Monthly Archives: November 2015

Robin Callender Smith: Pictures of celebrities’ children now clearly off limits for media – unless parents consent

In this guest post, originally published on The Conversation UK, Professor Robin Callender Smith, Queen Mary University of London, considers the recent Court of Appeal decision in Weller v Associated Newspapers ([2015] EWCA Civ 1176)

Pictures of bonny Prince George may well become a lot less common following a landmark ruling.  Media pictures of the children of celebrities are now clearly off limits – unless their parents consent to publication.

The Court of Appeal has confirmed a High Court decision last year giving three of Paul Weller’s children total of £10,000 damages for breaching their right to privacy. This will have far-reaching adverse effects on the freedom of the UK media.

Using such pictures is not illegal at the moment but the Weller ruling indicates how expensive it could be for the media if this decision is ignored by picture editors. The ruling clarifies that it is not just very young children of celebrities who are protected but also older, teenage children as well.

This issue has been rumbling for just over ten years, since J K Rowling’s 19-month-old son David was photographed with in Edinburgh while the family were walking to a local café. His parents successfully sued the Sunday Express magazine and the agency that supplied the images on David’s behalf.

A family day out

In the Weller case the three children had been photographed in public with their parents out together on a shopping trip, eating in a cafe in Los Angeles. The photographs had upset the children and – because of the celebrity status of their parents – their publication had security implications. Weller had asked the photographer to stop taking the photographs. But in October 2012 the Mail Online used seven of the pictures under the headline “A family day out”. Taking and publishing such pictures in California is lawful, but in the UK the law was less clear. Weller therefore sued the Mail in the UK.

Children in the UK are presumed to have privacy rights and their rights are given higher protection than those of adults. Use of their images in the media without parental consent and in situations where they have a reasonable expectation of privacy therefore amounts to a misuse of private information. But this ruling has changed what “reasonable expectation of privacy” means, particularly when applied to the children of celebrities.

In April 2014 the original judge (Mr Justice Dingemans) held that the three children did have a legitimate expectation of privacy because, although their activities took place in a public area – shopping and eating in a cafe visible from the street – they were the activities of a family enjoying private family time. Weller’s daughter Dylan, who was 16 when the photos were taken, received £5,000 and her ten-month-old twin step-siblings John Paul and Bowie received £2,500 each.

The 2014 decision was then challenged by Associated Newspapers, the Daily Mail’s publisher, but as of today the ruling stands. This precedent means that celebrity parents now have extra power to control how the images of their children appear in the UK media: all children are protected in situations where they have a reasonable expectation of privacy. What constitutes being “reasonable” is debatable – so there may still be litigation about this in the future.

Price or pixels

Hannah Weller, the twins’ mother and the stepmother of Dylan, is campaigning for a change in the law to protect all children, not just those of celebrities. Her Campaign for Children’s Privacy calls for legislation to protect children’s privacy by preventing the media from publishing photographs of children without consent from parents or a legal guardian. Where a child is identified, and there is no parental consent or public interest, the child’s facial image should be pixellated.

Even so, it is not only the children of celebrities who benefit from this ruling. Picture editors would be foolhardy to ignore it. So it doesn’t matter whether the photographs are of royal children such as Prince George and Princess Charlotte or simply of Jack and Jill throwing snowballs or splashing in the sea. Where the children have a reasonable expectation of privacy and there is no parental consent then pictures which include the children’s faces cannot be published unless their faces are pixellated. This will also put a stop to the media “scraping” children’s photographs from social media sites following disasters or other high-profile events.

From the media’s point of view this decision is going to make the job of picture editors – and photographers generally – more difficult and complex. Demanding to see parental consent forms is not something that fits easily into the cycle of news production – and pixellation generally spoils the look of any picture.

And of course, the law of unintended consequences may result in some celebrities, who would welcome publicity, not having their pictures featured if there is a child in the frame who cannot be photoshopped out.

The ConversationRobin Callender Smith is Visiting Professor in Media Law, Queen Mary University of LondonHis book Celebrity and Royal Privacy, the Media and the Law will be published by Sweet & Maxwell on 31 Dec 2015.

This article was originally published on The Conversation. Read the original article.

