The CJEU ruled on Tuesday that Directive 2002/58/EC (‘the Directive’) precludes national legislation from ordering telecommunication companies to transfer data in a “general and indiscriminate” manner to security agencies, even for purposes of national security. This is following a challenge by Privacy International to UK security agencies over their practices of collecting bulk communications data (BCD).
The ruling could throw up roadblocks to a post-Brexit “adequacy” agreement over the UKs data protection regime. Adequacy is granted to data protection regimes to confirm that they conform to the data protection standards of GDPR, and thus that companies may move data about EU data subjects outside of the EU to those regimes. Recently, the adequacy rating of the US “Privacy Shield” was invalidated by the Schrems II judgment. This ruling could prove to be an analogous issue for the UK’s adequacy rating at the end of the transition period.
The High Court has struck out a claim that the disclosure of certain personal information made by a charity to the claimant’s GP was unlawful. Although only summary, this judgment goes to the heart of what we believe data protection to be about. As you will tell from my somewhat trenchant comments at the end of this post, I find it difficult to accept the main conclusion in this ruling.
The LGBT Foundation provides services including counselling and health advice. The claimant sought to access the charity’s services by completing a self-referral form in 2016. The form gave an option for the self-referring individual to consent to information being disclosed to their GP, and stated that the charity would break confidentiality without the individual’s consent if there was reason to be seriously concerned about their welfare. Mr Scott gave his GP’s details in the form. He also stated in the form that he no longer wished to be alive, detailed a previous suicide attempt, said that he had recently been self-harming and that he continued to suffer problems from drug use.
A sessional health and wellbeing officer at the charity conducted an intake assessment for Mr Scott to ascertain what support would be best for him. She told him of the confidentiality policy, including the provision that any information he disclosed would be passed on if the charity considered him to be at risk. In this interview he gave further details of drug use, self-harm and suicidal thoughts. The health officer paused the assessment and consulted a colleague, who advised her to inform Mr Scott that they would be contacting his GP because they had concerns about his welfare. The charity concluded it was at that time unable to provide him with the services he sought from them because of his ongoing drug use. They passed the information on to Mr Scott’s GP via a telephone call. This information was in due course recorded in his medical records.
This post is the first in a series of five reports by Conor Monighan from this year’s conference held by the Administrative Law Bar Association. We will be publishing the next four posts over the next month every Monday.
This year’s ALBA conference featured an impressive list of speakers. There were talks from a Supreme Court judge, a former Lord Chancellor, top silks, and some of the best academics working in public law.
The conference covered a number of practical and substantive topics. The highpoint was an address given by Lord Sumption, in which he responded to criticism of his Reith Lectures. This post, together with those that follow, summarises the key points from the conference.
The Court of Appeal has ruled that a claimant can recover damages for loss of control of their data under section 13 of Data Protection Act 1998 without proving pecuniary loss or distress. The first instance judge, Warby J, had dismissed Mr Lloyd’s application for permission to serve Google outside the jurisdiction in the USA, so preventing the claim getting under way.
The central question was whether the claimant, Mr Richard Lloyd, who is a champion of consumer protection, should be permitted to bring a representative action against Google LLC, the defendant, a corporation based in Delaware in the USA. Mr Lloyd made the claim on behalf of a class of more than 4 million Apple iPhone users. He alleged that Google secretly tracked some of their internet activity, for commercial purposes, between 9th August 2011 and 15th February 2012.
TM (Kenya) concerned a 40 year old Kenyan woman who faced deportation after her applications for leave to remain and asylum were rejected by the Home Office. She had been detained at Yarl’s Wood Immigration Removal Centre in advance of proceedings to remove her from the country, during which time she had been uncooperative with staff. In light of her behaviour and in advance of her removal to Kenya, she was removed from free association with other detainees. Such detention was authorised by the Home Office Immigration Enforcement Manager at Yarl’s Wood, who was also the appointed “contract monitor” at the centre for the purposes of section 49 of the Immigration and Asylum Act 1999.
She sought judicial review of the decision to deprive her of free association. The initial application was refused. She appealed to the Court of Appeal where she advanced three grounds, including that her detention was not properly authorised.
