Tag Archives: Data Protection

David Erdos: Mind the Gap – The CJEU Google Spain Judgment Profoundly Challenges the Current Realities of Freedom of Expression and Information Online


The European Union Data Protection Directive of 1995 has always had lofty, and in many ways implausible, ambitions. As regards the private sector, it seeks to outlaw the input, storage or other processing on computer of any information relating to a living individual “data subject” (irrespective of whether the information is innocuous and/or widely available in the public domain) unless in each and every case that processing complies with a set of provisions put in place to ensure the protection of “the fundamental rights and freedoms of natural persons, and in particular their right to privacy” (Art. 1 (1)).

Subject to certain qualified and limited exemptions, that code requires that all data “controllers” – that is anyone who either “alone or jointly” determines the “purposes and means” of processing (Art. 2 (d)) – comply with a set of detailed rules designed inter alia to ensure fairness and transparency for the data subject and, in most circumstances, to completely outlaw processing of whole categories of “sensitive” information (for example regarding political opinion, religious belief and criminality) absent the subject’s explicit consent or unless this information is currently being manifestly made public by her (which may be taken as an albeit very tenuous kind of implicit consent) (Arts. 8, 10, 11 and 12).

In terms of legal principle, this code should have deeply structured the entire architecture of publication and dissemination of information on the World Wide Web. And yet, long before even the advent of Web 2.0, it was clear that the Web was largely operating according to an almost diametrically opposed understanding, namely, that information – in particular, publicly-available information – should, except in extraordinary circumstances, be “free”. This ethic is certainly at the heart of Google’s operations – indeed, its public mission is “to organise the world’s information and make it universally accessible and useful”.

The recently handed down Court of Justice of the European Union (CJEU) decision in C-131/12 Google Spain, Google v Agencia Española de Protección de Datos (2014) brings into stark relief the chasm between these two different understandings. The case originated from an attempt by a Spanish individual to use Spanish data protection legislation to get Google to delete from its search engine publicly available information relating to his bankruptcy from over ten years previously. His case, along with some 200 or so others, received the backing of the Spanish Data Protection Authority.

Google, however, contested liability on the basis that (i) it was not subject to Spanish law, (ii) it was not a “controller” of the processing and (iii) that making it comply would have a chilling effect on fundamental rights. Whilst many of these arguments received support in the advisory Advocate General Opinion of last June, the CJEU has now strikingly rejected all three. In sum it held that:

* Google search engine was bound to comply with Spanish law since the activities of its advertising subsidiary (Google Spain), unquestionably established on Spanish territory, were “inextricably linked” to the search engine itself (at 56). Therefore, all the processing was carried out “in the context of the activities” of the Spanish subsidiary. (As an aside, this implies that European Data Protection Authorities have been wrong to hold that Facebook is only subject to Irish law and can therefore ignore the data protection provisions of all the other 28 EU Member States).

* Google was clearly determining the “purposes and means” of processing data as it was deciding to create a search engine (at 33). It therefore was a “controller”. It was not relevant that the data in question had “already been published on the internet and are not altered by the search engine” (at 29).

* Far from constituting a chilling effect on fundamental rights, placing responsibilities on Google was essential to securing the “effective and complete” protection of data subjects’ rights and freedoms envisaged by the Directive (at 38). This was particularly the case since inclusion of information on a list of search engine results “may play a decisive role in the dissemination of that information” and “is liable to constitute a more significant interference with the data subject’s fundamental right to privacy than the publication on the web page” (at 87).

What was particularly striking and unexpected was that the Court went out of its way to enunciate both the ambit and substantive duties of Google in an even more expansive way than that suggested by the Spanish Data Protection Authority (DPA). As its Press Release following the judgment indicated, the Spanish DPA’s argument was limited to the idea that it was only on being asked by the data subject to remove material that Google became liable under data protection law. Moreover, Google would only have to accede to a “right to be forgotten” if its dissemination lacked “relevance or public interest” and was “causing harm to the affected individual”. On each of these aspects, however, the understanding of the CJEU was much broader.

Firstly, the Court stated that a search engine would be a controller not as a result of receiving a data subject request but merely because it was “processing” on its own behalf or, in other words, collecting and disseminating information from the web. It followed that:

Inasmuch as the activity of a search engine is … liable to affect significantly, and additionally, compared with that of publishers of websites, the fundamental rights to privacy and to the protection of personal data [as noted above, the Court found that this would often be the case], the operator of the search engine … must ensure, within the framework of its responsibilities, powers and capabilities, that the activity meets the requirements of [Data Protection] Directive 95/46 in order that the guarantees laid down by the directive may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved. (at 38)

Secondly, the Court stated that there could be a valid opposition to the search engine’s inclusion of personal data irrespective of whether inclusion in the search engine results “causes prejudice to the data subject” (at 96).

Even more strikingly, the Court found that the simple making of an opposition would “override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding the information upon a search relating to the data subject’s name” (at 97). As a partial caveat, the Court did add that, at least as regards ordinary personal data “that would not be the case if it appeared, for particular reasons such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of inclusion in the lists of results, access to the information in question” (at 97). In stark contrast to the Advocate General’s Opinion, the Court made no mention at all of how the much stricter, sensitive information rules were meant to operate in this context.

The Court was right to find that Google was subject to Spanish law and was indeed a controller of its search engine results. What is surprising and more troubling were the Court’s views on the breadth and depth of search engines’ data protection responsibilities.

It is particularly striking that vis-à-vis Google the Court made no mention of freedom of expression even though this is enunciated in both Article 10 of the European Convention on Human Rights and Article 11 of the EU Fundamental Rights Charter. There was therefore no express attempt to balance this right against the data protection provisions set out in the Data Protection Directive and Article 8 of the EU Charter.

