It is hard to explain to my junior colleagues how seriously we considered the threat to Western Europe from Warsaw Pact invasion in the 1980s. When I was commissioned in the RAF in 1984, its manpower strength was over 93,000 – its strength is currently planned to fall by 2015 to 31,000. A significant proportion of the RAF was located in Germany (as was the British Army), which, together with all air defence stations in the UK, maintained a high degree of readiness. Those of us serving during that period were well used to “no-notice call outs” and alerts, which somehow always seemed to be between 4 – 6 am.
It was in this Cold War environment that spies and spying thrived. This was an age of active mole hunts and speculation over the identities and range of the Cambridge spy ring – “reds under the bed” being the ultimate McCarthyist fear. So any threat to national security that a former spy’s autobiography could present was a critical matter. This was exactly the problem of Peter Wright, a former member of MI5 and Assistant Director who had retired to Tasmania, whose autobiography “Spycatcher: The Candid Autobiography of a Senior Intelligence Officer” (Spycatcher) was to be published first in Australia. It was also published in the United States of America. Disclosure of state secrets by Wright was, not surprisingly, in breach of the Official Secrets Act 1911.
The Government first attempted to bring an action in Australia to restrain publication of Spycatcher, but this ultimately failed (the book was eventually published in Australia in October 1987). Articles on the Australian legal proceedings were published in The Observer and The Guardian. These newspapers were then subject to an interlocutory injunction in June 1986 to restrain them from publishing information obtained by Wright. The Sunday Times also began to serialise Spycatcher, before and in anticipation of its publication in the US in July 1987. The Attorney General obtained further injunctions. These injunctions were discharged on application by the newspapers – the Court of Appeal dismissed that Attorney General’s appeals, so the joined cases reached the House of Lords (Attorney General v Observer Ltd  1 AC 109). The issue for the House of Lords was the question of publication in breach of a duty of confidence – was the duty of confidence outweighed by a countervailing public interest?
This is where the Spycatcher case has immediate relevance. Whilst The Sunday Times was ordered to account for profits it made as a result of its first serialisation of an extract from the book, which was in breach of a duty of confidence. it was recognised by their Lordships that once the book was published in the US and its contents became widely known, so that the information in the book was no longer confidential, injunctions no longer became necessary.
It should also be remembered that although the Attorney General sought injunctions in England (& Wales), the Lord Advocate failed to seek an interdict in Scotland, so that distribution of Spycatcher and reporting on it was at all times legal in Scotland. Even if an interdict had been obtained, there is a more recent Scots Law case that follows the Spycatcher precedent (Lord Advocate v Scotsman Publications  UKHL 7).
Does this sound familiar, given CTB v News Group Newspapers Limited and Imogen Thomas? Will the courts continue to support injunctions against The Sun and Imogen Thomas when as a result of publication abroad, on Twitter or elsewhere, the private information being protected from publication is in the public domain (assuming that there has been no breach of the original anonymised injunction by The Sun or Imogen Thomas)?
If you do not know what the outside of the Royal Courts of Justice on the Strand in London looks like, the picture above may help. However, we expect that if you watch any UK television news, you will also see plenty of TV reporters do pieces to camera from outside the court. This will particularly be the case around the date of this post because the case of CTB v. Twitter Inc. and Persons Unknown (Case No. HQ11X01814) is inevitably going to receive plenty of attention. It has all the topical ingredients that media reporters could wish for: the case has been brought by a Premier League professional footballer (at present known merely as CTB); it references super-injunctions and involves the Llanelli glamour model, Imogen Thomas (plenty of scope for gratuitous library video footage).
However, whilst not denying these interesting elements, what we are interested in is the attempt to bring an action in the High Court in England (& Wales) against “Twitter, Inc. and Persons Unknown”. Some of the background to the case is described in our previous post: Footballer CTB is suing Twitter.
It appears that as the claim form has yet to be served, its details have not yet been made public.
There are a number of questions that arise from the case. How can CTB bring a claim against “Persons Unknown”. Given that these are likely to be anonymous Twitterers, CTB cannot serve upon them any statement of claim or injunction. In circumstances such as these, CTB could seek to obtain a Norwich Pharmacal Order in respect of each of the unknown persons. A Norwich Pharmacal Order requires a third party to disclose the information that would enable unknown persons to be identified for the purposes of civil proveedings. However, this is not appropriate in these circumstances as the person with the relevant identity information, Twitter, is outside of the jurisdiction.
