Bonjour, et maintenant pour un post de Panopticon dans le style de Miles Kington et ‘Franglais’.

Recallez-vous le judgment de la Cour de justice de l’Union européenne dans Google Spain (ici)? Tres bien. Maintenant, il y a une announcement from CNIL (le ICO de France), informing Google that le ‘right to be forgotten’ applies aux search results decouvert en google.fr et google.com, pas seulement google.fr (voila, ici). Ce n’est pas une announcemente populaire avec Google, mais ce n’est pas une surprise. Dans November 2014 le Article 29 Working Party adopted ‘Guidelines on the Implementation’ of Google Spain, which said the same thing, as an aspect of the principle of effective protection of data subjects’ rights. C’est believed que la France est le premier data protection authority to expressly and publicly take this line with Google. Les developments dans le future sont tres interessant.

(That’s enough of that. Another issue which has caused some interest is the approach Google are taking whereby any search result on google.co.uk for an individual name comes back with the rider at the foot that some search results may have been omitted as a result of Google Spain, regardless of whether they have been or not. This raises some interesting possible questions in defamation (could it be defamatory to imply that an individual has exercised their Google Spain rights?), privacy (does the implication itself invade private life and reputation?) and DPA compliance (is the approach justified because only having the notice where the right has been exercised is tantamount to undermining the exercise of the right, and would no notice at all be too secretive?). That will also be interesting to see if anyone follows it up with Google, the ICO and then the courts. For those of you want to see a bit more analysis, and an example of a complaint, listen carefully, I shall say zis only once: Jon Baines’ blog discusses it ici. Eh bien.)

Ce n’est pas ‘goodbye’, mais seulement ‘au revoir’.

Christophe Chevalier

Almost a month ago, I blogged about a decision of the High Court in Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & 6 others [2015] EWHC 1491 (QB), noting that the judgment was not yet available. Since then my postbag has been inundated with letters (sample from a Mrs Trellis of North Wales, “Dear Robin Hopkins, If data protection is so important, why does the postman keep delivering my letters next door?”) haranguing me for further information. Following a suitable period to allow excitement to build, I am happy to oblige. It may now be seen here: Ittihadieh v Cheyne Gdns APPROVED judgment 05 05 15.

It is not necessary to repeat the commentary already provided in the previous post. HHJ Seymour QC did indeed construe the SAR as being directed only to the company – based on the wording of it and the payment of only one £10 fee – but he also held that directors would not have been data controllers themselves, applying Southern Pacific Personal Loans [2013] EWHC 2485 (Admin). The relevance of the domestic purposes exemption in section 36 came about because it was suggested some of the company directors may have expressed views about the Claimant amongst themselves in a personal capacity. This, thought the judge, would fall within section 36. In any event, he would have exercised his general and untrammelled discretion (applying Durant) under section 7(9) not to make any order requiring them to search personal email accounts.

Finally, at [50], comes a reminder that even post Vidal-Hall not every potential breach will sound in damages, as the court noted the claim for distress and expressed severe doubts about it in the following terms:

“It is not necessary or appropriate for me to give lengthy consideration to the prospect that Mr. Ittihadieh has suffered distress, but the material before me does indicate that Mr. Ittihadieh is a person who is accustomed to defending his corner, to put it colloquially, if necessary, or perhaps even if not necessary, by resort to legal proceedings, or threat of legal proceedings, and he certainly seems to engage in the expression of colourful phrases in the English language which are not used in polite society. That use of language suggests that he, himself, may not be a particularly sensitive flower.”

That is not to say that the “sensitive flower” test is one which should be applied generally (one struggles to see Max Mosley, to pick a sadomasochistic example at random, meeting the test), but it is an expression of judicial realism.

UPDATE: As some readers will know, Mr Ittihadieh has been granted permission to appeal to the Court of Appeal against the judgment. The issues in the appeal are to be wide-ranging and it will be a useful and welcome opportunity for the Court of Appeal to grapple with the practical working of the DPA in a way which has not really been seen since Durant. In the meantime, the High Court judgment has a question mark over it.