Instead, data protection was given priority, subject only to the partial caveat of a rather narrowly construed public interest centred on public figures. This approach can indeed be seen as required in order to secure the “effective and complete” protection of data subjects intended by the founders of European data protection.

However, such a vision is in profound tension with the whole way in which information is disseminated and sought out online including not only by large corporations such as Google but also by hundreds of millions of individuals. Much of the legal debate in the months and years to come will focus on dissecting exactly what the few limits left in play by the Court, which relate not only to public interest but also the “responsibilities, powers and capabilities” of search engines, actually mean.

But, in terms of real implementation, what is likely to matter more is how powerful the ideal of data protection enunciated in this judgment is when placed against the vast cultural, political and economic power of “internet freedom”. Whatever results from this, interesting times are ahead for the future development of this legal framework, with profound implications for the freedom of expression and information of us all.


David Erdos is a University Lecturer in Law and the Open Society and a Fellow of Trinity Hall, University of Cambridge.

(Suggested citation: D. Erdos, ‘Mind the Gap’ Open Democracy (15th May 2014) (available at OpenDemocracy) OR D. Erdos, ‘Mind the Gap – The CJEU Google Spain Judgment Profoundly Challenges the Current Realities of Freedom of Expression and Information Online’ U.K. Const. L. Blog (15th May 2014) (available at http://ukconstitutionallaw.org/)).











Hayley J. Hooper: Keep Calm and Carry On?

On September 18, 2012 the Upper Tribunal allowed an appeal, reversing decisions of the Information Commissioner relating to the release of “advocacy correspondence” between Prince Charles in his capacity as Heir to the Throne, and seven government departments. The information was originally requested by Guardian journalist Rob Evans and related to a time period between 2004 and 2005. In a piece written by Evans on October 12, 2012 in the Guardian it was reported that the “advocacy correspondence” where Prince Charles allegedly argued for changes in government policy in line with his personal viewpoint had become known as the “black spider memos” in reference to the Prince’s style of handwriting. The information requests have occupied the tribunals’ service for close to four years.

The decision in Evans v Information Commissioner [2012] UKUT 313 (AAC) is something of a novelty in several respects. First, this is likely to be one of the last decisions of its kind because as of January 19, 2011 communications between public authorities and the Heir to the Throne are now the subject of an absolute exemption under the Freedom of Information Act 2000 due to an amendment made by the Constitutional Reform and Governance Act 2010. Secondly, the decision of the Upper Tribunal created the unusual situation whereby a judicial body had to adjudicate on the scope of several constitutional conventions as they related to the Heir to the Throne.  Thirdly, it presents an opportunity to begin debating the proper conception of the public interest in knowing information about the activities of the Heir to the Throne in relation to his preparation for Kingship, and his role in public life generally.

This decision is not to be confused with the other recent FOI decision concerning Prince Charles in his capacity as head of the Duchy of Cornwall. On August 21, 2012 the Information Commissioner decided that information relating to Prince Charles’ legislative veto in relation to the Duchy of Cornwall was not exempt from disclosure under section 42(1) of the Freedom of Information Act 2000, which relates to “legal professional privilege”.

In view of this, this blog post has several aims. I begin by explaining the use of freedom of information law in the context of the case. In the next section I discuss the constitutional position of the Prince of Wales as the Heir to the Throne. Thereafter, I will consider the Upper Tribunal’s discussion of the scope of the relevant constitutional conventions. Finally, I will scrutinise the different consideration given to the concept of the “public interest” by the Upper Tribunal and Parliament in the 2010 Act.

Exemptions under the Freedom of Information Act 2000

There are two types of exemption from the general right of access to information held by public authorities in the Freedom of Information Act 2000. The first is the “absolute exemption” which prevents the disclosure of the information under any circumstances. Absolute exemptions historically included communications with the Sovereign, and since January 19, 2011 such an absolute exemption has also applied to communications with the Heir to the Throne by virtue of section 37(1). The second type of exemption is a “qualified exemption”. Such an exemption refers to information ordinarily immune from disclosure unless it can be overridden by a public interest test. The public interest test in section 2(1)(b) places a duty on a public authority to decide whether “in all the circumstances of the case, the public interest in maintaining the exclusion of the duty to confirm or deny outweighs the public interest in disclosing whether the public authority holds the information”. Exemptions of this type apply for example to information relating to law enforcement (section 31), legal professional privilege (section 42), prejudice to the effective conduct of public affairs (section 36), environmental information (section 39), and commercial interests (section 43).

The relevant contested provisions before the Upper Tribunal in the Freedom of Information Act 2000 were section 37, section 40 and section 41. Prior to being amended by the 2010 Act, section 37, entitled “Communications with Her Majesty, etc. and honours”, imposed an absolute exemption from disclosure upon communications with the Sovereign. The 2010 Act extended this protection to similar communications with the Heir to the Throne. Section 40 is also an absolute exemption relating to personal information as defined by the Data Protection Act 1998. Section 41 also exempts absolutely information provided in confidence. In respect of the Environmental Information Regulations 2004, the Department for the Environment, Food, and Rural Affairs (DEFRA) relied upon Regulation 12(5)(f) and Regulation 13, which related to the interests of the person supplying the information and personal data, respectively. The Upper Tribunal did not decide whether Prince Charles’ communications amounted to personal data, and concluded that the environmental regulations contained a presumption in favour of disclosure that the Tribunal found no reason to depart from.

