Category: Privacy

Ross O’Carroll-Kelly (pictured left) is in GDPR-trouble again. Last time, he was fired from his job as an estate-agent for failing to report a data breach, when his work lap-top was stolen from his car just as the GDPR came into full effect. This time (as recounted in last Saturday’s Irish Times magazine; audio here), he learns to his great cost the power of the data subject access request under Article 15 GDPR.

The background is well explained by Jennifer O’Connell’s experiences also recounted in last Saturday’s Irish Times magazine. Her story starts with staff members in a hotel asking customers: “If you enjoyed the service, would you minding leaving a TripAdvisor review, and mentioning me by name?” As she explains

It’s not only people in the service industry whose job security now rests on the whims of the terminally irate. If you’re a writer, Goodreads and Amazon reviews are your nemesis. If you’re a driver, it’s Uber. If you rent out your house, it’s Airbnb. If you’re a journalist, it’s the below-the-line comments.

She hasn’t reviewed the hotel waiter yet (she’ll be kind); but “in a Dublin hotel a few months ago, unable to sleep due to the sound of the four-hour, vigorous, live-action porn show on the other side of the cardboard door connecting [her] room with the one next door, [she] lay there plotting [her] TripAdvisor review”.

However, on some of these platforms, reviews go both ways. For example, not only do riders rate drivers on Uber, but, after every trip, drivers can rate riders as well. It is the same with the taxi app being used by Ross’s wife, Sorcha. She’s worried because she has an average “one-stor” customer rating from the drivers, out of five, which the lowest rating that it’s possible to get. This gets Ross worried too, not because he’s concerned for his wife, but

because her one-stor rating is almost certainly down to me, given that I’ve been using her account for the past six months and taxi drivers tend to bring out the worst side of my personality.

He tries to make light of it, but Sorcha is having none of it, revealing that she has already

… made a Data Access Subject Request. … All citizens have the right to access their personal data, Ross. I’m entitled to know why taxi drivers seem to think so little of me, especially given how much I tip.

As Sorcha leaves Ross to check whether the postman had delivered the hardcopy reply, their daughter-from-hell, Honor, arrives, having intercepted the post along the way. Together, they read all the horrible things Ross said to the taxi drivers over the previous six months; and they learn of some co-passengers Sorcha might not like to learn about; so Ross bribes Honor a thousand euros not to say anything to her mother. She agrees. And Ross relaxes, thinking he’s off scot-free. Then:

Sorcha steps back into the kitchen. “Nothing in the post,” she goes.

I’m there, “Like I said, you should just let it go, Babes.”

“No, it’s fine,” she goes, holding up her phone, “because they’ve emailed me the information anyway.”

Honor stands up from the table. She goes, “I’ll leave you to it, Dad. I still want that thousand euros, by the way.”

I wonder if anyone’s left a comment on Jennifer’s TripAdvisor review of the performance in the adjacent hotel room, or perhaps lodged a subject access request to find out more about it?

From the report embedded above (with added links):

Tech companies’ reign over users’ personal data has run largely unchecked in the age of the internet. Europe is seeking to end that with a new law

… the European Union enacted the world’s most ambitious internet privacy law [the General Data Protection Regulation (the GDPR)], even winning support from the CEO of the biggest tech company in America, Apple’s Tim Cook. …

Max Schrems: The default under the European system is you’re not allowed to use someone else’s data unless you have a justification. …

Jeffrey Chester: Americans have no control today about the information that’s collected about them every second of their lives. …

Today, if one of the big tech companies chooses to ignore Europe’s new data protection law it could cost them 4 percent of their global revenues, which for the biggest companies would mean billions of dollars. Those decisions will likely be made here in Dublin, … Ireland’s data protection commissioner Helen Dixon says it’s not going to be business as usual.

Helen Dixon: U.S. internet companies have no doubt that this law is serious, it has serious bite. And all of them are eager to avoid any engagement with that.

Dixon says tech companies are spending tens of millions of dollars hiring lawyers, compliance officers and engineers to make sure they are operating within the law. …

Steve Kroft: You think the big tech companies, the people in Silicon Valley are taking this seriously?

Eoin O’Dell: I think they have to.

Eoin O’Dell is a law professor at Trinity College in Dublin and a leading expert on European privacy law. He says Europe has now established an international standard for internet privacy, and companies like Facebook, Google and Amazon are not about to retreat from a $17 trillion market.

