The introduction of the controversial draft Data Retention Regulations 2014 has already been discussed by my colleague Robin Hopkins in his excellent post last month. The Regulations now have the force of law, having come into force on 31 July 2014 – see the Regulations here. In his post, Robin made the point that, following the judgment in Digital Rights Ireland, there were two methods for curtailing the infringement of privacy rights presupposed by the existing communications data retention (CDR) regime: either cut back on the data retention requirements provided for under the legislation, so as generally to limit the potential for interference with privacy rights, or introduce more robust safeguards with a view to ensuring that any interference with privacy rights is proportionate and otherwise justified. The Government, which has evidently opted for the latter approach in the new Regulations, will now need to persuade a somewhat sceptical public that the safeguards which have been adopted in the legislation strike the right balance as between the protection of privacy rights on the one hand and the imperative to support criminal law enforcement functions on the other.

Notably, the Explanatory Memorandum issued with the Regulations itself constitutes a clear attempt to allay concerns that the safeguarding arrangements embodied in the legislation are insufficiently robust. Here are some edited highlights:

Meaning of communications data and its uses – ‘Communications data is the context not the content of a communication. It can be used to demonstrate who was communicating; when; from where; and with whom. It can include the time and duration of a communication, the number or email address of the originator and recipient, and sometimes the location of the device from which the communication was made. It does not include the content of any communication: for example the text of an email or a conversation on a telephone. Communications data is used by the intelligence and law enforcement agencies during investigations regarding national security and, organised and serious crime. It enables investigators to identify members of a criminal network, place them in specific locations at given times and in certain cases to understand the criminality in which they are engaged. Communications data can be vital in a wide range of threat to life investigations, including the investigation of missing persons. Communications data can be used as evidence in court.’ (para. 7.1)

The need for legislation which mandates retention – Data needs to be retained by telecoms providers so that they can be accessed and used for criminal law enforcement purposes (para. 7.2). Absent mandatory retention requirements, there can be no guarantee that telecoms providers will themselves retain communications data for a sufficiently lengthy period time. This is because, in the absence of a mandatory obligation, telecoms providers may retain data for only a few months and indeed possibly only a few days, depending on their commercial needs. However, ‘many [criminal law enforcement] investigations require data that is older than the few months that data may be retained for business purposes, particularly in ongoing investigations into offences such as child abuse and financial crime’ (para. 7.3). This is why the original domestic CDR regime embodied in the Data Retention (EC Directive) Regulations 2009 mandated retention for a period of 12 months.

New safeguards – The new Regulations ‘effectively replicate the obligations on providers contained in the 2009 Regulations, and do not provide for the retention of any additional categories of communications data’ (para. 3.3). ‘These Regulations only differ from the 2009 Regulations in that they provide additional safeguards’ (para. 7.4). Two safeguards in particular are highlighted in the Memorandum.

• the 2009 Regulations imposed a blanket 12 month retention period where a relevant notice had been served on a telecoms provider. The new Regulations enable ‘different data types to be retained for shorter periods when appropriate’ (para. 7.4).

• the 2009 Regulations did not embody any statutory duty on the Secretary of State to consult providers prior to issuing a notice, although consultation was in practice undertaken. The new Regulations make prior consultation a statutory obligation (para. 7.4).

The following points are worthy of note in respect of the new ‘safeguards’ embodied in the Regulations.

•  First and perhaps most significantly, the Regulations themselves do not purport to identify the types or categories of data which should to be retained for less than 12 months. They simply posit that 12 months is the maximum retention period (r. 4(2)). This leaves a significant question as to what types of data, if any, will ultimately attract a shorter retention period. The risk which is inevitably inherent in this type of open-ended legislative arrangement is that blanket, indiscriminate 12 month retention continues to be the norm.

• Regulation 5(1) requires the Secretary of State to take into account a variety of matters before issuing a retention notice, including not least the likely number of users who will be affected by the notice. However, such matters would presumably have been treated as relevant considerations as and when the Secretary of State was issuing a notice under the 2009 Regulations. Hence, it is not clear that this particular safeguard will add much of substance to the overall process.

• Similarly the requirement in r. 6 that the Secretary of State must keep any retention notice under review presumably merely codifies an obligation which was already implicitly present in the 2009 regime.

• Regulation 10 makes provision for a statutory code of practice on data retention to be issued by the Secretary of State. It is unclear whether this code may yet shed further light on how the Secretary of State intends to exercise her powers under this highly controversial legislation.

