Section 13 DPA in the High Court: nominal damage plus four-figure distress award

June 13th, 2014 by Robin Hopkins

Given the paucity of case law, it is notoriously difficult to estimate likely awards of compensation under section 13 of the Data Protection Act 1998 for breaches of that Act. It is also very difficult to assess any trends in compensation awards over time.

AB v MoJ [2014] EWHC 1847 (QB) is the Courts’ (Mr Justice Jeremy Baker) latest consideration of compensation under the DPA. The factual background involves protracted correspondence involving numerous subject access requests. Ultimately, it was held that the Defendant failed to provide certain documents to which the Claimant was entitled under section 7 of the DPA within the time frames set out under that section.

Personal data?

There was a dispute as to whether one particular document contained the Claimant’s ‘personal data’. Baker J noted the arguments from Common Services Agency, and he is not the first to observe (at his paragraph 50) that it is sometimes not a ‘straightforward issue’ to determine whether or not information comes within the statutory definition of personal data. Ultimately, he considered that the disputed document did not come within that definition: it “is in wholly neutral terms, and is indeed merely a conduit for the provision of information contained in the letters which it enclosed which certainly did contain the claimant’s personal data”.

Nonetheless, the DPA had been breached in virtue of the delays in the provision of other information to which the Claimant was entitled under section 7. What compensation should he be awarded?

Damage under section 13(1) DPA

Baker J was satisfied, having considered In Halliday v Creation Consumer Finance Limited [2013] EWCA Civ 333, [2013] 2 Info LR 85 (where the same point was conceded), that nominal damage sufficed as ‘damage’ for section 13(1) purposes: “In this regard the word “damage” in this sub-section is not qualified in any way, such that to my mind provided that there has, as in this case, been some relevant loss, then an individual who has also suffered relevant distress is entitled to an award of compensation in respect of it”.

Here the Court was satisfied that nominal damages should be awarded. The Claimant had spent a lot of time pursuing his requests, albeit that much of that time also involved pursuing requests on clients’ behalves, and albeit that no actual loss had been quantified:

“Essentially the claimant is a professional man who, it is apparent from his witness statement, has expended a considerable amount of time and expense in the pursuit of the disclosure of his and others’ data from various Government Departments and other public bodies, including the disclosed and withheld material from the defendant. Having said that, the claimant has not sought to quantify his time and expense, nor has he allocated it between the various requests on his own and others’ behalves. In these circumstances, although I am satisfied that he has suffered damage in accordance with s.13(1) of the DPA 1998, I consider that this is a case in which an award of nominal damages is appropriate under this head, which will be in the conventional sum of £1.00.”

Distress under section 13(2) DPA

That finding opened the door to an award for distress. The Court found that distress had been suffered, although it was difficult to disentangle his distress attributable to the breaches of the DPA from his distress as to the other surrounding circumstances: “doing the best I am able to on the evidence before me I consider that any award of compensation for distress caused as a result of the relevant delays in this case, should be in the sum of £2,250.00”.

Until this week, Halliday was the Courts’ last reported (on Panopticon at any rate) award of compensation under section 13 DPA. That was 14 months ago. In AB, the Court awarded precisely triple that sum for distress.

For a further (and quicker-off-the-mark) discussion of AB, see this post on Jon Baines’ blog, Information Rights and Wrongs.

Robin Hopkins @hopkinsrobin

Tags: , , , , ,
Posted in INFORMATION LAW | Comments Off on Section 13 DPA in the High Court: nominal damage plus four-figure distress award

Privacy, electronic communications and monetary penalties: new Upper Tribunal decision

June 12th, 2014 by Robin Hopkins

Panopticon reported late last year that the First-Tier Tribunal overturned the first monetary penalty notice issued by the Information Commissioner for breaches of the Privacy and Electronic Communications Regulations 2003. This was the decision in Niebel v IC (EA/2012/0260).