Eoin O’Dell: We have safety standards in cars, but that hasn’t stopped us driving cars. We have emissions standards for – for the gas in the cars but that hasn’t stopped us using the gas in the cars . The data companies are – going to comply in the same way as the – car companies have complied

Steve Kroft: To stay in business.

Eoin O’Dell: To stay in business.

Since the European privacy law was passed, at least ten other countries have adopted similar rules. So has the state of California. Perhaps sensing the inevitable, Facebook, Twitter, Google and Amazon are now saying they could support a U.S. privacy law if they were given considerable input. The Internet Association, which lobbies for big tech, and its president Michael Beckerman say they would support giving Americans reasonable access to their information and some privacy rights now enjoyed by the Europeans. …

Produced by Maria Gavrilovic. Associate producer, Alex Ortiz.

The record man said
‘Don’t let it go to your head, I’m gonna make you a star’
… So mama please don’t worry about me, I’m nearly famous now.

1. Introduction
The words above are in the first verse of “I’m Nearly Famous”, the title track of an album released in 1976 by Sir Cliff Richard [Sir Cliff], pictured left rocking Greenwich, UK, in 2017. Six weeks earlier, the South Yorkshire Police [SYP] had admitted that their tip off to the BBC that he was being investigated in respect of allegations of historic sex abuse infringed his privacy (see, eg, Richard v BBC [2017] EWHC 1648 (Ch) (26 May 2017)). On foot of that tip off, the British Broadcasting Corporation [the BBC] gave those allegations and the search of Sir Cliff’s property in Sunningdale, Berkshire prominent and extensive television coverage. Last week, in Richard v BBC [2018] EWHC 1837 (Ch) (18 July 2018) Mann J held that that the BBC’s broadcasts also infringed Sir Cliff’s privacy, and awarded him £210,000 damages. In a previous post, I have considered Mann J’s analysis that Sir Cliff had a reasonable expectation of privacy under Article 8 of the European Convention on Human Rights [the ECHR] in respect of the police investigation. In this post, I will consider whether the BBC nevertheless were entitled under Article 10 ECHR to broadcast the allegations and the search. In a future post, I will consider the quantum of damages awarded.

2. Article 10 ECHR and the BBC’s Freedom of Expression
The concept of media freedom is at the heart of modern democracy (see, eg, András Koltay “The concept of media freedom today: new media, new editors and the traditional approach of the law” (2015) 7(1) Journal of Media Law 36). It is a significant point of difference between Sir Cliff’s case against the SYP and his case against the BBC. Although Mann J held that Sir Cliff’s prima facie reasonable expectation of privacy arose against both the SYP and the BBC, the difference between them arose at the subsequent stage of balancing Sir Cliff’s reasonable expectation of privacy under Article 8 ECHR with the BBC’s freedom of expression under Article 10 ECHR. Mann J undertook that balance pursuant to the speech of Lord Steyn in In re S (A Child) [2005] 1 AC 593, [2004] UKHL 47 (28 October 2004) [17], which he interpreted ([2018] EWHC 1837 (Ch) [276]) in the light of the judgment of the Grand Chamber of the European Court of Human Rights in Axel Springer AG v Germany 39954/08, (2012) 55 EHRR 6, [2012] ECHR 227 (7 February 2012) [89] (see, generally, Rebecca Moosavian “Deconstructing ‘Public Interest’ in the Article 8 vs Article 10 Balancing Exercise” (2014) 6(2) Journal of Media Law 234) He held that factors to be taken into account in balancing Article 8 and Article 10 include (a) the contribution of the publication to a debate of general interest, (b) how well-known is the person concerned and what is the subject of the report, (c) the prior conduct of the person concerned, (d) the method of obtaining the information and its veracity, (e) the content, form and consequences of the publication, and (f) the severity of any sanction imposed.