• More generally, there must be serious doubts that the safeguards embodied in the new Regulations are sufficient to meet the deep concerns expressed by the CJEU in the Digital Rights case. Of course it might be said that the real danger to personal privacy arises not in the context of the data retention regime per se but rather in the context of those legislative powers which permit the State to access any communications data which have been retained, most notably the powers provided for in RIPA. However, whatever position you may adopt on that particular line of argument, suffice it to say that the question of whether the State should be entitled, in effect, to create a vast reservoir of potentially accessible communications data still hangs in the balance, the new safeguards in the Data Retention Regulations notwithstanding.

Anya Proops

Readers of this blog will already be familiar with the ways in which data protection legislation is assuming increasing importance in both the media and technology worlds. Certainly if there were any doubt as to the relevance of this legislation to the way in which both the media and technology companies operate, that doubt was firmly laid to rest following the highly controversial judgment of the CJEU in Google Spain. That judgment has led to extensive debates about the so-called right to be forgotten (as to which see here the recent ITN debate on Google Spain, in which I participated along withthe Information Commissioner and Google’s Spain’s Director of Communications for EMEA). However, the judgment was important, not only because of what it said about the right to be forgotten, but also because of the way in which it managed, in effect, to bring the data processing activities of a large US-based corporation, namely Google Inc, within the territorial scope of the EU Directive. In short, the Court held that personal data which is processed by a search engine operated by a US company is still protected under the Directive, particularly because the search engine is itself commercially supported by advertising which had been sold within Europe by EU-based subsidiary companies, including Google Spain.

The CJEU’s judgment in Google Spain has now been specifically relied upon in English High Court proceedings to support an application for service out of the jurisdiction, on Google Inc, of a set of proceedings brought under the Data Protection Act 1998 (DPA): Hegglin v Google Inc & Ors.

According to the Lawtel case report of the Hegglin judgment, Mr Hegglin is an individual who is resident in Hong Kong, but has previously lived in and retained closed connections with the UK. An anonymous person posted abusive and defamatory material concerning Mr Hegglin on a number of websites which were then indexed on Google. Mr Hegglin went on to bring proceedings against Google Inc under the DPA, including claims under s. 10 (right to prevent processing likely to cause substantial damage or distress) and s. 14 (right to rectification). He sought an injunction requiring Google Inc to block specific sites containing the allegations and a Norwich Pharmacal order was made.  Relying specifically on Google Spain, Bean J held that service of the DPA proceedings could properly be effected on Google Inc. He also held that England was the appropriate forum for the dispute and was also suitable for the trial, particularly as the defamatory remarks risked damage to Mr Hegglin’s reputation in England.

Of course, this is not the first time that the court has permitted proceedings to be served on Google Inc under the DPA. In January 2014, the High Court held that proceedings for compensation under s. 13 DPA could properly be served on Google Inc in connection with its act of collating data from Google-users based in the UK: see Vidal-Hall v Google Inc [2014] EWHC 13 (QB) (which you can read about here). However importantly, in Vidal-Hall, which was decided before Google Spain, Google Inc accepted that it was a data controller in respect of the data originating from the claimants’ browsers. It merely disputed that the data in question amounted to ‘personal data’ for the purposes of s. 1 (see paras. 121-122 of the judgment). Thus, territorial jurisdiction was not ostensibly in issue in Vidal-Hall.

What remains to be seen now is how far the Google Spain judgment will now also be relied upon as against other corporations which are based outside the EU but which use EU subsidiaries to provide commercial support for their activities.

Anya Proops

Following on from my post earlier today on Niebel, readers may like to note that Jon Baines’s excellent blog, Information Rights and Wrongs has an interesting and detailed analysis of the Mansfield v John Lewis case – see here. The article suggests that Mr Mansfield’s damages may have garnered him the princely sum of £10!

