Thursday, 19 July 2018

Sir Cliff Richard's expectation of privacy

I hope that the law on privacy is drifting away from its origins in the law on breach of confidence, if only for the selfish reason that I don't enjoy trying to lecture on or write about privacy as if it were part of the intellectual property world. Too often it seems to be concerned with little-known celebrities (spot the oxymoron) seeking to cover up their failings. But the chances of it appearing in exam papers just got a lot bigger than they already were.

Richard v The British Broadcasting Corporation (BBC) & Anor [2018] EWHC 1837 (Ch) (18 July 2018), a case which involved a genuine celebrity and a grievance that everyone should be able to acknowledge, suggests to me that the right to privacy is diverging from the law on breach of confidence, and I hope it will work out well for both areas of law. The claim was brought on the basis of Article 8 of the European Convention on Human Rights and also invoked the Data Protection Act 1998. Article 8 of course has to be balanced against Article 10, freedom of expression. So the questions for the court were, did Sir Cliff have a reasonable expectation of privacy in respect of the events reported, and was there a public interest in publishing the facts such that the BBC's Article 10 rights would prevail?

It's hard to imagine a more egregious (yes, that's my word of the day) invasion of one's privacy than to have the One O'clock News showing aerial footage of police officers swarming all over your house. But that's not what the court had to consider: only if Sir Cliff had a reasonable expectation of privacy would that have matter. Mann J held that he did indeed have such an expectation, so he went on to balance the BBC's rights against that. The judgment contains a lengthy review of the various factors to be taken into account, but concludes that Sir Cliff's rights were, in effect, stronger than the BBC's. My reading of the judgment is that a highly persuasive part of this was the egregious nature of the breach. Some invasions of privacy can be regarded as minor, no doubt, but this was not one of them.

The judgment contains a long section devoted to the application of the rules about damages, and also a lot about contributions between the defendants. Life is not too short, but it is too full, to read all that at the moment. It contains nothing more about data protection, other than to mention it as part of the pleadings: damages would not be recovered twice over if there were a data protection breach, so perhaps the point is pretty well moot anyway, but I can't immediately see anything in the facts that would be actionable. What personal data were involved? What did the BBC or South Yorks Police do with any such data? Data protection legislation is obviously an important part of the scheme of protection for an individual's privacy, but this doesn't seem to be a case in which it adds anything.

Yesterday at Prime Minister's Questions, Anna Soubry MP (whom I knew quite well, many years ago) asked for government support for a bill she had introduced (if it's a new one, it seems to be in the same terms as one she introduced in 2010) to protect the privacy of people being investigated by the police. She proposed that it be known as Cliff's Law. Sorry, Anna, but the Copyright and Duration of Rights in Performances Regulations 2013 (SI 2013/1782) got there first.

The Prime Minister made the point (which has also been made by others, including The Guardian here) that revealing names can encourage other victims to come forward. (It can also, of course, encourage non-victims to take a chance too, but that's another issue.) That's hard to argue with, but in the context of the Richard case surely one could say that the suspect's reasonable or legitimate expectation of privacy, which is intact while the police are searching his house for evidence, is not nearly so strong when the police have begun to assemble a case, particularly if the case is a strong one. If there is (say) a reasonable chance that there are more victims who have not come forward, that further dilutes the expectation of privacy. I am no human rights lawyer, but this situation seems to be covered by Article 8.2, a carve-out for law enforcement purposes, and Article 10 is not the right provision on which to rely for this purpose - although I suppose the media would have to be able to rely on it even if 8.2 allowed the police to name names.


Data protection and the redistribution of public funds

Data protection. You can't get away from it. I am spending nearly all my working hours at present helping clients comply with the General Data Protection Regulation - a piece of legislation that, however well-meaning, is crazily technical and obscure (as I remarked in a post a little while ago). Even my morning scan of The Guardian's website has thrown up a data protection story this morning.

The story (and I don't use the word to suggest that it is made up!) says that the ICO has fined the independent inquiry into child sexual abuse £200,000 for revealing a number of email addresses from which individuals could be identified - the email was sent to 90 participants in the inquiry, 52 of whom were identified by name in their address, and "vulnerable people were placed at risk", although the report doesn't say how - it depends in part on where the email went, I suppose. One complainant was reported to be very distressed, which I don't think requires any explanation. This all seems to me to be exactly what data protection law is there to deal with.

How did this disclosure come about? By a failure to use the bcc box for email addresses. So simple, so damaging, so expensive. It doesn't seem the most egregious breach of the law, but the potential consequences are probably completely out of proportion to the mistake, and equally out of proportion to the ease of making sure it didn't happen. Human error can be largely avoided if humans are trained in how to do their jobs - but I've come across so many instances where people have been ignorant of the importance of using bcc.

A further twist is that the IICSA hired an external provider - a data processor in the terminology of the Data Protection Act 1998, which although now repealed and replaced was the governing law at the time - to handle its mailing list, and in doing so breached its own privacy notice. There's an object lesson in the importance of keeping these things under review and making sure you aren't doing things with people's data that you haven't told them you are doing.

The IICSA is a statutory inquiry under the Inquiries Act 2005, although it started life as a panel inquiry and has had a chequered history, which I think it's fair to say just became even more chequered. In the year ending 31 March 2017, according to its financial report, it spent £20.8 million. The data protection penalty will therefore be a substantial part of its spending, although the report says that its "full year budget" for the financial year ending 2017 was £30.94 million, which I must say sounds rather odd but I don't feel I need to look into it for the purpose of this blog. My point is that it's a lot of public money, and even when it is just being redistributed to another emanation of the state it is a pretty appalling state of affairs. Even if the inquiry isn't spending its entire budget, I'd prefer that its money was going on looking into the important matters that it was set up to deal with rather than filling the coffers of the Information Commissioner.

One final point: under the new legislation, the very wonderful General Data Protection Regulation, the ICO is able to levy much larger financial penalties. Perhaps, with a little effort, the Information Commissioner could appropriate the entirety of the UK's public spending! Only if public bodies continue to make such appalling errors, and I hope the lesson is not lost on them.
 

blogger templates | Make Money Online