Readers of this blog will doubtless be well aware of the recent landmark judgment of the Court of Appeal in Vidal-Hall & Ors v Google, where it was held that compensation is available for mere distress caused by  breach of data protection legislation. Interestingly, it is being reported today that the US Supreme Court will in due course be deciding a case on a similar issue, namely whether compensation is available where websites publish inaccurate data concerning individuals but the inaccuracy in the data causes no pecuniary loss. It appears that the issue will be considered by the Court in the context of a class action brought against an internet search engine that compiles publicly available data on people and lets subscribers view that information online – see further AP’s report on the case here. See also the Amicus Brief filed by Ebay, Facebook, Yahoo and Google in support of the appeal being brought by the ISE. That Brief, which rests heavily on in terrorem arguments, asserts not least that:

“Amici are concerned that this decision will substantially and improperly lower the bar for invoking the jurisdiction of federal courts, inviting abusive and costly litigation, including class actions seeking millions or even billions of dollars in statutory damages under FCRA [Fair Credit Reporting Act] and similar statutes. Amici are members of a rapidly growing and transforming technology industry that provides services to hundreds of millions of individuals each day. Users of amici’s services routinely conduct financial transactions, share information and content, and interact with people all over the world on platforms offered by amici. The services amici provide, the information they collect, and the interactions they facilitate arguably could be subject to laws that contain private rights of action and allow for statutory damages”

Of course, in the UK we have yet to see any comparable group litigation emerging in response to inaccurate data processed by data controllers. However, in the wake of Vidal-Hall, it can only be a matter of time before such cases are brought before the English Courts.

Anya Proops

When local authorities provide property search information, can they charge for doing so? On what legal basis? How should such charges be calculated?

A Panopticon post from February 2014 by Robin Hopkins explains the background. To summarise, at one time it was widely believed that the Local Authorities (England)(Charges for Property Searches) Regulations 2008 (“CPSR”) applied, allowing local authorities to charge by reference to staff costs, overheads, and the cost of maintaining information systems.   More recently, it has been recognised that such requests will largely fall within the Environmental Information Regulations 2004 (“EIR”). EIR regulation 8 allows reasonable charges to be imposed for making environmental information available, save that no charge may be imposed for permitting access to public registers or for examining the requested information in situ.

In East Sussex County Council v Information Commissioner and others the applicant requested answers to the questions in CON29, the Law Society’s standard property search form. The Council imposed a fixed charge (based on the CPSR approach) that took account of disbursements, staff time, overheads, office costs, and information system costs. The First Tier Tribunal had to determine whether the charge was permissible under EIR regulation 8. It referred a number of questions to the CJEU for a preliminary ruling on the construction of Directive 2003/4 (“the Directive), to which the EIR give effect.

The case has now been heard in the CJEU, and Advocate General Sharpston issued her opinion on 16^th April 2015.

The case turns on the construction of Articles 5 and 6 of the Directive. Article 5(1) requires that access to any public registers or lists of environmental information, and examination in situ of such information, shall be free of charge. Article 5(2) then allows public authorities to charge for supplying environmental information on request, provided that the charge does not exceed a reasonable amount. By Article 6, Member States must provide for administrative and judicial review of public authorities’ decisions relating to access to environmental information.

The first question addressed is what is meant by “supplying” environmental information in Article 5(2). Advocate General Sharpston states that this means providing access on request, by giving such information to an applicant in the format that he specifies, in circumstances other than those set out in Article 5(1).

What constitutes a “reasonable amount” within Article 5(2)? Advocate General Sharpston refers to this term as having an autonomous EU law meaning. She sets out, in some detail, what this means in practice. She identifies four requirements. First, a reasonable charge is one that is set on the basis of objective factors that are known and capable of review by a third party. Secondly, the charge must be calculated regardless of the requester’s identity or purpose. Thirdly, the charge must be set at a level that does not dissuade people from seeking access or restrict their right of access. Fourthly, the charge must be appropriate to the reason why Member States are allowed to make this charge (that is, that a member of the public has made a request for the supply of environmental information), and must be directly correlated to the act of supplying the information.