The Constitutional Position of the Prince of Wales as Heir to the Throne

It should be noted that none of the parties to the litigation contended that Prince Charles’ activities of “advocacy” to government ministers were at any time, or would be, unconstitutional. The tribunal decided that there was no established constitutional position for the Heir to the Throne. However, it was noted by Counsel for Mr Evans that Prince Charles’s self-perceived role has been described on his behalf as representational, “drawing attention to issues on behalf of us all” and “representing views in danger of not being heard”. For an account of the Prince of Wales’ activities vis-à-vis his role as Heir to the Throne, the Tribunal drew heavily upon a 1995 article in Public Law by the expert witness for the seven government departments, Rodney Brazier, entitled “The Constitutional Position of the Prince of Wales”. In the 1995 article, Brazier pointed to several features of the Prince of Wales’ activity which were, in his view, “novel” or “surprising”. These included the fact that Prince Charles had arrogated for himself the right to communicate directly with Ministers on affairs of government. Also, Professor Brazier’s 1995 piece pointed out that the Prince was insisting upon enjoying the same rights as the incumbent Monarch in respect of the “tripartite convention”.

Relevant Constitutional Conventions

In 1984, Marshall wrote that the “major purpose of the domestic conventions is to give effect to the principles of governmental accountability that constitute the structure of responsible government.” All parties to the action agreed that there were three conventions which the case engaged. Both sides agreed upon Sir Ivor Jennings’ tripartite test for the existence of a constitutional convention. In The Law and the Constitution (5th ed., 1959) Jennings suggested that a constitutional convention exists if (i) there are precedents underpinning it, (ii) the parties to the relevant practice consider themselves to be bound by it, and (iii) there is a reason for the existence of the convention. Three constitutional conventions were deemed relevant to the dispute. The first was the “Cardinal Convention”, which mandates that the Monarch acts on the advice of Ministers. The second was the “Tripartite Convention” which Bagehot famously described in The English Constitution as being the Sovereign’s right to “…be consulted, the right to encourage, [and] the right to warn”. However, neither side advanced the proposition that either of these conventions applied to Prince Charles at the stage in question – when he was neither King nor Regent.

The tribunal remarked that the third convention, “the education convention”, had been regarded until now “as little more than a footnote.” This convention stated that the Heir to the Throne is entitled to be educated in the business of government. The seven government departments representing Prince Charles’ interests also argued that the scope of the education convention covered “advocacy correspondence” and required absolute confidentiality to ensure its proper operation. The Upper Tribunal ruled that the confidentiality of the education convention did not extend to advocacy correspondence. In so ruling, the Tribunal also rejected the seven departments’ contention that the advocacy correspondence merited additional protection over and above “routine” confidential correspondence because it fell within the scope of a constitutional convention.

Argument about the education convention revolved around the “admittedly new contention” advanced by the seven departments “that the education convention has been extended so that it covers all correspondence between government and the heir to the throne.” The Upper Tribunal rejected this contention, stating that “in the public examples that we have seen, the plain facts are that what Prince Charles is doing is not prompted by a desire to become more familiar with the business of government, and simply is not addressing what his role would be as king.” The conclusion of the Tribunal was that inclusion of “advocacy correspondence” within the education convention would involve “a massive extension” of that convention for which no good reason had been advanced. Moreover, the disclosure of advocacy communication would be a general benefit to the operation of the education convention because “[it] will focus the minds of the parties on the important principle that the education convention does not give constitutional status to advocacy communications.” So, because the “advocacy correspondence” fell outside of the scope of the education convention, the interest in maintaining confidentiality under that convention was not engaged.

Differing approaches to the Public Interest of The Upper Tribunal and Parliament

The Upper Tribunal was rightly conscious of the politically charged subject matter of the case, noting in its introductory remarks that:

 “[some] will be horrified at any suggestion that correspondence between government and the heir to the throne should be published. They fear, among other things, that disclosure would damage our constitutional structures. Others may welcome such disclosure, fearing among other things that without it there will be no real ability to understand the role played by Prince Charles in government decision-making.”

Therefore, it was common ground that the legal questions in the case revolved around one issue – the issue of disclosure – and whether or not any breach of confidence or privacy that disclosure involved would be in the public interest. The Tribunal, I think quite properly, made clear that it was not seeking “to weigh the benefits of a constitutional monarchy over those of a republic.” In this respect it successfully approached the issue in its intended manner – “dispassionately”.

The Tribunal is also to be commended for its extensive treatment of the question of public interest, which ran to twenty-one pages and covered eight separate aspects. Reference was also made to the Nolan Principles on Public Life for the purposes of general guidance. The aspects of the public interest identified were: (1) the promotion of good governance, (2) Royalty, government, and constitutional debate, (3) understanding Prince Charles’ influence, (4) the education convention and preparation for Kingship, (5) the public perception of Prince Charles, (6) chilling effects on frankness in communication between Prince Charles and Ministers, (7) maintaining confidences and preserving privacy, and finally (8) an attempt was made to take a general perspective on the overall balance. The Tribunal concluded that all eight aspects contained facets which, on balance, pointed towards disclosure in the public interest.

In the course of its evaluation of the public interest in maintaining confidences the Tribunal noted that there was a strong interest in maintaining confidentiality, following the test laid down in Prince of Wales v Associated Newspapers [2006] EWCA Civ 1776, but concluded, in view of its detailed consideration of the seven factors, that although the “inherent weighty public interest in the maintenance of confidences” cited by the Information Commissioner was vital, it was outweighed by the public interest in disclosure. In respect of the overall balance the Tribunal made clear that it was not persuaded that correspondence between ministers and Prince Charles warranted “greater protection from disclosure than would be afforded to correspondence with others who have dealings with government in a context where those others are seeking to advance the work of charities or to promote views.”

