO for refusing to try and enforce an individual’s complaint that his data rights were being breached (see here), earlier this week a claimant failed to get his right to be forgotten claim to fly before the Nottingham County Court.

The background is that the claimant, Mr Edwards, was convicted in 2007 in connection with his criminal participation in a vast carousel VAT fraud. He was sentenced to six and a half years in prison for the fraud. He was also given a three and a half year sentence for stealing £18,000 from personal injury claimants through a scheme under which he deceitfully pretended to be a solicitor. Additionally, he was subject to a 12 year ban from taking up any company office. Mr Edwards continues to serve his sentence, although he is now out on licence. The length of Mr Edwards’ sentence means that there is no question of Mr Edwards being rehabilitated on an application of the Rehabilitation of Offenders Act. The fact of his conviction, and the circumstances of it, were widely reported by the media. The BBC, the Guardian and the Daily Mail, amongst others, all published stories about these events on their respective websites. Mr Edwards was unhappy about the fact that the stories continued to be available to the public at large, as hosted by the websites of these media organisations. As far as he was concerned, his offences were historic, dating back over a decade. So he brought a right to be forgotten claim against various media organisations, including the BBC, the Guardian and Associated News, relying heavily on the CJEU’s judgment in Google Spain: Edwards v Nottingham Post Media Ltd & Others.

However, after evidence was served by the Defendants in response to the claim, Mr Edwards confirmed that he wished to discontinue his DPA claim against the Defendants. You might have thought that that was the end of the matter but, rather than abandoning his claim altogether, Mr Edwards decided instead to apply to the court to substitute the BBC et al with Google Inc as the defendant. In effect, Mr Edwards wanted to convert his claim from a claim that the data should be deleted at source to a claim that the data should be de-indexed by the intermediary which effectively brought that data to a wide online audience, namely Google.

At a hearing which took place in Nottingham County Court on 29 July, HHJ Godsmark QC refused Mr Edwards’ application to substitute the defendants with Google Inc. He concluded that substitution should not be ordered because the claim against Google had no reasonable prospect of success, with the result that the court would not grant permission for service out of the jurisdiction on Google Inc.

The judge agreed with the submissions on behalf of the media organisations that the claim was hopeless, particularly in the light of the serious nature of Mr Edwards’ offences and the fact that he is continuing to serve his sentence and remains banned from running a company until 2019. The judge held that, in these circumstances, Mr Edwards could have no reasonable expectation of privacy in respect of the data in question and there was no reasonable prospect of him succeeding in his case that his Article 8 right to privacy outweighed the Article 10 justification for the continued publication of the stories. The public interest, the judge concluded, strongly favoured continued publication and indexing by Google.

In response to a query from Mr Edwards about when that balance might alter, the judge is reported to have commented that he could not imagine a court entertaining such an application during the period of the sentence, the license or indeed for a considerable time thereafter.

The claim was marked as ‘totally without merit’. The media organisations were awarded 100% of their costs.

Mr Edwards’ case was not, perhaps, the most promising context in which to rely on Google Spain. However, it is interesting to see that the right to be forgotten is penetrating the litigation consciousness (especially in chokey, where a lengthy CJEU judgment helps while away the time) and harder cases are doubtless around the corner. The balance between the right to a private life, historic information and free expression will not always be so straightforward to weigh.

Anya Proops appeared for the media organisations, defending the claim. For the BBC’s story see here.

Christopher Knight

Has the announcement of the death of section 13(2) DPA been premature? Might it, after all, be nuzzling up the bars, ready to go ‘Voom’? Perhaps, but the Supreme Court is taking on the role of Burke and Hare because it has today announced that it has given leave to appeal on the following two questions:

1. Whether the Court of Appeal was right to hold that section 13(2) of the Data Protection Act 1998 was incompatible with Article 23 of the Directive.
2. Whether the Court of Appeal was right to disapply section 13(2) of the Data Protection Act 1998 on the grounds that it conflicts with the rights guaranteed by Articles 7 and 8 of the EU Charter of Fundamental Rights.