Fortunately for CTB, there is a procedure to enable him to seek the Court’s permission to serve the claim form and orders out of the jurisdiction (Section IV of Part 6 of the Civil Procedure Rules). The method for service is likely to be one of the methods permitted by the Hague Convention of 1965 on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, to which the UK and the United States of America are members. It remains to be seen that even if these steps are taken, and Twitter is successfully serviced with the statement of claim or any Norwich Pharmacal Orders, whether Twitter would take any notice of them and submit to the jurisdiction of the High Court.
The next question concerns the nature of the statement of claim. We speculate that it must be an application to commit to prison the persons, including Twitter, for aiding and abetting the breach of the original injunction against The Sun (NGN Limited) and Imogen Thomas (and thus being themselves in contempt of court). Rather than prison, the disobedient parties can be subject to an unlimited fine and the court can order any act to be done at their expense. Until the claim form is in the public domain, we cannot be sure. We are not aware at this point of any ISPs or social media platforms being the subject of this type of application, so we cannot say whether the High Court would be persuaded by the so-called “mere conduit” defence that Twitter could raise. Strictly, this defence arises under the Electronic Commerce (EC Directive) Regulations 2002 (Regulation 17), enabling service providers of an information society service to evade liability for the content of information passing through their networks over which they have no control. Whilst the terms of the regulation give service providers a defence so that they “shall not be liable for damages or for any other pecuniary remedy or for any criminal sanction”, we believe this has not been raised as a defence in contempt of court proceedings.
A “guest” post by Charles Russell partner Nick Armstrong, in our Sports & Media Group:
Twitter Inc. and some of its users are being sued in the High Court in London by the individual who obtained an injunction against The Sun and Imogen Thomas concerning allegations about his private life. In the injunction action (see below), and in the new Twitter action, he is referred to as “CTB”. The full case title of the new action is CTB v. Twitter Inc. and Persons Unknown. It is case no. HQ11X01814.
The action was commenced on 18 May. The “persons unknown” are described as those “responsible for the publication of information on the Twitter accounts” but the latter are listed in confidential appendices. It relates to the widely-reported posting on May 8 of a series of “tweets” purporting to name a number of celebrities who had obtained so-called super-injunctions, and describe the activities covered by the injunctions.
It marks the first concerted attempt to deal legally with way in which social media have of late been used an a vehicle for gossip and supposed ‘information’ in an apparent attempt to undermine or evade the authority of the High Court.
The news comes in the week that sees judicial attempts to inject some clarity into a public debate which in the media at least has featured wild and inaccurate comment about the perceived threat posed by “super injunctions”. For one thing, the injunctions that have caused the debate aren’t super injunctions at all – the term was hijacked in the media to refer misleadingly to the injunctions obtained by celebrities whose identities were anonymised to enable the injunction to be effective. The Neuberger Report (of the Committee on Super-Injunctions) was published on 20 May. It points out that in fact the Super-Injunction is an order which prohibits (i) publishing confidential or private information AND (ii) publicising or informing others of the existence of the order and the proceedings. Super-injunctions are reserved for exceptional cases and are only granted for very short periods, and only where this level of secrecy is necessary to ensure that the whole point of the order is not destroyed. Since January 2010, only two such super-injunctions have been granted, one which was set aside on appeal and the second which was in force for seven days.
That is not the case with the celebrity injunctions, which are termed “Anonymised Injunctions” i.e. the names of either or both of the parties to the proceedings are not stated.
In fact the principles of open justice are respected by Anonymised Injunctions because, since the relevant parties are anonymised, a full judgment can be issued in which the judge sets out his reasons for applying the balancing factors imposed by the Human Rights Act 1998 (right to freedom of expression v right to respect for private and family life) in making the order. This strikes the balance between open justice, and appropriate protection of privacy where the judge has found that to be required on the basis of the evidence put before him.
This happened this week when Eady J published his judgment in the CTB ‘Anonymised Injunction’ case itself. It should be read by anyone thinking of commenting about the issue of Anonymised Injunctions, as it puts in context much ill-informed comment which has obscured many of the real issues involved in the developing (and still very young) law of privacy enacted by Parliament in 1998 and applied by the judiciary.