Applying each criterion in turn, Mann J held (a) knowing that Sir Cliff was under investigation might have been of interest to the gossip-mongers, but it did not contribute materially to the genuine public interest in the existence of police investigations in this area ([2018] EWHC 1837 (Ch) [282]); (b) “public figures are not fair game for any invasion of privacy” (ibid, [287]); and (c) Sir Cliff’s public position and stated views do not diminish his right to privacy in respect of allegations of the kind which underpin the BBC’s disclosures (ibid, emphasis in original); (d) the information was accurate (ibid, [289]) but the BBC’s methods of obtaining it were questionable, though this weighed only very lightly in Sir Cliff’s favour (ibid, [292], [296]); and (e) the broadcasts were presented with “a significant degree of breathless sensationalism” which “went in for an invasion of Sir Cliff’s privacy rights in a big way” (ibid, [300], [301]). He left the question of the chilling of effect of any sanction to the discussion of quantum, which I will address in a future post. He also had regard to the BBC’s editorial guidelines (as a “relevant privacy code” within the meaning of section 12(4)(b) of the Human Rights Act 1988).

Taking all these factors into account, Mann J came “to the clear conclusion that Sir Cliff’s privacy rights were not outweighed by the BBC’s rights to freedom of expression” (ibid, [315]). (more…)

I just got to tell someone about the way I feel,
Shout it from the rooftop to the street,
And if I spread the word please tell me who’s it gonna hurt …

1. Introduction
The words above are the opening lines of “Can’t Keep this Feeling In“, released in 1998 by Sir Cliff Richard [Sir Cliff], pictured left in a mellow pose at a concert in Sydney, Australia in February 2013. In August of the following year, arising out of an ongoing investigation into allegations of historic sex abuse, the South Yorkshire Police [the SYP] searched a property belonging to him in Sunningdale, Berkshire; and – on foot of a tip off from the SYP the previous month – the British Broadcasting Corporation [the BBC] gave the allegations and the search prominent and extensive television coverage. Sir Cliff was never arrested or charged; and, in June 2016, the Crown Prosecution Service [the CPS] decided that Sir Cliff would not face any charges. This decision was re-affirmed by the CPS the following September, following a full review of the evidence.

Meanwhile, in July 2016, Sir Cliff commenced legal proceedings against the SYP and the BBC, arguing that SYP’s leak to the BBC in July 2014, and the BBC’s coverage of the raid in August 2014, invaded his privacy and breached his data protection rights. Before the trial, SYP admitted liability and agreed to pay Sir Cliff £400,000 damages, plus costs (see Richard v BBC [2017] EWHC 1648 (Ch) (26 May 2017)). Earlier this week, in Richard v BBC [2018] EWHC 1837 (Ch) (18 July 2018) Mann J held that that Sir Cliff succeeded in his privacy claim against the BBC and awarded him £210,000 in general damages (£190,000 in compensatory damages, and £20,000 in aggravated damages), with some items of special damages to be decided at a future date. Because of the success of the privacy claim, Mann J held that he did not need to consider the data protection point.

There are three areas of interest in Mann J’s judgment: first, whether Sir Cliff had a reasonable expectation of privacy, having regard to Article 8 of the European Convention on Human Rights [the ECHR]; second, whether the BBC nevertheless were entitled to broadcast, having regard to Article 10 ECHR; and third, the quantum of damages awarded. I will deal with the question of Sir Cliff’s reasonable expectation of privacy in this post; and I will deal with the other two issues in subsequent posts [update: the post on the BBC’s Article 10 rights is here].

2. Article 8 ECHR and Sir Cliff’s Reasonable Expectation of Privacy
In the earlier Irish case of Hanahoe v Hussey [1998] 3 IR 69, [1997] IEHC 173 (14 November 1997) Kinlen J awarded Ir£100,000 damages (worth approximately €185,000 or St£165,000 today) against the Commissioner of An Garda Síochána (Ireland’s National Police and Security Service) for a similarly unjustified leak of a similarly high-profile search. Kinlen J held that the leak was an “outrageous interference” with the defendants’ privacy rights ([1997] IEHC 173 [69]) but awarded damages for misfeasance in public office as a species of negligence ([1997] IEHC 173 [67], [73]). The SYP’s settlement, and this week’s judgment by Mann J, show that the direct protection of privacy interests has evolved sufficiently that their indirect protection via other torts is no longer necessary.

