Biggest ever penalty for GDPR breach – Gerry Facenna QC, Julianne Kerr Morrison and Khatija Hafesji advise regulator

On 16 October 2020 the Information Commissioner’s Office announced that it had imposed on British Airways the biggest ever penalty in the UK for breach of data protection law.

The penalty is the culmination of a two-year investigation by the ICO into a cyber-attack on British Airways’ systems in 2018, which affected the personal data of over 400,000 of its customers. The ICO’s investigation identified a number of weaknesses in BA’s cyber-security measures, which were found to have allowed the attack to take place. The ICO also found that BA failed to detect the attack for several weeks, until it was alerted to the exfiltration of personal data from its systems by a third party. The ICO concluded that BA’s failures cumulatively amounted to a serious breach of the requirement to take appropriate measures against unauthorised or unlawful processing, contrary to Articles 5(1)(f) and 32 of the GDPR.

The final penalty, of £20m, was calculated from a starting point of £30m, with downward adjustments to take into account mitigating factors including BA’s prompt reporting of the breach and cooperation with the ICO, and a further discount of £4m having regard to the economic consequences of the Covid-19 pandemic.

The ICO was acting as “lead supervisory authority” on behalf of other EU regulators, meaning that the decision had to be submitted for approval by all other EU data protection authorities, in accordance with Article 60 GDPR.

The ICO’s decision has been widely reported on, including by the BBC, Financial Times, The Times, The Telegraph and The Guardian, as well as the Register and other specialist tech and data publications. A copy of the penalty notice and decision is available here.

Gerry Facenna QC, Julianne Kerr Morrison and Khatija Hafesji advised the Information Commissioner’s Office throughout the investigation, Article 60 process, and the final penalty decision.

Court of Appeal Rules on Abuse of Process in Competition Damages Claim

The Court of Appeal has dismissed appeals by the Defendants in a series of competition damages claims arising from the European Commission’s 2016 infringement decision relating to trucks. The claims are currently before the Competition Appeal Tribunal which, in March 2020, ruled on a preliminary issue concerning the binding nature of the Commission’s decision. The Tribunal held that:

(1) a number of the Commission’s findings were binding as a matter of EU law; and
(2) in relation to the remainder, it would be an abuse of process for the Defendants to contest findings that the decision recorded them as having accepted in the settlement procedure, unless there was some justification for doing so.

The Tribunal’s conclusion on abuse of process reflected the fact that the Commission’s decision followed a settlement procedure in which the Defendants accepted the infringement.

The Defendants appealed the Tribunal’s decision on abuse of process to the Court of Appeal and on 7 October 2020, following a remote two-day hearing, the Court dismissed the appeals with reasons to follow.

Mark Brealey QC, Tim Ward QC, Ben Lask and Anneliese Blackwood acted for a number of the Claimants before the Court of Appeal. Daniel Beard QC, Paul Harris QC, Ben Rayment, Michael Armitage, David Gregory and Alexandra Littlewood acted for a number of the Defendants.

Tim Ward QC and Andrew Macnab, representing the United Kingdom and HMRC at the CJEU, successfully resist a challenge to scope of VAT exemption for “insurance transactions”

Case C-235/19 United Biscuits (Pension Trustees) Limited and United Biscuits Pension Investments Limited v HM Revenue and Customs, CJEU, 8 October 2020, ECLI:EU:C:2020:801.

The Court of Justice of the European Union has ruled in favour of HMRC in a reference from the Court of Appeal concerning whether pension fund management services supplied to the trustees of a defined benefit occupational pension fund are “insurance transactions” within the meaning of the insurance exemption in Article 135(1)(a) of the VAT Directive (2006/112/EC).

The Appellant (“UB”) is the trustee of a defined benefits pension fund. It claimed restitution of sums paid by way of VAT on supplies of pension fund management services provided by undertakings that were not authorised insurance companies (“Non-Insurers”). Supplies of such services by Non-Insurers have always been treated as standard rated under UK law. The two main issues were (1) whether the supplies by Non-Insurers were to be treated as exempt supplies of “insurance”, because (allegedly similar) supplies of pension fund management services by authorised insurance companies (“Insurers”) had were treated as exempt; and (2) if Non-Insurers’ supplies should have been exempt, whether EU law required UB to be given a direct claim against HMRC to recover sums they had overpaid by way of VAT to the Non-Insurers (notwithstanding the Supreme Court’s recent decision in Investment Trust Companies (In Liquidation) v RCC [2017] UKSC 29; [2017] 2 WLR 1200; [2017] STC 985, “ITC SC”).