Christopher Knight

So Max Mosley has done a deal with Google in respect of his claim that Google had breached his rights under the DPA 1998 by refusing to block certain images and videos accessible via the Google search engine (see this FT article which suggests that the settlement also applies to claims brought by Mr Mosley in Germany and France). The settlement of the claim, which follows on from Google’s failed strike out application (discussed further below), leaves unanswered a number of really important questions concerning the application of data protection rights in the online world. Not least, the settlement leaves open the question of the extent to which the so-called ‘right to be forgotten’ can operate so as to force internet search engines, not only to de-index individual URLs on request, but also to block access to the offending data globally (i.e. as ISEs already do, for example, where images of child pornography are identified).

This is an important issue for those data subjects who garner significant public attention within the online environment, as was the case with Mr Mosley. The difficulty for such individuals is that online stories or comments about them can proliferate on the internet at such a rate that they cannot practicably achieve the online amnesia they crave. No sooner have they requested that the relevant internet search engine remove a number of privacy-invasive links, than the story has sprung up in a raft of other different locations on the net, with the result that the individual is effectively left trying to capture lightening in a bottle. This raises the question as to whether a right to be forgotten mechanism which is limited to de-indexing only specific those URL’s identified by the data subject is fit for purpose in terms of achieving the outcomes envisaged by the CJEU in Google Spain. Put shortly, if the ISE is the lightening conductor for privacy intrusive data, can it properly be required to stop the lightening at its source and block all access to the data in question? Is this the way in which the right to be forgotten ultimately cashes out in the online world?

Which takes us on to the defences which Google sought to run in the Mosley case because, certainly in the context of the strike out application, Google was not seeking to argue that data in issue (images and video of Mr Mosley engaging in private sexual activity) was not private or that its online dissemination did not cause substantial damage or substantial distress to Mr Mosley for the purposes of s. 10. Nor did Google seek to dispute that the damage or distress suffered by Mr Mosley was ‘unwarranted’ for the purposes of s. 10(1). Instead, its entire case in the context of the strike out was mounted on the basis that it was shielded from all liability under the DPA by virtue of the protections afforded to intermediary ‘internet society services’ (ISSs) under Part IV of the E-Commerce Directive (Directive 2000/31/EC).

For the uninitiated, Part IV of the E-Commerce Directive is designed to afford protections to intermediary ISSs which are genuine data intermediaries in the sense that they merely transmit, cache (i.e. store) or host data generated by others. The idea which lies behind Part IV is that the development of electronic commerce within the information society, one of the key objectives of the E-Commerce Directive (see recital [2]), would be frustrated if entities acting essentially as online data messengers could too readily get shot by third party claimants. Thus, we see:

• in Article 12 a limitation on liability where the ISS is acting as a mere conduit;
• in Article 13 a limitation on liability where the ISS is merely caching the data;
• in Article 14 a limitation on liability where the ISS is merely hosting the data (this was the provision invoked by Facebook in CG v Facebook, as to which see my post here) and, finally,
• in Article 15 a specific exclusion of any general obligation on the part of the ISS to monitor content falling within the scope of Articles 12, 13 or 14.

Google’s case on the strike out was that it was not liable in respect of Mr Mosley’s claim under s. 10 DPA on the basis that: (a) it was merely caching the data in issue (thus Article 13 of the E-Commerce Directive was engaged) and, in any event (b) the order being sought by Mr Mosley would conflict with the requirement of Article 15 of the E-Commerce Directive, as it would result in Google having to engage in general monitoring of cached content.

Mitting J considered both of these arguments in the context of Google’s strike out application (see his judgment here). So far as Google’s case on Article 13 was concerned, Mitting J clearly took the view that, where an individual’s data protection rights are being infringed by virtue of an ISS’s continued processing of privacy-invasive data, there is nothing in Article 13 of the E-Commerce Directive which purports to limit the ISS’s liability to cease processing that data; quite the contrary Article 13(2) specifically leaves the door open to a cease processing order being made in these circumstances (see in particular [47]). This conclusion dovetailed with Mitting J’s more general (albeit provisional) conclusion that the Data Protection Directive and the E-Commerce Directive were intended to work ‘in harmony’ with one another (see [45]-46]). On the Article 15 defence, Mitting J was clearly sceptical about Google’s argument that the order being sought by Mr Mosley would result in the kind of general monitoring which was ostensibly prohibited by Article 15 [54]. However, he accepted that this was an issue which would have to be decided by the trial judge.