Natasha Simonsen and Cian Murphy: Don’t Fast-Track the Investigatory Powers Bill – A reply to Lord Carlile

In this guest post, which originally appeared on the UK Human Rights Blog, Natasha Simonsen & Cian C. Murphy from The Dickson Poon School of Law, King’s College London, urge the government to take its time in scrutinising the Investigatory Powers Draft Bill. For other materials on the Bill, please see our resource page here.

5295Lord Carlile QC, former Independent Reviewer of Terrorism Legislation, has said that in the aftermath of the Paris attacks, Parliament should fast-track the Investigatory Powers Bill into law. Given his extensive experience in the field, Lord Carlile’s views should not be taken lightly. But Lord Carlile is wrong. To fast-track the Investigatory Powers Bill is undesirable and unnecessary. It would also end a crucial public conversation in a wrong-headed paroxysm of governmental action.

An Undesirable Response

Fast-track national security law is undesirable for (at least) two reasons. First, legislatures tend not to function well in the aftermath of any emergency. If they legislate immediately, the result is often not just overreach, but legislation that is bad in technical terms. Second, these general concerns are of especial significance in this field of law, because existing flaws in our investigatory powers law are a result of failures of scrutiny in the past.

Let’s take the present case. In 2004, after the Madrid bombings, EU Governments sought to retain telecommunications data for use by security services. The European Parliament, with concerns for privacy, held up the draft legislation. However, after the London bombings in 2005, the proposal became law as the Data Retention Directive. The Directive was broad, vague, and weak on oversight – flaws that are often the consequence of quick political agreement in a contentious field.

In 2014, after years of challenges in national courts, the EU Court of Justice struck down the Directive in its Digital Rights Ireland decision. It is of note that the Court of Justice didn’t have a problem with data retention per se, but rather with the poor safeguards in the law.

The response in the UK was to enact the Data Retention and Investigatory Powers Act 2014 (‘DRIPA’) – an emergency law on data retention that will cease to have effect next year. DRIPA is already in trouble in the courts and the Investigatory Powers Bill will entirely replace it. This is a sorry tale of emergency law-making, and of lengthy and costly litigation. We are not made more safe when the energies of the legislature, executive, and judiciary focus on bad laws made in the immediate aftermath of crises. It is an entirely undesirable mode of government.

An Unnecessary Response

The fast-track Lord Carlile is calling for is also unnecessary. The Home Secretary assures us that the purpose of the Investigatory Powers Bill is not to introduce broad new surveillance powers. It is, she claims, to consolidate and update the legal basis for such powers. What powers, therefore, are in the Bill that cannot wait until its enactment next year? And, for the sake of argument, say there are some such powers. Those powers could be laid out in a separate, short, emergency bill which Parliament could then fast-track. A putative Emergency Powers Bill 2015 could fly through Parliament, with a sunset clause to ensure it does not out-live the future Investigatory Powers Act. It would empower the agencies but not disrupt the legislative process for the Bill as a whole.

This would not be without its problems – but it would be better than immediate enactment of a 200-page draft Bill. It’s hard not to see Lord Carlile’s intervention as a call for the swift passage of the Bill because swift passage may now be possible. But this would perpetuate the mistakes of previous legislation – doing in haste what must be done with caution – and with care. As we have set out elsewhere – there is much in the Bill that requires improvement through scrutiny by the Joint Committee on Human Rights and the Intelligence and Security Committee. We must not rush.

Devastation and Deliberation

Our concerns are not just about the quality of the law. Swift legislative action may have a short-term palliative effect on the public mood – and who amongst us is not afraid after the devastation of Beirut and Paris last week? But this Bill, in part, aims to improve public trust of the law enforcement and intelligence agencies. Any short-term public assurance that a fast-track law would bring would soon disappear if emergency law once more proves to be poor law and if the Government is thought to have seen opportunity in crisis.

Most of all, if we fast-track this Bill, we lose the opportunity to react to last week as a mature democracy. We are in the midst of a constitutional conversation about the role of the intelligence services, about communications and privacy, and about whether, and the terms on which, we will barter our freedom and our security.