The Information Commissioner appealed against that decision. The Upper Tribunal gave its decision on the appeal yesterday: see here IC v Niebel GIA 177 2014. It dismissed the Commissioner’s appeal and upheld the First-Tier Tribunal’s cancellation of the £300,000 penalty imposed for the sending of marketing text messages.

I appeared in this case, as did James Cornwell (also of the Panopticon fold), so I will not be offering an analysis of the case just now. With any luck, one of my colleagues will be cajoled into doing so before too long.

It is worth pointing out simply that this is the first binding decision on the meaning of the various limbs of s. 55A of the DPA 1998, which contains the preconditions for the issuing of a monetary penalty notice.

Robin Hopkins @hopkinsrobin

Tags: , , , ,
Posted in INFORMATION LAW | Comments Off on Privacy, electronic communications and monetary penalties: new Upper Tribunal decision

Google Spain and the CJEU judgment it would probably like to forget.

May 19th, 2014 by Akhlaq Choudhury

In the landmark judgment in Google Spain SL and Google Inc., v Agencia Espanola de Proteccion de Datos, Gonzales (13th May 2014), the CJEU found that Google is a data controller and is engaged in processing personal data within the meaning of Directive 95/46 whenever an internet search about an individual results in the presentation of information about that individual with links to third party websites.  The judgment contains several findings which fundamentally affect the approach to data protection in the context of internet searches, and which may have far-reaching implications for search engine operators as well as other websites which collate and present data about individuals.

The case was brought Mr Costeja Gonzales, who was unhappy that two newspaper reports of a 16-year old repossession order against him for the recovery of social security debts would come up whenever a Google search was performed against his name. He requested both the newspaper and Google Spain or Google Inc. to remove or conceal the link to the reports on the basis that the matter had long since been resolved and was now entirely irrelevant. The Spanish Data Protection Agency rejected his complaint against the newspaper on the basis that publication was legally justified. However, his complaint against Google was upheld. Google took the matter to court, which made a reference to the CJEU.

The first question for the CJEU was whether Google was a data controller for the purposes of Directive 95/46. Going against the opinion of the Advocate General (see earlier post), the Court held that the collation, retrieval, storage, organisation and disclosure of data undertaken by a search engine when a search is performed amounted to “processing” within the meaning of the Directive; and that as Google determined the purpose and means of that processing, it was indeed the controller. This is so regardless of the fact that such data is already published on the internet and is not altered by Google in any way.

 The Court went on to find that the activity of search engines makes it easy for any internet user to obtain a structured overview of the information available about an individual thereby enabling them to establish a detailed profile of that person involving a vast number of aspects of his private life.  This entails a significant interference with rights to privacy and to data protection, which could not be justified by the economic interests of the search engine operator.  In a further remark that will send shockwaves through many commercial operators providing search services, it was said that as a “general rule” the data subject’s rights in this regard will override “not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name” (at paras 81 and 97). Exceptions would exist, e.g. for those in public life where the “the interference with…fundamental rights is justified by the preponderant interest of the general public in having…access to the information in question”.

However, the Court did not stop there with a mere declaration about interference. Given the serious nature of the interference with privacy and data protection rights, the Court said that search engines like Google could be required by a data subject to remove links to websites containing information about that person, even without requiring simultaneous deletion from those websites.

Furthermore, the CJEU lent support to the “right to be forgotten” by holding that the operator of a search engine could be required to delete links to websites containing a person’s information. The reports about Mr Costejas Gonzales’s financial difficulties in 1998 were no longer relevant having regard to his right to private life and the time that had elapsed, and he had therefore established the right to require Google to remove links to the relevant reports from the list of search results against his name. In so doing, he did not even have to establish that the publication caused him any particular prejudice.

The decision clearly has huge implications, not just for search engine operators like Google, but also other operators providing web-based personal data search services. Expect further posts in coming days considering some of the issues arising from the judgment.