A further question, on whether it was correct to classify the misuse of private information claims as tortious ones, was refused leave, presumably on the basis that the Supreme Court only wants to think about the super-cool DPA issues.

A hearing is highly unlikely before 2016, but Panopticon will let you know when it knows. In the meantime, section 13(2) is still dead, so get your damages while they are still hot…

Christopher Knight

We all fell for it, didn’t we? If the greatest trick the Devil ever pulled was convincing the world he didn’t exist, then Michael Gove’s may have been to convince everyone that he wasn’t interested in FOIA. His shunting responsibility for FOIA/EIR matters off to the Cabinet Office, and the Cabinet Office’s announcement of the Commission on Freedom of Information (generally staffed by people who publicly don’t much like it), last week has led to a lot of comment and reaction – mostly adverse – from social media, blogs and even the mainstream press.

And that has rather caused everyone to take their eye off the ball, including Panopticon (which was alerted by an informant known only as Deep Throat), because in the midst of kerfuffle over the possible threat to the substance of aspects of FOIA through the new Commission the Ministry of Justice has announced a consultation on a more insidious threat to seekers of information and transparency: the introduction of Tribunal fees.

Contained within a document which is also the Government’s Response to an earlier consultation exercise on raising fees in various aspects of civil litigation (also problematic, but not relevant here) is a consultation is the introduction, for the first time, of fees to use certain parts of the First-tier Tribunal and Upper Tribunal. The Upper Tribunal (Administrative Appeals Chamber) is not within the scope of the proposal – although there is no explanation as to why not – but the First-tier Tribunal (General Regulatory Chamber) is.

The proposal is that there will be a £100 fee for an appeal to be issued, and a further £500 fee if an oral hearing takes place. Cases referred to the Upper Tribunal under rule 19 of the GRC Rules will also be subject to the same fee. There will be a system of remissions in place.

This gives rise to a number of issues. Anyone who has had anything to do with the Employment Tribunals over the last few years will know that since the introduction of fees (and, to be fair, compulsory settlement discussion periods) the workload of the ET has gone through the floor. It seems highly likely that something very similar will happen for FOIA/EIR appeals, where so many of the cases are brought by individuals, many of whom will not be able to afford to spend that kind of money on something which has no prospect, unlike the ET, of ever winning them any money and relates almost inevitably to the public interest rather than their own private interest. There must be a real difference of type between such litigation and private interest litigation elsewhere in the GRC. (To be fair, it is of course the case that judicial reviews brought on a public interest basis still incur fees, but they are the exception to the ordinary use of Part 54, whereas the public interest is at the heart of the vast majority of FOIA appeals, and assessed on that basis.) Why, when the legislation is requestor-blind, should the Tribunal system not be too? Alternatively, one might mount a plausible argument that if a public authority wishes to appeal a Decision Notice then it should have to pay a fee (because it is seeking to avoid transparency) but a requestor should not.

It is pretty likely, although the figures aren’t given in the consultation, that FOIA/EIR appeals make up a large proportion of the GRC’s work. But given their public interest element, are they really the cases to which a fee should be targeted? The GRC also hears appeals concerning the regulation of estate agents, driving instructors, claims management services and exam boards (amongst others). Those are all private interests, as are appeals against fines levied on public authorities for bugging phones without warrants. Is not an appeal about the release of public authority information worthy of greater ring-fencing from fees than an appeal about Defra banning you from micro-chipping a dog? (I may be barking up the wrong tree, but I am not making this up.)

In the calculations of the Government, the GRC costs them £1.6m a year. At best, they expect to recover £0.4m in fees, and that will reduce if the caseload drops as a result of fee introduction (which, bizarrely, they apparently do not anticipate). One might think that that was a relative drop in the ocean, although of course every penny counts, but fees won’t pay the GRC’s way (and Gambling disproportionately contributes already given the very high fees and the very low number of cases).

