Category: EU Law

ECJ: Advocate General on Damages under the GDPR

Last week the opinion of Advocate General Campos Sánchez-Bordona was published in UI v Österreichische Post AG (Case C-300/21), which is a request for a preliminary ruling from the Oberster Gerichtshof (the Supreme Court of Justice, Austria) in connection with the provisions in the GDPR on damages.

The GDPR (and, in the UK, the UK GDPR) provides for any person who has suffered material or non-material damage as a result of an infringement to receive compensation from the controller or processor for the damage suffered.

In the case that has been the impetus for the reference from the Austrian courts, Österreichische Post AG (the company responsible for postal services in Austria) had, from 2017 onwards, collected information on political party affinities of the Austrian population. With the assistance of an algorithm, it defined ‘target group addresses’ according to certain socio-demographic features. UI has claimed €1,000 in damages in respect of inner discomfort. He claims that the political affinity that Österreichische Post AG attributed to him is both insulting and shameful. He also claims that it is extremely damaging to his reputation. Furthermore, he says that the conduct complained of has caused him great upset and a loss of confidence as well as a feeling of public exposure.

At first instance, UI’s claim for compensation was refused. The appellate court upheld the decision to refuse him compensation, holding that breaches of the GDPR do not automatically result in compensation. The appellate court also relied on the principle in Austrian law that, in life, everyone must bear mere discomfort and feelings of unpleasantness without any consequence in terms of compensation.

This decision was again appealed, and the referring court has referred three questions for a preliminary ruling:

  1.  Does the award of compensation under Article 82 also require, in addition to infringement of provisions of the GDPR, that an applicant must have suffered harm, or is the infringement of provisions of the GDPR in itself sufficient for the award of compensation?
  2. Does the assessment of the compensation depend on further EU-law requirements in addition to the principles of effectiveness and equivalence?
  3. Is it compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight that goes beyond the upset caused by that infringement?

In relation to the first question, the Advocate General comes down very firmly against an interpretation which allows automatic compensation for every infringement. At para 28 of his Opinion, he states that “there is an unequivocal requirement that the natural person concerned must have suffered damage as a result of an infringement”. He states, at para 29, that “an interpretation which automatically associates the notion of ‘infringement’ with that of ‘compensation’, without the existence of any damage, is not compatible with the wording of Article 82 of the GDPR.”

On the second question, the Advocate General takes the view, at para 89, that it “cannot be ruled out that reparation sought for non-material damage may include components other than merely financial components, such as recognition that the infringement occurred, thereby providing the applicant with a certain moral satisfaction.” However, it is important to consider how the provisions on an effective judicial remedy and the right to compensation interact with one another; a difficulty in proving damage where a data subject is alleging financial damage must not result in nominal damages (para 92).

On the third question, which is concerned with whether the GDPR permits member states to refuse damages where the damage does not exceed a particular level of seriousness, the Advocate General concludes that this question could be answered in the affirmative. At paragraph 105 of his opinion, the Advocate General states that he does “not believe, however, that it is possible to infer from this a rule pursuant to which all non-material damage, regardless of how serious it is, is eligible for compensation.” He continues, at para 112, by stating that “the right to compensation under Article 82(1) of the GDPR does not appear to me to be a suitable instrument for countering infringements in connection with the processing of personal data where all those infringements create for the data subject is annoyance or upset.” However, he goes on to propose an answer to the third question which essentially leaves it to national courts to determine, on the facts before them in each case, whether it goes beyond “mere upset”. So, while the Advocate General is clearly of the view that there is some form of de minimis threshold, he does not assist that much with where the line is.

The AG’s opinion is, of course, not a judgment of the court; we wait to see whether the court adopts the opinion of the Advocate General and, if so, to what extent. Of course, decisions of the European Court are no longer binding in the UK. That is not to say that they are no longer of any relevance when it comes to UK law that derives from EU law (such as the UK GDPR); section 6(2) of the European Union (Withdrawal) Act 2018 provides that a court or tribunal may have regard to case law from the European Court which has come about after the UK left the European Union.

