Alistair Sloan, Advocate

The Data (Use and Access) Bill: Third time’s a charm?

November 12th, 2024
Data Protection reform has been a consistent theme of government policy over the past couple of years. The previous government had two attempts at reforming the law relating to data protection in the form of the Data Protection and Digital Information Bill and then the (cleverly titled) Data Protection and Digital Information (No 2) Bill. The first attempt was abandoned, and the second attempt did not make it through parliament before the general election held earlier this year. The new government is now having its own attempt having introduced into the House of Lords the Data (Use and Access) Bill on 23 October 2024.

For those who were familiar with the proposals in the bills introduced by the previous government, there is a lot in the Data (Use and Access) Bill that is familiar; however, the government is not going ahead with some of the proposals from the previous government and has introduced some of its own proposals for good measure.

Abolition of the Information Commissioner

Potentially the biggest reform within the bill (and one which has carried over from the previous government’s bills) is to replace the Information Commissioner with a body corporate to be known as the Information Commission. Currently, everything in relation to data protection (and everything else that the ICO does) rests in the hands of one person: the Information Commissioner (currently John Edwards).

The model of a single office holder as the regulator has persisted since the introduction of the Data Protection Registrar in the Data Protection Act 1984. Over the years the Data Protection Registrar has evolved into the Information Commissioner as data protection regulation has evolved and the role gained new responsibilities in other areas (such as freedom of information). The previous government considered, and the present government would seem to agree, that the model was no longer appropriate for a regulator of the size of the Information Commissioner’s Office and with the range of functions that the Commissioner has.

Some of the more controversial elements of the previous government’s proposal for the establishment of a new body have not been carried over by the present government. In particular, the proposal to require the regulator to follow a statement of strategic priorities prepared by the Secretary of State has not been carried forward. This was an element of previous proposals that caused concern about the regulator’s independence from the government. However, the Secretary of State will still be responsible for appointing non-executive members of the commission (who, in turn, will be responsible for appointing the executive members of the commission). The Chair of the Commission will be appointed by The King on the recommendation of the Secretary of State. Given the role of the Secretary of State in the appointment of members of the commission, some concerns may remain about the independence of the new commission from the government. The Scottish Information Commissioner, for example, is appointed by The King after nomination by the Scottish Parliament and that method of appointment has been suggested by some in the past as a method of appointment for the UK Information Commissioner (without any success). There may be, as this bill navigates its parliamentary journey, suggestions that that there ought to be more involvement by parliament in the appointment process for members of the new commission.

Legitimate Interests

The proposal to create a list of “recognised legitimate interests” is being carried over into the current government’s bill; however, the list of “recognised legitimate interests’ is not identical to the list in the previous government’s proposals. In particular “democratic engagement” does not feature, as it would have done under the previous government’s proposals. The list of recognised legitimate interests will be subject to amendment by regulations made by the Secretary of State.

Rights of data subjects

The bill contains some minor changes to the rights of data subjects. It will codify the principle that data controllers have an obligation to carry out reasonable and proportionate searches for personal data in response to subject access requests. This implied obligation currently flows from a decision of the Court of Appeal in England and Wales in respect of cases under the (now repealed) Data Protection Act 1998. Decisions of the Court of Appeal are not binding on Scottish courts, even in relation to UK-wide legislation (and there are examples in other fields of the Scottish courts disagreeing with the English and Welsh courts in relation to UK-wide legislation resulting in the Supreme Court having to step in and sort it out), and so placing it on a statutory footing will provide certainty for controllers and data subjects elsewhere in the UK.

Another change of note is a new right of complaint to the controller by the data subject. Currently there is nothing to stop data subjects making a complaint to a controller about a response that they receive to, for example, a subject access request, but there is no legal obligation on the controller to deal with the complaint. Under the proposals in the Data (Use and Access) Bill, controllers would be required to deal with such complaints. This right is in addition to the right to complain to the Information Commissioner and the right to raise court proceedings seeking a compliance order; however, the Bill does not propose making a complaint to the controller a pre-requisite to doing either of those things.

The time for dealing with, for example a subject access request, will explicitly be stopped where further information is required by the controller. Current ICO guidance is that the days between requesting clarification and that clarification being provided do not count towards the time for responding to the request, but it is now proposed to make this the law.

Financial Penalties

The maximum penalty that the Information Commissioner can impose for contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 will be aligned with the maximum financial penalties under the UK GDPR (increasing it from £500,000 to the greater of £17,500,000 or 4% of global turnover). This is not a new proposal, having been carried over from the previous government’s proposals.

International Transfers

The bill will amend chapter 5 of the UK GDPR, which covers transfers of personal data to other countries and to international organisations. The Secretary of State will still be able to make adequacy decisions by way of regulations; however, a new Article 45A will be inserted into the UK GDPR which will provide that the Secretary of State may only make such regulations where they consider that “the data protection test” is met in relation to the transfers covered by the regulations. The test will be met where the protection provided in relation to the processing of personal data “is not materially lower than the standard of protection provided for data subjects” by the UK GDPR and Parts 2, 5, 6 and 7 of the Data Protection Act 2018. This will likely give the government much more flexibility when it comes to making adequacy regulations.

Interview Notices

The proposal to confer a power on the Information Commissioner to compel a person to attend an interview (including where the Commissioner suspects that a criminal offence has been committed) has been carried over into the Data (Use and Access) Bill. It is a power that is unlikely to be used often but adds to the tools available to the Commissioner should his office face any difficulties during investigations.

Significant proposals that are absent from the Data (Use and Access) Bill

The above proposals are just some of those contained within the Data (Use and Access) Bill; however, there are some significant proposals from the previous government that have not been carried over. These include:
- Replacing the Data Protection Impact Assessment with an ‘Assessment of high-risk processing’,
- Limiting the requirement to maintain a Record of Processing Activity to only high-risk processing; and
- The replacement of data protection officers with “senior responsible individuals”.
There is much more to this bill, both in terms of data protection reform and other data use and access matters, and it will now continue its passage through Parliament (its second reading in the House of Lords is on 19 November 2024). It is, of course, probable that there will be amendments to the bill during its passage; however, given that many of the significant proposals have already been the subject of substantial parliamentary consideration, it may well be that there are no significant amendments to it. We are at the early stages of a parliament in which the government has a sizeable majority, so it can be expected that this Bill will complete its parliamentary journey and become law (in whatever final form it takes).

Disclaimer: This article is for information purposes only and nothing in it should be taken as constituting legal advice.
Disadvantages in FOI appeals back in the Upper Tribunal

May 19th, 2024

When requesters seek to challenge the refusal to release information to them under the freedom of information laws in place throughout the United Kingdom, they do so with one hand tied behind their back. They do not know the contents of the withheld information and that is for a very good and obvious reason: it would defeat the purpose of withholding the information if it was simply, as part of the appeal proceedings, going to be disclosed to the person from whom it was being withheld.

This causes significantly greater difficulties under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 than it does under the Scottish equivalents. This is primarily because of the appeals process that operates in relation to decisions of the UK Information Commissioner in relation to those pieces of legislation, in particular appeals to the First-Tier Tribunal. Those appeals are de novo (in other words, they are a complete rehearing of the case and the Tribunal is empowered to substitute its own decision for that of the Commissioner if it does not agree with the Commissioner’s decision). As a consequence of this, it is usually necessary for the First-Tier Tribunal to have sight of and consider the material that has been withheld from the requester. In Scotland, as the appeal to the Court of Session against a decision of the Scottish Information Commissioner is on a point of law only, it is not necessary for the Court of Session to have sight of the information at the centre of the dispute.

