In 1913, Parliament was debating the Welsh Church Disestablishment Bill.  F. E. Smith described it as “a Bill which has shocked the conscience of every Christian community in Europe”.  This prompted a stinging rebuke from G.K. Chesterton:  was it remotely plausible that, say Breton fishermen, or Russian peasants, had the slightest interest in any of this?

“ Do they, fasting, trembling bleeding

Wait the news from this our city?

Groaning, ‘That’s the Second Reading!’

Hissing ‘There is still Committee!’

If the voice of Cecil falters,

If McKenna’s point has pith,

Do they tremble for their altars?

Do they, Smith?”

A hundred years later, the European Parliament is debating data protection reform.  To suggest that every citizen of the Union is hanging on the words of Jan-Philipp Albrecht or Viviane Reding would invite Chestertonian derision.  But there must be a number of businesses that are trembling (if not perhaps fasting or bleeding, as yet) at talk of fines of up to 100 million Euros (or 5% of global turnover, whichever is the greater) for breach of the new requirements.  And the level of interest among ordinary citizens, at any rate in some countries in the EU, should not be underestimated.

The above reflections are prompted by the news that the LIBE Committee of the European Parliament has adopted an agreed position on the proposed new Regulations and Directive.  This gives a mandate for the rapporteurs – MEPs Jan-Philipp Albrecht and Dimitrious Droutsas – to negotiate with the EU Council on Parliament’s behalf.

The full text of the proposed version of the legislation approved by the LIBE Committee has not been made public.  However, this press release from the Commission indicates that there are some important differences between the Commission’s original proposal in January 2012 and the text being put forward by the LIBE Committee.  Notably, the Committee is proposing maximum sanctions of 100 million euros or up to 5% of annual worldwide turnover, as compared with 1 million euros or up to 2% of annual worldwide turnover.

The Committee also wishes to strengthen the territorial scope of the reforms.  The Commission’s original proposal was that in specified circumstances the Regulation should apply to the processing of personal data of subject residing in the Union, by a controller not established in the Union.  The Committee is proposing that the Regulation should apply to the processing by a controller or processor not established in the Union.

The Commission’s proposal was that this extra-territorial reach of the Regulation should apply where the processing activities were related to the offering of goods and services to data subjects in the Union, or to the monitoring of their behaviour.  The Committee is proposing that the Regulation should apply to the offering of goods or services to data subjects in the Union irrespective of whether a payment of the data subject is required.  So, on the Committee’s text, a social networking site established outside the EU would be caught if it offered membership to individuals in the Union, even if membership was free.   The Committee also proposes that the Regulation should apply to the monitoring of such subjects (not just to the monitoring of their behaviour).

The Committee’s text also would prohibit disclosure outside the EU of personal data processed in the EU, where such disclosure was ordered by a non-EU court or tribunal, unless the transfer was authorised in advance by the relevant EU national data protection authority.  So, it would appear, if a US court ordered disclosure of personal data about UK citizens, then a US company that complied with that order without the prior authorisation of the ICO would be in breach of the Regulation and could be fined.

Media and online comment (see e.g. here and here) has suggested that the European Parliament’s current approach – strengthening the protection for data subjects, in particular in relation to international transfers – is partly a reaction to the revelations by Edward Snowden about the disclosure of personal information to the NSA.

The next step will be for the Council to decide on its position.  There will be a Council discussion between heads of state and government on 24th – 25th October, relating to the digital single market, followed by a meeting of Justice Ministers on data protection reform on 4th – 5th December.  There will then be a “trilogue” between Parliament, the Council, and the Commission.  The President of the European Commission has called for a final text to be agreed before the European Parliamentary elections in May 2014 – though it seems likely that there will be a further 2 years or so before the new legislation comes into effect.

Timothy Pitt-Payne

 Niebel v Information Commissioner is the first Tribunal decision about penalties under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  Mr.Niebel successfully appealed against a penalty of £300,000.