In the UK, the most recent authoritative case to grapple with the question of damages for data protection breaches was the Supreme Court’s judgment in Lloyd v Google. That was concerned with damages under the Data Protection Act 1998 and Lord Leggatt, giving the sole judgment of the court, confined his decision to the 1998 Act. However, it would be prudent to note that the reasoning in Lloyd is essentially the same as the reasoning in the Advocate General’s opinion in UI.

When the European Court’s judgment comes in this case, it will likely be a decision of some importance to data protection litigation in the UK, if only to confirm that the reasoning in Lloyd is equally applicable to Article 82 of the UK GDPR.

Don’t throw stones in glass houses

Today the Scottish National Party (SNP) launched a brand new website with the aim of gauging public support for a second referendum on Scottish independence.  Of course Scotland had a referendum on this issue a little under two years ago where those who voted did so 55% – 45% in favour of Scotland remaining part of the United Kingdom.  In May the Scottish people went to the polls to elect the Scottish Parliament; the Scottish Conservative Party fought that election on a strong pro-union message and had its best electoral success in Scotland in many decades.  They pushed Scottish Labour (who the criticisms in this blog equally apply to) into third place to become the official opposition in the Scottish Parliament to the SNP Government (which, incidentally lost its overall majority and is governing, once again, as a minority government).

This afternoon I had a look at the SNP’s new website and immediately spotted some problems with it.  The National Survey website unsurprisingly has a survey for people to complete.  It asks a number of questions such as how people voted in the 2014 independence referendum and in June’s EU referendum.  It also asks for the name and postcode of the person completing the survey as well as whether or not they have children or grandchildren who are under the age of 18 years, all fields which are mandatory.  The website does have a data protection and privacy policy, which is very brief.  The following screenshot was taken from the National Survey website this afternoon:

[Screenshot: the data protection and privacy policy on the SNP’s National Survey website]

The policy is extremely short, but the key aspect of the policy for the present purposes is “The SNP may…contact you about issues you may find of interest using any details you have supplied.  You can opt out of some or all contact by writing to us.”  I shall return to why this is the key aspect in a moment, but for now it’s on with the story.

The Scottish Conservative Party has apparently taken legal advice on the SNP’s National Survey website and written to both the Electoral Commission and the Information Commissioner; the former being irrelevant for present purposes.  The Scottish Conservatives state that they considered that the SNP’s website breaches the Data Protection Act 1998 (it does, but more on that in a moment).  However, while they are considering the SNP’s National Survey website they might wish to consider their own website.

Unlike the SNP’s National Survey website, the Scottish Conservatives website has a lengthy data protection and privacy policy, but I have taken a screenshot of the relevant bit:

[Screenshot: the relevant part of the Scottish Conservatives’ privacy policy]

The relevant part for present purposes is the bit that reads “[b]y entering your contact details you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send or using the contact details at the top of this privacy notice.”

There are problems with both the Privacy Notices above, and they are in fact the same problem.  I will come onto the breaches of the Data Protection Act 1998 in a moment; however, I initially want to discuss the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Both the above privacy notices envisage sending information to those who have provided their E-mail address about campaigns that the respective political parties are engaging in.  These E-mails will essentially be promoting the aims of the respective political party, either generally or in respect of a specific area of policy.  These E-mails will be sent directly to an individual; that makes them direct marketing communications.  The law is very strict on when it is legal to send such communications.  The relevant regulation is Regulation 22, which covers direct marketing by electronic mail.  Regulation 22(2) requires (except in a very limited set of circumstances, not relevant here) that individuals must give consent to receive such marketing.

The Scottish Conservatives’ privacy policy certainly seems to suggest that they have consent, but in reality they do not.  This is because consent is actually defined in the 1995 Data Protection Directive and that definition is applicable to the PECR; their privacy policy doesn’t meet that definition.  The definition of consent in the 1995 Data Protection Directive is to be found in Article 2 and is “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”  Consent obtained in the way the SNP and Scottish Conservatives have approached it is not “freely given specific and informed”.  Individuals have not positively expressed a desire to receive general communications about the party or its campaigns; they’ve simply filled in a survey expressing their views on the matters asked about in the survey.  In the case of the specific example of the SNP’s National Survey website the privacy policy isn’t visible at the time the personal data is collected; it cannot therefore be said to be an informed expression of the data subject’s wishes.  The Conservatives (both at a UK and Scottish level) have been guilty of this too.