The court found no conflict in the dual positions held by the manager at Yarl’s Wood. The Home Secretary had legitimately authorised her detention under the principles described in Carltona Limited v Commissioners of Works  2 All ER 560. In addition, there was no obligation to develop a formal policy concerning removal from free association, as Rule 40 of the Detention Centre Rules 2001 was sufficiently clear to meet the needs of transparency. Continue reading →
You would have to be a monk or, at any rate, in an entirely internet-free zone, not to have had your recent days troubled by endless GDPR traffic. The tiniest charity holding your name and email address up to the data behemoths have asked, in different ways, for your consent for them to hold your personal data. You may have observed the frankness and simplicity of the former’s requests and the weaseliness of the latter’s, who try to make it rather difficult for you to say no, indeed to understand what precisely they are asking you to do.
Just in case you have not looked at it, here is the Regulation. It is actually a good deal easier to understand than a lot of the summaries of it.
This lack of transparency in these consent forms/privacy statements had not gone unnoticed by one of Europe’s more indefatigable privacy sleuths. Max Schrems, an Austrian lawyer, who, at 30 years of age, has already been to the EU top court twice (see here and here), moved fast. By the end of GDPR day last Friday, 25 May, he sued global platforms with multibillion-euro complaints. 3 complaints said to be valued at €3.9 billion were filed in the early hours against Facebook and two subsidiaries, WhatsApp, and Instagram, via data regulators in Austria, Belgium and Germany. Another complaint valued at €3.7 billion was lodged with France’s CNIL in the case of Google’s Android operating system.
Privacy International v. Investigatory Powers Tribunal  EWHC EWCA Civ 1868, Court of Appeal, 23 November 2017
As all lawyers know, the great case about courts confronting a no-go area for them is the late 1960’s case of Anisminic.
A statutory Commission was given the job of deciding whether compensation should be awarded for property sequestrated, in the particular case as a result of the 1956 Suez crisis. The Act empowering it said that the
determination by the Commission of any application made to them under this Act shall not be called in question in any court of law.
The House of Lords, blasting aside arcane distinctions, said that this provision was not enough to oust judicial review for error of law.
Fast forward 50 years, and another Act which says
determinations, awards, orders and other decisions of the Tribunal (including decisions as to whether they have jurisdiction) shall not be subject to appeal or be liable to be questioned in any court.
The Court of Appeal has just decided that, unlike Anisminic, this Act does exclude any judicial review.
R (o.t.a P & others) v. Secretary of State for Home Department & others  EWCA Civ 321, Court of Appeal, 3 May 2017 – read judgment
The Court of Appeal has upheld challenges to the system of the police retaining information about past misconduct. It held that the system, even after a re-boot in 2013 in response to an earlier successful challenge, remains non-compliant with Article 8.
The problem is well summarised by Leveson P in the first paragraph of the judgment, namely the interface between a system of rehabilitation of offenders and the minimisation of risk to the public caused by the employment of those with misconduct in their pasts.
This blog has covered a number of claims for damages arising out of the misuse of private information. The Mirror Group phone hacking case is one example (see my post here and the appeal decision here), and the fall-out from the hapless Home Office official who put private information about asylum-seekers on the Internet, being another – (Gideon Barth’s post on TLT here). See also below for related posts.
But this post is to give a bit of context, via the wider and scarier cyber crime which is going on all around us. It threatens the livelihoods of individuals and businesses the globe over – and has given and will undoubtedly give rise to complex spin-off litigation.
So let’s just start with the other week. On 21 October 2016, it seems nearly half the Internet was hit by a massive DDoS attack affecting a company, Dyn, which provides internet services infrastructure for a host of websites. Twitter, Reddit, Netflix, WIRED, Spotify and the New York Times were affected. DDoS, for cyber virgins, is Distributed Denial of Service, i.e. an overloading of servers via a flood of malicious requests, in this case from tens of millions of IP addresses. No firm culprits so far, but a botnet called Mirai seems to be in the frame. It is thought that non-secure items like cars, fridges and cameras connected to the Internet (the Internet of Things) may be the conscripted foot soldiers in such attacks.
And now to the sorts of cases which have hit the headlines in this country to date.