Of course, in light of the recent settlement, it is clear that that issues concerning Google’s Article 15 defence are now unfortunately not going to be decided by the trial judge. Which leaves us all pondering in particular the following important questions:

• First, where right to be forgotten claims are formulated as claims to have data blocked by the relevant ISE, will such claims in practice effectively require a form of general monitoring by the ISE?
• Second, if they do require a form of general monitoring, does that mean that the claims must fail by reference to Article 15 of the E-Commerce Directive or does Article 15 itself have to fall silent in the face of the imperatives of the data protection legislation? (Mitting J made clear in his judgment he was not expressing a view on this issue)
• Third, what about claims for compensation brought against an ISE which refuses to block data? Do E-Commerce principles afforded ISEs a refuge against such claims? (Notably, Mitting J had stayed Mr Mosley’s compensation claim pending the outcome in Vidal-Hall so he did not address this issue).

It is perhaps worth pointing out here that no reference was made in Mitting J’s judgment to the EU Charter of Fundamental Rights (presumably because Charter rights were not specifically relied on in argument). Obviously in the post-Vidal-Hall world, Charter rights – including not least Article 8 (concerning the protection of personal data) – are bound to play a dominating role in discussions concerning the relationship between the E-Commerce Directive and data protection rights. Which all tends to suggest that this is an area which remains rich in litigation potential.

Finally, it should be pointed out that as at today’s date the various images which Mr Mosley was seeking suppress all appear still to be available online via Google. It remains to be seen whether in time these images will in fact quietly sink into the soup of online forgetfulness.

Anya Proops

Does anyone remember compact discs? Isn’t everything downloadable from iTunes, or Napster, or whatever it is that young people are using these days? Well, to the joy of crotchety old people everywhere, the court system still uses CDs. Indeed, the Upper Tribunal records hearings before it on CD, and when a litigant wants access to those recordings the Upper Tribunal may take the view that it is interests of justice to disclose it to them. (We are not yet at the thrilling stage of having Upper Tribunal hearings filmed and made available online, as in the Supreme Court. One cannot imagine why.)

So it was in the case of Mr Edem – he of ‘is a name personal data?’ fame – who did not approve of being given his recordings but under terms which did not permit him to more widely disclose them. Instead, he sought them under FOIA and was met with the fairly predictable reliance by the Ministry of Justice on the absolute exemption for court records in section 32(1)(c). Aha, said Mr Edem, but a CD is not a “document” within the meaning of section 32(1).

This may come as something of a surprise argument to anyone looking at the broad definition of information in section 84, the approach of the Court of Appeal in IPSA (see here), the Upper Tribunal decision in Peninsula Business Services v ICO & Ministry of Justice [2014] UKUT 284 (AAC), and indeed common sense. It is less of a surprise to see the argument fail in Edem v ICO & Ministry of Justice [2015] UKUT 210 (AAC).

Judge Wikeley had little difficulty in accepting that the purpose of section 32(1), to enable the courts to control access to their own files and records, indicates a broader interpretation of document than merely paper files, and the effect of the distinction that an audio record would not be caught but a transcript would be was patently not intended to be the outcome. In any event, a document is simply something which contains information. It does not determine the form or mode of container. Various cases from different contexts (including of course the Kennedy litigation under FOIA) gave support for the conclusion that “document” naturally includes an audio recording which contains relevant information. In so concluding, Judge Wikeley reached precisely the same conclusion as Judge Williams had done in Peninsula. The Upper Tribunal also dismissed the argument that simply because the use of “document” in section 25 (on national security certificates) must mean a written document because of the specific context of a certificate did not require the same interpretation generally: a written document is a document but the reverse is not true. The strike out of the appeal was upheld.

Rupert Paines appeared for the ICO; Rachel Kamm was for the MoJ.