Essentially what this means is that any E-mail communication sent by either the Scottish Conservatives or the SNP that amounts to direct marketing (which is likely to be every e-mail) in reliance upon the consent obtained through their respective privacy policies is unlawful.

Now, to the Data Protection Act issues.  A data controller (which any political party will be) must only process personal data fairly and lawfully (first data protection principle).  For the processing to be lawful a schedule 2 condition must be satisfied (and in the case of sensitive personal data, a schedule 3 condition as well).  One of the conditions in Schedules 2 and 3 is essentially processing to which the data subject has consented; however, neither the SNP nor the Scottish Conservatives can wholly rely on consent because they simply do not have the data subject’s consent.  They wouldn’t be able to satisfy any of the other schedule 2 or 3 conditions to legitimise their sending of direct marketing e-mail communications; they would therefore also breach the first data protection principle when sending those E-mails.

Collecting personal data is also a processing activity.  In the case of the SNP’s National Survey they are not collecting the personal data fairly.  While they do have their privacy policy (which is quite frankly a sorry excuse for one) it is not prominent on the actual survey itself; people are not told at the time their personal data is collected exactly how the SNP will make use of it.  You can navigate to the privacy policy from the survey page, but the link to the policy is in extremely small text at the very foot of the page (so much so that I initially had difficulty in locating its existence at all).

Turning once again to the Scottish Conservatives, they are currently running a petition on their website against having a second referendum on Scottish independence.  They continue to rely on implied consent for general communications about the Scottish Conservative Party and are arguably collecting personal data unfairly as well.  While the link to their data collection and use policy is clearer, it comes after the “sign up” button and still requires individuals to navigate away from the page that they are on in order to see exactly how their personal data is going to be used by the Scottish Conservatives.

One other issue with the SNP’s National Survey website relates to the third data protection principle which states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”  All of the fields are mandatory and it is unclear as to why information such as the number of children or grandchildren you have under the age of 18 or indeed what your name or E-mail has to do with gauging support for a second independence referendum.  This is simply an exercise in gathering personal data and that should be made clear from the website and the survey (otherwise it will only add to the breaches of the first data protection principle).  Those fields should, as a very minimum, be made optional.

To conclude, while the Scottish Conservatives have raised legitimate and valid criticisms of the SNP’s National Survey website, they would do well to remember that people in glass houses ought not to throw stones.

 

Can the Scottish Parliament block ‘Brexit’?

There has been some suggestion in the days since the EU Referendum, in which a sizable majority of Scottish voters voted to stay while a smaller majority of voters across the UK as a whole voted to leave, that the Scottish Parliament can in some way block the UK’s exit from the European Union.  That suggestion is, in my view, wrong; the Scottish Parliament cannot block the UK’s exit from the European Union.

Since Devolution there has been a convention operating whereby it has been understood that Westminster would not exercise its power as the sovereign and supreme legislative body for the United Kingdom to legislate in an area over which competence has been devolved to the Scottish Parliament, without first obtaining the consent of the Scottish Parliament.  This convention is known as the Sewel convention.

Following the 2014 referendum on whether Scotland should become an independent country, a Commission was established by the UK Government to look at the Scottish devolution settlement.  That Commission, the Smith Commission, recommended that the Sewel convention was given legislative force.  Section 2 of the Scotland Act 2016 amends Section 28 of the Scotland Act 1998, which confirms in subsection (7) that Westminster can still legislate on areas of devolved competence, to add a subsection (8) which gives effect to that recommendation.  Section 28(8) provides that “it is recognised that the Parliament of the United Kingdom will not normally legislate with regard to devolved matters without the consent of the Scottish Parliament.”

What this means is that Westminster will not normally legislate on a devolved area without first obtaining the consent of the Scottish Parliament.  However, it can still legislate on an area of devolved competence without the consent of the Scottish Parliament (for example, in a time of emergency and where it wouldn’t be practical to obtain the Scottish Parliament’s consent).

