Category: Privacy

Cliff Richard v BBC – Part II – Media speech and publication in the public interest

The record man said
‘Don’t let it go to your head, I’m gonna make you a star’
… So mama please don’t worry about me, I’m nearly famous now.

Sir Cliff Richard OBE in Greenwich 2017 (via Flickr) (element)1. Introduction
The words above are in the first verse of “I’m Nearly Famous”, the title track of an album released in 1976 by Sir Cliff Richard [Sir Cliff], pictured left rocking Greenwich, UK, in 2017. Six weeks earlier, the South Yorkshire Police [SYP] had admitted that their tip off to the BBC that he was being investigated in respect of allegations of historic sex abuse infringed his privacy (see, eg, Richard v BBC [2017] EWHC 1648 (Ch) (26 May 2017)). On foot of that tip off, the British Broadcasting Corporation [the BBC] gave those allegations and the search of Sir Cliff’s property in Sunningdale, Berkshire prominent and extensive television coverage. Last week, in Richard v BBC [2018] EWHC 1837 (Ch) (18 July 2018) Mann J held that that the BBC’s broadcasts also infringed Sir Cliff’s privacy, and awarded him £210,000 damages. In a previous post, I have considered Mann J’s analysis that Sir Cliff had a reasonable expectation of privacy under Article 8 of the European Convention on Human Rights [the ECHR] in respect of the police investigation. In this post, I will consider whether the BBC nevertheless were entitled under Article 10 ECHR to broadcast the allegations and the search. In a future post, I will consider the quantum of damages awarded.

2. Article 10 ECHR and the BBC’s Freedom of Expression
The concept of media freedom is at the heart of modern democracy (see, eg, András Koltay “The concept of media freedom today: new media, new editors and the traditional approach of the law” (2015) 7(1) Journal of Media Law 36). It is a significant point of difference between Sir Cliff’s case against the SYP and his case against the BBC. Although Mann J held that Sir Cliff’s prima facie reasonable expectation of privacy arose against both the SYP and the BBC, the difference between them arose at the subsequent stage of balancing Sir Cliff’s reasonable expectation of privacy under Article 8 ECHR with the BBC’s freedom of expression under Article 10 ECHR. Mann J undertook that balance pursuant to the speech of Lord Steyn in In re S (A Child) [2005] 1 AC 593, [2004] UKHL 47 (28 October 2004) [17], which he interpreted ([2018] EWHC 1837 (Ch) [276]) in the light of the judgment of the Grand Chamber of the European Court of Human Rights in Axel Springer AG v Germany 39954/08, (2012) 55 EHRR 6, [2012] ECHR 227 (7 February 2012) [89] (see, generally, Rebecca Moosavian “Deconstructing ‘Public Interest’ in the Article 8 vs Article 10 Balancing Exercise” (2014) 6(2) Journal of Media Law 234) He held that factors to be taken into account in balancing Article 8 and Article 10 include (a) the contribution of the publication to a debate of general interest, (b) how well-known is the person concerned and what is the subject of the report, (c) the prior conduct of the person concerned, (d) the method of obtaining the information and its veracity, (e) the content, form and consequences of the publication, and (f) the severity of any sanction imposed.

Applying each criterion in turn, Mann J held (a) knowing that Sir Cliff was under investigation might have been of interest to the gossip-mongers, but it did not contribute materially to the genuine public interest in the existence of police investigations in this area ([2018] EWHC 1837 (Ch) [282]); (b) “public figures are not fair game for any invasion of privacy” (ibid, [287]); and (c) Sir Cliff’s public position and stated views do not diminish his right to privacy in respect of allegations of the kind which underpin the BBC’s disclosures (ibid, emphasis in original); (d) the information was accurate (ibid, [289]) but the BBC’s methods of obtaining it were questionable, though this weighed only very lightly in Sir Cliff’s favour (ibid, [292], [296]); and (e) the broadcasts were presented with “a significant degree of breathless sensationalism” which “went in for an invasion of Sir Cliff’s privacy rights in a big way” (ibid, [300], [301]). He left the question of the chilling of effect of any sanction to the discussion of quantum, which I will address in a future post. He also had regard to the BBC’s editorial guidelines (as a “relevant privacy code” within the meaning of section 12(4)(b) of the Human Rights Act 1988).