Whilst the Upper Tribunal should be commended for its diligent evaluation of the public interest in respect of the areas it covered, the outgoing New Labour government, supported by Parliament, was of the view that the public should simply “Keep Calm and Carry On”. Jack Straw, the Minister sponsoring the Bill during a Commons debate on March 2, 2010, claimed that there was a “lacunae” in the original Freedom of Information Act and that:

“We are blessed in this country by a constitutional monarchy of the highest standards. Whatever turmoil there might have been in our body politic, above it all, and held in continuing high respect, is the position of the sovereign… it is of great importance that we protect the political impartiality of the monarchy, the sovereign’s right and duty to counsel, to encourage and to warn the Government and the right of the heir to the throne to be instructed on the business of government in preparation for the time when they assume the monarchy.”

The former Government Minister’s position reminds the reader of Bagehot’s description of the “dignified” portion of the constitution. Bagehot, writing in the Victorian era, opined:

“The use of the Queen, in a dignified capacity, is incalculable. [The] best reason why Monarchy is a strong government is, that it is an intelligible government. The mass of mankind understand it, and they hardly anywhere in the world understand any other.”

During the same debate Tony Wright MP (Lab) expressed the opinion that: “The question is whether such communications – after all, the amendment that we are being asked to consider is, in a sense, the Prince Charles amendment…”, and furthermore that government should have to make the case for “giving away a public interest test virtually in perpetuity”. Wright developed his case with reference to the example of homeopathic medicine:

“Let us consider homeopathy, which most sensible people think is not entirely supported by evidence. Suppose that Prince Charles, the heir to the throne, were to weigh in to the debate, giving heavy support to the idea that resources should be devoted to homeopathy. If a Government then decided to start allocating resources to homeopathy, people would be entitled to know that that act of lobbying had been extremely successful. We would want to know about it if it had come from any other source.”

However, since January 2011 Parliament has enacted a legal prohibition upon access to such information, and the only explicit justification offered by the sponsoring Minister was that this was the original intention of the Freedom of Information legislation, and protection of the Heir to the Throne had simply been overlooked by the draftsman. Despite this, there are many hypothetical examples above and beyond support for alternative medicine that would legitimately give rise to a public interest in disclosure. The overall conclusion of the Upper Tribunal is instructive:

“The media interest in Prince Charles’s interaction with ministers is substantial. It seems to us that this is not a factor which in itself necessarily favours disclosure. What is relevant is that there is a real debate, generating widespread public interest, on a matter which goes to the heart of our constitution. Sensationalism merely for the sake of it will not generally be in the public interest.”

The Tribunal noted that the 2010 Act represented “a change in legislative policy”. Such a change in policy is something parliament is constitutionally absolutely entitled to carry out. However, it is regrettable that such a fundamental change occurred in the course of a Bill which contained a laundry list of constitutional amendments, resulting in only a fleeting consideration of its potentially wide-ranging impact upon the operation of government. Bagehot’s seminal work first appeared in 1867. It now seems decidedly at odds with our information society that parliament should expect the people to remain ignorant of the persons and factors which might influence government policy.

Hayley J. Hooper is Lecturer in Law at Trinity College, Oxford.

Suggested citation: H. J. Hooper, ‘Keep Calm and Carry On?’ UK Const. L. Blog (16th October 2012) (available at http://ukconstitutionallaw.org)

Editor’s note: this post was revised on 25th October 2012.



Carol Harlow: Surveillance and the Superstate

For a society as devoted to secrets and privacy as the British are traditionally supposed to be, however, the law possesses surprisingly few protections for the communications of its citizens. True, phone hacking has become a criminal offence under the Regulation of Investigatory Powers Act 2000 and the creation and retention of citizens’ data is now regulated by the Data Protection Act 1998 but there is no right of privacy per se at common law and resort is consequently to a haphazard and fragmentary set of common law rights of action, which protect person, property and dignity in limited situations [See Lord Bingham, ‘Tort and Human Rights’ in P Cane and J Stapleton (eds), The Law of Obligations (Clarendon Press, 1998)].

Government (a.k.a. the Crown) has by way of contrast traditionally been highly privileged, benefiting from the existence of a set of wide and loosely defined prerogative powers in the area of security and defence. There has never been a constitutional ‘right to know’ and access to official information was until recently narrowly restricted by draconian Official Secrets Acts, which made it an offence for any Crown servant or agent or anyone in receipt of information from a Crown servant or agent to disclose such information without authority. Although toned down by the Official Secrets Act 1989, which restricts the categories of protected information, the underlying ethos, that information in the possession of government is its private property, has not been dispelled by the first freedom of information legislation, which came into force only in 2005 and is riddled with so many exemptions as to merit the label of ‘sheep in wolf’s clothing’ bestowed on it by Rodney Austin [‘The Freedom of Information Act 2000: a sheep in wolf’s clothing?’ in J Jowell and D Oliver (eds), The Changing Constitution (Oxford University Press, 5th edn, 2004)].

In the last two decades, the relationship between state and citizen in the area of information has been complicated by the rapid evolution of information technology, globalization of communications and the multi-level nature of regulation. Many counter-terrorism measures involving surveillance emanate, for example, from the United Nations, while the European Union is starting to play a significant role in access to information and data protection. On the one hand, ICT has facilitated the accumulation and retention in government data banks of vast quantities of information, relevant and irrelevant, about its citizens. Concern over the uses to which such information would be put fuelled opposition to proposals – ultimately defeated – from Tony Blair’s government for citizen identity cards. On the other hand, easy access to the internet and rapid communication via mobile telephones, Skype, social networking sites, twittering and tweeting have worked to the benefit of citizens and rendered government control harder. This point was poignantly illustrated during the ‘Arab Spring’.