As readers of this blog will know, the application of the Government’s criminal records scheme has been subject to extensive litigation of late (see further not least my post on an appeal involving a teacher and my post on an appeal involving a taxi-driver). Perhaps most importantly, in the case of T & Anor v Secretary of State for the Home Department, questions have been raised about whether the scheme as a whole is compatible with Convention rights and, in particular, the Article 8 right to privacy. Last year, the Court of Appeal concluded that the scheme was incompatible (see further Christopher Knight’s analysis of the Court’s judgment here). In a judgment given yesterday, the majority of the Supreme Court has agreed with that conclusion (Lord Wilson dissenting). The judgment will no doubt be subject to further analysis on Panopticon over the next few days. However, in short, the Supreme Court held that:

(a)    warnings and cautions given to the appellants by the police engaged their Article 8 right to privacy

(b)    the disclosure of those warnings and cautions in enhanced criminal records certificates (ECRCs) issued under the scheme amounted to an interference with the appellants’ right to privacy,  particularly as it affected their ability to enter a particular chosen field of endeavour, for example their ability to secure particular jobs and

(c)    the interference could not be justified under Article 8(2), particularly because the indiscriminate manner in which such information was provided under the scheme was not ‘in accordance with law’ for the purposes of Article 8(2), was not ‘necessary in a democratic society’ and was not otherwise proportionate.

On the latter point, the majority of the Supreme Court was clearly concerned about the fact that, in the context of ECRCs, warnings and cautions could be included in the relevant certificate irrespective of the nature of the offence, how the case had been disposed of, the time which had elapsed since the offence took place, the relevance of the data to the employment sought and the absence of any mechanism for independent review of a decision to disclose data. The majority of the Supreme Court evidently regarded the case of T as perfectly illustrative of the dangers inherent in such an indiscriminate scheme. In T, an ECRC was issued in respect of T containing information concerning police warnings which T had received when he was 11, in connection with the theft of bicycles. In the majority’s view, it was entirely unnecessary for such information to be disclosed when T applied, aged 17, for a job which involved working with children and also when he applied, aged 19, to attend university. The majority also refused the appeal against the Court of Appeal’s declaration of incompatibility in respect of the relevant primary legislation, namely the Police Act 1997.

What we see with this judgment, as with many judgments concerning the application of Convention rights, is a reluctant to favour blanket, administratively convenient solutions over more nuanced individual-centred schemes.

11KBW’s Jason Coppel QC acted for the Secretary of State. Tim Pitt-Payne QC appeared on behalf of Liberty.

Anya Proops

The spamming industry is a decidedly irritating but sadly almost unavoidable feature of our networked world. There is no question but that spamming (i.e. the sending of unsolicited direct marketing electronic communications) constitutes an unlawful invasion of our privacy (see further regs 22-23 of the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (PECR), implemented under EU Directive 2002/21/EC). The question is what can be done to stop it, particularly given that individual citizens will typically not want to waste their time litigating over the odd spam email or text?

Well one way to address this problem would be to have an effective penalties regime in place, one that effectively kicked the spammers where it hurts by subjecting them to substantial financial penalties. No surprise then that, in 2009, the EU Directive which prohibits spamming was amended so as to require Member States to ensure that they had in place penalties regimes which were ‘effective proportionate and dissuasive’ (see Article 15a of the Directive). This provision in turn led to amendments to PECR which resulted in the monetary penalty regime provided for under s. 55A of the Data Protection Act 1998 being effectively incorporated into PECR. Readers of this blog will be aware of recent litigation over the application of s. 55A in the context of cases involving breaches of the DPA (see further the current leading case on this issue Central London Community Healthcare NHS Trust v Information Commissioner [2014] 1 Info LR 51, which you can read about here). But is the DPA monetary penalty regime really fit for purpose when it comes to dealing with spamming activities which are prohibited by PECR? If the recent decision by the Upper Tribunal in the case of Information Commissioner v Niebel is anything to go by, the answer to that question must be a resounding no.

The background to the Niebel case is as follows. Mr Niebel had sent out unsolicited text messages on an industrial scale. The texts sought out potential claimants in respect of misselling of PPI loans. The Information Commissioner, who had received hundreds of complaints about the texts, went on to issue Mr Niebel with a monetary penalty of £300,000. So far so unsurprising you might say. However, Mr Niebel has since managed to persuade the First-Tier Tribunal (FTT) to quash the penalty in its entirety (see its decision here) and now the Upper Tribunal (UT) has decided that the penalty should be left firmly quashed (see the UT’s decision here).