What relevance does this have to blocking the UK’s exit from the European Union?  It would appear to me to be of no relevance whatsoever.  Firstly, we are not in a situation where the UK Parliament is going to be legislating.  The UK’s withdrawal from the EU is an exercise by the Executive of the prerogative power to conduct foreign affairs.  The Executive might well seek a vote in the UK Parliament on exercising the prerogative power (in the same way that appears to be becoming convention with the prerogative power to declare war), but that is not a legislative act by the UK Parliament.  Secondly, the United Kingdom’s relationship with the European Union is a specifically reserved matter in Schedule 5 to the Scotland Act 1998.  We are not, therefore, dealing with a devolved matter; we are dealing with a reserved matter.  Section 28(8) of the Scotland Act 1998 only relates to devolved matters.

It might be the case that, when the UK Parliament comes to give legislative effect to whatever relationship the UK is to have with the EU in the future, the Scottish Parliament may be able to invoke Section 28(8) of the Scotland Act 1998.  If that legislation were to affect a devolved area the Scottish Parliament could very well refuse to consent to the legislation; however, that would not necessarily equate to it being blocked.  The UK Parliament might have to rely on the word “normally” in section 28(8) to legislate anyway so as to give effect to, what will be by then, the UK’s international law obligations.

The Scottish Parliament is still free to debate and vote on any issues that it chooses.  We could therefore see in the coming days or weeks a debate and vote in the Scottish Parliament on whether the Parliament agrees with the UK’s withdrawal from the European Union.  However, it cannot invoke what is now Section 28(8) of the Scotland Act 1998 in relation to this issue.  Moreover, even if it could invoke Section 28(8) of the Scotland Act 1998, that would not necessarily have the effect of blocking the action it refused to give consent to.

A problem with the Scottish EIRs

The Environmental Information (Scotland) Regulations 2004 (“Scottish EIRs”) give individuals the right to request and obtain, subject to certain well defined exceptions, information in relation to the environment from Scottish public authorities.  They implement into the law of Scotland Directive 2003/4/EC of the European Parliament and of the Council on public access to environmental information (“the Directive”).  The Directive in turn implements the Convention on Access to Information, public participation in decision-making and access to justice in Environmental Matters done at Aarhus, Denmark on 25 June 1998 (“the Aarhus Convention”) into EU law.

In Scotland, like the rest of the UK, the Scottish EIRs are an adjunct to Freedom of Information.  The Scottish EIRs sit alongside the Freedom of Information (Scotland) Act 2002 (“FOISA”) and the Scottish Information Commissioner has the same powers of enforcement in respect of the Scottish EIRs as she does in respect of FOISA.  By virtue of Regulation 17 of the Scottish EIRs, Part 4 of FOISA applies to the Scottish EIRs.  The Regulations make certain amendments to Part 4 of FOISA for when it is being read in respect of the Scottish EIRs.

Section 48 of FOISA provides that no application can be made to the Scottish Information Commissioner in respect of three Scottish public authorities: (1) the Commissioner herself; (2) a Procurator Fiscal; and (3) the Lord Advocate, where the information relates to his role as head of the systems of prosecution and the investigation of deaths in Scotland.  Essentially, this means that the Scottish Information Commissioner is prohibited from accepting any application for a decision by anyone that relates to the handling of a request for information under FOISA and the Scottish EIRs made to the Commissioner’s Office and the Crown Office and Procurator Fiscal Service (“the COPFS”).  I’m not a fan of this section and think it ought to be repealed in its entirety, but that is a subject for another time.  As far as the Scottish EIRs are concerned this section is a problem.  Essentially, once the Commissioner’s Office and the COPFS have conducted an internal review there is nowhere else for the requester to go if they remain dissatisfied with the response.

Article 6(2) of the Directive provides that:

In addition to the review procedure referred to in paragraph 1, Member States shall ensure that an applicant has access to a review procedure before a court of law or another independent and impartial body established by law, in which the acts or omissions of the public authority concerned can be reviewed and whose decisions may become final. Member States may furthermore provide that third parties incriminated by the disclosure of information may also have access to legal recourse.