Concern, evidenced in the campaign against identity cards, has been growing at national level, over the growing use of modern technology to extend surveillance by public authorities – the proliferation of CCTV cameras for crime prevention, centralized and systematic police monitoring of cameras used for traffic control for other purposes, and CCTV use by the private sector, where it is barely controlled. The courts have shown themselves relatively unwilling to restrict the use of modern surveillance techniques. In Wood v MPC [2009] EWCA Civ 414, for example, the Court of Appeal rejected a claim that the filming of participants in a trouble-free demonstration and subsequent retention of the photographs was unlawful and amounted to a violation by the police of ECHR Article 8, ruling instead that the practice was a justifiable and proportionate measure for the prevention of crime. After the London riots in 2011, the Metropolitan police pressurized broadcasters to hand over videos and pictures they had taken, threatening a court production order under PACE. The press protested vigorously at the threat to freedom of speech (The Guardian 30 August 2011) but the issue remains unresolved. Similar protests met government proposals – not yet fully particularised – to extend rights of access by public authorities to electronic communications between citizens, stimulating a vigorous political response from the junior partners in the coalition government (BBC News, 10 April 2012).

Strasbourg, interception and data protection

The interception of communications has brought the United Kingdom up against the Strasbourg Court of Human Rights on several occasions. Indeed, of the long line of cases that marks the interest of the Strasbourg Court in interception of communications, data protection and surveillance, several involve the United Kingdom [ECtHR, Factsheet on data protection 2012]. In Malone v United Kingdom (1984) 7 EHRR 14, the issue was telephone tapping by the police, which came to light during Malone’s trial for handling stolen goods. When Malone sought a declaration that the practice was unlawful [Malone v. Commissioner of Police of the Metropolis (No. 2) [1979] 2 All ER 620] Megarry J. ruled (i) that the common law recognised no right of privacy on which to found an action, (ii) that no actionable tort had been committed and (iii) that a claim based on Article 8 of the ECHR, which specifically protects the privacy of correspondence, must fail because the ECHR was not (at that time) directly applicable in domestic law. In reaching these conclusions, the judge remarked, however, that he found it ‘impossible to see how English law could be said to satisfy the requirements of the Convention’ and that ‘the subject cried out for legislation’. This did not prevent the British Government from arguing in Strasbourg both that the practice of requiring ministerial authorisation for all telephone tapping was sufficient to satisfy the Convention requirement that interceptions must be ‘in accordance with the law’; and also that the practice of ‘metering’ or recording dialled numbers and the time and duration of calls, fell outside the Convention right. The Government lost on both heads and the Interception of Communications Act 1985 followed.

This legislation is now taken up in the Regulation of Investigatory Powers Act 2000. RIPA’s objectives are wide: it provides for ‘the interception of communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed’ for purposes of national security or investigation of serious crime by the security services and police. A warrant signed by the Home Secretary is required. RIPA also regulates ‘metering’; it requires records to be kept and made accessible on ministerial request of dialled numbers etc. A monitor in the shape of an Interception of Communications Commissioner is provided. More controversially, RIPA permits a wide range of government agencies, including the Charity Commissioners, Financial Services Authority and local authorities to indulge in similar activities, albeit in limited circumstances. Largely on these grounds, it has been widely criticised as a ‘snoopers’ charter’.

Marginal restrictions on the powers of local authorities are contained in the Protection of Freedoms Bill, currently before Parliament. Unsurprisingly, however, the Home Secretary (Theresa May) did not seize the opportunity afforded by the Bill seriously to curtail the snooping activities of public authorities. Instead, proposals to include in the next Queen’s Speech extensions to RIPA’s ambit have been announced to cover more modern forms of communication, including internet-based email, twittering and tweeting, Blackberries, Skype, mobile phone texting, social networking sites like Facebook and even online games. Proposed new legislation would, it is believed, force internet companies to install hardware enabling GCHQ on behalf of government to examine websites accessed and text messages or email sent. The proposals will in short allow police and intelligence officers to monitor a person’s contacts including websites, although the content of communications will not be accessed. Once again, the records will be available to local councils and other agencies, though in limited circumstances.

In S and Marper v. the United Kingdom [2008] ECHR 1581,  the Court ruled on the taking and retention of DNA samples from persons suspected of criminal offences but subsequently acquitted. There is an implicit reproof to the House of Lords, which had ruled to the contrary in R(LS and Marper) v Chief Constable of Yorkshire [2004] UKHL 39, in the ruling that

the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular samples and DNA profiles of persons suspected but not convicted of offences… fails to strike a fair balance between the competing public and private interests and that… the retention at issue constitutes a disproportionate interference with the applicants’ right to respect for private life and cannot be regarded as necessary in a democratic society.

Necessary changes to bring the law into line with the Strasbourg judgment are also contained in the Protection of Freedoms Bill.