As with the phone hacking cases (see Mann J at first instance; see also the Court of Appeal), Sir Cliff’s case was commenced in the Chancery Division of the High Court, presumably reflecting the fact that the modern English protection of privacy interests began, under the impetus of Article 8 of the European Convention on Human Rights, by pressing the equitable claim for breach of confidence into service. The process continued by shearing that claim of limitations that affected its ability to protect privacy interests, before transmuting it into a claim for misuse of private information separate from breach of confidence. This claim is now characterised as a tort. So, in the present case ([2018] EWHC 1837 (Ch) [264]), Mann J referred to “the English tort which essentially gives effect” to Article 8 ECHR. This tort turns on on whether the claimant has a reasonable expectation of privacy that has been infringed by the defendant (more…)

In today’s Irish Times, this week’s instalment (audio here) in the ongoing mis-adventures of Ross O’Carroll-Kelly (pictured left) intersected with this blog. Ross is a hapless dad and clueless (if ruthless) estate-agent, who has been described as “Ireland’s most eligible married man” and “the greatest Irish [rugby] player never to actually make it in the game”, and the scene opens with our hero being summoned by the boss:

It’s, like, just before midday when Lauren tells me she wants to talk to me in her office. … She goes, “What do you know about GDPR, Ross?”

I’m like, “Quite a lot, actually.”

Oh, that shocks her – such is my reputation for being as stupid as a goose.

She’s like, “Okay, tell me what you know about GDPR.”

“First,” I go, “you make sure the patient is comfortable by putting some kind of cushion under their head and loosening any tight clothing. Then, you place the heel of your hand on the patient’s breastbone, with your other hand on top of it, interlocking your fingers …”

“That’s CPR, Ross.”

And so it goes on for a while, until Dave – “from Human Resources (formerly Payroll)” – arrives, and asks Ross where his laptop is. Poor Ross. We know from last week’s column (audio here) that he had left his car unlocked at a filling station, from which someone stole his “laptop bag, a briefcase and three Donnybrook Fair shopping bags out of the boot”. So, Ross eventually comes clean to Lauren:

I’m there, “Okay, I’m going to be finally honest with you. They were stolen from the boot of my cor when I pulled in to get petrol. Was there any sign of the three shopping bags from Donnybrook Fair that were also taken? There was six tins of individually, line-caught, white tuna fillets in there that cost 11 yoyos per pop.”

“Why didn’t you tell me about this?”

“Er, why would I tell you about it? It was my laptop. They were my client files.”

“I’m the Managing Director of this estate agency, Ross. It’s my responsibility to report breaches to the Data Protection Commissioner as soon as they’re discovered. Do you know what the penalties for this could be?”

“Chill out, Lauren. There’s no real damage done.”

And that’s when she says it. She fixes me with a look and goes, “You’re fired, Ross.”

As he will no doubt quickly learn, GDPR stands for the EU’s General Data Protection Regulation. It, and its incorporating Irish legislation, came into effect on Friday 25 May 2018. And the theft of the laptop and files (and, let’s not forget, tuna fillets and other overpriced groceries) came to light in the column published on Saturday 26 May. If the Saturday column is real-time reportage, or if it is reporting something that happened on Friday, then the data breach happened after the GDPR and Irish legislation came into force, and Lauren does indeed have to report it to the Data Protection Commission. However, if the column is reporting something that happened earlier in the week, then the GDPR was not in force, and the Rossmeister might just get away with it – again.

New politics certainly make for interesting times. Minority governments are no strangers to defeats, even to two defeats in one day, but yesterday marked another milestone, when the government lost not merely two votes, but votes on two successive legislative amendments. They both related to the protection of children in the Data Protection Bill, 2018. The first will make it an offence to process the personal data of a child for the purposes of direct marketing, profiling or micro-targeting; the second will set the digital age of consent at 16. In fact, seeing the writing on the wall, rather than suffer the indignity – surely unique, even in this era of new politics – of four defeats in one evening, the Minister accepted a third amendment and declined to press a fourth of his own. The third amendment that he accepted will permit not-for-profit bodies to seek damages on behalf of data subjects; and the amendment that he withdrew would have undercut the effect of the third successful amendment. (The three successful amendments are amendments 14, 15 and 115 here (pdf), amending this version (pdf) of the Bill, and debated here). Earlier versions of all three successful amendments had been defeated by the government at every previous stage of the Bill. Time will tell if any of them proves significant, but the one that has generated the most coverage so far is the amendment to the digital age of consent.