The First-tier Tribunal stated that the material before them showed that Mr. Niebel and his company, Tetrus, had sent hundreds of thousands of unsolicited text messages seeking out potential claims for the mis-selling of PPI or for accidents.  There was no dispute that he had breached the requirements under PECR regulation 22, relating to the sending of text messages for direct marketing.  Until 26th May 2011 there was no power to impose penalties for such a breach, but with effect from that date the monetary penalty provisions in the Data Protection Act 1998 (sections 55A-E of the Act) had been extended to cover breaches of PECR.

In the present case, the monetary penalty notice was imposed on 26th November 2011, requiring payment of £300,000.  The Tribunal emphasised the importance of a clear statement in the notice identifying the contravention for which a penalty was imposed.  At the very least this should indicate the regulation contravened, the content of the contravention, and its scale, including roughly how many individual acts there were and how many people were affected.

In this case the Tribunal considered that the notice had failed clearly to identify the contravention.  The notice seemed to be confined to 411 cases, involving a total of 732 texts, in which the recipient had complained to the ICO.  However, some parts of the penalty notice referred to contravention on a much wider scale.

A further difficulty was that the ICO subsequently discovered that most of the 732 texts referred to had been sent before 26th May 2011 (the date when the power to issue penalties came into effect); and the ICO accepted that these earlier texts could not properly be taken into account.  The ICO therefore relied at the Tribunal hearing on 286 texts, not 732:  the number of affected individuals was not stated, but the Tribunal indicated (if the ratio of texts to complaints was consistent) that this would be about 160.

The appeal was brought on one short point.  It was argued that the contravention was not of a kind likely to cause substantial damage or substantial distress, since it was now described as relating to just 286 texts; therefore one of the statutory preconditions for a monetary penalty was not satisfied.

The Tribunal proceeded on the basis that the likelihood of damage and distress should be assessed by reference to the 286 texts now relied upon by the ICO as constituting the contravention, rather than by reference to other evidence showing very large numbers of unsolicited text messages.  On this basis, the requirement that the contravention was not likely to cause substantial damage or substantial distress was not satisfied.  As far as damage was concerned, recipients might incur charges for replying “stop”, and there might be a small charge if texts were received abroad, but none of this was likely to cause substantial damage.  As to distress, the Tribunal considered that the effect of the contravention was likely to be widespread irritation rather than substantial distress.  The Tribunal allowed the appeal and cancelled the penalty notice.

The decision leaves open one very important question.  Would the sending of hundreds of thousands of unwanted marketing messages be likely to give rise to substantial damage or substantial distress?  Could one say that, in aggregate, the small costs imposed on a very large number of individuals amounted to substantial damage? Or that the irritation caused to such a large number constituted substantial distress? This issue will no doubt be of great importance in future appeals about monetary penalties under PECR.

Two of my colleagues appeared in this case:  James Cornwell for the ICO, and Robin Hopkins for the Appellant.  Neither of them, of course, bears any responsibility for the content of this blog post.

Timothy Pitt-Payne

As I mentioned in my post last week, the case of T v Secretary of State for the Home Department, which concerns the legality of the current CRB regime, is shortly to be considered by the Supreme Court. The issue in T is whether the blanket requirement that criminal convictions and cautions must be disclosed in the context of an enhanced criminal record check (“ECRC”) undertaken for the purposes of certain types of employment (particularly employment with children or vulnerable adults), even though they are spent, is Article 8 compliant.

But what of cases where an accused has been through the criminal justice system only then to be acquitted of the alleged offenses? Should the data slate in respect of that individual be wiped clean, with the result that the allegations can never surface in the context of an ECRC? Answering that question brings into play the important maxim that, within the criminal justice system, one must be deemed innocent until proven guilty. However, balanced against that maxim, is the recognition that there will be cases where an accused was in fact guilty of the crimes alleged against them, albeit that the Crown was unable to prove that guilt beyond all reasonable doubt. Such individuals may well pose a substantial threat to society, despite their acquittal in the criminal courts. So how should the relevant disclosure bodies balance these competing considerations in the context of the ECRC scheme?