What can such a charge include? It must be based on the costs actually incurred in connection with the act of supplying information in response to a specific request. Hence the charge cannot include database costs, or overheads such as heating, lighting, or internal services. However it can include the costs of staff time spent on searching for and producing the information requested, and the cost of producing it in the form requested.

It is permissible for national law to provide that a public authority must satisfy itself that a charge levied meets the reasonableness standard. However, Article 6(1) and (2) of Directive 2003/4 requires a Member State to ensure that there can be both administrative and judicial review of whether the public authority’s decision conforms with the autonomous EU law meaning of what is reasonable.

While the issue of search costs for property search information may not set the pulse racing, it is of real importance both for companies carrying on business in this area and for cash-strapped local authorities keen to recover whatever costs they can. It remains to be seen, of course, whether the CJEU will adopt the Advocate General’s opinion.

11KBW’s Anya Proops acted for the Information Commissioner in the proceedings before the CJEU.

Every election, the House of Commons loses some of its most popular and well-respected Members. This year, it is also losing Andrew Lansley, whose reforms whilst Secretary of State for Health have bought such unwavering support from all parts of the political spectrum. Happily, Mr Lansley kept a diary of his momentous period in office. Unhappily, a FOIA request was only made for his Ministerial diary, which records the Secretary of State’s meetings etc, a redacted version of which was released in response to the request. The ICO ordered most of the withheld information to be released, and that was broadly echoed by the First-tier Tribunal in Department of Health v ICO (EA/2013/0087), on which see here, in rejecting reliance on s35(1)(a), (b) and (d) FOIA.

The DoH appealed, and Charles J has now handed down judgment in Department of Health v ICO & Lewis [2015] UKUT 159 (AAC). The appeal was dismissed. There are a number of points of interest in the judgment, not least:

• There is a strong public interest in the press and public having the right, subject to appropriate safeguards, to require public authorities to provide information about their activities: at [10]-[12].
• It is unusual to see a judge refer to his own experience as Treasury Counsel in the development of the law (on public interest immunity): at [18].
• Disclosure under FOIA should be approached on a contents, specific information, basis and not a class basis: at [19]-[21].
• It is right to avoid suggestions of inherent weight (on which see my post here): at [22]-[24].
• A contents based assessment must show that the actual information is an example of the type of information within the class description of an exemption and why the manner in which disclosure of its contents will cause or give rise to risk of actual harm to the public interest, and evidence which does not address this is flawed: at [29]-[30].
• Although generic reasons in support of the public interest may be inevitable, and are not irrelevant, attempts should be made (particularly by the ICO) to identify specific public interests engaged in support of disclosure: at [35]-[38].
• Oral evidence can be useful, particularly where it tests credibility rather than reasoning, but the FTT should ask in each case whether it is needed, why it is needed, what limitations should be placed on it and whether other parties should also give evidence: at [41]-[42], [45].
• Senior civil servants may be taking a line that there should be transparency but only on departmental terms, and their evidence often warrants a ‘Mandy Rice Davies’ sidenote (i.e. he would say that, wouldn’t he): at [48].
• A high degree of deference to either side is very unlikely to be appropriate when assessing the public interest balance; a thorough and critical analysis of the competing reasoning and analysis should be carried out. A judicious recognition of the extent of Government expertise (and Tribunal lack thereof) is appropriate, and proper weight should be given to the views of those who work in the field, but that does not equate to an approach whereby in an unusual case the FTT should accept the Departmental view unless it is irrational: at [57], [59]-[61], [63]-[67].
• The FTT had rightly identified very considerable flaws in the Department’s evidence, such that a risk of harm could not be accepted: at [73]-[79], [81]-[82].
• Charles J’s further reasons on matters not addressed by the witnesses pose clear difficulties for future attempts on the part of (particularly) Government witnesses to assert risk of harm from disclosure without specific evidence: at [80].
• When considering whether information is held under s3(2)(a) FOIA (“otherwise than on behalf of another person”), the intention of Parliament in promoting the purpose of FOIA (first bullet above) means that University of Newcastle upon Tyne v ICO & BUAV [2011] UKUT 185 (AAC) is correct (see here) and that a predominant purpose approach between different types of information is incorrect: at [106].
• Non-Ministerial appointments in the diary were supplied by the Minister to avoid clashes etc, and must be considered as part of the diary as a whole. There was a sufficiently direct connection between the content and the reason why the information was recorded by the Department for it to be held. Whether or not it remained held under FOIA might depend on whether it was still said to be exempt under FOIA (for non-s40 reasons). The diary remained held: at [114], [117], [119]-[121].