Taking all these factors into account, Mann J came “to the clear conclusion that Sir Cliff’s privacy rights were not outweighed by the BBC’s rights to freedom of expression” (ibid, [315]). (more…)

Cliff Richard v BBC – Part I – Police investigations and reasonable expectations of privacy

I just got to tell someone about the way I feel,
Shout it from the rooftop to the street,
And if I spread the word please tell me who’s it gonna hurt …

Sir Cliff Richard OBE in Sydney 2013 (element)1. Introduction
The words above are the opening lines of “Can’t Keep this Feeling In“, released in 1998 by Sir Cliff Richard [Sir Cliff], pictured left in a mellow pose at a concert in Sydney, Australia in February 2013. In August of the following year, arising out of an ongoing investigation into allegations of historic sex abuse, the South Yorkshire Police [the SYP] searched a property belonging to him in Sunningdale, Berkshire; and – on foot of a tip off from the SYP the previous month – the British Broadcasting Corporation [the BBC] gave the allegations and the search prominent and extensive television coverage. Sir Cliff was never arrested or charged; and, in June 2016, the Crown Prosecution Service [the CPS] decided that Sir Cliff would not face any charges. This decision was re-affirmed by the CPS the following September, following a full review of the evidence.

Meanwhile, in July 2016, Sir Cliff commenced legal proceedings against the SYP and the BBC, arguing that SYP’s leak to the BBC in July 2014, and the BBC’s coverage of the raid in August 2014, invaded his privacy and breached his data protection rights. Before the trial, SYP admitted liability and agreed to pay Sir Cliff £400,000 damages, plus costs (see Richard v BBC [2017] EWHC 1648 (Ch) (26 May 2017)). Earlier this week, in Richard v BBC [2018] EWHC 1837 (Ch) (18 July 2018) Mann J held that that Sir Cliff succeeded in his privacy claim against the BBC and awarded him £210,000 in general damages (£190,000 in compensatory damages, and £20,000 in aggravated damages), with some items of special damages to be decided at a future date. Because of the success of the privacy claim, Mann J held that he did not need to consider the data protection point.

There are three areas of interest in Mann J’s judgment: first, whether Sir Cliff had a reasonable expectation of privacy, having regard to Article 8 of the European Convention on Human Rights [the ECHR]; second, whether the BBC nevertheless were entitled to broadcast, having regard to Article 10 ECHR; and third, the quantum of damages awarded. I will deal with the question of Sir Cliff’s reasonable expectation of privacy in this post; and I will deal with the other two issues in subsequent posts [update: the post on the BBC’s Article 10 rights is here].

2. Article 8 ECHR and Sir Cliff’s Reasonable Expectation of Privacy
In the earlier Irish case of Hanahoe v Hussey [1998] 3 IR 69, [1997] IEHC 173 (14 November 1997) Kinlen J awarded Ir£100,000 damages (worth approximately €185,000 or St£165,000 today) against the Commissioner of An Garda Síochána (Ireland’s National Police and Security Service) for a similarly unjustified leak of a similarly high-profile search. Kinlen J held that the leak was an “outrageous interference” with the defendants’ privacy rights ([1997] IEHC 173 [69]) but awarded damages for misfeasance in public office as a species of negligence ([1997] IEHC 173 [67], [73]). The SYP’s settlement, and this week’s judgment by Mann J, show that the direct protection of privacy interests has evolved sufficiently that their indirect protection via other torts is no longer necessary.