Akhlaq Choudhury

Tags: , , , , ,
Posted in INFORMATION LAW | Comments Off on Google Spain and the CJEU judgment it would probably like to forget.

Global Witness and the journalism exemption: ICO to have the first go?

April 30th, 2014 by Robin Hopkins

Panopticon has previously reported on the novel and important data protection case Steinmetz and Others v Global Witness [2014] EWHC 1186 (Ch). The High Court (Henderson J) has now given a judgment on a procedural point which will set the shape for this litigation.

The broad background to the case has been set out in Jason Coppel QC’s previous post – see here. In a nutshell, Global Witness is an NGO which reports and campaigns on natural resource related corruption around the world. Global Witness is one of a number of organisations which has recently reported on allegations that a particular company, BSG Resources Ltd (“BSGR”), secured a major mining concession in Guinea through corrupt means. Global Witness is now facing claims brought under the Data Protection Act 1998 by a number of individuals who are all in some way connected with BSGR. The claims include a subject access claim brought under s. 7; a claim under s. 10 requiring Global Witness to cease processing data in connection with the claimants and BSGR; a claim for rectification under s. 14 and a claim for compensation under s. 13.

For its part, Global Witness relies on the ‘journalism’ exemption under s. 32 of the DPA, which applies to “processing… undertaken with a view to the publication by any person of any journalistic, literary or artistic material”. Global Witness says it is exempt from the provisions of the DPA on which the claimants rely.

An unusual feature of the s. 32 exemption is that it provides, at subsections (4) and (5), for a mandatory stay mechanism which is designed in essence to enable the ICO to assume an important adjudicative role in the proceedings (my emphasis):

(4) Where at any time (“the relevant time”) in any proceedings against a data controller under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 the data controller claims, or it appears to the court, that any personal data to which the proceedings relate are being processed

(a) only for the special purposes, and

(b) with a view to the publication by any person of any journalistic, literary or artistic material which, at the time twenty-four hours immediately before the relevant time, had not previously been published by the data controller, the court shall stay the proceedings until either of the conditions in subsection (5) is met.

(5) Those conditions are—

(a) that a determination of the Commissioner under section 45 with respect to the data in question takes effect, or

(b) in a case where the proceedings were stayed on the making of a claim, that the claim is withdrawn.

So: if the conditions in s. 32(4) are met, then the court must stay proceedings until either the claim is withdrawn or the ICO has issued a determination under section 45. S. 45 effectively requires the ICO to adjudicate upon the application of the journalism/’special purposes’ exemption to the facts of the particular case. Any determination made under s. 45 can be appealed to the Tribunal: see s. 48(4), which confers a right of appeal on the data controller.

Global Witness has invoked s. 32(4) in its defence and has since applied to the Court for a stay under that provision. The claimants disagree that a stay should be granted. They say Global Witness’ reliance on section 32 is misconceived and have made a cross-application to have the s. 32 defence struck out and for summary judgment in the alternative.

The question for Henderson J was whether those rival applications should be heard together (the claimant’s case), or whether Global Witness’ application for a stay should be determined first (Global Witness’ case). Henderson J has agreed with Global Witness on this point. In reaching the view that the stay application should be heard first, it appears that Henderson J had in mind arguments to the effect that requiring the two applications to be heard together would itself risk pre-empting Global Witness’ stay application and may also result in a more cumbersome and costly process (see in particular paragraphs 16-24). Henderson J went on to make the following observation as to the effect of s. 32(4): :

“Subject to argument about the precise nature of a claim sufficient to trigger section 32, Parliament has, in my view, pretty clearly taken the line that issues of this kind should be determined in the first instance by the Commissioner, and any proceedings brought in court should be stayed until that has been done” (paragraph 21).

The stay application will now be heard at the end of June. The matter will then either go off to the ICO or, if the stay application fails, the claimants’ summary judgment/strike-out applications will be considered. The stay application will therefore determine the immediate trajectory of this particular litigation. Whilst the Court declined to order indemnity costs against the claimants, it did award Global Witness close to 100% of its costs.