Normally, in proceedings before courts and tribunals, all parties see any document provided to the court or tribunal by every other party to the case. However, as indicated above, in appeals involving FOI requests, it would render the appeal pointless if the person who made the request was, as part of the appeal process, provided with a copy of the information that is in dispute. However, there is an obvious unfairness to the party who is kept in the dark about some of the material which is before the Tribunal. This unfairness and how to minimise it has come before the courts and Tribunals before, in particular in the case of Browning v Information Commissioner [2014] EWCA Civ 1050.

In the First-Tier Tribunal it is common for a “closed session” to take place, where the person who made the request (and their legal representatives, if any) is excluded from the hearing. During such closed sessions, the Tribunal will consider the withheld information. The Tribunal may also hear evidence from witnesses which could not be made in “open” without risking revealing the information in question. Submissions will usually be made on behalf of the Commissioner and the public authority which, again, could not be made without revealing the content of the withheld information. After the closed part of the hearing has concluded and the Tribunal is once again sitting in open session, the party who was excluded from the closed session will be given a “gist” of what happened in the closed session. This will consist of a summary of the closed hearing (including any evidence heard and submissions made), insofar as possible without undermining the purpose of the tribunal proceedings, and anything new which arose during the closed session which it is not necessary to withhold from the excluded party. The gist is necessary to minimise the unfairness faced by the excluded party to the utmost extent.

What is described above is what is happens when the Tribunal holds a hearing, either in person or by remote means. However, the Tribunal does not need to hold a hearing. It can, if the parties’ consent and the Tribunal agrees, consider the case solely on the papers. The issue of what should happen when the Tribunal considers “closed” material in cases where they are determining the appeal on the papers alone arose in the recent decision of the Upper Tribunal in Barrett v Information Commissioner and Financial Ombudsman Service [2014] UKUT 107 (AAC).

The First-Tier Tribunal had indicated in its decision that it was not normal practice to provide a gist of closed material in a case which is decided on the papers. This is not a satisfactory position. As the Upper Tribunal recognises at [103] of its decision, “the requirement to minimise the disadvantages faced by a FOIA appellant is uniform”. In other words, there is no distinction between cases decided after a hearing and cases decided on the papers when it comes to the need to minimise unfairness. A party who does not receive closed material (including closed submissions) in a case decided on the papers should not be in a less advantageous position than someone whose case is being decided at a hearing, simply because their case is being decided on the papers. In the case before it, the First-Tier Tribunal did not provide any gist in relation to the closed material, despite there being three requests for one by the appellant.

In responding to the Upper Tribunal appeal, the Financial Ombudsman Service had sought to rely on the First-Tier Tribunal having provided a further description of the closed material in its reasons. However, the Upper Tribunal held this to be “irrelevant” [101]. By the time the appellant had been given the further description of the closed material, it was too late; the First-Tier Tribunal had already taken its decision to refuse his appeal and therefore the appellant was deprived of an opportunity to make any submissions focussing on anything that arose from that additional information. What the First-Tier Tribunal had said in its reasons was not capable of minimising the disadvantages faced by the appellant in arguing his case.

The Upper Tribunal did not go on to prescribe or give guidance as to how the First-Tier Tribunal should gist closed material in a case being decided on the papers, leaving it to the First-Tier Tribunal to decide this. However, what is clear from the decision of the Upper Tribunal is that the practice of the First-Tier Tribunal of not normally providing a gist of closed material in cases decided on the papers is not proper. The First-Tier Tribunal will now require to alter its procedures for determining cases on the papers to ensure that the panel deciding the case gives adequate consideration to whether a gist should be provided and, if so, what it should contain in those cases.

The other two issues considered by the Upper Tribunal in its decision are also worthy of note. The first relates to whether the First-Tier Tribunal’s Registrar has the power to give a direction under Rule 14(6) of the First-Tier Tribunal’s rules that information must or may be disclosed to the Tribunal on the basis that it will not be disclosed to other persons, or to specified other persons. This is the rule under which the withheld information is kept private from the person who made the FOI request in proceedings before the First-Tier Tribunal. It was not necessary for the Upper Tribunal to decide this point as it had found in favour of the Appellant on the gist issue; however, it is clear that the Upper Tribunal considers that this is not something that the Senior President of Tribunals has delegated to the First-Tier Tribunal’s Registrars.

The other issue was the approach adopted by the Registrar in making the direction under Rule 14(6) (a direction that they probably didn’t have the power to make anyway). The Upper Tribunal considered that the process adopted was flawed. The Registrar refused to allow the Appellant to make submissions on the request for the Rule 14(6) direction because his submissions would cause unnecessary delay because they were pointless. This was, the Upper Tribunal stated at [92] an irrelevant (or a non-existent) consideration. The reasoning adopted by the Registrar for their refusal amounted to a “categorical bar on the appellant making representations” concerning the application made under Rule 14(6). Furthermore, it had the effect of “nullifying” the provisions of Rule 14(8), which requires the Tribunal to notify all other parties if one party applies for a direction under Rule 14(6). The appellant ultimately lost in the Upper Tribunal on this ground of appeal because over the course of the whole proceedings before the First-Tier Tribunal, he did get an opportunity to make submissions on the application of Rule 14(6). However, it is clear, that all parties should be permitted to make submissions in relation to an application for a direction under Rule 14(6) before such a direction is made. Clearly, the party who made the request for information is at a disadvantage in this regard because they do not know what they do not know. Their submissions will likely be less focussed than those of the public authority and the Commissioner, both of whom know the content of the withheld information. However, their submissions are still relevant and can be of value to the Tribunal in considering what direction to make in terms of Rule 14(6). A direction under Rule 14(6) shouldn’t go any further than is necessary to protect the integrity of the proceedings before it.
Scotland’s Hate Crime Act…what is it and what isn’t it?

April 15th, 2024

On 1 April 2024, the Hate Crime and Public Order (Scotland) Act 2021 entered into force. To say that there has been controversy in the two weeks since its coming into force would be an understatement. However, what is clear from the public discourse that’s taken place in the run-up to implementation and in the two weeks since it was implemented is that it is a very misunderstood piece of legislation.

Background to the Act

The concept of hate crime is not new in this country. There has been an offence of stirring up racial hatred in Scotland for more than 35 years. An offence of stirring up racial hatred was inserted into the Public Order Act 1936 by the Race Relations Act 1976. It was then re-enacted in the Public Order Act 1986 and has again, insofar as Scotland is concerned (the 1986 Act offence still applying to England and Wales), in the Hate Crime and Public Order (Scotland) Act 2021.

There have been other “hate crime” provisions within Scots law, such as the offence of racially-aggravated harassment within the Criminal Law (Consolidation) (Scotland) Act 1995.

In addition to those offences there have been statutory aggravations, such as a racial aggravation in the Crime and Disorder Act 1998, religious prejudice under the Criminal Justice (Scotland) Act 2003 and disability, transgender identity and sexual orientation in the Offences (Aggravation by Prejudice) (Scotland) Act 2009.

In 2017 Lord Bracadale (a retired judge of the High Court of Justiciary and the Court of Session and also a prosecutor in his career at the Scottish Bar) was appointed by the then Community Safety Minister to carry out an independent review of hate crime legislation in Scotland. Lord Bracadale published his report in 2018 and the Hate Crime and Public Order (Scotland) Act 2021 largely follows the recommendations made by Lord Bracadale (although, not entirely).

What does the Act do?

The Act does a number of things. Firstly, the Act is consolidating legislation. What this means, essentially, is that it has taken all of the existing provisions in relation to “hate crime” and re-enacted them into one place. It is now no longer necessary to look at lots of different pieces of legislation to locate the legislative provisions on “hate crime” insofar as it relates to Scotland (as can be seen above, the provisions that existed prior to the 2021 Act were scattered across a number of different pieces of legislation).