The judgment is a lengthy one, but contains more nuggets than a KFC bargain bucket (other purveyors of fried chicken are available). Our very own secret blend of eleven herbs and spices, Robin Hopkins, appeared for the ICO.

Christopher Knight

“The world is full of obvious things which nobody by any chance ever observes.” Sherlock Holmes, The Hound of the Baskervilles.

What else can there possibly be to say about Evans not covered in Robin’s excellent post from Thursday? One can contemplate the possible amendments the Government might make (how much clearer could Parliament have made the purpose of section 53), and what other changes might be made at the same time, especially in the light of the PM referring to FOIA as one of the “buggerations” of Government in the Times magazine yesterday. One can analyse the dissenting judgments, which is certainly worthy of time. One can remark again on the constitutional importance of the Supreme Court emphasising the rule of law.

Most information law practitioners probably think there isn’t really anything in Evans that is going to be very relevant to their daily lives. Even central Government FOIA officers have onlyseen seven vetos in ten years, so Evans isn’t going to make much of a practical difference.

But. Almost in passing, there is one passage in the judgment of Lord Neuberger (if not the majority judgment, at least the leading judgment) which is worthy of notice.

As has been previously pointed out on this blog, the Upper Tribunal in Defra v ICO & the Badger Trust [2014] UKUT 526 (AAC) set the cat amongst the FOIA pigeons (if that is not too much of a mixture of animal metaphors) by suggesting at [44]-[48] that it was an open question whether the public interest balance was to be assessed at the time of the request/response or afresh at the time of the Tribunal hearing. That baton is now being taken up in the  latest round of the interminable APPGER litigation.

However, it is possible that the Supreme Court has beaten them to it. The time of the assessment of the balancing exercise was a point of some relevance to the reasoning of Lord Neuberger, because a (powerful) objection to the reasoning of the Court of Appeal (including from me) was that the two permitted exceptional categories, particularly the reliance on fresh evidence, did not leave much room for application of the veto where the public interest was adjudged at or around the time of the request. Lord Neuberger, unlike the Court of Appeal, sought to address the point. In doing so, he noted at [72] that:

“It is common ground, in the light of the language of sections 50(1), 50(4) and 58(1), which all focus on the correctness of the original refusal by the public authority, that the Commissioner, and, on any appeal, any tribunal or court, have to assess the correctness of the public authority’s refusal to disclose as at the date of that refusal.”

As the text sets out, no contrary point was argued, but Lord Neuberger does not express any dissent about it and sets out the legal basis for it in the statutory language. Moreover, he went to reiterate the point, and the exceptions to it, at [72]:

“However, although the question whether to uphold or overturn (under section 50 or sections 57 or 58) a refusal by a public authority must be determined as at the date of the original refusal, facts and matters and even grounds of exemption may, subject to the control of the Commissioner or the tribunal, be admissible even though they were not in the mind of the indivdual responsible for the refusal or communicated at the time of the refusal to disclose (i) if they existed at the date of the refusal, or (ii) if they did not exist at that date, but only in so far as they throw light on the grounds now given for refusal“.

It is difficult to see how the obiter musings of the Upper Tribunal in Badger Trust can withstand this, fairly prolonged, piece of Supreme Court reasoning. Arguments may be made that it was common ground, and possibly that was obiter itself, but it will self-evidently persusive that such experienced and eminent counsel agreed such a standpoint, and that the leading judgment relies upon it.

Perhaps the debate door is shut only shortly after being opened? Perhaps Evans has something to say to FOIA lawyers outside the scope of the veto power after all? Perhaps, perhaps, perhaps…

Christopher Knight

PS A prize (kudos only though) for the first person to spot the link between opening and closing of this post.