Anya Proops acts for Global Witness.

Robin Hopkins @hopkinsrobin

Tags: , , ,
Posted in INFORMATION LAW | Comments Off on Global Witness and the journalism exemption: ICO to have the first go?

Interfering with the fundamental rights of practically the entire European population

April 10th, 2014 by Robin Hopkins

In the Digital Rights Ireland case, the Grand Chamber of the CJEU has this week declared invalid the 2006 Directive which provides for the mass retention – and disclosure to policing and security authorities – of individuals’ online traffic data. It found this regime to be a disproportionate interference with privacy rights. Depending on your perspective, this is a major step forward for digital privacy, or a major step backwards in countering terrorism and serious crime. It probably introduces even more uncertainty in terms of the wider project of data protection reform at the EU level. Here is my synopsis of this week’s Grand Chamber judgment.

Digital privacy vs national security: a brief history

There is an overlapping mesh of rights under European law which aims to protect citizens’ rights with respect to their personal data – an increasingly important strand of the broader right to privacy. The Data Protection Directive (95/46/EC) was passed in 1995, when the internet was in its infancy. It provides that personal data must be processed (obtained, held, used, disclosed) fairly and lawfully, securely, for legitimate purposes and so on.

Then, as the web began to mature into a fundamental aspect of everyday life, a supplementary Directive was passed in 2002 (2002/58/EC) on privacy and electronic communications. It is about privacy, confidentiality and the free movement of electronic personal data in particular.

In the first decade of the 21st century, however, security objectives became increasingly urgent. Following the London bomings of 2005 in particular, the monitoring of would-be criminals’ web activity was felt to be vital to effective counter-terrorism and law enforcement. The digital confidentiality agenda needed to make space for a measure of state surveillance.

This is how Directive 2006/24 came to be. In a nutshell, it provides for traffic and location data (rather than content-related information) about individuals’ online activity to be retained by communications providers and made available to policing and security bodies. This data was to be held for a minimum of six months and a maximum of 24 months.

That Directive – like all others – is however subject to the EU’s Charter of Fundamental Rights. Article 7 of that Charter enshrines the right to respect for one’s private and family life, home and communications. Article 8 is about the right to the protection and fair processing of one’s personal data.

Privacy and Digital Rights Ireland prevail

Digital Rights Ireland took the view that the 2006 Directive was not compatible with those fundamental rights. It asked the Irish Courts to refer this to the CJEU. Similar references were made during different litigation before the Austrian Courts.

The CJEU gave its answer this week. In Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others (C‑293/12) joined with Kärntner Landesregierung and Others (C‑594/12), the Grand Chamber held the 2006 Directive to be invalid on the grounds of its incompatibility with fundamental privacy rights.

The Grand Chamber accepted that, while privacy rights were interfered with, this was in pursuit of compelling social objectives (the combatting of terrorism and serious crime). The question was one of proportionality. Given that fundamental rights were being interfered with, the Courts would allow the European legislature little lee-way: anxious scrutiny would be applied.

Here, in no particular order, are some of the reasons why the 2006 Directive failed its anxious scrutiny test (quotations are all from the Grand Chamber’s judgment). Unsurprisingly, this reads rather like a privacy impact assessment which data controllers are habitually called upon to conduct.

The seriousness of the privacy impact

First, consider the nature of the data which, under Articles 3 and 5 the 2006 Directive, must be retained and made available. “Those data make it possible, in particular, to know the identity of the person with whom a subscriber or registered user has communicated and by what means, and to identify the time of the communication as well as the place from which that communication took place. They also make it possible to know the frequency of the communications of the subscriber or registered user with certain persons during a given period.”

This makes for a serious incursion into privacy: “Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.”

Second, consider the volume of data gathered and the number of people affected. Given the ubiquity of internet communications, the 206 Directive “entails an interference with the fundamental rights of practically the entire European population”.