The review procedure under paragraph 1 is essentially the internal review procedure provided for by Regulation 16 of the Scottish EIRs.  In respect of every other Scottish public authority covered by the Scottish EIRs there exists a right to make an application to the Scottish Information Commissioner and have a decision notice issued by her office together with the ability to appeal (on a point of law only) that decision notice to the Inner House of the Court of Session, and then on to the Supreme Court of the United Kingdom.  There is a decision of a third party that is capable of becoming final.  Therefore, Article 6(2) of the Directive is complied with.  However, these appeal rights do not apply in respect of requests made to the Commissioner’s Office and the COPFS.

It should be theoretically possible to judicially review the internal review response of both the Commissioner and the COPFS.  At first glance that might be thought to satisfy the requirements of Article 6(2) of the Directive; however, the wording of the Directive suggests that Judicial Review may not be sufficient.  Judicial Review is not an appellate procedure; it is a review procedure.  The Court of Session cannot substitute its own decision for that taken by the public authority.  The Court of Session could, in a judicial review, determine that irrelevant factors had been taken into consideration in respect of assessing the public interest where a qualified exception has been applied; it could not determine that the public interest does or does not support the maintaining of an exception.  Essentially, all the Court can do is uphold the decision of the Commissioner’s Office or the COPFS, or it can quash the decision – it cannot re-take the decision (something that the Commissioner effectively has the power to do when considering an application under section 47(1) of FOISA).  Therefore, judicial review cannot be a “review procedure… in which the acts or omissions of the public authority concerned can be reviewed” because it can only do so to a limited extent.  Therefore, for all practical purposes the decision of the public authority is final, not the decision of a court or another independent and impartial body established by law.

Furthermore, judicial review is expensive and comes with considerable risk in relation to expenses.  While it is theoretically possible for an applicant to represent themselves in the Court of Session, in all likelihood it will necessitate the instruction of a solicitor and at least junior counsel (if not junior and senior counsel); that is expensive.  Even if an applicant manages to represent themselves in the Court of Session, the court fees will be prohibitively expensive to many people.  These fees, payable at various stages throughout the process, will total hundreds of pounds.  The public authority in question will be represented by Counsel and if a requester loses, they may find themselves responsible for paying the public authority’s expenses (although the Court does retain an inherent discretion in whether to make an award of expenses and to what extent the losing party shall pay the winner’s expenses).  This is relevant because the Aarhus Convention, upon which both the Directive and the Scottish EIRs are based, requires the review processes to be free of charge or inexpensive or not prohibitively expensive (Article 9).  The Court of Justice of the European Union found that the UK had failed to properly implement the Directive when looking at the costs under the English judicial system (see European Commission v United Kingdom).

The problem for the Scottish EIRs gets bigger once consideration is given to the Scotland Act 1998.  Section 57(2) of the Scotland Act provides that the Scottish Ministers have “no power to make any subordinate legislation, or to do any other act, so far as the legislation or act is incompatible with any of the Convention rights or with EU law.”  The Scottish EIRs are regulations and are therefore subordinate legislation.  By applying section 48 of FOISA to the Scottish EIRs the Scottish Ministers have made subordinate legislation that is ultra vires – it is outside of their competence.  For the Scottish EIRs to be compatible with EU law, section 48 of FOISA cannot apply to them; while it does, the Scottish EIRs do not fully implement Article 6 of the Directive.

This problem is easily resolved.  The Scottish Ministers simply need to amend the Scottish EIRs so as to disapply section 48 of FOISA in respect of the Scottish EIRs.  This would enable the Commissioner to consider applications made to her under section 47(1) of FOISA concerning requests for information made to either her office, or the COPFS that engage the Scottish EIRs.  Of course, the Scottish Ministers could introduce legislation into the Scottish Parliament to repeal section 48 of FOISA altogether (and that would kill two birds with one stone).

If the Scottish Ministers do not choose to make the relevant amendments they could be forced to.  All it would take is for someone to go through the process of making a request for environmental information to either the Commissioner or the COPFS, getting a refusal notice which is then upheld at internal review, and making an application to the Scottish Information Commissioner so as to get a notice from the Commissioner stating that no decision falls to be made.  This can then be appealed to the Court of Session for them to make what appears to be an inevitable decision: the Scottish Ministers acted ultra vires when applying section 48 of FOISA to the Scottish EIRs – an expensive process, but one that someone will eventually go down some day.