It is trite to point out that last week’s barbarism is a repudiation of the ideals that underpin our collective commitment to such conversations. In the face of such acts what we need from our political leaders is not reactionary legislation – it is resilience. The Investigatory Powers Bill requires scrutiny and then enactment. And this process must be driven by the cool logic of a careful legislature – not the fear we all feel today. Don’t fast-track the Bill.

Natasha Simonsen & Cian C. Murphy are faculty members at The Dickson Poon School of Law, King’s College London. They can be found on Twitter @natashajanesimo and @cianmurf.

Eduardo Ustaran: Life after Safe Harbor – an action plan

In this piece that originally appeared in the Internet Newsletter for Lawyers, ,  partner at Hogan Lovells, considers the implications of the CJEU’s recent decision in the Schrems case and sets out an action plan for companies previously reliant on Safe Harbor for EU to US transfers 

On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU–US Safe Harbor framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful and could have serious implications for transfers of personal data both within multinationals and to global service providers.

Background

Safe Harbor was jointly devised by the European Commission and the US Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. However, since its adoption, Safe Harbor was fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the standards of protection of European law, its self-certification nature and the non-European style of its provisions have attracted much criticism over the years. In particular, the revelations triggered by Edward Snowden in 2013 about the US intelligence surveillance operations led the European Parliament to adopt a resolution seeking its immediate suspension. The European Commission had no choice but to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.

The Schrems case

One particular individual, Austrian law student Max Schrems, decided not to wait for the outcome of the re-negotiation of Safe Harbor. He lodged a complaint with the Irish Data Protection Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the USA. However, the Irish Commissioner rejected the complaint on the basis that the adequacy of Safe Harbor had already been determined by the European Commission and therefore, it was not open to the Irish Commissioner to challenge the European Commission’s “adequacy finding”. This was not accepted by Schrems who sought judicial review of the Commissioner’s decision by the High Court of Ireland, which then referred the case to the CJEU.

In its ruling, the CJEU confirms that a national data protection authority is always empowered to challenge the adequacy of data transfers. More importantly, the ruling goes beyond this specific question by declaring that Safe Harbor does not in fact provide an adequate level of data protection, because it is unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe.

The practical effect of Schrems

The decision invalidating Safe Harbor has the following immediate consequences:

  • Transfers of personal data from the EU to the US currently covered by Safe Harbor will be unlawful unless they are suitably authorised by data protection authorities or fit within one of the legal exemptions.
  • Multinationals relying on Safe Harbor as an intra-group compliance tool to legitimise data transfers from EU subsidiaries to their US parent company or other US-based entities within their corporate group will need to implement an alternative mechanism.
  • US-based service providers certified under Safe Harbor to receive data from European customers will need to provide alternative guarantees for those customers to engage their services lawfully.

It is also critical to appreciate that the CJEU did not rule on whether the Safe Harbor principles were sufficiently close to the European data protection standards. The CJEU ruled that Safe Harbor is no longer a valid mechanism to legitimise data transfers because it does nothing to address the potentially excessive interference of US law with the fundamental rights to privacy and data protection that exist under EU law. Therefore, any alternative mechanisms being relied on will need to address this specific point by ensuring that they refer to this potential conflict in a data protection compliant way.

Consent

Data transfers can lawfully be made with the consent of the individual. However, consent must be freely given and while it is possible to make consent a condition for the provision of a non-essential service, consent is unlikely to be valid if the individual has no real choice. This is particularly the case in the context of employment where, if an existing employee is required to agree to the international transfer of personal data any consent given is unlikely to be valid if the penalty for not agreeing is dismissal.

Consent must also be specific and informed. This means that the individual must know and understand what such consent will amount to. Individuals should be informed of the reasons for the transfer and, if possible, the countries involved. In addition, any identified risks involved in the transfer should be brought to the individual’s attention. As a result, in practice it will be very difficult to make a valid argument that consent provides a lawful basis to legitimise international data transfers.

The EU authorities’ position

The EU Article 29 Working Party issued a statement following the CJEU decision emphasising that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

Therefore, the EU data protection authorities have made it clear that they expect companies to ensure an adequate level of protection for European data at all times. In the meantime, the Working Party will continue to analyse the available transfer tools, such as the Standard Contractual Clauses and Binding Corporate Rules, but these transfer mechanisms can be subject to investigation by data protection authorities to protect individuals in “particular cases,” for instance on the basis of complaints.