Christopher Knight

The Court of Appeal has today handed down judgment in Dransfield v ICO & Devon County Council; Craven v ICO & Department for Energy and Climate Change [2015] EWCA Civ 454 (Dransfield Craven FINAL JUDGMENT 14 5 15. As people will recall, Dransfield is concerned only with section 14 FOIA, and Craven is concerned with whether the same approach should be adopted under the differently worded regulation 12(4)(b) EIR. For those desperately hoping it would not require completely relearning everything just as everyone was getting used to the Upper Tribunal decisions (on which see Robin’s lengthy screed here), a sigh of relief can be exhaled. Arden LJ gives the only substantive judgment (with which Gloster and Macur LJJ agree), which she helpfully summarises at [5]-[7] and which I set out in full so people with better things to do can stop reading:

“5. The appeals raise different and difficult questions. In my judgment, for the detailed reasons given below, this court should dismiss each appeal.  

6. In Mr Dransfield’s case, the request, taken on its own, is a precise and politely-worded request. There is nothing on the face of this request which could be termed “vexatious”. Nonetheless the UT held that it was vexatious because of the past history of dealings between him and the authority. So the principal issue on his appeal is whether a request can treated as vexatious if it is not itself vexatious but previous requests have been. The FTT thought that the line had to be drawn at previous requests which “infected” the request under consideration (“the current request”). The UT rejected that test and held that there was no line to be drawn. Mr Dransfield seeks to uphold the test applied by the FTT. I do not accept this submission because it involves writing words into FOIA which the court may not do. The UT went on to formulate and apply guidance as to the meaning of “vexatious” which he has not challenged.

7. In Mrs Craven’s case, the principal question is whether the tests under section 14 FOIA and regulation 12(4)(b) have the same meaning (“the two-tests-one-meaning issue”). I conclude that to all intents and purposes they do. The next questions are whether the IC could raise an objection under regulation 12(4)(b) when the authority had not done so, whether section 14 (2) affects the meaning of section 14(1) and whether the costs of compliance could be taken into account under both tests (“the costs of compliance issue”). I agree with the UT on those points too. I would therefore dismiss Mrs Craven’s appeal also.”

And so orthodoxy reigns.

As to the detail of the judgment, although it is relatively long (28 pages), when one strips out the annexed statutory provisions, the factual background and the submissions of the parties, the actual analysis only runs from [61]-[73] on Mr Dransfield’s appeal and [74]-[88] on Mrs Craven’s.

In relation to Dransfield, the issue was the degree to which a prior course of conduct of the requestor could infect a request which in and of itself was inoffensive. Arden LJ agreed that no comprehensive or exhaustive definition should be adopted, but considered that the focus should be “on an objective standard and that the starting point is that vexatiousness primarily involves making a request which has no reasonable foundation, that is, no reasonable foundation for thinking that the information sought would be of value to the requester, or to the public or any section of the public“. The test should be a high one to meet, but all relevant circumstances should be considered. Where a motive can be established, that may be evidence of vexatiousness, although if the request is aimed at disclosure of important information which ought to be publicly available then even a “vengeful” request may not meet the test: at [68]. Motive was relevant here; section 14 is an exception to the ordinary approach that the reason why a right is exercised is irrelevant: at [66]. The FTT’s approach had been wrong; there were no bright lines and attempting them was illogical. Evidence of prior requests was capable of throwing light on the current request and the motivation behind it: at [69]. Had it been necessary to do so, the Court would have accepted that the Upper Tribunal had made an unchallengeable finding that the belligerent and unreasonable tone linked to the present request: at [71]. Because, as stressed at [6], there was no challenge to the Upper Tribunal’s general guidance, the Court of Appeal cast no doubt upon it and it will continue to be a useful source of assistance (with the caveat that protection of public resources cannot lower the high standard of vexatiousness required: at [72]).