The Supreme Court has today handed down a judgment which has very significant ramifications for the operation of the veto regime by the Government in connection with FOIA and EIR cases: R(Evans) v Attorney General. It marks a great victory for the Guardian in its 10 year struggle to gain access to correspondence written by HRH Prince Charles to various government departments. But more than this, it marks an important milestone in the development of FOI jurisprudence, as our highest court makes clear that, when it comes to the application of FOIA, Government cannot trump the decisions of the courts merely because it takes a different view of the facts of the case.

In short, the Supreme Court has held: (a) by a 5:2 majority that the veto issued under FOIA by the AG in respect of the Upper Tribunal’s order that the correspondence should be disclosed was unlawful and (b) by a 6:1 majority that provisions in the EIR which permit the Government to issue a veto in cases falling within the scope of the environmental information access regime were invalid, as they are incompatible with the EU Directive on public access to environmental information (2003/4/EC). The Supreme Court’s Press Summary, which contains a useful summary of the judgment, can be found here.

Posts containing careful analysis of the judgment will undoubtedly follow on Panopticon. 11KBW’s Karen Steyn QC appeared for the Attorney General. Timothy Pitt-Payne QC appeared for the ICO.

Anya Proops

The Catt and T cases are both concerned with this important question: to what extent may the police lawfully retain records relating to individuals who have not in fact been arrested or charged in connection with any criminal offence. The Supreme Court has now had its say on this question – see the judgment here.

The background to the appeal is very helpfully set out in this earlier post. In short, Mr Catt (C) is a peaceful protestor who participated in an anti-arms trade protest conducted by a group called Smash-EDO. Smash-EDO is associated with violent crime. The police overtly recorded information about individuals attending Smash EDO demonstrations, including C. The police went on to retain information about C, including his name, address and information confirming his presence at a particular protest. The data was stored on the police’s Domestic Extremism Database. T is an individual who is alleged to have made a homophobic comment to a neighbour’s friend. The police sent her a ‘Prevention of Harassment’ letter warning her that she could be liable to arrest and prosecution should she commit any act amounting to harassment. The letter was originally retained on the police’s files in accordance with its policy that such correspondence should be retained for 7 years. However, in point of fact, the letter sent to T was destroyed after only two and half years.

The High Court dismissed claims made by C and T that the police’s act of retaining their data constituted a breach of their Article 8 rights. The Court of Appeal allowed the claimants’ appeal, reversing the High Court’s judgment. Now the Court of Appeal’s judgment has itself been reversed by the Supreme Court which, in summary, held that whilst retention of the data interfered with the claimants’ Article 8 rights, the retention was justified under Article 8(2). The core question which the Supreme Court had to address was the proportionality of the retention, particularly having regard to the fact that neither claimant had actually been arrested or charged with any offence.

Mr Catt’s case – The judgment in C’s case was a majority judgment, with Lord Toulson dissenting. In terms of the majority (Lords Sumption, Mance and Neuberger and Lady Hale), it is clear that the judges were of the view that the retention of C’s data was not disproportionate because:

• the level of intrusion with C’s privacy rights was minimal, particularly given that:
  • the information in question is not intimate or sensitive;
  • it related to C’s activities in a public forum – the recorded facts were in that sense in the public domain;
  • there are tight constraints on the uses to which the data may be put (essentially they may only be used for police purposes and are subject to a strict review/deletion policy
• moreover, it would require disproportionate effort for the police to have to weed out this type of record from its other records.
• by way of contrast, the benefits to be obtained from retaining the data were potentially substantial and included enabling the police to develop a detailed intelligence picture of organisations prepared to engage in violent crime

Lord Toulson took a different view of the proportionality issues. In essence, he concluded that the information in question was unlikely to add much value in terms of meeting policing objectives and, further, that the weeding exercise would not be unduly onerous, particularly given that the police regularly had to undertake such weeding exercises in any event.