Enter the European Union

But data processing, retention and protection are no longer a purely domestic matter. They are the subject of a major new initiative under the direction of EU Commissioner, Viviane Reding. This is both a necessary and welcome development in view of the vast data banks that have been built up in the EU from material contributed by member states and often widely accessible to member state authorities and officials. Until the Lisbon Treaty came into force, winding up the ‘Third Pillar’ and bringing justice and home affairs into the ambit of the Community, this was a dark and windowless area of EU law and policy. In the Community pillar, some of the sketchy and piecemeal regulation, such as the Telecommunications Data Protection Directive (Council Directive 97/66 of 15 December 1997) or Data Retention Directive (Directive 2006/24/EC of 15 March 2006), had shown a capacity to bite. In Case C-518/07 Commission v Germany [2010] ECR I-1885, for example, the Commission successfully brought Germany before the Court of Justice because its domestic data supervisory authority was insufficiently independent. But Directive 95/46 on data protection, the generally applicable legislation, contains exceptions in Article 13, which authorises Member States to restrict the scope of the rights and obligations provided in the Directive when ‘such a restriction constitutes a necessary measure to safeguard national security, defence and public security’. Similar exceptions apply to the prevention, investigation, detection and prosecution of criminal offences. 
The consequence was policy-making marked by a serious democratic deficit and information shortfall, culminating in the highly suspect Prüm Convention, which provided for the establishment of DNA profile databases and allows access to partner countries’ fingerprint databases, which the other contracting parties will be able to check on request not only for the purpose of preventing terrorist attacks and serious criminal activity but also in case of political demonstrations and ‘other mass events’. Similarly controversial was the agreement with the United States on the transfer of passenger name record data (PNR), successfully attacked in the Court of Justice Case C-301/06 Ireland v Council and European Parliament (10 February 2009), but now the subject of a new agreement foisted on a not-entirely willing Parliament (see http://www.statewatch.org/pnrobservatory.htm).

Coupled with the EU Charter of Fundamental Freedoms, the Lisbon Treaty (TFEU Article 16) provides a new basis for, and mandates, EU lawmaking, from which the European Parliament can no longer be excluded. A proposal from the Commission for a legislative text would provide a Europe-wide framework for data protection. This would have a major impact on private generators of electronic data, which would in future have to prove either consent of the data subject to retention or that retention was necessary. A second proposal  for a directive covers processing of personal data by law enforcement authorities for purposes of crime prevention, investigation, etc. and ‘the free movement of such data’.  The Commission is also reviewing the Data Retention Directive, which requires companies to store communication traffic data for a period of between six months and two years. In fact, some member states and notably Sweden have already implemented this measure.

The European Data Supervisor has, however, expressed ‘serious disappointment’ with the provisions in the law enforcement area [Opinion of the European Data Protection Supervisor on the data protection reform package]. While welcoming the fact that the directive would cover domestic processing, he regrets that the level of data protection in this area would not be increased:

The main weakness of the package as a whole is that it does not remedy the lack of comprehensiveness of the EU data protection rules. It leaves many EU data protection instruments unaffected such as the data protection rules for the EU institutions and bodies, but also all specific instruments adopted in the area of police and judicial cooperation in criminal matters. [para. 443, emphasis mine]

The UK Information Commissioner has expressed similar views. He sees the Commission proposals as less ambitious than the current UK Data Protection Act and hopes that ‘the provisions will be strengthened as negotiations progress’. Clearly, we cannot rely on the European Union to halt the march towards a surveillance state.

Carol Harlow is Emeritus Professor of Law at the London School of Economics


Tom Hickman: Data Over-Protection

When my central heating boiler stopped working the other day I was expecting exorbitant costs, cold nights huddled around a hot water bottle and possibly a few hours holding on the phone to British Gas. I was not expecting an encounter with the Data Protection Act.

It happened when I was arranging an appointment with a gas boiler ‘engineer’. I was asked for my mobile telephone number so that the engineer could call me if he couldn’t find the house. I duly supplied it. At the conclusion of the call I asked the woman from British Gas if she could read my mobile telephone number back to me to check she had written it down right. “I am sorry” she replied “we can’t give out mobile telephone numbers because of data protection”. I pointed out that I had just given the number to her, but no amount of reason would prevail. The most she would do was read back the last three numbers.

This is by no means my only experience of the irrational effects of data protection laws. Many readers of this blog will have similar tales. But such experiences must not be dismissed as lighthearted examples of corporate idiocy. They are symptoms of a genuine underlying problem that can have consequences far more serious than a boiler engineer failing to turn up for an appointment.

The British Government no less than British Gas is apt to invoke data protection as a reason for not supplying information in obviously sensible circumstances. When the All Party Parliamentary Group on Extraordinary Rendition requested data about the transfer of British-captured insurgents from British forces to Afghan authorities and third nations (but not the names of the individuals concerned), as part of a project to review compliance with diplomatic assurances, the Group was met with a refusal based on the Data Protection Act. The refusal was particularly unfortunate given that the request was made to further the interests of the individuals on whose behalf the British government was invoking data protection concerns.

Yet more extraordinary was that until the morning of a hearing before the Upper Tribunal the Ministry of Defence was asserting that disclosure could not be made without the ‘explicit consent’ of each individual detainee or former detainee because the information sought was ‘sensitive personal data’ on the ground that it would be possible to infer the religious beliefs of those captured from the information: they would almost certainly be Muslim.

Then there is the case of Mr Rahmatullah. Mr Rahmatullah was captured by British forces in Iraq and handed over to the Americans before being unlawfully rendered to Bagram airbase detention facility, where he remains. The legal charity Reprieve sought to identify him after it was discovered a British-captured detainee was held at Bagram, in order to commence habeas corpus proceedings in the US. But the UK Government refused to provide his name or details because, in the absence of him having given his consent, it would breach his rights under the Data Protection Act. And so he languished in incommunicado detention. Fortunately his identity was eventually worked out by a combination of luck and good detective work by Reprieve. [1]

Even when cases do get on foot, data protection can rear its head to make rights enforcement more difficult. It is a recurring problem in litigation against both public authorities and companies that disclosable material will be redacted on ‘data protection grounds’. Moreover, in Smith [2008] EWHC 694 (Admin), Collins J deprecated the practice of public authorities in inquest proceedings to “routinely redact” the names of “any person” shown in documents which “makes it very difficult and sometimes impossible for interested parties to make preparations to deal with the evidence of a particular witness or to understand how that witness fits in to the whole picture.” He went on to note that such redaction is “taken to absurd lengths” such as by the redaction of correspondence with the family or their representatives.