Action plan

Before the January 2016 enforcement deadline, companies that previously relied on Safe Harbor for their EU to US transfers should follow this process:

  • Carry out a data transfers assessment to identify which data transfers from the EU to the US had been legitimised by Safe Harbor.
  • Prioritise key transfers for the business by reference to the nature of the data and its use.
  • For intra-group transfers, identify all of the entities involved and assess the most suitable alternative to Safe Harbor. In the short term, this is likely to involve an interim contractual solution whilst more permanent mechanisms – such as BCR – are considered.
  • For transfers to service providers, review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.
  • US-based service providers should consider the most appropriate legal mechanism to enable customers to continue to use their services lawfully.
  • Finally, whatever the mechanisms used, ensure that they include suitable measures to deal with requests for disclosure of personal data by law enforcement authorities.

Eduardo Ustaran is a partner in the Privacy and Information Management practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran. This piece originally appeared on the Internet Newsletter for Lawyers and is shared with the author and publisher’s permission.

Ben Worthy: How much can we know about the private sector – and what next for future transparency?

This post originally appeared on Dr Ben Worthy’s blog, OpenDataStudy. It is based on his contribution to an event on 28th September 2015 co-presented by the Information Law and Policy Centre and the Bingham Centre for the Rule of Law and hosted by Baker and McKenzie LLP, which looked at Freedom of Information and Extending Transparency to the Private Sector (resources here).

The focus of transparency is almost always on government and public bodies. However, over the past ten years, often outside of the headlines, a growing collection of laws, regulations and technological innovations have gradually shone a light on the private sector too. So what can we know and how far does it go, asks Ben Worthy.

Freedom of Information

One of the principle legal routes to accessing information about private bodies is the FOI Act, at least for those companies working on behalf of public bodies. Although it remains a ‘complex’ legal grey area, an FOI can obtain information material ‘held by a private company “on behalf of” a public authority with which it has a contract’. Public sector contracts in the UK are currently worth around £93 billion per year according to the ICO.

Section 5 of the Act also allows government to extend the law to actually cover companies within the scope of the Act itself, something the Public Accounts Committee has urged use of in the past. The last Labour government gave some thought to it in a rather long running consultation between 2007 and 2009. This led to some minor extension to cover ACPO [now called the National Police Chiefs’ Council] and exam bodies. The Coalition and new government took a different approach. Rather than extending the Act under section 5, they have championed the use of new FOI clauses in public sector contracts. It’s not exactly clear how far this is working.

The Scottish government has also consulted on extending its separate FOISA legislation in 2009, and in 2013 local trusts involved in leisure activities were covered. This year they have had a new consultation looking into whether other bodies such as private prisons can now come under FOISA (though this did not include Housing Associations as some hoped).

Alongside government attempts there has been some gradual natural ‘creeping’ outwards of FOI. Network Rail became subject to the Act in March 2015 (see some requests here) and new bodies such as the UK’s Police and Crime Commissioners are also covered (though this report was ‘deeply’ worried about how transparent they were-see page 11-12). The Police Federation is now set to follow. More significant than this ‘creep’ is the influence of decisions from appeal bodies and the courts. An important legal ruling in Fish Legal v Information Commissioner and others [2015] over FOI’s sister Environmental Information Regulations appeared to extend the law to water companies-and this may potentially include other utilities too.

The issue of extension remains a political one. All the major parties remain, at least in principle, supportive of pushing FOI further. The new Labour leadership has also committed [or actually re-committed] itself to extending the Act to private bodies doing public work as well as closing up ‘gaps’ in coverage caused by education and health reform.

Polling by the Scottish Information Commissioner showed that this is a policy that definitely gets the support of the public. A full 76% of Scots asked felt private prisons should be covered with 79% believing that housing associations should be as well. A UK tracker found that 75% of respondents saw extension as an ‘important’ issue and the Information Commissioner has recently offered a range of options to fill the ‘transparency gap’ caused by outsourcing.

