Wednesday, 29 October 2014

Data Protection: A Litigation View

Data protection is normally presented from a risk/compliance point of view and, indeed, it is an essential part of a firm's responsibility to their clients. Information professionals should be involved with these compliance duties and be familiar with processes and principles. However, what about the litigation point of view? Yesterday David Glen of 1 Brick Court took us though some recent legal developments but any errors in law or omissions in sense are all mine!

Background
 
The Data Protection Act 1998 was formed out of the EU Data Protection Directive (also known as Directive 95/46/EC). For the first decade of its existence, it caused a stir as a new area of law but then, litigation-wise, essentially discarded. Data protection has been seen as a secondary cause, offering a peripheral remedy after remedies that libel and misuse of information offer.

David believed that this is shifting and we will be seeing a change in the future. He suggested that people are far more aware of their personal data protection rights because of increased discussion in the press. The increased willingness of the judiciary to apply the data protection thresholds is also key; Tugendhat J. has turned it into a radical issue. The final case (below) that he discussed applies the DPA's already broad issue of fairness in an even wider way.


A Problem with the Legislation?

He stated that the DPA was bad legislation to begin with. When EU directives are transposed into UK law, usually they are carefully distilled into a more usable form. Unfortunately this act was a regurgitation of the directive and it is easy to get lost in the morass of definitions, schedules and euro-speak. Despite the drafting, however, it remains an important piece of legislation.
 
It ensures a reasonable expectation of data privacy, and people whose data has been processed unfairly, unlawful, or unnecessarily have rights. Where the data is sensitive and covers race, sex, medical information, the controls are even tighter.

The definition of data is extremely broad and nearly every computer filing system is subject to the act. Not only is data caught, but also opinion and intentions of the data controller. It is possible for a potential litigant to make a subject access request under s.7 of the act, when pre-action disclosure may be difficult. By getting information in this way, the person can then assess any potential claim.

Compensation and Rectification

One of the reasons for the secondary nature of data protection is the level of compensation offered. This is covered in s.13 and case law has proven that it is hard to recover damages under this act. As Johnson v Medical Defence Union (No.2) (CA) shows, proving actual financial loss is difficult. David said this is shifting more in favour of claimants and damages might be more generous in future.

Data subjects have a right to rectification if the data being processed is wrong. Therefore if data breaches the act, data controllers are obliged to delete, destroy or amend it. This is where data protection differs from libel; if something was true five years ago, for instance, it might not be now.  Under data protection laws there is an on going obligation to amend and force the controller to keep data update. If they disclose it to third parties, they still have to ensure that the data is amended.
Principle 5 states that 'personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes'. This is becoming increasingly significant as our lives become more dependent on the web. The recent ECJ judgment in Google Spain v AEPD and Mario Costeja González is a potentially important case and given that the status of the ECJ, David couldn't see a higher court to which Google could make an appeal.

Google Spain v AEPD and Mario Costeja González

In 1998 a Spanish regional newspaper published a legally required official notice concerning the bankrupt González's property auction. A decade later and searches continued to direct users to these online notices about his bankruptcy. He approached the Spanish equivalent of the ICO and asked them to remove it. Given that the announcements were lawfully published, the information commissioner had no rights against the newspaper. He then contacted Google Spain asking that the links to the announcements be removed.

It was held that the search engine is processing data. Although Google is automated, they were not too far removed from the process. Astonishingly the court decided that the publishers were free to leave the information online, but Google had to remove the links. So if you know where the information is, you can go find the announcements yourself.

Much has been written about the right to be forgotten and I have no wish to repeat what others have already said. However David was keen to stress that this judgment was flawed; Google is due a kicking and the legislation at the heart of the matter is outdated (from 1995). The UK courts would have approached it in a different, possibly more balanced way. It is important to recognise that information changes over time and it may become unlawful or unfair - how do you balance public interest with the right to be forgotten? Cases which will test this include the Max Mosley videos case. I would hope that the innocent man charged with 'possessing extreme porn' also has a right to be forgotten.

Exceptions

There are journalistic carve out/exceptions, and he noted that data protection and journalists do not mix - recent ICO guidelines offer assistance to traditional journalists. The recent Robert Peston link removal debacle demonstrates the dangers of the Google case. If something is in the public interest, then it should and will be exempted. However where does this leave bloggers and citizen journalism? According to a recent debate,
'The rise of blogging and search engines has allowed people to do their own digging and publish their own reports on matters of (to them) public interest. The work often has real value and yet, as matters stand, such bloggers are not entitled to the protection afforded by s 32 Data Protection Act.'


I would suggest that this leaves bloggers and citizen journalists in a difficult position.

The Future?

David ended by discussing AB v A Chief Constable [2014] EWHC 1965. It said that a police force should not be permitted to send a further reference to the new employer of one of its former senior officers, which advised the new employer of the officer's extended absence record and of unproven disciplinary allegations outstanding at the time of his departure. The court accepted that there was a strong public interest in providing full and frank references. But, as the officer had a legitimate expectation that outweighed the public interest in disclosure, to disclose the second reference would breach the first data protection principle of the Data Protection Act 1998 (DPA 1998), as it would be unfair and unlawful.

This will have far reaching implications and certainly is indicative that the courts are taking a more generous view of DPA breaches. As for damages for injury of feelings, or defamation general style damages, the new draft data regulation recommends damages for non pecuniary loss,

Any damage, including non pecuniary damage , which a person may suffer as a result of unlawful processing should be compensated by the controller or processor.

Not only damages but companies face hefty fines for breaching these new regulations. Where will this leave Google and other search engines?

No comments:

Post a Comment