Earlier this year I blogged about two cases where the courts had considered this difficult question in respect of allegations of criminal conduct which had been made, but not proven, as against teachers. In the first case, R (L) v Chief Constable of Cumbria Constabulary [2013] EWHC 869 (Admin), the allegations against the teacher never reached the stage of a criminal prosecution. In the second case, RK v (1) Chief Constable of South Yorkshire (2) Disclosure and Banning Service [2013] EWHC 1555 (Admin), the teacher was acquitted following a criminal trial (see my post here). In both cases, the court held that the inclusion in the relevant ECRCs of information relating to the allegations was unlawful as constituting an unjustified interference with the teacher’s Article 8 rights. A key feature of both of these judgments is that, in the court’s view, the police had acted unlawfully by effectively suggesting that the allegations had been well-founded, despite the lack of any criminal conviction. In a sense, these judgments are unsurprising. After all it cannot be right for the police to suggest that an individual is guilty of an offence when they have not been convicted of any offence following a criminal prosecution.

But does that mean that it will always be unlawful to disclose information about criminal allegations where those allegations have not culminated in a conviction? The recent judgment of the High Court in the case of R(AR) v Chief Constable of Greater Manchester Police & Secretary of State for the Home Department (Case No: CO/13845/2012) indicates that the answer to that question is no.

In AR, an individual who had previously worked as a taxi driver had been accused of raping a particular passenger. He had been acquitted following a criminal trial taking place in January 2011. In March 2012, the Criminal Records Bureau issued an ECRC in connection with an application made by AR for a licence as a private-hire driver. The ECRC made reference to the allegation of rape as against AR. It also confirmed that he had been acquitted following a trial before the Crown Court. AR sought a judicial review in connection with that certificate on the basis that it breached his Article 8 right to privacy. The High Court held that the certificate was unimpeachable. In reaching this conclusion, it is clear that the court was of the view that: (a) the certificate was itself a fairly balanced document and, further, (b) this was a case where the Chief Constable had properly recognised that, whilst the allegations against AR had not been proved to the criminal standard, there was sufficient evidence to suggest that they may yet be well founded and (c) it was reasonable and proportionate to include the allegations in the ECRC given the risk posed to vulnerable passengers if AR had in fact committed the crimes alleged against him.

The court also rejected arguments to the effect that the police’s retention of the data was unlawful under Article 8 and, further, that the police had acted unlawfully by not consulting AR prior to including the information in the ECRC. So far as data retention was concerned, the court held that the police had legitimate reasons for retaining the data both because it may be relevant if further allegations were made against AR and also because other matters could arise involving the complainant. On the procedural challenge relating to the lack of consultation, the court held that this was not well founded both because AR had had an opportunity to put his case in the context of an earlier comparable ECRC and because the police had in any event anticipated all the substantive arguments AR might have wanted to make.

Importantly therefore, an acquittal is not the get out of jail free card it might at first appear to be, certainly in terms of the accused’s data rights.

Jason Coppel QC, who is also acting in the T case, appeared for the Secretary of State.

Anya Proops

It has been a relatively quiet summer on the information law front. However, this has very much been the calm before the storm. Important up-coming hearings include not least:

–       Kennedy in the Supreme Court (application of the Article 10 right to freedom of expression in the context of FOIA; previously discussed on Panopticon here, here and here): hearing listed for 29-31 October;

–       T v Secretary of State for the Home Department in the Supreme Court (whether CRB disclosure regime is compatible with Article 8; Court of Appeal judgment previously discussed on Panopticon here): hearing listed for 9-10 December;

–       Edem v Information Commissioner & FSA in the Court of Appeal (appeal against Upper Tribunal FOIA decision that information comprising an individual’s name taken together with information as to their role within an organisation constitutes ‘personal data’, such that it may fall within the scope of s. 40 FOIA): hearing listed for 14 November;

 –       Central London Community Healthcare NHS Trust v Information Commissioner in the Upper Tribunal (appeal against the first ever tribunal decision on the imposition of a monetary penalty notice by the Information Commissioner under the DPA; see previous post on this case here): hearing listed for 16 and 17 October;