Admittedly, the 2006 regime does not undermine “the essence” of data protection rights (because it is confined to traffic data – the contents of communications are not retained), and is still subject to data security rules (see the seventh data protection principle under the UK’s DPA 1998).

Nonetheless, this is a serious interference with privacy rights. It has objective and subjective impact: “it is wide-ranging, and it must be considered to be particularly serious… the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.”

Such a law, said the Grand Chamber, can only be proportionate if it includes clear and precise laws governing the scope of the measures and providing minimum safeguards for individual rights. The 2006 Directive fell short of those tests.

Inadequate rules, boundaries and safeguards

The regime has no boundaries, in terms of affected individuals: it “applies even to persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime”.

It also makes no exception for “persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy”.

There are no sufficiently specific limits on the circumstances in which this can be accessed by security bodies, on the purposes to which that data can be put by those bodies, or the persons with whom those particular bodies may share the data.

There are no adequate procedural safeguards: no court or administrative authority is required to sign off the transfers.

There are also no objective criteria for justifying the retention period of 6-24 months.

The Grand Chamber’s conclusion

In summary, the Grand Chamber found that “in the first place, Article 7 of Directive 2006/24 does not lay down rules which are specific and adapted to (i) the vast quantity of data whose retention is required by that directive, (ii) the sensitive nature of that data and (iii) the risk of unlawful access to that data, rules which would serve, in particular, to govern the protection and security of the data in question in a clear and strict manner in order to ensure their full integrity and confidentiality. Furthermore, a specific obligation on Member States to establish such rules has also not been laid down…”

There was also an international transfer aspect to its concern: “in the second place, it should be added that that directive does not require the data in question to be retained within the European Union…”

This last point is of course highly relevant to another of the stand-offs between digital privacy and national security which looms in UK litigation, namely the post-Snowden litigation against security bodies.

Robin Hopkins @hopkinsrobin

Tags: ,
Posted in INFORMATION LAW | Comments Off on Interfering with the fundamental rights of practically the entire European population

Steinmetz and Others v Global Witness: latest developments

April 2nd, 2014 by Robin Hopkins

Panopticon devotees will have noted that important DPA litigation is afoot between a group of businessmen (Beny Steinmetz and others) and the NGO Global Witness. The Economist has recently reported on the latest developments in the case: see here.

I particularly like the article’s subtitle: “Libel laws have become laxer. Try invoking data protection instead”. This is an observation I (and others) have made in the past: see here for example. The point appears to be gathering momentum.

Robin Hopkins @hopkinsrobin

Tags: ,
Posted in INFORMATION LAW | Comments Off on Steinmetz and Others v Global Witness: latest developments

Data protection and compensation: the “irreversible march” towards revolutionary change

March 21st, 2014 by Robin Hopkins

At 11KBW’s Information Law conference this past Tuesday, I talked a bit about the progress of the draft EU Data Protection Regulation. I omitted to mention last week’s development (my reason: I was on holiday in Venice, where data protection seemed less pressing). In a plenary session on 12 March, the European Parliament voted overwhelmingly in support of the Commission’s current draft of the Regulation. This is all explain in this Memo from the European Commission. Here are some key points.

One is the apparently “irreversible” progress towards getting the Regulation onto the EU statute books. “The position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May. As a reminder, the remaining stage is for the European Council to agree to the proposal. Its ministers are meeting again in early June. So far, they have been broadly supportive.

Another point is about business size and data protection risk: SMEs will not need to notify (so where will the ICO get its funding?), they won’t need to have data protection officers or carry out privacy impact assessments as a default rule. “We want to make sure that obligations are not imposed except where they are necessary to protect personal data: the baker on the corner will not be subject to the same rules as a (multinational) data processing specialist.”

A third point has great consequences for international transfers: “Non-European companies, when offering services to European consumers, will have to apply the same rules and adhere to the same levels of protection of personal data. The reasoning is simple: if companies outside Europe want to take advantage of the European market with more than 500 million potential customers, then they have to play by the European rules”.