Richardson v Facebook  EWHC 3154 (2 November 2015) – read judgment
An action in defamation and under the right to privacy against Facebook has been dismissed in the High Court. The Facebook entity named as defendant did not “control” the publication so as to allow liability; and even if it did, no claim under the Human Rights Act could lie against FB as it could not be described as any sort of a public authority for the purposes of Section 6 of the Act.
The claimant, acting as a litigant in person, sought damages in respect of the publication in 2013 and 2014 of a Facebook profile and a posting on the Google Blogger service. The Profile and the Blogpost each purported to have been created by the claimant, but she complained that each was a fake, created by an impostor. She claimed that each was defamatory of her, and infringed her right to respect for her private life under Article 8 of the European Convention on Human Rights (ECHR). Continue reading →
Emma-Louise Fenelon is a Pupil Barrister at 1 Crown Office Row
‘Eavesdropping, sir? I don’t follow you, begging your pardon. There ain’t no eaves at Bag End, and that’s a fact.’ (J.R.R Tolkein)
If parliamentarians are seen to be taking a more forensic interest in matters of surveillance in the coming weeks and months, the reason is unlikely to be purely down to the publication of the greatly anticipated surveillance legislation. Last week’s Investigatory Powers Tribunal judgment has sent ripples of discontent through both Houses of Parliament, evidenced in immediate calls for an emergency debate on the subject (scheduled to take place in the House of Commons later today).
R (ota Davis et al) v. Secretary of State for Home Department  EWHC 2092 – 17 July 2015 –read judgment
When a domestic Act of Parliament is in conflict with EU law, EU law wins. And when a bit of the EU Charter (given effect by the Lisbon Treaty) conflicts with an EU Directive, the EU Charter wins.
Which is why the Divisional Court found itself quashing an Act of Parliament on Friday – at the behest of four claimants, including two MPs, the Tories’ David Davis and Labour’s Tom Watson.
The doomed Act is the Data Retention and Investigatory Powers Act 2014 or DRIPA. It was in conformity with an underlying EU Directive (the Data Retention Directive 2006/24/EC or DRD – here). However, and prior to DRIPA, the DRD had been invalidated by the EU Court (in the Digital Rights Ireland case here) because it was in breach of the EU Charter.
All this concerns communications data, which tell us who was sending an email, to whom, from where, and when – but not the content of the email. DRIPA in effect compels telecoms providers to keep communications data for 12 months, and to make it available to public bodies such as intelligence and law enforcement agencies.
Gulati v. MGN Ltd  EWHC 1482 (Ch), Mann J – judgment here
For some years in the early and mid 2000s, a routine form of news-gathering in the Mirror Group was phone hacking – listening to voicemails left for celebrities by their friends, and then dishing up revelations in their papers. And this judgment amounts to a comprehensive pay-back time for the years of distress and upset sustained by those celebrities, as the ins and outs of their private lives were played out for the Mirror Group’s profit. The damages awarded well exceeded those previously payable, as justified in the tour de force of a judgment by Mann J.
Warning – the judgment, compelling though it is, runs to 712 paragraphs. It concerns the assessment of damages in eight cases. The Mirror Group belatedly admitted liability and apologised, not before denying any wrongdoing to the Leveson inquiry. Other claims rest in the wings pending this trial. But with awards between £72,500 and £260,250, the bar has been set high by Mann J.
The claimants (with one exception) were the classic subjects of tabloid columns, namely EastEnders and Corrie stars (or those unfortunate to be married to them), the sometime air hostess girlfriend of Rio Ferdinand, Jude Law’s former wife, Sadie Frost, and, inevitably, Gazza. Seven sued because the hacking led to repeated articles about them. The eighth, Alan Yentob, Creative Director of the BBC, was hacked because of the information derived from the famous people who had left voicemails for him.
Google Inc v Vidal-Hall and others  EWCA Civ 311 (27 March 2015) – read judgment
This case concerned the misuse of private information by an internet provider based in the United States. Google had secretly tracked private information about users’ internet browsing without their knowledge or consent, and then handed the information on to third parties (a practice known as supplying Browser-Generated Information, or ‘BGI’).
The issue before the Court of Appeal was twofold:
Was the cause of action for misuse of private information a tort, specifically for the purposes of the rules providing for service of proceedings out of the jurisdiction?
This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.