Section 1 of the Act consolidates the provisions concerning offences aggravated by prejudice. However, it does add in a new characteristic which had not previously been covered by the law: age (this was a recommendation made by Lord Bracadale in his report). With that exception, the law in relation to offences aggravated by prejudice did not change on 1 April 2024.

It is important to note that section 1 is not a “standalone provision”; it relates to the aggravation of an offence. In other words, for it to apply there must first have been an offence committed. So, for example, if someone assaulted another person because of their religious affiliation (or perceived religious affiliation) then that person could be charged with an assault and the summary complaint or indictment could also contain an aggravation of religious prejudice. This means that, in this example, if the finder of fact (a Summary Sheriff or Sheriff in the case of a summary complaint or a jury in the case of an indictment) decides that the accused assaulted the complainer they would then need to consider whether the assault was aggravated by religious prejudice. Unlike the assault, the aggravation does not need to be corroborated (in other words the evidence of one witness would be sufficient to enable them to find the aggravation proved); this is not a change in the law either: an aggravation did not need corroboration before 1 April 2024 either.

If the finder of fact found that the assault was aggravated, section 2 of the Act means that the offence must be treated more seriously by the courts: in other words, the court is required to impose a harsher sentence on the accused than would be justified if the assault had not been aggravated by prejudice. If the finder of fact decided that the assault had not happened, then the aggravation also falls away: the aggravation cannot exist without the offence (but the offence can exist without the aggravation).

The aggravations do not just apply to an assault. In theory any offence could be aggravated by prejudice by reference to one of the characteristics listed in section 1. It could be murder, a breach of the peace or the crime of threatening or abusive behaviour under section 38 of the Criminal Justice and Licensing (Scotland) Act 2010.

Section 3 re-enacts the offence that used to be in section 50A of the Criminal Law (Consolidation) (Scotland) Act 1995 of racially-aggravated harassment.

Section 4 is where there has been the most controversy. Section 4 deals with the “stirring up” offences. Section 4 contains, in effect, two separate offences. The first re-enacts the decades old provisions in relation to stirring up racial hatred. This relates to situations where someone acts in a manner, or communicates material to another person, which a reasonable person would consider to be threatening, abusive or insulting and (i) in doing so the person intends to stir up hatred against a group of persons based on the group being defined by reference to race, colour, nationality (including citizenship), or ethnic or national origins OR (ii) a reasonable person would consider the behaviour or the communication of the material to be likely to result in hatred being stirred up against such a group.

The other offence created is stirring up hatred on the grounds of the characteristics of age, disability, religion (or, in the case of a social or cultural group, perceived religious affiliation), sexual orientation, transgender identity or variations in sex characteristics. This is new in Scotland (England and Wales, they do have a stirring up offence in relation to religion and sexual orientation in the Public Order Act 1986). The offence is essentially the same as the religious hatred one, but in relation to the other characteristics “insulting” does not appear – only “threatening or abusive.” The offences are not about causing offence, or being rude or anything like that. The conduct in question has to be more than that; it has to be likely to cause the reasonable person to suffer fear or alarm. The police and courts in Scotland are very much used to dealing with the concept of “threatening or abusive” behaviour given there is an offence of threatening or abusive behaviour”.

However, for the this offence to be committed, it has to go further than merely being threatening or abusive. The accused has to intend stir up hatred against a group of persons by reference to the characteristic of age, disability, religion, sexual orientation, transgender identity or variations in sex characteristics. That being said, behaviour which as merely threatening or abusive and was motivated by prejudice on the grounds of age, disability, race, religion, sexual orientation, transgender identity or variations in sex characteristics a person could be prosecuted for threatening or abusive behaviour under the Criminal Justice and Licensing (Scotland) Act 2010 with the appropriate aggravation under section 1 of the Hate Crime and Public Order (Scotland) Act 2021.

What about free speech?

Article 10 of the European Convention on Human Rights guarantees freedom of expression, including the right to hold opinions and to impart information and ideas. However, it is not an absolute right. It is recognised in the Convention that there may require to be limits on free speech when balancing against other legitimate interests. For example, defamation laws are a restriction on free speech, but it is right and proper that people are able to seek recourse when they have been defamed. There were also already existed restrictions on free speech in the criminal law prior to 1 April 2024: the offence of stirring up racial hatred is, as pointed out earlier in this post, one that has existed for a long time. The offence of threatening or abusive behaviour in section 38 of the Criminal Justice and Licensing (Scotland) Act 2010 can be a restriction on free speech if it relates to things that are spoken or written. A breach of the peace can be a restriction on free speech if it relates to things that are written or spoken. Those are just a few examples, there are others.

There are specific protections within the Hate Crime and Public Order (Scotland) Act 2021 in relation to free speech. Section 9 of the Act sets out certain protections. Furthermore, the police, the Procurator Fiscal, the Lord Advocate and courts are all public authorities for the purposes of the Human Rights Act 1998 and cannot act incompatibly with people’s “convention rights” (being the rights from the European Convention on Human Rights listed within the Human Rights Act 1998). In exercising their powers and authority, each has to ensure that they are acting compatibly with, amongst other things, a person’s right to freedom of expression (and, indeed, their (qualified) right to respect for their private and family life).

What is missing?

It has been suggested that the non-inclusion of sex as one of the characteristics, particularly in relation to stirring up offence, is an omission on the part of the Scottish Parliament.

Lord Bracadale recommended in his report that sex be included, but the Scottish Government, when framing the Bill that became the Act, decided not to include it. That is a policy decision for which they are accountable and whether they were right to take that decision or not is not something that I am going to comment on in this post – it would be opinion rather than analysis of the statute. However, it is worth noting that the Scottish Government has said it is looking at the issue and that section 12 of the 2021 confers a power on the Scottish Ministers to add sex into the Act by way of regulations (so, if the Scottish Government were to decide to add sex in, it could be done relatively quickly without having to pass a new Act).

Is the Act unclear?

Another criticism that has been made of the Act is that it is unclear or vague in some sense. Those criticisms are, again, in my opinion, unfounded. All of the provisions within the Act either already existed within Scots law and have been applied time and again by police, prosecutors and the courts or build upon those provisions which have existed in the law for a long time.

Conclusion

In short, there has been a lot of controversy surrounding the Act. Much of it has been ill-informed (not helped by pronouncements made by Ministers and the police in the run-up to the Act coming into force which did not reflect the wording of the Statute). Little of the controversy has any sound basis in the text of the Act (the words used in the statute are what matter; those words and their meaning cannot be changed by way of statements made by Ministers or police officers – no matter how senior). Being offensive, even deliberately so, is not likely to result in a charge under the 2021 Act. However, if conduct were to be threatening or abusive then this may amount to an offence under other legislation.

A lot of what is contained within the Hate Crime and Public Order Act 2021 is not new, and the bits that are new are, essentially, extensions of what already existed. Those new bits are also based upon recommendations made following an independent review of the law in this area.

It is highly likely that the effects of the Act have been considerably overstated and that, in fact, the numbers of people caught by the 2021 Act will not be much greater than under the laws that went before it (although, recognition has to be given to the bits that are actually new and the likely effect that might have overall on the number of people caught by the 2021 Act). Holding and expressing, for example, gender critical beliefs would not, on its own, pass the criminal threshold. The conduct would have to go further: it would have to go into the realm of being likely to cause the reasonable person (that is, the ordinary man or woman on the street) fear or alarm. Referring to a trans man as a woman or a trans woman as a man, on its own, would not cross the threshold; again, something more would be required. Whether the behaviour is threatening or abusive is an objective test, not a subjective one. While the feelings of the complainer may be relevant, they are not determinative. What matters is whether the conduct would be likely to cause the reasonable person fear or alarm.