As with the phone hacking cases (see Mann J at first instance; see also the Court of Appeal), Sir Cliff’s case was commenced in the Chancery Division of the High Court, presumably reflecting the fact that the modern English protection of privacy interests began, under the impetus of Article 8 of the European Convention on Human Rights, by pressing the equitable claim for breach of confidence into service. The process continued by shearing that claim of limitations that affected its ability to protect privacy interests, before transmuting it into a claim for misuse of private information separate from breach of confidence. This claim is now characterised as a tort. So, in the present case ([2018] EWHC 1837 (Ch) [264]), Mann J referred to “the English tort which essentially gives effect” to Article 8 ECHR. This tort turns on on whether the claimant has a reasonable expectation of privacy that has been infringed by the defendant (more…)

We’ve reached peak GDPR when Ross O’Carroll Kelly gets fired for a data breach

In today’s Irish Times, this week’s instalment (audio here) in the ongoing mis-adventures of Ross O’Carroll Kelly intersected with this blog. Ross is a hapless dad and clueless (if ruthless) estate-agent, who has been described as “Ireland’s most eligible married man” and “the greatest Irish [rugby] player never to actually make it in the game”, and the scene opens with our hero being summoned by the boss:

It’s, like, just before midday when Lauren tells me she wants to talk to me in her office. … She goes, “What do you know about GDPR, Ross?”

I’m like, “Quite a lot, actually.”

Oh, that shocks her – such is my reputation for being as stupid as a goose.

She’s like, “Okay, tell me what you know about GDPR.”

“First,” I go, “you make sure the patient is comfortable by putting some kind of cushion under their head and loosening any tight clothing. Then, you place the heel of your hand on the patient’s breastbone, with your other hand on top of it, interlocking your fingers …”

“That’s CPR, Ross.”

And so it goes on for a while, until Dave – “from Human Resources (formerly Payroll)” – arrives, and asks Ross where his laptop is. Poor Ross. We know from last week’s column (audio here) that he had left his car unlocked at a filling station, from which someone stole his “laptop bag, a briefcase and three Donnybrook Fair shopping bags out of the boot”. So, Ross eventually comes clean to Lauren:

I’m there, “Okay, I’m going to be finally honest with you. They were stolen from the boot of my cor when I pulled in to get petrol. Was there any sign of the three shopping bags from Donnybrook Fair that were also taken? There was six tins of individually, line-caught, white tuna fillets in there that cost 11 yoyos per pop.”

“Why didn’t you tell me about this?”

“Er, why would I tell you about it? It was my laptop. They were my client files.”

“I’m the Managing Director of this estate agency, Ross. It’s my responsibility to report breaches to the Data Protection Commissioner as soon as they’re discovered. Do you know what the penalties for this could be?”

“Chill out, Lauren. There’s no real damage done.”

And that’s when she says it. She fixes me with a look and goes, “You’re fired, Ross.”

As he will no doubt quickly learn, GDPR stands for the EU’s General Data Protection Regulation. It, and its incorporating Irish legislation, came into effect on Friday 25 May 2018. And the theft of the laptop and files (and, let’s not forget, tuna fillets and other overpriced groceries) came to light in the column published on Saturday 26 May. If the Saturday column is real-time reportage, or if it is reporting something that happened on Friday, then the data breach happened after the GDPR and Irish legislation came into force, and Lauren does indeed have to report it to the Data Protection Commission. However, if the column is reporting something that happened earlier in the week, then the GDPR was not in force, and the Rossmeister might just get away with it – again.

New politics and the digital age of consent

An Interesting Game

An Interesting Game (1881)
Frederick Arthur Bridgman (1847-1928)
via Brooklyn Museum
New politics certainly make for interesting times. Minority governments are no strangers to defeats, even to two defeats in one day, but yesterday marked another milestone, when the government lost not merely two votes, but votes on two successive legislative amendments. They both related to the protection of children in the Data Protection Bill, 2018. The first will make it an offence to process the personal data of a child for the purposes of direct marketing, profiling or micro-targeting; the second will set the digital age of consent at 16. In fact, seeing the writing on the wall, rather than suffer the indignity – surely unique, even in this era of new politics – of four defeats in one evening, the Minister accepted a third amendment and declined to press a fourth of his own. The third amendment that he accepted will permit not-for-profit bodies to seek damages on behalf of data subjects; and the amendment that he withdrew would have undercut the effect of the third successful amendment. (The three successful amendments are amendments 14, 15 and 115 here (pdf), amending this version (pdf) of the Bill, and debated here). Earlier versions of all three successful amendments had been defeated by the government at every previous stage of the Bill. Time will tell if any of them proves significant, but the one that has generated the most coverage so far is the amendment to the digital age of consent.