The reasons for this state of affairs are more complicated than that the data protection laws are too tightly drawn. The problems also stem from the fact that the law itself is Byzantine.

Lawyers are accustomed to experiencing a sinking feeling when data protection rears its head in a case; and the first strategy is usually to try and find a way of not having to address it. The Data Protection Act is one of the most poorly drafted pieces of legislation on the statute book. It has tied the UK Courts up in knots. The consequence of the House of Lords’ judgment in Common Services Agency v IC [2008] UKHL 47, for example, is that the disclosure of information about individuals under the Freedom of Information Act constitutes processing personal data and is prima facie unlawful even if the documents are redacted so that no individual is identifiable from the information disclosed (the reason for this being that the disclosing public authority could—obviously—identify the persons from the disclosed redacted material by matching it up with the original material, which in fairness to the House of Lords is, literally, what the legislation says).

In the All Party Parliamentary Group on Extraordinary Rendition case ([2011] UKUT 153) the Upper Tribunal simply refused to follow the majority of the House of Lords in Common Services Agency on the basis that it just couldn’t possibly be right and it wasn’t absolutely on point. In a subsequent case, the High Court preferred to give such close scrutiny to the leading speech in the House of Lords that it was found to mean precisely the opposite of what it actually says: R (Dept of Health) v IC [2011] EWHC 1430 (Admin). These cases prompt one to reflect that if our highest Courts cannot make head or tail of the data protection laws then the British Government and British Gas ought perhaps to be more lightly censured.

Another problem is that the exceptions permitting processing of personal data are open-textured so that organizations cannot be sure when they are on the right side of the line. Take this together with the risk of criminal sanctions (which always leads to robust corporate compliance) and one has a recipe for irrationality and over-protection.

Let us not forget that data protection laws are supposed to enhance our human rights. They are presented as bulwarks against the surveillance society, by which I mean the ever-greater ability of companies and governments to monitor and analyse information about us.

Such is the status of data protection that the Lisbon Treaty elevated the right of data protection in the EU to the status of treaty right embedded in the EU Charter of Fundamental Rights and Freedoms.

It is thus a perverse effect of data protection laws that they often have opposite effects: negating freedom of information and reducing accountable government.

The EU Commission is currently re-drafting EU data protection laws with the aim of increasing the protection currently afforded to personal data. The restrictions on lawful processing (including disclosure) will become even more tightly framed.

It is proposed to narrow further Article 7(f) of the Data Protection Directive allowing disclosure where “necessary” for the “legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed” by removing reference to third parties (such as the All Party Parliamentary Group on Extraordinary Rendition or Reprieve). Restrictions are also proposed to the provision allowing processing in the public interest, which will only be lawful where the controller is exercising functions prescribed in legislation (draft Regulation Article 6(1)(e), (f), (3)). The exception relating to disclosure “necessary” to protect the “vital interests” of the data subject is retained but this has been interpreted very narrowly to mean life and death situations such as use of medical records after a life-threatening accident. It is not given any wider compass in the proposals. The upshot will be that the work of human rights groups and human rights lawyers working to protect the interests of data subjects will be made even more difficult.

The Information Commissioner has drawn attention to some of these problems in its initial analysis of the Commission’s proposals (February 2012). The IC has stated that the terms of the draft Regulation may “stand in the way of processing that is desirable, unobjectionable and helpful to citizens.” And the IC has called for “explicit recognition in the Regulation that processing may take place where it is clearly in the data subject’s interests and does not override his or her fundamental rights and freedoms.” It is to be hoped that such well-founded criticisms will be addressed.

In the current climate of concern about the surveillance society it is important to appreciate that the side effects of the over-protection of personal data are not confined to farcical exchanges with public utilities companies: data over-protection can undermine the effective protection of human rights.

 Tom Hickman is a barrister at Blackstone Chambers.

[1] http://www.reprieve.org.uk/press/2011_06_22_Fox_Hague_Yunus/. Presently the subject of habeas corpus proceedings: R (Rahmatullah) v SSFCA  [2012] EWCA Civ 182 on appeal to the Supreme Court. The detective work is described in a witness statement of Clive Stafford-Smith dated 14/04/10



Paul Bernal: Between a European Rock and an American Hard Place?

Europe and the US have had very different approaches to privacy – and in particular data privacy – for a very long time. Data protection, the centrepiece of European data privacy law, is currently undergoing a reform – and that reform is highlighting the differences in attitude, approach and understanding of privacy and its place in the delicate balance with free expression and business.

The issue that is causing the most contention is the much discussed ‘right to be forgotten’, one of the central planks of the suggested new Data Protection Regulation. It’s being strongly pushed by Commissioner Viviane Reding – but isn’t exactly getting a good press in the US. Apocalyptic pronouncements like “the right to be forgotten could close the internet” and that it is the “biggest threat to free speech on the internet” have appeared in such august journals as the Stanford Law Review.

What is perhaps just as interesting to UK people is the distress that the whole affair is causing to the UK government. They don’t seem to know what to do, or where they stand.