Disclaimer: This post is for information purposes only and nothing in it should be taken as constituting legal advice.
Access to justice and the rule of law: the morality of acting for the good and the bad

March 24th, 2023

It has been reported that some 120 or so Barristers in England and Wales are going to sign a “Declaration of Conscience” stating that they will not prosecute people who are accused of crimes in the course of climate activism nor will they give advice which would further the exploration of oil and gas. I think they are wrong to do so and in this blog post I will explain why I think they are wrong to do so.

There are two fundamental interlinked principles which I think are being undermined here. The first is that equality before the law demands that every person be able to access legal representation and the second is that counsel should not be identified with their client. These two fundamental principles are, in my view, essential to the proper functioning of the administration of justice.

It is common to both the Bars of England and Wales and Scotland that their members are bound by a rule known as the “cab-rank rule”. At a taxi rank the driver at the front of the queue is bound to take the first fare that comes along: no matter who the customer is and no matter the journey. They can’t, for example, decline a fare because it’s too short a journey in the hope that a better fare will come along. At its core, the cab-rank principle, as it applies to the Bar, is that lawyers must accept instructions where they are available, can competently do the work and the client is offering to pay a reasonable fee (and that, certainly so far as Scotland is concerned, includes a client in receipt of legal aid).

The cab-rank rule means that lawyers are unable to decline instructions simply because they don’t like the client or the client’s case is a moral affront to them. Therefore, it becomes wrong to associate the lawyer with their client; they’re not acting because they support the client, they are acting because they have a duty in a society governed by the rule of law to act. It means that lawyers should not be criticised for, for example, acting on behalf of asylum seekers in appeals against decisions of the Secretary of State or acting for the Secretary of State in such appeals; it means that lawyers should not be criticised for defending those who have committed the most depraved crimes and so on. They are, after all, simply doing their job.

It is often said that this approach is, itself, lacking in morality. I disagree, in a democratic society the rule of law is fundamental. The rule of law is what ensures that the state doesn’t become too over-bearing, it is what ensures that consumers are protected in their dealings with companies, it is how employees are protected against bad employers and employers are protected from bad employees, it is how companies are protected in their dealings with one another and so on. The morality rests, in my view, in the need to ensure maintenance of the rule of law.

This feeds into the notion that every person is entitled to representation. The cab-rank rule ensures that this is the case. Representation for lots of people could be declined on the basis of conscious: those accused of abusing children; those accused of acts of terrorism; those accused of murder – especially that of vulnerable groups such as children; those accused of neglecting their children in cases where the State is trying to remove the children and so on. Where would that leave our justice system? Some might say better off, but I disagree. People without representation means that they have to represent themselves. If you consider yourself to be victim-focussed that is a bad thing: it would mean alleged domestic abusers directly cross-examining those they are accused of abusing; it would mean those who have allegedly committed harrowing assaults on children cross-examining those same children where they are old enough to give evidence; it would mean those accused of rape cross-examining those who they are said to have raped.

Furthermore, it risks injustice in the system. Lawyers exist to serve several functions within the justice system. One of those is to ensure that the process is fair and conducted in line with the rules applicable to the case. In the criminal sphere you could have innocence people wrongly convicted because they were at a disadvantage; it also ensures that the public can have confidence that those convicted were done so fairly. Courts make mistakes and that’s why we have appellate courts and ultimately bodies such as the Scottish Criminal Cases Review Commission. Outside of the criminal sphere, again, you could have children wrongly removed from parents because they are at a disadvantage due to a lack of representation. Our society is better off as a result of ensuring that those accused of the most reprehensible things are dealt with fairly.

Now, these lawyers are only talking about refusing prosecution cases in the criminal context, not defence cases. However, as soon as you introduce the concept of lawyers refusing cases on the basis of the lawyer’s own personal principles, you open the gates to other areas of work being refused on the same basis. The system starts to break down and society, as a whole, is poorer for it.

It has also been pointed out that many of those reported to be signing the declaration are unlikely to actually ever receive instructions of that nature, but that is, in my view, an irrelevance. The performative nature of the decision still undermines the fundamental principles I outlined at the start of this post. It opens the door to associating lawyers with their clients, it undermines the principles supported by the cab-rank rule and it opens the door to people actually being refused representation because of the principles of the lawyer.

The legal profession is facing unprecedented and, in my view, unwarranted attacks from government for acting for those deemed unworthy by them, by sections of the media and ultimately sections of the public. Actions like this from members of the profession play right into those narratives, they make it harder for the vast majority of the Bar who stand by the principles at the centre of our profession. They will increase the pressure on counsel to stop acting for other groups deemed unworthy of representation by the government and by parts of society. The decision by these lawyers might have no actual effect on their own practice or on the ability of people to actually obtain representation, but what they are doing is damaging the profession as a whole and risking principles which are fundamental to our democracy.

In short, it is my view that if you feel as though your personal principles mean that you cannot properly do what is expected of you as counsel then, perhaps, the profession is not for you. We don’t expect, for example, doctors not to treat a patient because of who the patient is, what they have done, or the lifestyle choices made by that patient. Sometimes putting our own moral position to one side and serving a higher, more fundamental principle can be the hardest thing to do, but ultimately, we need people to do that to ensure the proper functioning of our democracy. It is not a choice for counsel to do so, it is a fundamental part of the job.

***

This post was updated on 24 March 2023 to add in a missing “not” in the second paragraph.
Appropriate steps and section 166

November 4th, 2022

Last month I highlighted an interesting decision from the First-Tier Tribunal on the much-litigated section 166 of the Data Protection Act 2018 (a section which often results in data subjects being disappointed as to its scope). Yesterday, the Tribunal gave another interesting decision in relation to section 166.

In August 2021, the applicant made a subject access request to a company called Contactout Limited. In November 2021, the applicant complained to the Information Commissioner as the company had not responded to their subject access request. In February 2022, the Commissioner responded to the applicant essentially telling the applicant that there was nothing that the Commissioner could do as the controller was based in the USA. Another fact of key importance is that the applicant was based in the Netherlands and that nothing had been put forward to connect either the applicant or the controller to the UK.

As the Commissioner had provided a response to the applicant, he asked the tribunal to strike out the application as having no reasonable prospect of success. The Tribunal declined to do this (but ultimately dismissed the application). The applicant argued that no adequate explanation had been provided as to why the Commissioner was not the relevant supervisory authority. The Tribunal considered that such an argument had, at least, the potential to fall within the scope of section 166 application [para 14]. The Tribunal was somewhat critical of the Commissioner’s submission which “failed to engage with the applicant’s actual pleaded case.” [para 14] The Tribunal went on to state that it was not going “so far as holding that a sufficiency of reasoning is required in a public law sense, but the applicant must at least know what the outcome is.” [para 14]

The Tribunal found that the wording of the Commissioner’s response letter to the applicant (quoted in its decision), when taken in isolation, risked misleading the reader of the letter that the commissioner was unable to take regulatory action against a controller based in a third country; Article 3 of the UK GDPR and section 207 of the Data Protection Act 2018 create, at least, some scope for such regulatory action. However, the Tribunal decided that the phrase “In relation to your case” within the decision letter from the Commissioner was sufficient to clear-up any misunderstanding. The complaint disclosed that there was nothing linking the applicant, their personal data or the controller to the United Kingdom and it was for that reason that the Commissioner had no jurisdiction. So, with that misunderstanding cleared up there was nothing left that the Commissioner could do that could form the basis for the Tribunal issuing an order under section 166.

The application was dismissed.

