Information law is a fast-moving and diverse area. It encompasses statutory rights of access to information, under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR), rights in respect of personal information, under the Data Protection Act 1998 (DPA), the right to respect for private life, under Article 8 of the European Convention on Human Rights, and a number of related statutory and common law rights. Clearly, for anyone interested in internet law, it is of fundamental importance.
Some recent internet issues
The DPA gives effect to Directive 95/46/EC. Both the Act and the Directive have been described as mainframe legislation for a networked world. They both predate the development of the internet as an integral part of business and personal life.
The EU is now considering a draft Data Protection Regulation to replace the Directive. The most eye-catching issue from an internet viewpoint is the so-called “right to be forgotten” and its potential to assist individuals in controlling the use made of their information on social networking sites. A number of commentators have made the point that there are considerable practical difficulties in controlling the dissemination by third parties of information voluntarily disclosed online and that a statutory “right to be forgotten” risks giving a misleading impression as to what legal regulation can effectively achieve.
Meanwhile, the public debate continues (both in the UK and the US) about the recent disclosures concerning the US Prism programme and the alleged provision of information to the National Security Agency by a number of major internet companies. Concerns have been expressed as to the effect of this programme on UK and other EU citizens, though there are many aspects of the scope and practical effect of this programme that remain obscure.
Google has been the focus of two interesting recent Court cases. In the Google Spain case in the Court of Justice of the European Union (CJEU) the issue is whether the Spanish data protection authority was entitled to order Google to remove links to inaccurate or outdated information. Google argues that responsibility rested with the authors or publishers of the relevant websites. At the time of writing, a decision is still awaited.
In Tamiz v Google  EWCA Civ 68 the Court of Appeal declined permission to serve proceedings on Google in California, arising out of alleged defamatory comments on a blog hosted by Google. Significantly, however, the Court did accept that there was an arguable case that Google was the “publisher” of the statements for defamation purposes.
FOI and environmental information
Probably the most important FOIA case this year will be Kennedy v Charity Commission and others, due to be heard in the Supreme Court in October 2013. The case raises the issue of whether the right to receive and impart information under Article 10 of the Convention confers a positive right of access to information held by public authorities. In the Kennedy litigation the Court of Appeal answered this question in the negative (Kennedy v Charity Commission and others  EWCA Civ 317), relying on the decision of the Supreme Court in Sugar v BBC  UKSC 4, but gave permission for a further appeal to the Supreme Court.
On one view Article 10 has nothing to do with rights of access to information held by public authorities; instead it protects the right to receive information from those who wish to impart it. However, there is a recent line of case law from Strasbourg that suggests this is too narrow an approach; hence the Supreme Court will need to consider whether Article 10 now confers a right to obtain information from a public authority that seeks to withhold it. Even if Article 10 does confer a positive right of access, it remains to be seen how this will interact with FOIA. One approach would be to use the Article 10 right as basis for interpreting FOIA (pursuant to section 3 of the Human Rights Act 1998). Alternatively the FOIA and Article 10 rights might come to be seen a two parallel rights of access, with the former enforced via the Information Commissioner and the First-tier Tribunal while the latter is litigated by way of judicial review.
Perhaps of more immediate day-to-day relevance to public authorities is the question of how to deal with requesters who are thought to be abusing the FOIA system. Section 14 of FOIA provides that vexatious requests do not have to be answered, but determining whether or not a particular request is vexatious is not always an easy task. In Information Commission v Devon County Council and Dransfield*  UKUT 440 (AAC) the Upper Tribunal (Judge Wikeley) concluded that the hallmark of a vexatious request was “a manifestly unjustified, inappropriate or improper use of FOIA”. There were four broad issues or themes which might assist in applying this test: the burden placed by the request on the public authority and its staff, the requestor’s motive, the value or serious purpose of the request, and any harassment or distress occasioned to staff. However, these four points should not be turned into a formulaic checklist. The case of Craven v Information Commissioner and Department for Energy and Climate Change  UKUT 442 (AAC), which was heard together with Dranslie, confirmed that the test under the EIR (reg 12(4)(b)) as to whether a request is “manifestly unreasonable” should be approached in the same way.