In relation to Craven, Arden LJ dealt with a slightly wider range of issues. She made further comments on section 14 itself, noting that vexatiousness could not mean a requirement for persistent requests, still less for persistent requests to a range of different authorities, which would not be readily discoverable: at [77]. Section 14(2), on repeat requests, is a separate power which does not assist in interpreting section 14(1): at [82]. A key question in Craven was whether there should be any difference between the two regimes. Arden LJ held that there was not, particularly because section 14 was primarily an objective analysis, which accorded with the natural meaning of “unreasonable“. The word “manifestly” simply means that it must be clearly shown, and does not require detailed investigation by the authority into things it does not know: at [78]. There was no suggestion that the answer would have been any different under section 14: at [79] (although of course CJEU case law may develop in a different direction). One notable aspect of Craven is that it was a single request which was particularly burdensome and costly to deal with, but there was no section 12 equivalent in the EIR, and on this Arden LJ agreed with the Upper Tribunal’s approach: cost of compliance can be taken into account, although those costs would have to be balanced against the benefits of disclosure: at [83]. An unconcluded view was expressed that a higher hurdle might apply to rely on the costs burden under the EIR than FOIA, but no decision was reached: at [84]. The Court was satisfied that a costs burden could indeed apply to section 14: at [85].

We are, as a result, more or less where we were before the Court of Appeal’s judgment. Indeed all it has probably added is the weight of authority in some places and a bit of confusion (mostly around section 14 being objective, which is unhelpfully expressed but not, it appears, substantively different) in others. People can sensibly continue to guide themselves by the much more detailed guidance of the Upper Tribunal, subject to the caveats noted here. All the important clarifications made by the Upper Tribunal survive, and one suspects very limited changes will be required to the ICO’s Guidance. Repeat requestors should beware, particularly if they are unreasonable ones, and those making single but large requests should too.

The ICO was represented in both appeals by Tom Cross; Devon CC by Rachel Kamm and DECC by James Cornwell.

Christopher Knight

I have just had my attention drawn to this interesting article from the Japan Times about how the right to be forgotten is beginning to gain traction in Japan. Just goes to show that Europe is not the only environment within which this highly controversial right can potentially gain a foothold.

Anya Proops

Just two short but important pieces of news. First, I can now confirm that Google has applied for permission to appeal to the Supreme Court in respect of the Court of Appeal’s landmark judgment in Vidal-Hall v Google. The SC’s judgment on the application is awaited. Second, it would appear that the case of CG v Facebook which I blogged about earlier this year (see here) is also currently on appeal in Northern Ireland, with a cross-appeal being brought by CG on the question of whether the court erred when it concluded that Facebook fell outside the territorial scope of the DPA 1998. For further news on these important cases, watch this space.

Anya Proops

On a day when the country goes to the polls (or, if you a UKIP supporter, to the Poles), it is nice to be able remind people of the more important things in life than mere democratic-right exercising. The chief of these is, surely, developments under the Data Protection Act 1998. Happily, Panopticon can assist, with a quick note on an ex tempore judgment of HHJ Seymour QC in Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & 6 others (QBD, 5 May 2015). There is no transcript yet available, but a headnote is now reported on Lawtel, and this summary is taken from that.

Unfortunately, without the full reasoning, one does not get the sense of what looks likely to have been a more involved argument than the bare findings relate. The case concerned an SAR made to a company, which the Claimant asserted had been an SAR to both the company and the six individual directors of that company, all of whom were data controllers. Only the company had responded, with 400 pages of documents. One might have thought the argument that directors were also data controllers would face significant difficulties in the light of Southern Pacific Personal Loans [2013] EWHC 2485 (Admin) (see here). However, Judge Seymour QC appears to have resolved the matter on the facts: the Claimant’s statements had been that he believed only the company was the data controller, he had only paid one £10 fee and the proper construction of the SAR was that it was only made to the company. The claims were accordingly struck out against the individuals.

However, even had they not been, the Judge indicated that the individuals would most likely have been able to rely upon the domestic purposes exemption in section 36 DPA, and that he would have refused relief in his discretion to require them to search their personal email accounts in order to prove the application of section 36. That is quite an interesting little comment on the extent of section 36, and its interaction with ‘personal’ emails, and it will be useful to see the full reasoning in due course.