Section 166 continues to be a disappointment to data subjects; the limited scope of its terms has been affirmed repeatedly by both the FtT and Upper Tribunal. It does not afford a mechanism for appeal for a data subject who is unhappy with the outcome of their complaint to the Commissioner. It is clear, however, that where there remains scope for the Commissioner to take reasonable steps to address the complaint, then there may be some scope for orders under section 166. There is a fine line between considering whether appropriate steps have been taken to respond and whether the response itself was appropriate. The Tribunal is tasked with casting “a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome.” (Killock and ors v Information Commissioner [2021 UKUT 229 at [87]).
ColourCoat Ltd v Information Commissioner

October 31st, 2022

Last week, the First-Tier Tribunal issued its decision in an appeal by ColourCoat Limited (“CCL”) against a Monetary Penalty Notice (“MPN”) issued by the Information Commissioner in respect of contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

Since 2016, CCL has been installing, as a subcontractor, hydrophobic thermal coatings to combat damp and heat loss in residential properties. In 2019, CCL decided that it would start marketing directly to potential customers and bought lists of names and phone numbers for this purpose.

When calls from CCL were answered, the call operator introduced themselves as being from “Homes Advice Bureau”; the script that they followed had the call operators inform the recipient that they were following up on a Government initiative about loft or cavity wall insulation. The call recipient was informed that they qualified for a free “heat loss and moisture check” which would be carried out by “EcoSolve UK”. If the recipient expressed interest, CCL would thereafter inspect the property and attempt to sell installation services. By the end of October 2019, CCL’s turnover had increased seven-fold.

In February 2020, the Information Commissioner noted that their office had received a number of complaints about unsolicited direct marketing calls from a company calling themselves “Homes Advice Bureau”. CCL was identified by the Commissioner, using statutory powers, as the source of these calls. The Commissioner discovered that CCL had made almost 970,000 calls for the purpose of direct marketing between August 2019 and March 2020. Of these calls over 450,000 were made to numbers registered with either the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS) and had been so registered for more than 28 days.

The Commissioner issued a Notice of Intent and a Preliminary Enforcement Notice in February 2021. After CCL had made representations through its solicitors, the Commissioner served a MPN (in the sum of £130,000) and Enforcement Notice on CCL on 16 June 2021. The Commissioner had found CCL in breach of Regulations 21(1)(a), 21(1)(b), 21(A1) and 24(1)(b) of PECR.

CCL did not dispute that it had breached Regs 21(1)(a) and (b); however, it did dispute the breaches of Regs 21(A1) and 24(1)(b) of PECR; it also appealed the amount of the MPN. However, the FTT held that CCL was in contravention of Regs 21(A1) and 24(1)(b).

In relation to Reg 21(A1), the FTT held that CCL had used mobile numbers from which it could not be identified and that at least one of the numbers used was registered to a pseudonym (“John Smith”).

In relation to Reg 24(1)(b) the FTT found that CCL had failed to provide call recipeints with its name. The FTT said, at para 36, that “[w]hile a company can trade under a trading name, PECR requires anyone making unsolicited direct marketing calls to provide their name – in this case, the registered company name.” The FTT noted that the Commissioner had experienced difficulty in identifying CCL as the source of the call and had only been able to do so by making us of their statutory powers; something that would have been “impossible for the call recipients” [para 36].

CCL had sought to argue that its contravention of Reg 21(1)(a) had been negligent; however, the FTT held that it was deliberate. Names would only go on CCL’s “Do Not Call” list if an individual was particularly forceful or insistent. CCL’s sole director confirmed in oral evidence to the FTT that a call recipient who had told CCL to “go away” would be called again in case they were just in a bad mood or in a rush. [para 39]

In relation to the contravention of Reg 21(1)(b), the FTT held that that was negligent. At paragraph 41 of its decision it states that CCL “knew or ought to have known that there was a risk that calls would be made to” TPS and CTPS registered numbers. The data list invoices received by CCL contained references to TPS and GDPR so although the company lacked actual knowledge of these matters, CCL “could have easily researched the relevant rules and put screening software in place.” [para 41].

In relation to the amount of the MPN, the FTT held, at para 44, “that the Commissioner had taken a careful, detailed and reasonable approach to determining the amount of the penalty” and that it had done so in line with the principles that penalties should be effective, proportionate and dissuasive and whether a fair balance has been struct between means and ends. Furthermore, the decision was in line with the Commissioner’s Regulatory Action Policy and published guidance.

The FTT noted that CCL “had targeted older, and potentially more vulnerable, people and by using a “neutral” trading name and referring to a Government initiative, created the false impression that [CCL] was providing an official or Government authorised service.” [para 48] The FTT also held that during the period of the contraventions that CCL’s turnover had been high and that a “substantial proportion” was likely to have been derived from the marketing campaign. [para 50]

The appeal was dismissed.

The FTT makes some interesting comments in its decision in this appeal that ought to be kept in mind by people undertaking direct marketing and those advising them on the lawfulness and/or privacy aspects of direct marketing. If you’re using a trading name and it is not immediately obvious from that trading name who the actual caller (or instigator, if different) is then that is information that requires to be provided as part of the call.

The FTT also noted what was said by the Upper Tribunal in the Leave.EU appeals that comparisons with other penalties issued by the commissioner is not helpful in assessing whether another penalty is appropriate. While there are principles that underpin how the Commissioner (and FTT) will assess what is an appropriate level of penalty, what that is will vary depending on the facts of each case (although being wildly out of step from other penalties may be an indication that something has gone wrong, but consideration would also need to be given to what material differences exist between each case).
ECJ: Advocate General on Damages under the GDPR

October 10th, 2022
Last week the opinion of Advocate General Campos Sánchez-Bordona was published in UI v Österreichische Post AG (Case C-300/21), which is a request for a preliminary ruling from the Oberster Gerichtshof (the Supreme Court of Justice, Austria) in connection with the provisions in the GDPR on damages.

The GDPR (and, in the UK, the UK GDPR) provides for any person who has suffered material or non-material damage as a result of an infringement to be compensated from the controller or processor for the damage suffered.

In the case that has been the impetus for the reference from the Austrian courts, Österreichische Post AG (the company responsible for postal services in Austria) had, from 2017 onwards, collected information on political party affinities of the Austrian population. With the assistance of an algorithm, it defined ‘target group addresses’ according to certain socio-demographic features. UI has claimed €1,000 in damages in respect of inner discomfort. He claims that the political affinity that Österreichische Post AG attributed to him is both insulting and shameful. He also claims that it is extremely damaging to his reputation. Furthermore, he says that the conduct complained of has caused him great upset and a loss of confidence as well as a feeling a public exposure.

At first instance, UI’s claim for compensation was refused. The appellate court upheld the decision to refuse him compensation holding that breaches of the GDPR do not automatically result in compensation. The appellate court also held that the principle in Austrian law that in life, everyone must bear mere discomfort and feelings of unpleasantness without any consequence in terms of compensation.

This decision was again appealed, and the referring court has referred three questions for a preliminary ruling:
1. Does the award of compensation under Article 82 also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?’
In relation to the first question, the Advocate General comes down very firmly against an interpretation which allows automatic compensation for every infringement. At para 28 of his Opinion, he states that “there is an unequivocal requirement that the natural person concerned must have suffered damage as a result of an infringement”. He states, at para 29, that “an interpretation which automatically associates the notion of ‘infringement’ with that of ‘compensation’, without the existence of any damage, is not compatible with the wording of Article 82 of the GDPR.”

On the second question, the Advocate General takes the view, at para 89, that it “cannot be ruled out that reparation sought for non-material damage may include components other than merely financial components, such as recognition that the infringement occurred, thereby providing the applicant with a certain moral satisfaction.” However, it is important to consider how the provisions on an effective judicial remedy and the right to compensation interact with one another; a difficulty in proving damage where a data subject is alleging financial damage must not result in nominal damages (para 92).