Another issue that appears humdrum but that creates severe difficulties in practice is determining when information is “held” by a public authority for the purposes of FOIA or the EIR and therefore potentially subject to disclosure under those regimes. In particular, what about electronic records that have been deleted but are potentially recoverable? In Keiller v Information Commissioner and University of East Anglia EA/2011/0152 the First-tier Tribunal held that an email was “held” by the University, despite the fact that the person who generated it had deleted it. It had been backed-up on to a University server and this remained in the University’s control despite the fact that it was currently in the hands of the police. The Tribunal considered that restoration from back-up records should usually be attempted, where it is a simple task. The issue that remains in doubt is this: how difficult must the task of restoration be before one can say that the information is no longer held by the public authority for FOIA or EIR purposes?
In general the DPA generates less case law than FOIA or the EIR. The range of issues under the DPA that can go to the First-tier Tribunal is limited: in particular, individuals who are dissatisfied with the outcome of a subject access request (for their own personal data) cannot appeal to the Tribunal though they can apply to the ordinary Courts for a remedy. Most individuals with a dispute about subject access do not risk the costs and complexities of civil litigation.
One area where the Tribunal has an important role to play, however, is in respect of the Information Commissioner’s power to impose monetary penalties for certain serious breaches of the DPA (see DPA section 55A). This is a very significant regulatory power: penalties of up to £500,000 can be imposed. So far there has only been one decided appeal under the penalty regime: in Central London Community Healthcare NHS Trust v Information Commissioner EA/2012/0111 the Tribunal upheld a penalty of £90,000 against a NHS body that had faxed sensitive patient information to an incorrect fax number. The case is being appealed to the Upper Tribunal.
The Tribunal also has the power to entertain appeals against other forms of regulatory action by the Information Commissioner. In Southampton City Council v Information Commissioner EA/2012/0171 the Tribunal upheld an enforcement notice regarding the use of audio recording in taxis. The Council had adopted a policy that all taxis licensed by it should be fitted with equipment for continuous audio-recording of passengers; the recordings could only be accessed by specified Council officers in connection with the investigation of crime or the resolution of complaints against drivers. Despite these limitations on access the Commissioner considered that the audio recording scheme was disproportionate and in breach of the first data protection principle; the Tribunal agreed. It appears that the Commissioner and Tribunal might well have taken a different approach to a more restricted scheme, eg where recording was triggered by the use of a panic button or confined to times when the risk of taxi-based crime was at its highest.
In a number of important judicial review cases, Article 8 has been used to control the disclosure and retention of personal information.
In Catt v ACPO and others  EWCA Civ 192 the Court of Appeal found that the recording and retention by the police of information about an individual’s participation in public protests was a breach of his Article 8 rights. This was so notwithstanding that the information recorded was about activities carried out in public. There was no suggestion that the individual has broken the law at any demonstrations; his information had been recorded merely because he was present and it appeared that the information would be retained indefinitely. The Court of Appeal considered that the interference with Article 8 rights was disproportionate to any legitimate aim pursued by the police.
In R(T and others) v Chief Constable of Greater Manchester and others  EWCA Civ 25 the Court of Appeal held that the statutory provisions governing CRB checks (now referred to as DBS checks) were incompatible with Article 8. These provisions required the disclosure of criminal convictions in connection with certain applications for employment but without any filter for old or minor convictions and without any consideration of whether the information disclosed was relevant to the purpose for which disclosure was sought.
Although neither case is specifically about the online disclosure of information, many bodies and organisations routinely publish a substantial amount of personal information on the internet. Where public authorities publish personal information by this route, Article 8 will be of crucial importance in determining whether what they do is lawful.
Timothy Pitt-Payne QC was called to the Bar in 1990 and appointed QC in 2010. He practises at 11KBW in London, specialising in information law, public and employment law. He co-edits 11KBW’s highly-regarded information law blog, Panopticon.
* corrected 25/02/2014