I wonder whether a Tribunal Decision confirming the Commissioner’s views in an obscure FOI Decision Notice indicates how data protection law could impact on the wider Internet? Of course, reliance on such an extrapolation has its dangers – but, the logic the Tribunal applied to this FOI request seems to apply to posting personal details on the Internet.
The FOI case involved access to Court records after a trial. An applicant (who was a relative of an individual prosecuted for a criminal offence) made a FOI request to details of the Court’s own records about the "charges" and "verdict" in order to help that individual anonymously. Note that all the applicant requested was the details that he would have learnt in open court (if the requestor had attended the Court) or in a newspaper (if a journalist had reported the Court proceedings in the local press). The request was denied by the Courts service, a decision that was upheld by the Commissioner and Tribunal.
The Tribunal recognised that there was an anomaly in that if the applicant had attended the Court or if the Court proceedings had been published by the media he would have all the information that was subject to the FOI request. However “to reveal to the whole public whether someone was subject to a court case would be unfair” processing as the release of sensitive personal data (e.g. details of a conviction) into the public domain will only be fair in exceptional circumstances. In addition “even if there was sensitive personal data disclosed in open court at the time of prosecution/sentencing, it would not be in a defendant’s reasonable expectations that there will be a later disclosure to the general public”.
So publishing details, even those that could have been in the public domain, can be unfair.
Now consider publishing on the Internet? Well many postings report matters involving another individual's personal life (e.g. photos of a drunk friend being sick) and these have the potential to be “Googled for ever and ever, amen”. Often, such reports are published after a fairly public event (e.g. an office party) without any reference to the individual concerned. As the domestic purpose exemption cannot be claimed (see Lindqvist), this means the obligations in the Act are engaged.
In other words, if the act of publishing personal details by FOI is unfair, it seems to me that publishing similar details by the Internet would also be unfair. It follows that posting personal data can constitute unfair processing and this prospect should be actionable wherever the European Data Protection Directive applies.
References: Information Tribunal Decision EA/2009/0037 and ICO Decision Notice FS 50165494. The position according to the Tribunal “is supported by the reasoning of the Information Tribunal’s decision of David Armstrong and the Commissioners for Her Majesty’s Revenue and Customs [EA/2008/0026] paragraph 84. The Lindqvist case is a decision of the European Court of Justice in Case C-101/01, made in 2003; see for example, “Baby battle woman can’t claim data protection exemption for YouTube video, warns expert” on http://www.out-law.com/page-8401 ).
See also; Reclaiming Privacy on the Internet; http://www.amberhawk.com/uploads/IPSTREETVIEW.pdf
Interesting direction you take with this. So, at risk of making an arse of myself - I do this regularly, see the foot of http://timtrent.blogspot.com/2009/11/i-blog-therefore-i-am-brand.html - isn;t the law intended to catch corporations, not individuals, when personal data is misused?
Blog services are, presumably, Data Processors for the individual user, as are social networks? So where is the offence should I post a picture of, say, you, in flagrante delicious with a person of your choice? Well, apart from the age old offence of scaring the horses, of course!
Posted by: Tim Trent | 03/11/2009 at 02:36 PM