On the third question, which is concerned with whether the GDPR permits member states to refuse damages where the damage does not exceed a particular level of seriousness, the Advocate General concludes that this question could be answered in the affirmative. At paragraph 105 of his opinion, the Advocate General states that he does “not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation.” He continues, at para 112, by stating that ” the right to compensation under Article 82(1) of the GDPR does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset.” However, he goes on to propose an answer to the third question which essentially leaves it to national courts to determine whether, on the facts before them in each case, whether it goes beyond “mere upset”. So, while the Advocate General is clearly of the view that there is some form of de minimis threshold, he does not assist that much with where the line is.

The AG’s opinion is, of course, not a judgment of the court; we await to see whether the court adopts the opinion of the Advocate General and, if so, to what extent. Of course, decisions of the European Court are no longer binding in the UK. That is not to say that they are no longer of any relevance when it comes to UK law that derives from EU law (such as the UK GDPR); the effect of section 6(2) of the European Union (Withdrawal) Act 2018 provides that a court or tribunal may have regard to case law for the European Court which has come about after the UK left the European Union.

In the UK, the most recent authoritative case to grapple with the question of damages for data protection breaches was the Supreme Court’s judgment in Lloyd v Google. That was concerned with damages under the Data Protection Act 1998 and Lord Leggatt, giving the sole judgment of the court, confined his decision to the 1998 Act. However, it would be prudent to note that the reasoning in Lloyd is essentially the same as the reasoning in the Advocate General’s opinion in UI.

When the European Court’s judgment comes in this case, it will likely be a decision of some importance to data protection litigation in the UK, if only to confirm that the reasoning in Lloyd is equally applicable to Article 82 of the UK GDPR.
When no complaint is found

October 3rd, 2022

Section 166 of the Data Protection Act 2018 has produced a reasonable amount of litigation arising out of what appear to be repeated fundamental misunderstandings by data subjects as to what section 166 provides them with. The Upper Tribunal has authoritatively, on more than one occasion, sated that the right afforded by section 166 of the 2018 Act is limited and does not provide a route for an unhappy data subject to appeal the outcome of their complaint to the Information Commissioner.

A recent FTT decision on section 166 took a slightly different approach, striking out the appeal on the grounds that the applicant had not even made a complaint to the Commissioner and so the Commissioner’s obligation to provide information as to the progress of the complaint was not even engaged.

On 25 May 2021, the applicant copied the Information Commissioner’s Office into an E-mail that had been sent to various other organisations. In that E-mail, the applicant raised a number of issues, none of which seem to have engaged the data protection legislation. There was, attached to the E-mail, an annotated copy of an E-mail that she had received days earlier from the Home Office.

On 8 June 2021, a case officer at the ICO wrote to the applicant to inform her that none of the issues she had raised fell within the jurisdiction of the Commissioner and advised her to complete one of the ICO’s complaint forms if she wished to raise a complaint under the data protection legislation.

The Commissioner argued that as no valid complaint had been made to his office there was no complaint to progress and therefore the application under section 166 of the Data Protection Act 2018 had no reasonable prospect of success.

Judge O’Connor agreed with the Commissioner and concluded that there was no reasonable prospect that the applicant could establish the contrary. Therefore, the application was dismissed. Judge O’Connor did go on to state that even if he was wrong on this, the Commissioner’s letter dated 8 June 2021 was a response and so the Tribunal would have had no jurisdiction under section 166 of the Act in any event.

This case is rather different to the usual section 166 cases that have been seen until now. It suggests that the Information Commissioner is taking a robust approach to what is and what is not a complaint. It has been the case for many years that the ICO would not typically respond to E-mails where they have simply been copied in. The Tribunal appears to be willing, at least in this case, to conclude that no complaint in terms of Article 77 of the UK GDPR or section 165 of the Data Protection Act 2018 has been made to the Commissioner where that is appropriate, and strike out section 166 applications which follow on the back of correspondence not amounting to a proper complaint.
#IndyRef2 and the Supreme Court

July 13th, 2022

On 28 June 2022, the Lord Advocate lodged a reference with the UK Supreme Court under paragraph 34 of Schedule 6 to the Scotland Act 1998. The reference concerns whether the Scottish Parliament has legislative competence to legislate for a referendum, specifically in relation to a draft Bill. The question, set out at paragraph 21 of the Lord Advocate’s reference, the Supreme Court is invited to answer is:

“Does the provision of the proposed Scottish Independence Referendum Bill that provides that the question to be asked in a referendum would be “Should Scotland be an independent country?” relate to reserved matters? In particular, does it relate to: (i) the Union of the Kingdoms of Scotland and England (para.1(b) of Schedule 5); and/or (ii) the Parliament of the United Kingdom (para.1(c) of Schedule 5)?”

The UK Government is reportedly asking the Supreme Court to dismiss the reference. Firstly, on the substantive question, that the Scotland Act does not confer legislative competence on the Scottish Parliament to legislate for a referendum on independence. Secondly, on a more technical basis, that the reference is premature on the basis that the Scotland Act 1998 makes express provision for scrutiny of Bills by the Supreme Court, which begins after the Bill has completed its passage through the Scottish Parliament. The UK Government’s position is not unexpected, and they are doing nothing improper in seeking to argue that paragraph 34 of Schedule 6 does not confer jurisdiction on the Supreme Court to determine the legislative competence of a proposed Bill.

Those who have been following the legal wranglings over the Scottish Parliament’s competence in this area will be familiar with the case brought by Martin Keatings, in which the Lord Advocate’s predecessor and the Advocate General for Scotland were at one in arguing that Mr Keatings’ case was premature. Both succeeded in the Outer House (before Lady Carmichael) and in the Inner House (before the First Division comprising the Lord President, Lord Menzies and Lord Doherty).

Schedule 6 to the Scotland Act 1998 is concerned with what are known as “Devolution Issues” and consists of 38 paragraphs divided into 5 parts. For present purposes, only paragraphs 1 and 34 are of relevance.

Paragraph 1 defines what constitutes a “devolution issue” for the purposes of the whole schedule. The Lord Advocate relies on paragraph 1(f), which states “any other question about whether a function is exercisable within devolved competence or in or as regards Scotland and any other question arising by virtue of this Act about reserved matters.”

Paragraph 34 provides that “[t]he Lord Advocate, the Attorney General, the Advocate General or the Advocate General for Northern Ireland may refer to the Supreme Court any devolution issue which is not the subject of proceedings.” Schedule 6 is mostly concerned with devolution issues which arise in the context of ongoing cases before the courts in Scotland, England and Wales and Northern Ireland; however, this one paragraph provides a power for one or more Law Officers to refer directly to the Supreme Court any devolution issue which is not the subject of ongoing litigation in the courts.

When the reference was first announced, a number of commentators queried whether paragraph 34 covers the question raised by the Lord Advocate in her reference.

Paragraph 1(f) is drawn in apparently wide terms; however, it must be read in context. It forms part of a list of other things which are devolution issues, this includes “a question whether an Act of the Scottish Parliament or any provision of an Act of the Scottish Parliament is within the legislative competence of the Parliament.” Importantly, that list of things only refers to Acts and makes no reference to Bills. The Scotland Act 1998 provides elsewhere for the scrutiny of Bills for legislative competence by the Supreme Court. Those provisions are to be found in section 33, which provides that the Lord Advocate, Advocate General and Attorney General for England and Wales may refer a Bill, or any part of a Bill, to the UK Supreme Court in the 4-week period following it being passed by the Scottish Parliament. This has been done three times before in relation to Bills passed by the Scottish Parliament: the UK Withdrawal from the European Union (Legal Continuity) (Scotland) Bill; the European Charter of Local Self-Government (Incorporation) (Scotland) Bill and the United Nations Convention on the Rights of the Child (Incorporation) (Scotland) Bill. In all three cases those references were made by the UK Law officers (the Advocate General and Attorney General).