–       East Sussex County Council v Information Commissioner & Anor in the First-Tier Tribunal: hearing listed for 12-13 November 2013. The case in question is the fourth case to come before the tribunal concerning the imposition of charges by local authorities under the EIR for the provision of property search information – see further the tribunal decisions in East Riding of Yorkshire Council v IC, Kirklees Council v IC and Leeds City Council v IC. In the Leeds case, the Tribunal held that the relatively substantial charges which the Council had sought to impose were impermissible under the EIR. In reaching this conclusion, the Tribunal held that, under r. 8 EIR, a public authority was entitled to impose charges only in respect of the costs of transmitting the information to the applicant and was not entitled to charge for other costs such as the costs of searching for, retrieving and redacting the information. The Tribunal held that this conclusion was in keeping with the conclusions which had been reached by the ECJ in Commission v Germany (Case C-217/97) (the decision is discussed in more detail here). In East Sussex, both the Council and the Commissioner will be inviting the Tribunal to refer to the CJEU the question of the scope of a public authority’s power to charge applicants for environmental information, having regard to the relevant provisions in the Directive.

And in other news…

–       This week the First Tier Tribunal heard the first ever appeal against the imposition of a monetary penalty notice under the Privacy and Electronic Communications Regulations 2003. The appeal was brought by Tetrus Telecoms and concerned the sending of unsolicited text messages. You can read the relevant MPN here. A second set of appeals is due to be heard later on this year, this time concerning Nationwide Energy Services and We Claim U Gain Limited. It concerns the sending of unsolicited telephone calls (see the relevant MPN here). It will be interesting to see whether the Tribunal calibrates its approach depending on the type of communication in issue.

11KBW heavily dominates in all of the above cases. No doubt they will all be subject to further comment on Panopticon in due course.

Anya Proops

Panopticon is fairly sure that it can imagine the breakfast table dialogue in most right-thinking households this morning. Namely:

“Who owes obligations under the Environmental Information Regulations 2004? Public authorities: regulation 2.

Who is a public authority? Erm, well, not water companies: Smartsource v IC and a Group of 19 additional water companies [2010] UKUT 415 (AAC).

Are we sure? No and it has been necessary to refer the question to the Court of Justice of the EU to find out: Fish Legal v IC [2012] UKUT 177 (AAC) (again about water companies).

What have the CJEU got to do with the price of fish (legal)? Because the EIR implements Directive 2003/4/EC and so the correct interpretation is a matter on which definitive guidance can be sought from Luxembourg.

And what does the CJEU think? We don’t know yet, but we are a bit closer after Advocate General Villalon delivered the AG’s Opinion in the case yesterday: see Case C-279/12 Fish Legal v Information Commissioner, Opinion of 5 September 2013.

So what does the AG say? The test is posed along the following lines. It is for the national court to establish whether the water companies concerned may impose on individuals obligations for which they did not require the consent of those individuals, with the result that the companies concerned were in a position substantially equivalent to that of the administrative authorities. An individual was under the control of a body if his actions were subject to a degree of control exercised by that body or person which prevented him from acting with real autonomy in private affairs, thereby reducing him to the status of an instrument of the will of the State. Bodies or persons who also performed other, completely separate, non-public activities were not under an obligation to provide the information which they obtained in relation to those activities. [This sounds a bit like hybrid public authorities under s.6 of the Human Rights Act 1998, which has caused no difficulties in application at all. Ahem.] If in doubt, they should have to disclose the information.

And will the CJEU adopt this test? Wait and see. But usually the AG’s Opinion forms a key part of the Court’s analysis. So it is a good pointer, even if not the definitive answer.

And will the judgment, when it comes, tell us whether privatised water companies are public authorities? Probably not. That will almost certainly be left to the Upper Tribunal to decide in the light of the CJEU’s Delphic pronouncements.”

Doubtless there will be plenty more litigation to come, not to mention the cases stayed pending Fish Legal, and Panopticon will bring you the CJEU judgment when it appears.

11KBW’s Anya Proops appeared for the Commissioner in the CJEU, and Rachel Kamm did the same before the Upper Tribunal.

Christopher Knight