I was asked a couple of days ago to prepare an email alert for clients on a commercial law update circulation list to describe compliance steps required for the new cookies law. This turns out to be virtually impossible. Much as it pained me, the advice really comes down to the cliché lawyers’ answer of, “It depends”.
Together with my colleague Mark Alsop, we finally went with this:
When we issue email alerts on an imminent change in law that is likely to have a wide impact on normal business activities, we seek to give clear guidance on what steps must be taken for compliance with the new law.
A cookie is a small file of letters and numbers placed by a website onto a user’s computer when he or she accesses the website. They allow a website to recognise a user’s computer and to adjust the user’s experience of the website accordingly – cookies can be used for authentication, storing preferences, managing shopping baskets, tracking web-browsing and many other things. A website may place several cookies onto a user’s computer.
This Directive has been amended so that, as well as giving users information on exercising an opt out, usually by changing their browser settings to reject any cookies, no cookies can now be used lawfully unless the user has given his or her consent to their use.
The change is practically difficult to implement without spoiling the user’s browsing experience. It had been thought (hoped) that having browser settings which permit cookies would amount to consent, but this has been rejected as a means of obtaining consent.
The UK Government did consult on appropriate amendments to the UK Regulations to make them easier to comply with, but that came to nothing when the Ministry of Justice announced that in future all Regulations implementing EU legislation will simply faithfully reproduce the revised EU Directive wording.
There are reports that the Government is working with browser suppliers to bring in browsers that can give compliant consent. This will be a big step forward, but as the guidance points out, there will remain the problem of users who do not upgrade to such browsers.
Two final observations. First, the ICO expects websites to deal with the more intrusive cookies first. Second, in terms of enforcement, the guidance acknowledges that there is no prospect of full compliance by 26th May, i.e. less than 3 weeks after the guidance was issued. Instead, the ICO indicates that, for the time being, it is concerned to ensure that website owners have a realistic plan to achieve compliance.
The ICO states that further guidance will be issued “if appropriate, in future”.
On 10 May 2011 the Information Commissioner imposed a £1,000 monetary penalty on Andrew Crossley, trading as ACS Law, for a serious breach of security that permitted over 6,000 individuals’ details to be accessible on an unsecured website. Already, there is much discussion on the internet as to the fairness of this penalty. Has justice been done?
Internet comment is not likely to be objective in the case of ACS Law, given that it was the law firm targeted by hackers for a distributed denial of service attack as retribution for its perceived aggressive approach to internet users claimed to be illegal copyright infringers (see the Wikipedia entry for ACS:Law). Andrew Crossley was reported to have made a profitable business pursuing copyright infringement cases – claiming he would be buying a Ferrari F430 Spider for cash. The monetary penalty of £1,000 amounts to less than 17p for each individual’s details that ACS Law left unsecured on its website as part of its recovery from the DDOS.
However, the Information Commissioner has made it clear that had ACS Law still been trading, he would have imposed a monetary penalty of £200,000 (the maximum that could have been imposed was £500,000). Clearly the Information Commissioner was satisfied by the written representation sworn on oath by Andrew Crossley to reduce the fine to the token £1,000 – much to the chagrin of many on the internet less willing to accept Crossley’s pleas of reduced financial circumstances.
Other data controllers ought to reflect on the factors considered by the Information Commissioner in making the monetary penalty. In particular, the lack of investment in appropriate security measures was a major factor, as was the lack of appropriate IT trained personal in the organisation. In addition, whilst spending serious money to remedy the security breach (in ACS Law’s example, spending £20,000 to fix the problem) was considered as a mitigating factor, it was obviously not that significant given the level of the final penalty.
Lawyers and law firms also ought to take particular note that as far as the Information Commissioner is concerned, they cannot expect any leniency for any breach by them of the Data Protection Act 1998 – “Data controller is a lawyer and should have been fully aware of his obligations under the Act.”
An article in yesterday’s EducationGuardian caught my eye, and not because of the parental anger at schools pressure selling private tuition. What concerns me is the blatant direct marketing of a third party’s services by a school.