The case also contained a reminder that just because someone pleads section 13, even after Vidal-Hall, it is no guarantee of damages. The Judge considered that there was no indication of any identifiable class of damage, and the Claimant had not bothered to try and quantify his claim. As a result, it was difficult to contemplate that he would be able to demonstrate having suffered damage or distress. The company itself had adequately complied with its obligations (although the headnote does not explain what adequate compliance consists of, or how it fits with the language of section 7) and no further order was required. The section 13 claim was transferred to the County Court.

No pretence that Ittihadieh is going to blow your mind over your cornflakes (other breakfast comestibles are available), but there are a couple of little nuggets of interest and it will be worth keeping an eye out for the full transcript as and when it hits the shelves. We DP lawyers are not yet so overwhelmed by jurisprudence that we can afford to look a section 7(9) judgment in the mouth. And with that allusion to Ancient Greece, it falls only to this blog to remind you all of your civic duty to grasp what the Prime Minister so unnervingly insists on referring to as the “stubby pencil” and vote.

Robin Hopkins (who he?) appeared for the seven defendants.

Christopher Knight

I have today been speaking at the IAPP conference at A&O alongside David Smith (UK Deputy Information Commissioner), Bruno Gencarelli (European Commission, Head of Data Protection Unit) and Wojciech Wiewiórowski (Assistant European Data Protection Supervisor). The conference yielded a number of really interesting insights, a number of which I highlight below.

First and perhaps most importantly, Mr Gencarelli made clear that, so far as the draft General Data Protection Regulation was concerned, the firm expectation within Europe was that the GDPR would be agreed by the end of this year. This is obviously important given that the apparently endless European wranglings over the shape of the GDPR had led some to question whether the GDPR would be finalised within the foreseeable future. Mr Gencarelli also pointed out that we could expect that, over the ensuing two year transition period, the GDPR principles would be further refined and developed, as the European Commission engaged in a trilogue with the European Data Protection Authorities and industry bodies. This inevitably suggests that the conclusion of the formal negotiations over the GDPR will not in any sense bring the process of developing European data protection principles to an end.

Mr Gencarelli also highlighted the significant impact which the EU Charter had had on the legal approach to data protection. As he put it, the fact that data protection rights were given specific protection under the Charter meant that data protection rights now had a greater legal resonance and significance than was previously the case. Notably, Mr Gencarelli’s observations on this issue obviously chime closely with the approach to the application of Charter rights adopted by the Court of Appeal in its recent judgment in Vidal-Hall v Google.

Mr Wiewiórowski also provided some fascinating insights into the European perspective on data protection. He reflected in particular upon the role being played by the CJEU in terms of pushing the privacy agenda within Europe under the existing Directive. Mr Wiewiórowski made clear that, in his view, this was a judicial trend which was itself born out of discussions on the new privacy-preoccupied agenda embodied in the Commission’s proposals for the GDPR. Thus, in effect, the EU judiciary was working in a highly dialectical relationship with the EU legislature to produce a new cultural approach to privacy rights within Europe.

Mr Wiewiórowski also made the interesting point that developments in the UK data protection jurisprudence had a disproportionately large impact on the development of data protection law within Europe as a whole. As he observed, this was not because UK lawyers and judges were seen as being cleverer than their European counterparts. Rather it was simply a product of the somewhat prosaic fact that UK judgments are in English, with the result that they are more readily comprehensible to our EU colleagues. Thus, he suggested that the Court of Appeal’s judgment in Vidal-Hall was now being discussed very widely within Europe, particularly because it was a judgment which could be accessed and understood by practitioners across the European piste.

Mr Wiewiórowski also made some very interesting observations about the approach taken within the GDPR to the ‘journalistic exemption’. As many readers of this blog will know, there is currently a debate going on within Europe as to whether the approach to the exemption proposed by the Council of Europe gives enough protection to classic journalistic freedoms. This debate has arisen particularly because the Council’s proposed text removes any reference to journalism per se. This has prompted many within the media to raise concerns that Europe is unacceptably seeking to dilute protection for journalists in a way that fundamentally offends against Article 10 of the European Convention on Human Rights and Article 11 of the EU Charter. Mr Wiewiórowski expressed the view that the scope of the journalistic exemption was perhaps one of the most challenging issues to arise under the draft GDPR and he was not at all confident that this issue would be satisfactorily resolved by the time the GDPR was finalised. These are obviously really important observations, not least because they suggest that existing questions as to how data protection rights are to be reconciled with Article 10 rights are unlikely to be finally resolved merely as a result of the enactment of the GDPR.