But aside from the issues of principle, there are also real problems of practice, particularly around the hearing fee. The proposal says “The claimant may alternatively elect for an oral hearing, in which case a further fee of £500 would be payable.” But this doesn’t reflect the reality of the GRC Rules. Rule 32 requires the GRC to hold a hearing where one party requests it: what if the ICO or the public authority request one? What if both do? Who pays then? What if the Tribunal itself lists a hearing, against the wishes of the parties, because it thinks it cannot do justice without one under rule 32(1)(b)? Who pays for that decision? The proposal appears to anticipate that the appellant will still have to pay the fee, presumably on the basis that that it is their ‘fault’ that the appeal exists at all, but that seems very unfair. What about directions hearings – does the fee apply to those, and who has to request one for it to be triggered? The proposal seems remarkably un-thought through and the consultation will need to point that out.

Why is it the GRC which is being targeted by fees rather than the appellate stage in the Upper Tribunal? Surely having a second bite on appeal is more worthy of a financial penalty, and a discouragement to unnecessary appeals on the facts? If fees still apply to rule 19 transfers, will it not be in the interest of every litigant to try and get a case transferred to the UT on the basis that if he has to pay, he may as well get the best court he can for his buck?

The consultation paper and the impact assessment on tribunal fees are both online. Panopticon strongly encourages readers to respond to the consultation, which closes on 15 September 2015.

Christopher Knight

The spectre of Jimmy Saville casts a long shadow and now it extends to data protection, the Data Protection Act 1998 being the latest august and uniformly popular institution (following the BBC, Broadmoor and Margaret Thatcher to name just some) to suffer as a result of his actions. The perennial sight of investigations and public inquiries into historic sex abuse of children in local authority, chiefly arising out of the wider ramifications of Operation Yewtree, has provided a very ready explanation for local authorities for the need to retain child protection data.

The fifth data protection principle says data should not be kept longer than necessary for the purposes for which it is processed, whereas the reality will often be that the information of greatest significance (accusations of abuse or records of care) will only become significant after the expiry of a lot of time and the child’s growth into an adult able to confront the abuse they have suffered.

As a result, there is no consistent practice across the country. The High Court in R (C) v Northumberland County Council & ICO [2015] EWHC 2134 (Admin) was informed that authorities adopt an approach which ranges from retention until the 21^st birthday, to six years after the 18^th birthday, to 75 years from the date of birth, to 35 years from the closure of a case: at [10]. This obviously poses concerns about compliance with the DPA and Article 8 ECHR.

C sought the destruction of his child protection held by Northumberland CC and considered that it had been retained under the 35 year policy applicable in Northumberland for too long. C considered that a period of six years after his 18^th birthday would have been the cut-off point, and the ICO agreed intervening (although the ICO copped a lot of flak from Simon J for having issued a section 42 DPA determination indicating it was ‘likely’ the Council had complied with the DPA and had subsequently changed its mind).

The judgment of Simon J is not always the easiest to follow. It appears that the key question before the Court was whether the retention for 35 years (which clearly engaged Article 8) was in accordance with the law, and if it was, whether it was proportionate. Although the judgment does not actually reason expressly in this way, it seems as though the analysis revolves around the fifth principle: if data retention does not breach the longer than necessary test, it will be in accordance with the law and it will be proportionate. This is not actually what the judgment says; it must be broadly how the analysis goes (see at [9]), and it is open to some debate whether those assumptions are correct in law or in analysis of the judgment.

Simon J held that the purpose for retaining child protection records was not limited to defending litigation, and so an adoption of six years – based on the limitation period – did not read across. The purpose was broader: it was to protect other children, to allow data subjects access in later life, and to make the information available to subsequent investigation: at [33]. The Judge was clearly influenced by the difficulty of seeing the importance of information at the time, and its significance only becoming clear through a more historical lens: at [37]. The clearest examples are, of course, Saville-esque: at [49]-[53]. A six year cut off period would, in the view of Simon J, restrict the ability of people over 24 from making a request and learning about their child protection file contents: at [45]-[47]. Simon J concluded that the Council was not required to adopt a “cumbersome and time-consuming predictive exercise” and retention would help to identify risks only seen with hindsight: at [56]. Regular review, every seven years, was considered a disproportionate use of labour: at [58]. 35 years “fell within the bracket of legitimate periods of retention”: at [61].