The aim of the Bill is to incorporate the General Data Protection Regulation (Regulation (EU) 2016/679) into Irish law. Article 6(1) GDPR sets out six bases for lawful processing of personal data, the first of which, specified in Article 6(1)(a), is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” [on consent, see ICO | WP29]. A child can, in principle, provide such consent; but a minimum age at which children as data subjects can consent to having their personal data processed is not specified in the GDPR. Article 7 GDPR provides that the controller must be able to demonstrate this consent, and the younger the child is, the more difficult it will be for the controller to do so. To these flexible general rules relating to the consent of children, Article 8 GDPR provides a bright-line exception, which has become known as the digital age of consent. (more…)

From Mute to Dysaguria

Alexander Skarsgard in MutePictured left is Alexander Skarsgård (imdb | wikipedia) in the new Duncan Jones (imdb | wikipedia | blog) movie Mute (imdb | Netflix).

Skarsgård plays Leo, a mute bartender searching for girlfriend who has inexplicably disappeared in Berlin in 2052. In an interview in last Sunday’s Observer, he takes up the story:

… [Leo’s] search takes him deep into a neon-saturated underworld, populated by gangsters and a pair of anarchic American field surgeons (Paul Rudd and Justin Theroux) … “It’s very dystopian, but not that far-fetched unfortunately, because it’s a society run by corporations,” says Skarsgård. “You subscribe to a corporation and then they will provide everything for you – housing, healthcare, food – but they basically own you. …”. …

So we could be looking at the future then? Skarsgård looks a little traumatised and then sighs: “Hopefully not.”

I’m looking forward to the movie; but I’m not sure I agree that the best adjective to describe it is “dystopian”. It is entirely appropriate when a state goes bad; but it is not a good adjective to describe “a society run by corporations”. In fact, we don’t have a word for when a corporate society goes bad, so I’ve suggested “dysaguria”, as a noun meaning “frightening company”, and “dysagurian” as the adjective to describe that frightening company and the associated society run by frightening companies (see here | here | here). We can’t easily discuss a phenomenon until we have the proper words to describe it:

In his speech on leaving the US Presidency in January 1961, Eisenhower warned against the growing power of the military-industrial complex. In modern surveillance terms, we might term this the security-corporate complex. And we already have a word for when the military/security state goes bad, … That word is “dystopia”.

However, we don’t have a word for when the industrial/corporate society goes bad, … I think it’s beyond time we had one … I suggest that we need a word for “frightening company”, and that we can devise one by following the lead provided by More and Mill [in coining “dystopia” as a counterpoint to “utopia”] provides a guide. … Let’s keep “dys” [meaning “bad”] as the prefix, and look for a suitable word to which to add it. Greek provides “aguris”, which means “crowd” or “group” … Hence, from “dys” meaning “bad”, and “aguris” meaning “crowd” or “group”, I suggest “dysaguria”, as a noun meaning “frightening company”, and “dysagurian” as the adjective…

In my view, therefore, “dysagurian” is the perfect word to describe the society in Mute‘s Berlin in 2052.

Update: Mute did not find favour with Donald Clarke in the Irish Times. Further update: I’m with Donald on this; for all the production values, the movie is curiously flat.

Compensation for breach of the proposed ePrivacy Regulation [Ongoing updates]

Last major update: 15 January 2018

Note: a line was added at the end on 7 June 2018.