The Inner House in Keatings concluded that Section 33 was the only way in which Bills could be scrutinised before becoming an Act of the Scottish Parliament. In his opinion, the Lord President states the following, at paragraphs 60 and 61:

[60] It is important in limine to make a clear distinction between an Act of the Parliament and a Bill. Only a provision of an Act can be outwith legislative competence (1998 Act, s 29(1)). The contents of a Bill cannot be, since a Bill has no legislative force. The 1998 Act makes express provision for both the person in charge of a Bill and the Presiding Officer to express their views on legislative competence. The phraseology is careful and is designed to ensure that such an expression does not amount to a decision which is subject to the supervisory jurisdiction of the court. The Act goes on to provide expressly for the scrutiny of Bills at a stage after a Bill has been passed by the Parliament but prior to it receiving Royal Assent. It has confined that scrutiny to the Supreme Court of the United Kingdom and then only on the application, within a limited window of time, of the principal law officers of Scotland and the United Kingdom (1998 Act, s 33(1)). This is the only method of scrutinising a measure for legislative competency prior to Royal Assent.
[61] If it were otherwise, there would be the potential for conflict between applications which challenge competency made by other persons to the Court of Session or a sheriff court in advance of Royal Assent. Put another way, “the coexistence of two systems, overlapping but varying in matters of detail… would be a recipe for chaos” (R (Child Poverty Action Group), Lord Dyson at para 35 citing Unisys [2003] 1 AC 518 Lord Millett at para 80). The time frame for applications to the UK Supreme Court would be rendered somewhat redundant, if an application from one of the law officers could be made prior to the passing of the Bill by the Parliament. The idea that the law officers are able to seek such scrutiny only after the passing of a Bill would be rendered nugatory if they could do so during the Bill’s passage through Parliament.

It should be noted that the opinion was given without the court having been addressed on paragraph 34 of Schedule 6 or, seemingly, it ever having been brough to the attention of the Court. However, that aside, there appears to be a logic to the Court’s position (a position which was advanced by both the Advocate General and the Lord Advocate). Section 33 would more or less be redundant if the principal law officers could simply refer Bills at any stage.

The problem with a court giving a judgment on legislative competence before a Bill completes its passage through the Scottish Parliament is that a Bill can be amended in any number of ways at various points through that process. Those amendments could conceivably take a Bill, or part of a Bill, outwith competence that had, until the point it was amended, been within competence. You could also end up with a situation where, for example, the Advocate General for Scotland refers a Bill upon its introduction and while the Supreme Court is hearing that reference, the Scottish Parliament debates and amends the Bill (or debates the Bill and decides, at Stage 1, not to progress the Bill any further), which leaves the court assessing an outdated position and rendering its judgment academic. It therefore doesn’t address the core issue and wouldn’t prevent challenges under section 33 (prior to Royal Assent) or through judicial review(after Royal Assent) in respect of any changes made to the Bill.

The logic of the opinion of the First Division of the Inner House, appears to hold true when applied to paragraph 34 of Schedule 6. It is certainly arguable that paragraph 34 of Schedule 6, given its wide terms, confers a power on the Lord Advocate to make this reference, but for what it is worth, my view is that it is unlikely that the Supreme Court will accept that is the position. I suspect that the Supreme Court will approve of the essential conclusions reached by the Inner House in paragraphs 60 and 61 of Keatings and dismiss the reference, leaving open the option for the Advocate General, Attorney General or Lord Advocate to refer a Bill after it has been passed.

What that will mean for the proposed Bill will remain to be seen. It appears from the reference that other parts of the Lord President’s opinion in Keatings causes some issues for the Lord Advocate in being able to sign-off on the Bill being within competence. At paragraph 4 of the reference, the Lord Advocate refers to comments made by the Lord President at paragraph 66 of his opinion in Keatings. In particular, where the Lord President expresses the view that “it may not be too difficult to arrive at a conclusion, but that is a matter, perhaps, for another day.” When read in context, it certainly appears that the Lord President is of the view that such a Bill would be outwith the competence of the Scottish Parliament; however, he stopped short of stating that and, in any event, as the decision in the case had been reached for other reasons any views expressed on the substantive merits is obiter (something expressed in a judgment that is not essential to the decision and therefore not binding as precedent).

When a Bill is introduced into the Scottish Parliament, section 31 of the Scotland Act 1998 requires the person in charge of the Bill (in the case of a Bill introduced by the Scottish Government, this would be one of the Scottish Ministers) and the Presiding Officer to decide whether or not in their view the provisions of the Bill would be within the legislative competence of the Scottish parliament and to state their view.

However, the Scottish Ministerial Code goes further; it requires that, before a Minister states that it is their view that the provisions would be within competence, they must get the statement cleared by the Law Officers (i.e. the Lord Advocate and/or the Solicitor General for Scotland). This raises another potential problem with the reference; it essentially flows from a condition imposed on the Scottish Ministers by the First Minister through the Scottish Ministerial Code rather than the Scotland Act 1998. It is, of course, a good idea for Scottish Ministers to get a view from the Law Officers on legislative competence, but in law, the burden rests on them. It would also be reckless for them to introduce a Bill against legal advice which expressed a clear view that the provisions, in the opinion of the Law Officers, would be outwith competence.

The Lord Advocate has not stated, at least publicly, that it is her view that the provisions are outwith legislative competence. Indeed, it must (in my view) be inferred from the reference that the Lord Advocate considers it at least statable that there is legislative competence. The Lord Advocate talks about lacking the “necessary degree of confidence”; nobody really knows what that is. It’s not set out in the Scotland Act or in the ministerial code and may well differ from Lord Advocate to Lord Advocate. Some might settle for a statable case, some might want there to be one with a real prospect of success (still a low hurdle, but higher than merely statable) while another might require something more certain than that.

Whether, in the event that the Supreme Court disagrees with the Lord Advocate’s view on the extent of paragraph 34 of Schedule 6, the Lord Advocate then decides to clear the statement and allow the Bill to be introduced (and no doubt passed) is, of course, a matter for her; as is whether she then refers any Bill passed under section 33. The Scottish Ministerial Code, like its counterpart, is not really law. It sets out how (in this instance) the First Minister expects Scottish Ministers and Junior Scottish Ministers to conduct their duties and the expected standard of conduct.

Lord Advocate’s apparent change of position

It will be clear to anyone who has been following this saga (and hopefully to anyone who has read what I have said up until this point) that the position adopted by the present Lord Advocate appears to be rather different in some respects to that of her predecessor.

It is, of course, not uncommon for two lawyers to take different views on what the correct answer is to a particular legal problem. At paragraph 13 the Lord Advocate deals, in some way, with Keatings by saying:

“The observations of the Lord President in Keatings should be read subject to para.34 and para 1(f) of Schedule 6 SA. In the context such a qualification was not suggested on behalf of the Lord Advocate in Keatings, and to that extent, the present Lord Advocate departs from that position. The Lord Advocate’s position on Keatings will be more fully explained in her Written Case for this Reference.”

We await to see the written case of the Lord Advocate to see how this position is developed. However, it would appear that a probable line of argument will be that there are material difference between the Lord Advocate’s position and that of Mr Keatings (assuming the interpretation of paragraph 34 of Schedule 6 put forward by the Lord Advocate is correct).

If the Lord Advocate’s position that she has a power under paragraph 34 of the Scotland Act 1998 to refer a proposed Bill to the Supreme Court is correct, it would place her in a very different position to that of Mr Keatings. While some of the same issues arise in relation to amendment etc, the Lord Advocate would be relying upon a statutory power conferred by Parliament rather than the common law. Therefore, the Supreme Court would, irrespective of any reservations it might have with giving such a judgment, be required to answer the substantive question posed by the Lord Advocate in the reference as that is what the UK Parliament had decided that it should do.