One can readily sympathise with the position of the Council in a case like C, which will be (with other linked agencies) between a rock and a hard place on child protection data. If they delete too quickly they risk being castigated by history for not being able to answer questions; if they don’t delete they are hoarders of sensitive and traumatic data. Simon J clearly sympathised very strongly with this. However, the structure of the reasoning is regrettably unclear. The reader is left uncertain whether Simon J has found the fifth principle complied with (probably, on the basis of a wider reading of its purposes), whether that has meant the interference with Article 8 was in accordance with the law (presumably, but query how that works where it only falls within a legitimate bracket), and how the structured proportionality analysis has been carried out. It may well not matter on the conclusions of the judgment, but it does mean it will be harder to advise on and apply in related contexts. Nor does it give much guidance as to other periods adopted; is 6 years too short and is 75 years too long? Doubtless further case law will explore the undiscovered country. In the meantime, some national guidance wouldn’t go amiss…

Paul Greatorex appeared for C, Karen Steyn QC for Northumberland and Robin Hopkins for the ICO.

Christopher Knight

The apparently endless APPGER litigation has produced yet another decision of the Upper Tribunal for seasoned FOIA watchers, which amongst some very fact-specific issues, also contains two important clarifications of law: APPGER v ICO & FCO [2015] UKUT 377 (AAC).

As anyone who has ever done any information law ever will know, the APPGER litigation concerns requests under FOIA for information related to alleged British involvement in extraordinary rendition. Some information has been released, some has been released following earlier rounds of litigation, some remains withheld under various exemptions.

Following previous hearings staying various points, the present round of litigation concerned the application of section 23 (the security bodies exemption) and section 27 (international relations). There were two points of wider interest discussed in particular. One is the time at which the public interest is assessed (relevant to section 27), and one is the breadth of the “relates to” limb of section 23.

The time point was one which only really arose because of the Upper Tribunal’s desire to throw a mangy cat amongst the pigeons by suggesting in Defra v ICO & Badger Trust [2014] UKUT 526 (AAC) at [44]-[48] that the correct time to assess the public interest might be the date of Tribunal hearing. As some wise and learned commentators have pointed out, this rather seemed to have been overtaken by the Supreme Court’s – technically obiter – reasoning in R (Evans) v Attorney General [2015] UKSC 21 at [72]-[73] that the time was at the point of the authority’s refusal.

The Upper Tribunal in APPGER (containing at least one member of the panel in Badger Trust) issued a mea culpa and accepted that Evans was right: at [49]-[57]. It did not reach any more specific decision on situations where, for example, the authority has been late in complying. Doubtless the difference in time will often not matter very much. But the principle of the point now seems resolved.

Section 23(1) was not a point answered by Evans, and an argument was run by the requestor that “relates to” should be construed narrowly, as in the DPA. The Upper Tribunal disagreed: at [15]-[19]. The ordinary meaning of the language was broad, it was consistent with the aim of shutting the backdoor to the security bodies, it was consistent with authority, and met the contextual aim of FOIA where the contextual aim of the DPA was very different. The idea of requiring a “focus or main focus” was rejected.

Whilst agreeing that it should not attempt to gloss the statutory language, the Upper Tribunal nonetheless sought to assist future cases by indicating that asking whether the information requested had been supplied to a security body for the purposes of the discharge of its statutory functions (a test attributed to Mitting J) would have considerable utility. It would enable a clear explanation, it would allow differentiation within and without the scope of the exemption, and it was less likely to require a detailed line-by-line approach to redactions: at [33]. The language remains broad, but the practical application of it appears to have been ‘guided’ into a slightly narrower pigeon-hole than might have otherwise been the case.

The judgment as a whole is worth reading on the application of those exemptions to the particular information and the treatment of the evidence by the Upper Tribunal, but those two points of principle are the keys to take away. And about time too.

Timothy Pitt-Payne QC and Joanne Clement appeared for APPGER; Karen Steyn QC appeared for the FCO; Robin Hopkins appeared for the ICO.

Christopher Knight