Fourth, the “right to be forgotten” is still very much on the agenda. “If an individual no longer wants his or her personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system” (subject to freedom of expression). This “citizen in the driving seat” principle, like the consistency aim (the same rules applied the same away across the whole EU) and the “one-stop shop” regulatory model has been part of the reform package from the outset.

A final point is that the Parliament wants regulators to be able to impose big fines: “It has proposed strengthening the Commission’s proposal by making sure that fines can go up to 5% of the annual worldwide turnover of a company (up from 2% in the Commission’s proposal)”. Monetary penalties will not be mandatory, but they will potentially be huge.

On this last point about money: as under the current law, a regulatory fine is one thing and the individual’s right to be compensated another. At out seminar on Tuesday, we discussed whether there would soon be a sweeping away (see for example the Vidal-Hall v Google litigation) of the long-established Johnson v MDU principle that in order to be compensated for distress under section 13 of the DPA, you need first to prove that you suffered financial loss. That may well be so for the DPA, in which case the short- and medium-term consequences for data protection litigation in the UK will be huge.

But it is important to be clear about the longer term: this is going to happen anyway, regardless of any case-law development in UK jurisprudence. Article 77 of the current draft of the Regulation begins like this “Any person who has suffered damage, including non-pecuniary damage, as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to claim compensation from the controller or the processor for the damage suffered”.

If we are indeed irreversibly on track towards a new Regulation, then data protection litigation – notably, though not only about compensating data subjects – is guaranteed to be revolutionised.

Robin Hopkins @hopkinsrobin

Tags:
Posted in INFORMATION LAW | Comments Off on Data protection and compensation: the “irreversible march” towards revolutionary change

The EU’s Data Protection Regulation: where are we?

January 20th, 2014 by Robin Hopkins

The replacement of Directive 95/26/EC – the bedrock of data protection in Europe – with a new Regulation is intended as a radical overhaul, making protections for personal data fit for the digital world. It has now been over two years since the first substantive draft of that Regulation was made public. I dimly recall Tim Pitt-Payne and I summarising it – see here.

The Regulation is yet to emerge. As a number of Panopticon readers have asked: where have we got to? Here are five points by way of summary.

1. Two members of the trinity are on board

Following seemingly interminable negotiations, the European Parliament’s civil liberties committee (LIBE) now endorses the European Commission’s position on the modified draft. This means that two of the three key bodies at the EU level appear to be of one mind. The next step is for the third body, the European Council, to be persuaded during negotiations. See this blog post by the ICO’s Deputy Commissioner, David Smith.

2. In search of the cardinal virtues – consent, consistency, proportionality

In a very illuminating summary of the major principles at issue, the ICO tells us that it welcomes the following features of the current draft: a stringent approach to consent (or, in low-risk situations, a ‘legitimate interests’ condition justifying the processing of personal data); consistency and an EU-wide ‘one-stop shop’ model; ensuring that processing conditions are proportionate to risk (by, for example, requiring data subjects to be notified ‘without delay’ rather than within 24 hours, as was originally proposed).

The ICO remains concerned, however, that the draft Regulation continues to suffer from some vices: its use of the ‘pseudonymisation’ concept muddies the distinction between personal and non-personal data; the approach to profiling is insufficiently nuanced, and the international transfer rules may be unrealistically stringent.

3. The Regulation is dead!

Peter Fleischer, Google’s global privacy counsel, considers that the stalled progress of 2013 effectively means that “the old draft is dead”. His view, however, is that this delay will provide an opportunity for a more realistic re-think: “Whatever comes next will be the most important privacy legislation in the world, setting the global standards. I’m hopeful that this pause will give lawmakers time to write a better, more modern and more balanced law.”