This is certainly an interesting reference and even if we do not get an answer to the substantive question at this time, it will likely result in the Supreme Court giving its judgment on the extent of paragraph 34 of Schedule 6. Hopefully the UK Government will publish its response to the reference and both parties will, in due course, publish their written cases. The case has already attracted a considerable degree of public comment, being able to see and understand the parties’ respective positions would be of great assistance.
A New Commissioner, a New Approach?

January 31st, 2022

Earlier this month John Edwards, former Privacy Commissioner and Barrister in New Zealand, replaced Elizabeth Denham as Information Commissioner. The job of Information Commissioner is a significant one with many challenges. He has began what he calls a “listening exercise”. I have completed the survey, which didn’t give much room for comment. I thought I would place a more detailed outline of my thoughts here; more as an exercise for expressing my own frustrations with the ICO and to perhaps give others some ideas about what they can include in their own response to the Commissioner’s survey.

Freedom of Information

Under this heading, for the sake of clarity, I’m not simply referring to the Freedom of Information Act 2000, but also to both the Environmental Information Regulations 2004 and the more obscure INSPIRE Regulations 2009 (which are concerned with spatial data).

FOI, especially the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, is, as the Commissioner has himself acknowledged, critical to our democracy. They are a means for individuals to find out what is going on in areas that interest or directly affect them and to obtain information which they can use to help keep public bodies and officials accountable.

There are two main areas of concern, from my perspective, with the ICO in respect of FOI: (1) length of time taken to deal with regulatory complaints; (2) the apparent reluctance of previous commissioners to make full use of their enforcement powers in this area.

Turning first to the issue of delay; currently it is taking around 6 months for complaints, once received, to be allocated for investigation. That means that for up to six months the complaint is just sitting there, with absolutely nothing happening. The last decision notice I received from the Commissioner, was issued 11 months and 18 days after the complaint had been made to the ICO. This is unhelpful, and quite frankly, unacceptable. In many cases, these delays at the ICO are compounding already significant delays by some public bodies. There are some public authorities with well-known compliance issues in this area, where requests can take upwards of 6 months to be dealt with by the authority; meaning from request to ICO decision it can be upwards of 18 months.

FOI is a critical tool in helping individuals, community groups, journalists and others hold public bodies and officials to account. In a great many cases the value of the information sought diminishes over time; if information is being sought to help oppose, for example, changes to the provision of services in local communities, the delays at the ICO significantly hamper (and indeed damage) the usefulness of FOI in this area. If information is only, finally, being released several years after it was first requested it has almost certainly come far too late to be of any use to those requesting it.

The length of time that it takes for a FOI request to be dealt with is, in some respects, hampered by the legislation itself, with provisions for open-ended extensions for consideration of the public interest test and no statutory timescales (beyond the statutory Code of Practice) in relation to internal reviews. These have both been highlighted to Parliament on several occasions, but no legislative action has been forthcoming to deal with these issues. However, I will return to this in a moment.

What is completely within the control of the Commissioner is how long it takes his office to deal with matters once complaints have been made. A priority for the Commissioner should be looking to significantly reduce the backlog; and put in place systems that ensure complaints are being dealt with promptly once they end up with his office. The Scottish Commissioner (who, granted, has a much smaller office and a much smaller scope of responsibility in that he only deals with FOI complaints concerning Scottish public authorities) has an average closure time of just 4.37 months (2020-21), with 60% of all complaints to his office being dealt with within 4 months (the Freedom of Information (Scotland) Act 2002 makes provision for the Scottish Commissioner to deal with all such complaints within 4 months, but there is flexibility). It is not a like-for-like comparison due to the significant differences in volumes of work; however, the ICO needs to put more effort and resources into trying to resolve complaints much more quickly.

Turning to the issue of enforcement; some public authorities have a horrendous reputation for compliance with FOI, especially around the timeliness of responses. For some authorities these issues have existed for a decade or more. Previous Commissioners have seemed not just reluctant but almost wholly disinterested in exercising the significant enforcement powers that they possess to tackle problems here. Some public authorities have been having their compliance closely monitored by the ICO for years with no discernible improvement. Yet, no formal enforcement action has been taken to force these public authorities to make significant improvements.

Enforcement must be proportionate; formal enforcement powers should not, in most cases, be a first resort. However, they must be utilised if the ICO is going to be taken seriously as a regulator. Other authorities watch what the ICO is doing; there is currently no real incentive to engage with the ICO over poor FOI performance. The threat of formal enforcement action effectively doesn’t exist because of the apparent reluctance of the ICO to use its enforcement powers. The ICO needs to adopt a much more robust approach to regulation, which can be achieved in a way that is consistent with the relevant provisions of the Legislative and Regulatory Reform Act 2006.

Data Protection

Some of the problems that exist with the ICO’s FOI function also exist in relation to its Data Protection function. When it comes to Data Protection, the ICO is too business friendly and has often acted more like a think-tank than a regulator in this field.

As I have already said, enforcement must be proportionate. However, the ICO needs to remember that it is a regulator first and foremost. It is not a professional adviser for data controllers; there are lawyers and data protection consultants out there who can (and should) be fulfilling the professional advisor role. The balance between the informal methods of encouraging compliance and the formal methods of enforcing compliance have been all wrong. The ICO is obliged to have guidance in place, but it is not its sole purpose to produce and promulgate guidance.

The Regulators’ Code [pdf] (which applies to the ICO) does require regulators to carry out their activities in a way that supports those they regulate to comply and grow. It provides that “[r]egulators should avoid imposing unnecessary regulatory burdens through their regulatory activities and should assess whether similar social, environmental and economic outcomes could be achieved by less burdensome means.” However, it appears that the ICO has historically taken this to a degree that is inappropriate.

The Regulators’ code also provides that “[i]f a regulator concludes, on the basis of material evidence, that a specific provision of the Code is either not applicable or is outweighed by another relevant consideration, the regulator is not bound to follow that provision, but should record that decision and the reasons for it.” The balance is all wrong with the ICO; it appears to focus too much on the provisions of section 1 of the Regulators’ Code and not enough on forcing compliance where other, less burdensome, means have obviously failed.

In short, the ICO needs to re-orientate its relationship with those it regulates so that it is in a much stronger position to deploy its considerable enforcement powers when needed. When it comes to data protection, the most powerful tool at the ICO’s disposal is not the fines that it can levy but rather the power to issue Enforcement Notices; these can be used to force controllers to stop processing personal data altogether, or in certain ways, and they can be used to require data controllers to take certain specified steps to bring them into compliance.

The recent Enforcement Notice [pdf] issued to the Ministry of Justice is an example of formal enforcement action coming far too late; the MoJ has a backlog of many thousands of Subject Access Requests. The ICO records in its Enforcement Notice that it first became aware that the MoJ’s backlog had grown again (following an Enforcement Notice in 2017) in January 2019. It then records a shift in the ICO’s enforcement activities as a result of the COVID-19 pandemic, but that was more than a year after the ICO first became involved with the MoJ, for a second time, over its compliance with the right of subject access. An Enforcement Notice was then issued in January 2022, almost 2 years to the day after it started to get involved with the MoJ for a second time. This is, in my opinion, an example of a failure in regulation. The ICO watched as the MoJ continued to fail in a basic and important aspect of data protection law; much earlier formal intervention ought to have been taken (especially given that this was the second time the ICO had to get involved with the controller over the same issue).

Conclusion

The overriding issue with the ICO, in my opinion, is that it has got the balance wrong between soft and hard regulation. The ICO needs to adopt a much more robust approach to regulation; neither the 2006 Act nor the Regulators’ Code prohibits this. However, the ICO seems to have become paralysed in its regulatory activity in a way that the neither the 2006 Act, nor the Code which flows from it, intended.