In terms of the domestic regulatory perspective, David Smith’s presentation very helpfully illuminated how the ICO was approaching the right to be forgotten regime.

On this regime, Mr Smith made clear that, since Google Spain was decided, the ICO had received approximately 200 complaints from data subjects in response to refusals by Google to delete particular links. Of those 200 complaints, roughly 150 had been decided in Google’s favour, with the remaining 50 being decided in favour of the data subjects. Mr Smith indicated that the ICO was now engaged in discussions with Google about this latter set of cases.

Mr Smith also made clear that the ICO had been impressed with Google’s overall approach to the right to be forgotten regime and that there were generally no significant differences of approach between the ICO and Google in terms of how the regime was to be applied. He did however indicate that one area of disagreement was as to whether Google should be notifying publishers when they receive requests from individual applicants. Google’s position on this issue is that typically publishers should be notified. By way of contrast, the ICO’s position is that notification should take place only in exceptional cases. Obviously, this divergence of view takes us back to the important and, as yet, unresolved question as to how data protection rights should be reconciled with Article 10 freedom of expression rights. Clearly as matters currently stand, Google is preferring a more pro-Article 10 approach than the ICO. Query whether Google will continue to adopt such a stance in future.

Notably, Mr Smith also made clear that the ICO’s view was that google.com should be treated as caught by the CJEU’s judgment in Google Spain. Again this is an important point. As matters currently stand, Google’s position is that google.com is not caught by the judgment. This has the result that users within Europe can potentially avoid all the amnesiac effects of the Google Spain judgment simply by setting their default browsers to google.com. Evidently the ICO regards this as an illegitimate loophole which Google should now look to close.

In terms of the wider question of whether the CJEU’s judgment in Google Spain had had a damaging effect on the internet as a whole, Mr Smith made clear that in his view that this was not the case. He pointed out that Google had now delivered important results for data subjects in hundreds of thousands of cases. By way of contrast, he said the ICO had received only a handful of complaints about deletion. Mr Smith pointed out that obviously the introduction of the right to be forgotten regime had not resulted in the internet grinding to a halt, and that it had not sounded the death-knell of Article 10 rights. Instead, what it had done in his view was deliver real tangible results for data subjects in a wide range of cases. As Mr Smith put it, what the judgment in Google Spain had achieved was the practical recognition within the online world of important human values, including values relating to the autonomy of the individual and the need for forgiveness.

Additionally Mr Smith made clear that, whereas once the ICO’s voice may not have been seen as an important voice in litigation on data protection issues, now the ICO was increasingly being recognised by the courts as an important contributor in legal debates on those issues. He used the ICO’s involvement in the recent case of Vidal-Hall as an illustration of this important development. As Mr Smith put it the effect of these developments was that the ICO could now be more active and assertive when it came to litigation on key data protection issues.

Finally, it is worth pointing out that Mr Smith, Mr Gencarelli and Mr Wiewiórowski all agreed that, so far as the concept of ‘personal data’ was concerned, the GDPR did not expand the existing definition. Instead, all it did was clarify the existing law, as adopted in the Directive. Notably, this is consistent with the approach taken to the definition by the ICO in the case of Vidal-Hall.

So much food for thought emerging from the conference. Incidentally, those who are interested in future IAPP events may like to note that the IAPP is holding its European Data Protection Congress in Brussels in December 2015. No doubt the congress will offer an important opportunity to debate some of the issues referred to above.