T’s case – In T’s case, the majority (Lady Hale, Lord Toulson and Lord Mance) were of the view that the retention policy in issue was lawful. Lady Hale and Lord Toulson both made the point that retention of such information over an extended period of time was important, particularly in terms of dealing effectively with domestic abuse cases. By way of contrast, Lord Sumption was of the view that such a lengthy retention period was disproportionate, particularly given the trivial nature of the incident in question. However, on the facts relating to T’s case, he held that it was not disproportionate for the police to have retained the letter for the relatively short period of 2.5 years. Thus, he concurred with the conclusion that the appeal should be allowed.

A key point emerging from the judgment, and indeed the litigation history of these appeals, is that there is no perfect science when it comes to applying the proportionality principle. Instead, the exercise of assessing proportionality is inherently impressionistic, as is illustrated by the wide divergence of views expressed by the judges in the High Court, Court of Appeal and the Supreme Court. It is understood that the claimants will now seek to have the case referred to the European Court of Human Rights. So we may yet see another reversal of fortunes in this interesting and important litigation.

Jason Coppel QC and Robin Hopkins appeared for the Secretary of State for the Home Department, who intervened in the appeal.

Anya Proops

It is not uncommon for data controllers to be faced with subject access requests under s. 7 of the Data Protection Act 1998 the motivations for which appear to have nothing whatever to do with the purposes of the DPA.

The DPA seeks to protect individuals’ privacy rights with respect to data which is processed about them. The subject access provisions help people check up on that data and its processing (see for example YS v Minister voor Immigratie (Cases C-141/12 & C-372/12)). In practice, however, a subject access request is a fishing expedition with an eye on prospective litigation.

How does this affect the individual’s right to have his subject access complied with? The general answer is that, at least as regards applications to the Court under s. 7(9) DPA for the enforcement of a subject access request, the remedial discretion is wide enough to take the requester’s motive and purposes into account.

Kololo v Commissioner of Police for the Metropolis [2015] EWHC 600 (QB) – a judgment of Dingemans J handed down yesterday – looked set to consider the relevance of a requester’s motive (albeit that the context was not the commonplace pre-litigation fishing expedition). In the end, the judgment was largely fact-specific. Nonetheless, it is an interesting illustration of a Court engaging with a requester’s motive and that place of that motive in the statutory scheme.

The judgment is here: Kololo. There is also some press coverage in the Telegraph.

Mr Kololo is on death row in Kenya. He is challenging his conviction and sentence for robbery, kidnapping and murder of British nationals. He has never been to the UK, but officers of the Metropolitan Police were involved in the investigation of the crimes in Kenya and in evidence given at the trial.

His lawyers made subject access requests to the Foreign Office and the Metropolitan Police. The former provided data, but the Police refused. It said his request was an abuse of process.

The predominant purpose of the request was to assist with Mr Kololo’s appeal in the Kenyan Courts. The subject access request itself had said that the information sought “could prove crucial to Mr Kololo’s case”.

In his witness statement to the Court, however, Mr Kololo said that he also wanted to know what information the Police held on him “and what they are doing or have done with it”. He said he was worried about how information about him and his family may be used by the Police.

Dingemans J considered such worry to be speculative. Mr Kololo’s principal aim was plainly to obtain information which might assist with his appeal. But Dingemans J took this view (para. 31): “However, in order for any data which Mr Kololo might obtain from the Commissioner to be of any assistance to Mr Kololo on his appeal, it is likely that Mr Kololo will want to try and point to inaccuracies in the data” (if any such inaccuracies existed).

Therefore, Mr Kololo’s purpose was at least in part aligned with the purposes of the DPA: “a purpose for which Mr Kololo is making the subject access request is to determine whether there are inaccuracies in the data. This means that Mr Kololo (or his legal representatives) is making the subject access request to verify the accuracy of the data. This is so even though verifying the accuracy of the data is unlikely to be of assistance to Mr Kololo for his appellate proceedings. However if the data is not accurate Mr Kololo (or his legal representatives) may seek to correct any inaccuracies in the data. This might, depending on the inaccuracies, be of assistance to Mr Kololo for his other purposes” (para. 35).

Dingemans J noted that the Court’s discretion under s. 7(9) DPA was “’general and untrammelled’ but it is also common ground that such discretion should be exercised to give effect to the purposes of the DPA and be proportionate” (paragraph 32). On the facts, however, one of Mr Kololo’s purposes did accord with the purposes of the DPA. Therefore, his request was held not to be an abuse of process, and the Police were ordered to comply with it.