Compensation and ePrivacy (via edri)Parallel to my interest in compensation for breach of the General Data Protection Regulation [GDPR; Regulation (EU) 2016/679], I am also interested in the question of compensation for breach of the proposed ePrivacy Regulation (hereafter: pePR; see, eg, the EU Commission’s proposal for a Regulation on Privacy and Electronic Communications; on which see Flash Eurobarometer 443 Report on e-Privacy (pdf download)).

Article 22 of the Commission’s proposal provides:

Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, unless the infringer proves that it is not in any way responsible for the event giving rise to the damage in accordance with Article 82 of Regulation (EU) 2016/679.

The emphasised words appear in exactly the same form in Article 82(1) GDPR. The remainder of Article 82 provides circumstances where an infringer is not responsible for the event giving rise to the damage and thus not liable for breach of the GDPR, and those circumstances apply mutatis to an infringer who would not be liable for breach of the pePR. This is not surprising: Article 22 of the pePR appears in a list of Articles (from 18 to 24) in which the supervision and enforcement of the pePR, and remedies for its breach, are integrated with those provided by the GDPR. The effect of Article 22 is to provide for compensation for breach of the pePR on the same basis as compensation is available for breach of the GDPR.

(more…)

The UK’s Data Protection Bill 2017: repeals and compensation – updated

UK Data Protection image, via UK gov websiteIn the UK, the Department of Digital, Culture, Media and Sport (DCMS) has today published the Data Protection Bill 2017, to incorporate the General Data Protection Regulation (GDPR) and to implement the Police and Criminal Justice Authorities Directive (PCJAD) (respectively: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; aka the Law Enforcement Directive). The progress of the Bill through Parliament can be tracked here.

In Ireland, when the Department of Justice published the the General Scheme of the Data Protection Bill 2017 (scheme (pdf)), I expressed two concerns, both of which are equally applicable to the UK Bill. (more…)

Compensation for breach of the General Data Protection Regulation

I have just posted a paper on SSRN entitled “Compensation for breach of the General Data Protection Regulation”; this is the abstract:

Article 82(1) of the General Data Protection Regulation (GDPR) provides that any “person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. As a consequence, compliance with the GDPR is ensured through a mutually reinforcing combination of public and private enforcement that blends public fines with private damages.

After the introduction, the second part of this article compares and contrasts Article 82(1) GDPR with compensation provisions in other EU Regulations and Directives and with the caselaw of the CJEU on those provisions, and compares and contrasts the English version of Article 82(1) GDPR with the versions of that Article in the other official languages of the EU, and concludes that at least 5 of the versions of Article 82(1) GDPR are unnecessarily ambiguous, though the CJEU (eventually, if and when it is asked) is likely to afford it a consistent broad interpretation. However, the safest course of action at this stage is to provide expressly for a claim for compensation in national law. The third part of this article compares and contrasts the compensation provisions in the Irish government’s General Scheme of the Data Protection Bill 2017 with existing legislation and case-law in Ireland and the UK, and with incorporating legislation and Bills in other EU Member States, and concludes that the Heads of the Scheme do not give full effect to Article 82(1) GDPR. Amendments to the Scheme are therefore proposed.

To ensure that any person who has suffered such damage has an effective remedy pursuant to Article 47 CFR, Member States will have to provide, pursuant to Article 19 TEU, remedies sufficient to ensure effective legal protection in the fields of privacy and data protection. In particular, they will have to provide expressly for a claim for compensation, incorporating Article 82(1) GDPR into national law. Claims for compensation are an important part of the enforcement architecture of the GDPR. Private enforcement will help to discourage infringements of the rights of data subjects; it will make a significant contribution to the protection of privacy and data protection rights in the European Union; and it will help to ensure that the great promise of the GDPR is fully realised.

As I was working on this paper, I published several posts on this blog (here | here | here) including discussions of the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages and the current status of GDPR incorporation in the EU’s 28 Member States. Thanks to everyone who has engaged with these posts – the analysis in my paper has improved immeasurably. All comments on the current version gratefully received.