The right to be forgotten

The central thrust of the so called ‘right to be forgotten’ is the idea that people should be able to delete information about them held on the internet. One of the key reasons for its development was the difficulty that people have had in deleting their accounts from social networking sites like Facebook – and the sense that the data being held about people is in some senses ‘theirs’, and that as a consequence they should have the right to delete it. Exactly what the right would mean in practice is somewhat unclear. What kind of data would be covered by the right, and who the right could be enforced against – and how it would or could be enforced in practice – still seems very much up for discussion, and will probably remain so for some time.

From the perspective of the proponents of the right, it is a logical extension of the existing principles of data protection. People already have rights to access information held about them and to correct it when it is erroneous – and to ask for it to be removed if it is being held inappropriately. The ‘right to be forgotten’ takes this a step further – changing the balance so that unless there is a ‘good’ reason for data to be held, the data subject should have the right to delete it. Looked at from this perspective, it is a right that empowers people against the ‘big players’ of the data world – challenging the establishment, and helping to shift the balance of power back towards the individual.

The US perspective

From the US perspective there’s something very different going on: the right to be forgotten seems to be seen primarily as a threat to free speech. The very name ‘the right to be forgotten’ raises a spectre of censorship, or of the rewriting of history – and when Americans look across the Atlantic and back into history and see figures from Stalin and Hitler to the likes of Berlusconi, that impression might be reinforced. It’s for that reason that I’ve been arguing for a while that it would be better to call it the ‘right to delete’ rather than the right to be forgotten – but the latter seems to be what we’re stuck with.

Does the right to be forgotten really threaten free speech? European Commissioner Viviane Reding has done her best to reassure audiences both sides of the pond that it doesn’t. There are exemptions, she has said, for the media, and for free expression:

“It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.”

Those words haven’t reassured many American writers. Jeffrey Rosen in the Stanford Law Review is one of the most often quoted: he has gone into the detail of what has been presented about the right so far, and found enough ammunition to be able to suggest that it might be used precisely as a tool of censorship. Is he right? Well, the way it looks at the moment, at the very least we are in for some protracted arguments from both sides.

What about business?

All of this, however, may well be somewhat beside the point. Some of the more cynical of privacy advocates – myself included – suspect that the US position isn’t quite as principled as it might appear. Free speech is of course fundamental to the US constitution, and prioritised over almost everything else – but free enterprise is in some ways every bit as fundamental to the US, and when looked at in detail the right to be forgotten is far more challenging to free enterprise than it is to free speech. Businesses all over the world – but in the US in particular – have been building business models relying upon the gathering, holding and using of vast quantities of personal data. It is those business models that are under threat. Not only might they have to build in mechanisms to allow people to see and then delete the data held about them but the potential they have for exploiting this data might be much reduced. Those businesses are not likely to be unhappy to have the much-respected advocates of free expression do the hard work of opposing the right to be forgotten for them…

And the UK?

The UK seems to have neither Europe’s enthusiasm for privacy nor the US’s passion for free speech. What it does have is a desire to support business – and not to let anything else get in the way of the freedom for businesses to find ways to make money.  Back when the proposal for the right to be forgotten first started doing the rounds, UK politicians were doing their best to oppose it.

In May 2011 Justice Secretary Ken Clarke gave a speech to the British Chamber of Commerce in Belgium, counselling against too much data protection. He suggested that the right to be forgotten was effectively unworkable, and implied that it should be abandoned. His words weren’t heeded – Viviane Reding in particular has continued to push and push for the right to be forgotten – and the UK government looks as though it’s been squirming ever since.

It’s not the first time that the UK Government has been put in a position of confusion over digital issues, trying to ‘support business’. Back in November 2010, Ed Vaizey came out first against the idea of net neutrality, thinking he was supporting business, and then almost immediately in favour of it when he saw the reactions his first statements produced. In a similar vein, the confusion shown by the Information Commissioner’s Office over the notorious ‘cookies’ directive has been rumbling on for many months and shows no sign of real resolution.

This time, though, the UK Government has taken it a step further. It appears that the UK Government would much rather the ‘right to be forgotten’ disappeared. The Ministry of Justice is undertaking a consultation, ostensibly a ‘Call for Evidence on EU Data Protection Proposals’. The language used is nicely neutral, but the purpose appears clear. Hawktalk, the blog of Amberhawk, the leading information law training providers, headlined its report on the consultation:

“MoJ asks for arguments to oppose the European Commission’s Data Protection Regulation”

Amberhawk suggested that by the nature of their call for evidence – the questions asked, the information provided, and the groups to which the call for evidence was sent – the MoJ was setting up a ‘numbers game’, wanting to say that the vast majority of respondents are opposed to the changes.

Will it work? Will the UK be able to block the regulation, or at least water it down in such a way as to neuter it? Given the persistence with which Commissioner Reding has pushed for the right so far, it seems unlikely. US opposition appears more likely to have an effect, not just because of the power of the US in the internet as a whole, but because their stance is more consistent and principled. Even that, however, cannot be taken for granted, as the US is now taking baby steps towards recognising the importance of privacy on the internet, with Obama putting forward his new  ‘Consumer Bill of Rights’ for privacy on the net.

The UK looks distinctly out of step – seemingly unable to influence Europe and unwilling to accept the views that are coming out of Brussels. For this author at least, the European view is distinctly more palatable, putting the rights of individuals at the heart of their proposals. It would be good if the UK Government began to do the same – and they might find their way out of the awkward position they now find themselves in.

Paul Bernal is a lecturer in the UEA Law School and a member of media@UEA. He blogs at The Symbiotic Web Blog (http://symbioticweb.blogspot.com/) and tweets as @paulbernalUK.