Additionally, Dingemans J briefly considered the Crime (International Co-operation) Act 2003 for an overseas court or prosecuting authority to request assistance from UK authorities. The existence of that mechanism also did not render Mr Kololo’s subject access request an abuse of process.

Anya Proops and Chris Knight appeared for the Commissioner of Police for the Metropolis.

Robin Hopkins @hopkinsrobin

The extent to which privacy and data protection rights can effectively resonate within the online environment is an acutely important issue for all information law practitioners. Moreover, it is an issue which seems to be gaining ever increasing traction in the litigation context, as is illustrated not least by the following developments.

• As most readers of this blog will know, last year the CJEU sent shock waves through the information law community when it held, in Google Spain, that EU data protection legislation operated so as to enable the so-called ‘right to be forgotten’ to be asserted against Google. (That principle is due to receive further consideration from our domestic courts in the forthcoming case of Max Mosley v Google – see Robin’s post on the Mosley case here).
• Then we had the judgment of the High Court in Vidal-Hall v Google, where the court concluded, in the face of a jurisdictional defence mounted by Google, that claims brought against Google concerning its tracking of the internet browsing habits of users could properly proceed. (An appeal against the High Court’s judgment in that case is due to be heard by the Court of Appeal on 2^nd or 3^rd March – the ICO is intervening in support of the claimants’ case).
• Now the High Court in Northern Ireland has given judgment in an important case involving a compensation claim made against Facebook: CG v Facebook & Anor [2015] NIQB 11.

Key aspects of the CG judgment are as follows:

• The claim was brought by a convicted paedophile in respect of a series of postings placed on Facebook by third parties, one of whom had been named as second defendant to the claims. The postings not only included data amounting to vituperative name-calling but also repeated incitements to violence in respect of the claimant.
• The High Court held that Facebook was liable in respect of the postings, particularly on the basis that it had misused the claimant’s private information by failing to delete the postings after Facebook’s attention had been drawn to their existence.
• The High Court rejected Facebook’s assertion that its liability in respect of the postings was excluded on an application of the Electronic Commerce (EC Directive) Regulations 2002. On this issue, the court held that: (a) the Regulations only immunise the relevant information society service (ISS) against liability if the ISS has no actual or constructive knowledge of the unlawful activity on its site or, if it has acquired that knowledge, it acts expeditiously to remove or disable access to the relevant information and (b) Facebook could not rely on the Regulations in the present case because, after being notified of the relevant postings, Facebook had failed to remove or disable access to them.
• The second defendant, an individual who was responsible for one of the disputed postings, was liable for misuse of the claimant’s private information in his capacity as primary publisher. He was also liable for harassment under the Protection from Harassment Act.
• As for the claim under the DPA 1998, which was brought only against Facebook and not against the second defendant, that claim could not proceed because, on an application of s. 5 DPA 1998, the claim fell outside of the territorial ambit of the legislation. (Notably no reference was made in this context to the CJEU’s approach to territorial ambit under the data protection Directive in the Google Spain case).
• Whilst no DPA claim was pleaded against the second defendant, the court made the following points about the application of the journalistic exemption contained in s. 32 DPA:
  • The court noted that the Claimant had conceded that the second defendant’s activities in posting material on Facebook might about to ‘journalism’.
  • However, the court went on to conclude there was no scope for the second defendant to rely on the journalistic exemption contained in s. 32 DPA 1998. This was particularly because the second defendant could not have had any ‘reasonable’ belief that his publications were in the public interest for the purposes of s. 32(1)(b).
•  The claimant was awarded £20,000 in compensation in respect of his claim for misuse of private information.

What is interesting and important about the CG judgment is that it reinforces the point that organisations which operate merely so as to facilitate online freedom of expression can no longer safely assume that they are always operating in the stratosphere, far above the mire of the privacy litigation battlefield. Instead, they must appreciate that those rights are sufficiently flexible and powerful that they can potentially draw such organisations firmly into the fray.

Anya Proops