Anya Proops

It has been said in the recent past that FOIA is sexy. We at 11KBW know all too well how difficult it can be to maintain a constant level of supreme attractiveness. Like all sexy beasts, even FOIA can have a day on which even its own mother would struggle would struggle to describe it as worthy of a second glance. The decision of the Court of Appeal in The Independent Parliamentary Standards Authority v ICO & Leapman [2015] EWCA Civ 388 might be thought to be one of FOIA’s off-days.

For those avid readers who remember my post on the Upper Tribunal decision (here for those hard of sleeping), the issues will be vividly recalled. For everyone else, a short recitation may be useful.

Section 1 FOIA gives us a right to request information from listed public authorities, but what does “information” mean? Information is defined by section 84 of FOIA (“‘information’ (subject to sections 51(8) and 75(2)) means information recorded in any form”). This somewhat opaque definition has generally been treated as meaning that a request is for information. It is not for copies of documents. If the public authority wants to type out the document in a different format, they can, so long as the information contained within that document is provided.

Mr Leapman had made a request to IPSA for receipts and invoices provided by particular MPs in support of their expenses claims. IPSA provided him with transcribed versions of those receipts and invoices. Mr Leapman was not satisfied; he wanted the originals. The ICO agreed, as did the FTT and the UT on appeal. IPSA appealed to the Court of Appeal. Mr Leapman, formerly of the Daily Telegraph, did not participate in the Court of Appeal, doubtless being otherwise engaged in his detention at Her Majesty’s pleasure for offences of rape and downloading child abuse images.

Richards LJ gave the only judgment and it is fair to say that while it is of practical importance, the issue does not stir the blood. Nonetheless, the Court remained awake long enough to dismiss the appeal on all grounds. On the main issue, Richards LJ agreed with the ICO. Information was to be construed broadly and there would be cases where it is necessary in practice to disclose the record itself in order to communicate the entirety of the information contained in it: at [36]. There was no collapse in the distinction between the record and the information contained within it. The request had not been for copies as opposed to the information, but rather for all the recorded information contained on the receipts/invoices. Without the copies themselves, there was an inevitable shortfall in the information provided: at [39]. Counsel for ISPA conceded that some presentational elements may reveal recorded information, and that, Richards LJ held, indicated that there was no clear line between presentational elements and recorded information, even if it was sometimes difficult to spot where the line was: at [43]. If something is on the face of the document it is more readily about the information itself, rather than the form of the record (whereas the weave of the paper would go only to the record): at [42]. What is important is that the material sought is informative in the sense that tells you something, which may be visual or linguistic: at [44]. The fact that such information may go to an assessment of genuineness is a factor (but not the only factor) in assessing whether it is relevantly informative, without infringing the motive-blind approach of FOIA: at [45].

IPSA also managed to achieve the seemingly challenging feat of advancing a ground even less enthralling than the meaning of information, namely the scope of the section 11 duty to communicate information by reasonably practicable means. Here Richards LJ indulged IPSA in dealing in full with an argument which failed at the first hurdle. Section 11 is not an aspect of the section 1 obligation on public authorities; it cannot cut down the twin duties in section 1 to confirm or deny, and to release subject to exemptions. Section 11 poses a separate, additional, duty where a preference as to the means of communication is specified: at [52]-[53]. Although unnecessary to do so, Richards LJ gave the tentative view that in the light of the informal nature of requests they should not be  interpreted like contracts (something of a relief to all one would imagine), and their interpretation was a question of fact, or at least a mixed question of fact and law: at [58]. The only point on which IPSA made any ground was one of total irrelevance, namely that had the analysis got to section 11(2), the wording of “in all the circumstances” was appropriately broad enough to encompass the cost consequences of future compliance, rather than limited to the consequences of responding  to the specific request.

So, three appeals later, we end at exactly the point we started; namely that the ICO’s DN was a model of sensible reasoning and common sense. Information includes visual aspects to a document which may be informative, even if they cannot be readily transcribed by a reluctant public authority. That does not mean FOIA is now a route of documentary disclosure, any more than the DPA is. But it does call for a holistic approach to the information in issue. It requires dealing with substance and appearance, taking the information as a whole and examining it carefully. Hang on… Maybe it is a little bit sexy after all.

Robin Hopkins appeared for the ICO.

Christopher Knight