The story, if you did not click on the link, concerned parents’ anger at receiving letters signed by school headteachers on school headed notepaper marketing a DVD home tuition scheme of the Student Support Centre, a trading name of The Student Support Centre (UK) Limited (who, incidentally, fail to give their company name anywhere on their website, as far as I can see). EducationGuardian discovered that the Student Support Centre pays schools an administrative fee for this marketing, but the article is unclear about what this fee is. Anthony Lee, founder and chairman of the Student Support Centre, is quoted as saying he makes a “small token payment of up to £160″.
From a data protection point of view, the most obvious question is, do the schools that cooperate with the Student Support Centre or other home tuition companies include direct marketing as a purpose in their data protection notices? Personal data, which in these circumstances must include the parents’ names and addresses for school pupils, must be processed in a fair and lawful manner. To be fair and lawful, the person who “owns” the personal data must give their details and the purposes for which the data will be processed (see paragraph 1 of Part I – the First Data Protection Principle – and paragraph 1 of Part II of the Data Protection Act 1998, Schedule 1). Also, personal data cannot be processed in any manner incompatible with any stated (and notified) purpose or purposes (paragraph 2 of Part I, the Second Data Protection Principle).
Schools may wish to consider whether receipt of a small token payment is enough of an incentive to breach the Data Protection Act 1998, for which monetary penalties of up to £500,000 can be imposed by the Information Commissioner for serious breaches.
I’ve always had more than a passing interest in the Ofcom Sitefinder, because prior to re-qualifying as a lawyer I was a communications engineer. I was also a specialist radiation safety officer. Sitefinder allows you to search any location or postcode in the UK to discover the location of any mobile phone base station, together with details about its operator, operating frequencies and maximum transmitter power (e.i.r.p. per channel). From this site I can see that the nearest base station to my house in Portsmouth is about 600m away. It’s details on Sitefinder show:
Name of Operator
Operator Site Ref.
Whilst there is still ongoing discussion and medical research about what are safe levels of exposure to non-ionsing radiation, the maximum exposure levels recommended by the International Commission on Non-Ionizing Radiation Protection are widely followed. The safe exposure levels for members of the public for 10GHz, which are lower than that for 2.1GHz, are easily understood as it is set at 10W/m². As 3 transmits from the Cosham base station at 24.46 dBW, or 279.3W, and as all mobile phone (UHF) radio waves use direct radio propagation so that the power falls proportionally to the square of the distance from the transmitter, I would be perfectly safe under ICNIRP guidelines, assuming that I have roughly a 1m² profile, at a distance of 5.3m from the antenna (which would be difficult, as its 21m high).
Sitefinder is interesting from a legal point of view as it is the subject of a request for information under the Environmental Information Regulations 2004 (“EIRs”) to Ofcom, which was refused. The applicant for the information then made an appeal to Ofcom for an internal review, who upheld the initial decision to refuse the request. The applicant then appealed to the Information Commissioner, who was minded to order the disclosure of the relevant information (Case Ref: FER0072933, 11 September 2006). This was then appealed to the Information Tribunal (now known as the First-Tier Tribunal (Information Rights)), who also ordered disclosure (EA/2006/0078, 4 September 2007). Ofcom appealed to the High Court, where the appeal was dismissed ( EWHC 1445 (Admin), 8 April 2008), then to the Court of Appeal ( EWCA Civ 90, 20 February 2009) and the Supreme Court ( UKSC 3, 27 January 2010), who referred a question to the Court of Justice of the European Union (“CJEU”) (Case C-71/10). The Sitefinder case will therefore be the first EIRs case to go the full distance. On 10 March 2011 Advocate General Kokott gave her opinion. The story should therefore, after over 6 years, soon come to an end.
Initial Request and Internal Review
The EIRs provide for wider access to information that falls within the wide definition of environmental information included in the EIRs, than the Freedom of Information Act 2000 (“FOIA”) permits. Consequently, the information request made by an information officer from Health Protection Scotland on 11 January 2005 requesting national datasets of the full details of each mobile phone base station within the Sitefinder database under the FOIA, was correctly processed by Ofcom (being a request for information on factors such as radiation – EIRs, reg.2.1(b)) under the EIRs. The request was made because Sitefinder itself only permits users to research details within postcode areas, with no national or regional lists or exact details of base station grid references.