4. Long live the Regulation!

EU officials are, however, optimistic about the current draft being spurred on to finality in 2014. Peter Hustinx, the outgoing European Data Protection Supervisor (curiously, no successor has yet been appointed), hopes that Greece’s imminent turn in the presidency seat will provide a fresh impetus for productive negotiation. Importantly, he sees Germany (often characterised as setting very stringent standards for data protection) as being in the driving seat: “The new German government can tackle this subject with the necessary drive and energy and thereby gain acceptance of the German position at European level and lead Europe to a higher level of data protection.”

5. Are the Americans Safe?

The processing of EU citizens’ data by US-based companies sits outside the direct reach of the envisaged Regulation, as with the current Directive. Since 2000, transfers of personal data to the US have been governed by the Safe Harbour Agreement, under which approximately 3,300 companies have been certified as safe (in the sense of being EU compliant in their data protection standards).

The European Council and Parliament have, however, expressed concern about the fitness for purpose of the Safe Harbour scheme. They have observed that “Web companies such as Google, Facebook, Microsoft, Apple, Yahoo have hundreds of millions of clients in Europe and transfer personal data for processing to the US on a scale inconceivable in the year 2000 when the Safe Harbour was created”. They area also concerned about the ongoing revelations about surveillance: “divergent responses of data protection authorities to the surveillance revelations demonstrate the real risk of the fragmentation of the Safe Harbour scheme and raise questions as to the extent to which it is enforced”.

Progress by the US Department of Commerce is now sought – by March 2014 – on improving transparency, the application of EU principles and enforcement. The arrangements will be further reviewed in 2014.

Robin Hopkins @hopkinsrobin

Tags:
Posted in Uncategorized | Comments Off on The EU’s Data Protection Regulation: where are we?

The Google/Safari users case: a potential revolution in DPA litigation?

January 16th, 2014 by Robin Hopkins

I posted earlier on Tugendhat J’s judgment this morning in Vidal-Hall and Others v Google Inc [2014] EWHC 13 (QB). The judgment is now available here – thanks as ever to Bailii.

This is what the case is about: a group of claimants say that, by tracking and collating information relating to their internet usage on the Apple Safari browser without their consent, Google (a) misused their private information (b) breached their confidences, and (c) breached its duties under the Data Protection Act 1998 – in particular, under the first, second, sixth and seventh data protection principles. They sought damages and injunctive relief.

As regards damages, “what they claim damages for is the damage they suffered by reason of the fact that the information collected from their devices was used to generate advertisements which were displayed on their screens. These were targeted to their apparent interests (as deduced from the information collected from the devices they used). The advertisements that they saw disclosed information about themselves. This was, or might have been, disclosed also to other persons who either had viewed, or might have viewed, these same advertisements on the screen of each Claimant’s device” (paragraph 24).

It is important to note that “what each of the Claimants claims in the present case is that they have suffered acute distress and anxiety. None of them claims any financial or special damage. And none of them claims that any third party, who may have had sight of the screen of a device used by them, in fact thereby discovered information about that Claimant which was detrimental” (paragraph 25).

The Claimants needed permission to serve proceedings on the US-based Google. They got permission and served their claim forms. Google then sought to have that service nullified, by seeking an order declaring that the English court has no jurisdiction to try these particular claims (i.e. it was not saying that it could never be sued in the English courts).

Tugendhat J disagreed – as things stand, the claims will now progress before the High Court (although Google says it intends to appeal).

Today’s judgment focused in part on construction of the CPR rules about service outside of this jurisdiction. I wanted to highlight some of the other points.

One of the issues was whether the breach of confidence and misuse of private information claims were “torts”. Tugendhat J said this of the approach: “Judges commonly adopt one or both of two approaches to resolving issues as to the meaning of a legal term, in this case the word “tort”. One approach is to look back to the history or evolution of the disputed term. The other is to look forward to the legislative purpose of the rule in which the disputed word appears”. Having looked to the history, he observed that “history does not determine identity. The fact that dogs evolved from wolves does not mean that dogs are wolves”.