So how has Mr Niebel been able to avoid any penalty despite the patently unlawful nature of his activities? To answer that question one first has to understand the ostensibly high threshold which must be cleared if the power to impose a penalty is to be engaged. In short, the legislation only permits a penalty to be issued if there is ‘a serious contravention’ of the legislation (s. 55A(1)(a) and that contravention was ‘of a kind likely to cause substantial damage or substantial distress’ (s. 55A(1)(b) – there is also a knowledge requirement (s. 55A(1)(c)) however that requirement will typically be made out in the case of unlawful spammers). But can it really be said that the sending of relatively anodyne spam text message is ‘of a kind likely to cause recipients substantial damage or substantial distress’? Both the FTT and the UT have now firmly answered this question in the negative.

In the course of its decision, the UT considered the following arguments advanced by the Commissioner.

–        First, when deciding whether the contravention was ‘of a kind’ likely to cause substantial damage or substantial distress, it was possible to take into account not only the scale of the particular texts in issue but also the scale of Mr Niebel’s overall spamming operation. This was an important argument in the context of the appeal because, whilst there was no doubt that over time Mr Niebel had sent out hundreds of thousands of unsolicited communications, the Commissioner had identified ‘the contravention’ as relating only to 286 text messages in respect of which he had received complaints. (He had accepted that some 125 other complaints could not be taken into account as they related to communications sent prior to the coming into force of the penalties regime). The issue was therefore whether the wider context could be taken into account when deciding whether the contravention was ‘of a kind’ likely to cause substantial damage or substantial distress.

–        Second, the word ‘substantial’ in this context must be construed as meaning merely that the damage or distress was more than trivial. This is because the penalties regime was plainly intended to bite on unlawful spammers who caused low level damage or mere irritation, and such individuals would not be caught by the legislation if the word ‘substantial’ was construed as carrying any greater weight.

–        Third, the FTT had otherwise erred when it concluded that the 286 texts in issue were not of a kind likely to cause substantial damage or substantial distress.

On the first argument, the UT accepted that the scale of the contravention could be taken into account when deciding whether it was of a kind likely to cause substantial damage or substantial distress. However, it rejected the argument that Mr Niebel’s wider spamming activities were relevant to the analysis. The UT concluded that activities these did not form part of the ‘contravention’ relied upon by the Commissioner and were not therefore relevant to the analysis when it came to deciding whether s. 55A was engaged (para. 38).

On the second argument, the UT accepted Mr Niebel’s argument that it was not appropriate to try and deconstruct the meaning of the word ‘substantial’ and that the FTT had not erred when it had concluded simply that the question whether the substantial element was made out was ‘ultimately a question of fact and degree’ (paras. 42-51).

On the third argument, the UT held that the FTT’s decision that the 286 texts in issue were not of a kind to cause substantial damage was ‘simply unassailable’. The FTT had been entitled to conclude that the mere fact that recipients might have felt obliged to send ‘STOP’ messages to Mr Niebel did not amount to ‘substantial damage’ (para. 54). On the question of substantial distress, the FTT had been right to conclude that not all injury to feelings would amount to ‘distress’ and that irritation or frustration was not the same as distress. It concluded that there was nothing in the recent judgments in Halliday v Creation Consumer Finance or Vidal-Hall v Google which required a different result. Moreover, the UT was not prepared to accept that the FTT had failed to take into account evidence before it arguably suggesting that individual complainants were in fact substantially distressed by the messages. In the UT’s view the FTT had plainly been mindful of this evidence when it reached its conclusions (paras. 67-73).

Perhaps the most telling line in the judgment is to be found in paragraph 65 where the UT, having noted that the Commissioner had probably done all he could to draw Mr Niebel into the cross-hairs of the legislation, went on to conclude that the most profitable course would be for ‘the statutory test to be revisited with a view to making it better fit the objectives of the 2002 Directive (as amended). So, for example, a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than “substantial damage or substantial distress”, might well have resulted in a different outcome. What cannot be doubted is that, absent a successful appeal against the UT’s decision, this legislation will need to be revisited so as to avoid a situation where the spammers end up laughing all the way to the bank whilst the penalties regime descends into obsolescence.

However, I should add that the picture is not altogether rosy for the spammers of this world. According to recent media reports, John Lewis has recently had to pay out damages to Roddy Mansfield, Sky News producer, after it sent him an unsolicited marketing email (see the Sky News report of the matter here – the report does not confirm the quantum of the damages). This rather raises the question of whether, in the face of an apparently deficient monetary penalty regime, the best cure for the disease of unlawful spamming might be to mount a group action.

The Niebel case was another 11KBW affair with Robin Hopkins acting for Mr Niebel and James Cornwell acting for the ICO.

Anya Proops