As a result of the initial request and request for internal review dated 25 February 2005, a number of exemptions under EIRs came into play, particularly:
the public safety and national security exemption at reg.12(5)(a) – the public interest in safeguarding the location of all TETRA sites, and hence all police and emergency services communications, outweighed any public interest in disclosure of the sites’ data; and;
the intellectual property rights (‘IPRs’) exemption at reg.12(5)(c) – disclosure would affect the rights of the network operators. The raw national dataset could be used by competitors to discover the design of each mobile network. The IPRs in question were:
the operators’ database right in the Sitefinder database (applying the ruling in CJEU Case C-203/2 British Horseracing Board –v- William Hill, the Commissioner agreed that operators had made the necessary “substantial investment in obtaining, verifying or presenting the contents of the database” (Copyright and Rights in Databases Regulations 1997, reg 13(1)) to create a database right – Ofcom estimated that each operator took up to 50 man hours every 3 months to collate information for Sitefinder as well as 3-5 man-days per month to attend and contribute to Sitefinder policy and development groups);
copyright in the operators’ data; and
an obligation of confidence (the World Intellectual Property Organisation Convention 1967, Art. 2(viii), includes “rights relating to…works …protection against unfair competition and all other rights resulting from intellectual activity in the industrial, scientific, literary or artistic fields” – the Commissioner did not find that the appropriate obligation of confidence existed in the data supplied by the operators).
Appeal to Information Commissioner
The case was appealed to the Information Commissioner on 22 April 2005. The Commissioner considered the application by Ofcom of the EIRs, reg.12(5) exemptions, carefully applying his Awareness Guidance No. 20, which details how the Commissioner considers the adverse affect test for EIRs, re.12(5) should operate. Essentially, this is a harm test. The Guidance states: “the adverse affect test provides exceptions only in those cases where an adverse affect would arise. In other words, so far as environmental information is concerned, in order to engage an exception, some harm must be certain rather than merely likely. This is a significant difference.” As Ofcom did not present the Commissioner with evidence of harm to public safety or national security, or the operators’ IPRs, disclosure was ordered.
In coming to this view, the Commissioner took account of the balance of interests under EIRs’ cases: Recital 16 of the EU Directive on public access to environmental information (Council Directive 2003/4/EC), upon which the EIRs are based, states that exceptions must “be interpreted in a restrictive way”. It was quite possible for Ofcom to disclose the requested information subject to the operators’ database rights and copyright, so that the requester could not use the disclosed database. A public authority cannot prejudge use of disclosed environmental information. The EIRs, as with the FOIA, do not require a requester to state the purpose of the request. For both copyright and database right, it was ruled that use of the disclosed database by the requester would require a licence from the operators, which by implication they could refuse to grant.
Appeal to Information Tribunal
Ofcom appealed to the Information Tribunal on 10 October 2006, and T-Mobile was permitted by the Tribunal to be joined to the appeal on 29 November 2006. The case before the Tribunal was a messy one – it was not simply an appeal of the Commissioner’s decision. However, amongst other rulings, the Information Tribunal in considering the EIRs, reg.12(5)(b) public safety exception, did consider that there was a slightly increased risk that the disclosure of the site information requested, being more accurate than that already in the public domain, may adversely affect public safety. However, the Tribunal did not consider that this increased risk outweighed the public interest in the site information, given its importance as identified in the Stewart Report and for epidemiological investigations.
The Tribunal was also not convinced that the IPR exemption at EIRs, reg.12(5)(c) applied. The Tribunal decided that the exemption can only be applied if there is sufficient adverse effect to trigger the exemption, followed by a consideration of whether there the actual or potential harm in the disclosure is sufficiently great to outweigh the public interest in disclosure. The Tribunal considered that the test to find adverse effect should not be set with a particularly high threshold – the exemption could apply to any case where there was more than a mere technical or minimal infringement of the relevant IPR. The Tribunal considered the degree of harm that disclosure of the Sitefinder dataset would cause. For example, it considered the potential loss of revenue claimed by the operators from their inability to license their site data and the adverse effect that the disclosure of the Sitefinder information would result in the implied disclosure of each operator’s network design.