Other Laws

It’s not only FOI. A succession of other laws have opened up different parts of the private sector. One recent headline grabbing reform, launched by the Prime Minister in 2013, has been the promise to create a Beneficial Ownership Register under the Small Business and Enterprise Act 2015. What this means is that as of April 2016 Companies House will publish, as Open Data, a list of the ‘Person[s] With Significant Control’ of all UK registered companies. Another eye catching reform has been over Extractives Transparency covering companies involved in natural mineral extraction such as oil or gas. The transposing of EU laws and joining of the International EITI network (see this paper) means all UK registered companies involved in this area will report tax payments, licences and contracts as of next year. Similar small pieces of transparency can be found across many other new laws and regulations. The recent Consumer Rights Act 2015, for example, ‘imposes a duty on letting agents to publish their fees and other information’.

The government has also pushed British dependencies and overseas territories to follow suit and publish Beneficial Ownership information. David Cameron sent a letter in 2014 on the subject to various tax havens. Although Grant Schapps appeared a little cooler on it during a visit to the Caymans, Cameron then pushed the issue again recently in Jamaica as did the new anti-corruption champion Eric Pickles, who appeared to threaten legislation.

Technology

Alongside legal mechanisms, there has been a growing use of online tools to open up companies. The government recently rebooted its Contracts Finder site that details its tenders and contracts with the private sector while other innovators, such as spendnetwork, have created new apps.

There have also been specific ‘transparency’ pushes after problems or controversies. This year David Cameron committed to publish data on property ownership following claims of large amounts of ‘dirty money’ swilling around the London property market and promised new data on gender pay gaps in all companies employing over 250 workers (this one is a bit of a sleight of hand as it was mandatory under the Equalities Act 2010 but was never implemented). These moves, as Jo Bates points out, may have all sorts of political implications. Nor is it clear what effect they may have. Despite hopes publishing salaries online will help lower inflated pay packets evidence indicates that disclosure makes them go up rather than down.

The Politics of Private Sector Transparency

Opening up is often piecemeal. Any politician pushing for any large scale opening up, such as using section 5 of the FOI Act, faces three main problems.

First, there is a potential reluctance to publish and it may be a struggle to get companies to cooperate. Our study of FOI and local government found that most companies do comply with FOI requests. However, any sceptical business can argue it is (i) unnecessary as so much information is published anyway (ii) a costly burden-see this analysis here.

Second, added to this may be the complexity of any change, that will take time and energy. Any large scale opening up only works with international cooperation. So, for example, UK Beneficial Ownership is slightly stymied by the fact that the EU equivalent will only be partially open. The devil, as someone warned of extractives, is in the detail.

Third, given these problems there needs to be a lot of political will, energy and attention to follow through. Any politician or party pushing large scale openness needs either a very good reason or very strong principles. Most likely it will only happen when there is a very obvious problem to solve or a very obvious political benefit (or both if possible).

What Next?

Accident and change will open up different areas. Legal changes, designations or rulings will continually shift the boundaries. Network Rail was re-designated for accounting purposes and FOI coverage was, in that sense, a ‘side product’. The laws in place will already keep opening up new areas through use and Martin Rosenbaum has shown how FOI has opened up not just MPs’ expenses but also restaurant hygiene ratings and MOT tests.

It is often pushed by scandal or concern in a specific area such as over tax avoidance (Beneficial Ownership), gender pay or corruption. It was the poor performance of G4S, for example, that led to recent calls to extend the FOI Act.

 

opencorporates

Finally, experimentation with open data and technology may move openness across the private sector. Chris Taggart, designer of Open Corporates, has created a prototype site Who Controls It? to use the new Beneficial Ownership data. As he points out, apps and websites alone won’t bring change but benefits may ‘be revealed when the beneficial ownership data is combined with other datasets, including government procurement, licences, environmental citations, and other public data.’

It’s unlikely there will be a clear ‘big’ opening up of the private sector comparable to FOI across government. It will probably happen, as many things do, gradually, through a mixture of accident, law, politics and experiment.

To find out more you can read the full IRM report of the UK’s Open Government Partnership commitments here see especially commitments 7 (Beneficial Ownership), 12 (Contracts) and 21 (Extractives).

Ben Worthy is Lecturer in Politics, Birkbeck College, University of London and blogs at OpenDataStudy.