The aim of the Bill is to incorporate the General Data Protection Regulation (Regulation (EU) 2016/679) into Irish law. Article 6(1) GDPR sets out six bases for lawful processing of personal data, the first of which, specified in Article 6(1)(a), is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” [on consent, see ICO | WP29]. A child can, in principle, provide such consent; but a minimum age at which children as data subjects can consent to having their personal data processed is not specified in the GDPR. Article 7 GDPR provides that the controller must be able to demonstrate this consent, and the younger the child is, the more difficult it will be for the controller to do so. To these flexible general rules relating to the consent of children, Article 8 GDPR provides a bright-line exception, which has become known as the digital age of consent. (more…)

Pictured left is Alexander Skarsgård (imdb | wikipedia) in the new Duncan Jones (imdb | wikipedia | blog) movie Mute (imdb | Netflix).

Skarsgård plays Leo, a mute bartender searching for girlfriend who has inexplicably disappeared in Berlin in 2052. In an interview in last Sunday’s Observer, he takes up the story:

… [Leo’s] search takes him deep into a neon-saturated underworld, populated by gangsters and a pair of anarchic American field surgeons (Paul Rudd and Justin Theroux) … “It’s very dystopian, but not that far-fetched unfortunately, because it’s a society run by corporations,” says Skarsgård. “You subscribe to a corporation and then they will provide everything for you – housing, healthcare, food – but they basically own you. …”. …

So we could be looking at the future then? Skarsgård looks a little traumatised and then sighs: “Hopefully not.”

I’m looking forward to the movie; but I’m not sure I agree that the best adjective to describe it is “dystopian”. It is entirely appropriate when a state goes bad; but it is not a good adjective to describe “a society run by corporations”. In fact, we don’t have a word for when a corporate society goes bad, so I’ve suggested “dysaguria”, as a noun meaning “frightening company”, and “dysagurian” as the adjective to describe that frightening company and the associated society run by frightening companies (see here | here | here). We can’t easily discuss a phenomenon until we have the proper words to describe it:

In his speech on leaving the US Presidency in January 1961, Eisenhower warned against the growing power of the military-industrial complex. In modern surveillance terms, we might term this the security-corporate complex. And we already have a word for when the military/security state goes bad, … That word is “dystopia”.

However, we don’t have a word for when the industrial/corporate society goes bad, … I think it’s beyond time we had one … I suggest that we need a word for “frightening company”, and that we can devise one by following the lead provided by More and Mill [in coining “dystopia” as a counterpoint to “utopia”] provides a guide. … Let’s keep “dys” [meaning “bad”] as the prefix, and look for a suitable word to which to add it. Greek provides “aguris”, which means “crowd” or “group” … Hence, from “dys” meaning “bad”, and “aguris” meaning “crowd” or “group”, I suggest “dysaguria”, as a noun meaning “frightening company”, and “dysagurian” as the adjective…

In my view, therefore, “dysagurian” is the perfect word to describe the society in Mute‘s Berlin in 2052.

Update: Mute did not find favour with Donald Clarke in the Irish Times. Further update: I’m with Donald on this; for all the production values, the movie is curiously flat.

Last major update: 15 January 2018

Note: a line was added at the end on 7 June 2018.

Parallel to my interest in compensation for breach of the General Data Protection Regulation [GDPR; Regulation (EU) 2016/679], I am also interested in the question of compensation for breach of the proposed ePrivacy Regulation (hereafter: pePR; see, eg, the EU Commission’s proposal for a Regulation on Privacy and Electronic Communications; on which see Flash Eurobarometer 443 Report on e-Privacy (pdf download)).

Article 22 of the Commission’s proposal provides:

Any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the infringer for the damage suffered, unless the infringer proves that it is not in any way responsible for the event giving rise to the damage in accordance with Article 82 of Regulation (EU) 2016/679.

The emphasised words appear in exactly the same form in Article 82(1) GDPR. The remainder of Article 82 provides circumstances where an infringer is not responsible for the event giving rise to the damage and thus not liable for breach of the GDPR, and those circumstances apply mutatis to an infringer who would not be liable for breach of the pePR. This is not surprising: Article 22 of the pePR appears in a list of Articles (from 18 to 24) in which the supervision and enforcement of the pePR, and remedies for its breach, are integrated with those provided by the GDPR. The effect of Article 22 is to provide for compensation for breach of the pePR on the same basis as compensation is available for breach of the GDPR.

(more…)