In each case, the Tribunal was not convinced that there would be actual or potential harm under each of the headings submitted by Ofcom and T-Mobile, but considered that there was sufficient adverse effect from the combination of the various factors.
The Tribunal also considered a further public interest in withholding the Sitefinder data. The operators’ had warned Ofcom that as their supply of base station data was not a statutory requirement but was made by them voluntarily, they would refuse to supply any further data if the Tribunal ruled in favour of disclosure. There was clearly a public interest in maintaining Sitefinder. The Tribunal did not consider that it could base its decision on any actual or implied threat of future non-cooperation by the operators.
In addition, the Tribunal did not accept Ofcom’s view that the EIRs required it to consider whether the aggregate public interest in maintaining the exemptions outweighed the public interest in favour of disclosure.
Appeal to the Administrative Court
In the Administrative Court the question of how to apply the EIRs exemptions was considered. In essence, the Court reviewed whether a public authority should consider the public interest in disclosure outweighed the public interest in withholding the requested information for each separate exemption that could apply, and only if all exemptions resulted in the public interest in disclosure being outweighed should the information not be released. The contrary argument was that the public authority should consider the aggregate public interest, was dismissed by the Court. In reviewing the IPRs exemptions, the Administrative Court considered that the Tribunal could consider whether the use of the data to be disclosed (i.e. for epidemiological research) was in the public interest, even if that meant a breach of the operators’ rights. This was important as strictly a person requesting information under the EIRs or FOIA does not have to state a purpose (however, I have always advised applicants that the purpose should be stated, for exactly this reason – it colours the public interest test – see the chapter I have co-authored in the Law Society’s Freedom of Information Handbook).
Appeal to the Court of Appeal
The Court of Appeal reviewed the Administrative Court’s view on aggregation of public interest, and determined that the Administrative Court had erred in not following this approach. However, the Court of Appeal agreed that the purpose to which the data disclosed was to be put could be considered in any public interest test.
The issue for the Supreme Court was therefore the same: how should a public authority apply more than one exemption? Is each exemption to be addressed separately, by considering whether the interest served by it is outweighed by the public interest in disclosure? Or can the interests served by different exemptions be combined and then weighed against the public interest in disclosure? The Supreme Court quickly realised that this involved discerning what was intended by Directive 2003/4/EC, and so made the following reference to the CJEU:
Under Council Directive 2003/4/EC, where a public authority holds environmental information, disclosure of which would have some adverse effects on the separate interests served by more than one exception (in casu, the interests of public security served by article 4(2(b) and those of intellectual property rights served by article 4(2)(e)), but it would not do so, in the case of either exception viewed separately, to any extent sufficient to outweigh the public interest in disclosure, does the Directive require a further exercise involving the cumulation of the separate interests served by the two exceptions and their weighing together against the public interest in disclosure?
Advocate General Opinion
Julianne Kokott has carried out her usual thorough analysis, and has suggested to the CJEU that they answer:
Under Council Directive 2003/4/EC on public access to environmental information, where a public authority holds environmental information, disclosure of which would have some adverse effects on the separate interests served by more than one exception under Article 4(2), but it would not do so, in the case of either exception viewed separately, to any extent sufficient to outweigh the public interest in disclosure, the directive requires a further exercise involving the cumulation of the separate interests served by the two exceptions and their weighing together against the public interest in disclosure.
If this is followed by the CJEU, then the matter will be referred back relatively quickly to the First-Tier Tribunal (Information Rights), where I would expect the aggregation of exemption interests will be found to outweigh the public interest in disclosure, so that Sitefinder will be saved, and we can all go home.
(PS For legal readers: I did describe the case up to the Information Tribunal, as it then was, in the Freedom of Information Journal. I intend to write-up a more legal analysis of the whole saga for publication, once the CJEU has made its ruling.)
The contents of this blog are licensed by Charles Russell LLP under a Creative Commons Licence, subject at all times to our disclaimer below.
Disclaimer Information on this blog, including any of our responses to comments, is general information only and does not constitute advice on any specific legal matter or mean that we treat any person as a client. If you require advice on any specific legal problem or matter, please contact one of our lawyers listed on our Author's Page or on our website. No liability can be accepted by Charles Russell LLP for any action taken or not taken as a result of any information or comments on this blog.