The outcome (paragraphs 68-71): misuse of private information is a tort (and the oft-cited proposition that “the tort of invasion of privacy is unknown in English law” needs revisiting) but breach of confidence is not (given Kitetechnology BV v Unicor GmbH Plastmaschinen [1995] FSR 765).

Google also objected to the DPA claims being heard. This was partly because they were raised late; this objection was dismissed.

Google also said that, based on Johnson v MDU [2007] EWCA Civ 262; (2007) 96 BMLR 99, financial loss was required before damages under section 13 of the DPA could be awarded. Here, the Claimants alleged no financial loss. The Claimants argued against the Johnson proposition: they relied on Copland v UK 62617/00 [2007] ECHR 253, argued for a construction of the DPA that accords with Directive 95/46/EC as regards relief, and argued that – unlike in Johnson – this was a case in which their Article 8 ECHR rights were engaged. Tugendhat J has allowed this to proceed to trial, where it will be determined: “This is a controversial question of law in a developing area, and it is desirable that the facts should be found”.

If the Johnson approach is overturned – i.e. if the requirement for financial loss is dispensed with, at least for some types of DPA claim – then this could revolutionise data protection litigation in the UK. Claims under section 13 could be brought without claimants having suffered financially due to the alleged DPA breaches they have suffered.

Tugendhat went on to find that there were sufficiently serious issues to be tried here so as to justify service out of the jurisdiction – it could not be said that they were “not worth the candle”.

Further, there was an arguable case that the underlying information was, contrary to Google’s case, “private” and that it constituted “personal data” for DPA purposes (Google say the ‘identification’ limb of that definition is not met here).

Tugendhat was also satisfied that this jurisdiction was “clearly the appropriate one” (paragraph 134). He accepted the argument of Hugh Tomlinson QC (for the Claimants) that “in the world in which Google Inc operates, the location of documents is likely to be insignificant, since they are likely to be in electronic form, accessible from anywhere in the world”.

Subject to an appeal from Google, the claims will proceed in the UK. Allegations about Google’s conduct in other countries are unlikely to feature. Tugendhat J indicated a focus on what Google has done in the UK, to these individuals: “I think it very unlikely that a court would permit the Claimants in this case to adduce evidence of what Mr Tench refers to as alleged wrongdoing by Google Inc against other individuals, in particular given that it occurred in other parts of the world, governed by laws other than the law of England” (paragraph 47).

Robin Hopkins @hopkinsrobin

Tags: , , , ,
Posted in INFORMATION LAW | Comments Off on The Google/Safari users case: a potential revolution in DPA litigation?

High Court to hear Safari users’ privacy claim against Google

January 16th, 2014 by Robin Hopkins

Panopticon has from time to reported on Google’s jurisdictional argument when faced with privacy/data protection actions in European countries: it tends to argue that such claims should be dismissed and must be brought in California instead. This argument is not always successful.

The same jurisdictional argument was advanced before Mr Justice Tugendhat in response to a claim brought by a group calling itself ‘Safari Users Against Google’s Secret Tracking’ who, as their name suggests, complain that Google unlawfully gathers data from Safari browser usage.

This morning, Mr Justice Tugendhat dismissed that jurisdictional argument. The case can be heard in the UK. Matthew Sparkes reports in the Daily Telegraph that the judge said “I am satisfied that there is a serious issue to be tried in each of the claimant’s claims for misuse of private information” and that “the claimants have clearly established that this jurisdiction is the appropriate one in which to try each of the above claims”.

The same article says that Google will appeal. This follows Google’s announcement yesterday that it will appeal a substantial fine issued by the French data protection authority for unlawful processing (gathering and storing) of user data.

Panopticon will continue to gather data on these and other Google-related matters.

Robin Hopkins @hopkinsrobin

Tags: , , ,
Posted in Uncategorized | Comments Off on High Court to hear Safari users’ privacy claim against Google

« Older Entries
Newer Entries »