At first instance, Warren J decided both issues in favour of HMRC and dismissed UB’s claim. On Issue (1), Warren J held that the services were not “insurance transactions” within the meaning of Article 135(1)(a) and were thus properly standard rated. Further, the principle of fiscal neutrality did not require them to be treated as if they were “insurance transactions” (and thus exempt) or to be given the same (incorrect) VAT treatment as supplies of pension fund management services by Insurers. On Issue (2), Warren J held that EU law did not require UB to be given direct claim against HMRC: it was not “impossible or excessively difficult” for UB to vindicate any putative EU law rights it had via the route dictated by UK statute, namely a claim against the Non-Insurer. See United Biscuits (Pension Trustees) Ltd & Anor v Revenue And Customs [2017] EWHC 2895 (Ch) (30 November 2017).

On UB’s appeal, the Court of Appeal (Patten, Henderson and Rose LJJ) referred a question to the CJEU on Issue (1). In answer, the CJEU has ruled that “investment fund management services supplied for an occupational pension scheme, which do not provide any indemnity from risk, cannot be classified as ‘insurance transactions’, within the meaning of [Article 135(1)(a), and thus do not fall within the value added tax (VAT) exemption laid down in that provision in favour of such transactions”. The CJEU confirmed that, as generally understood and according to settled case-law, the essentials of “insurance transactions” referred to in Article 135(1)(a) are that the insurer undertakes, in return for prior payment of a premium, to provide the insured, in the event of materialisation of the risk covered, with the service agreed when the contract was concluded. Since the services supplied to UB did not have those essential features, they were not “insurance transactions”. The CJEU also rejected UB’s arguments, based on statements in the judgments in CPP (C‑349/96, EU:C:1999:93) and Skandia (C‑240/99, EU:C:2001:140), to the effect that the meaning of “insurance transactions” in the VAT Directive was dictated by the EU Directives concerning the regulation of insurance companies; and also held that pension fund management was not “insurance” within the meaning of the insurance directives, but was instead an “operation” relating to insurance.

Tim Ward QC and Andrew Macnab represented the UK in the CJEU and HMRC in the Court of Appeal. Andrew Macnab represented HMRC in the High Court. Read the full decision of the CJEU here (on Bailii), here (on EUR-Lex) or here (on Curia).

Tim Ward QC acts for Uber London Ltd in successful licence appeal

Uber London Ltd (“ULL”) has successfully appealed against the refusal of Transport for London (“TfL”) to grant it a new licence. TfL had refused to renew ULL’s private hire vehicle operator licence for London pursuant to the Private Hire Vehicles (London) Act 1998 on the grounds that it considered that ULL was not a “fit and proper person” to hold such a licence. On ULL’s appeal, Deputy Senior District Judge Ikram concluded that ULL was a fit and proper person. The Judge noted that whilst ULL did not have a “perfect record… I am satisfied they are doing what a reasonable business in their sector could be expected to do, perhaps even more.” The Court ruled that ULL should be granted a licence for 18 months, subject to certain conditions.

Tim Ward QC acted for ULL.

The case has been covered in the media: BBC, The Guardian, The Times and The Telegraph.

Representative action against YouTube on children’s privacy rights: Gerry Facenna QC and Nikolaus Grubeck act for Claimants

Representing up to 5 million children in England & Wales aged under 13 and their parents, privacy expert Duncan McCann has launched a claim against Google, the owner of YouTube. The claim alleges that YouTube’s methods of targeting underage audiences are in breach of data protection law, including because YouTube does not have parental consent to collect and process children’s personal data, which YouTube uses for targeted advertising.

The claim has been covered, amongst others, by the BBC, the Mail on Sunday, Business Wire, TechCrunch, and Lawyer Monthly.

Gerry Facenna QC and Nikolaus Grubeck are acting for the representative claimants, instructed by Hausfeld.

Challenge to Ofqual’s exam algorithm: Ciar McAndrew acts in proposed judicial review

The Secretary of State for Education and Ofqual have today announced that A-Level and GCSE students unable to sit their exams due to Covid-19 will be awarded their teacher-predicted grades, rather than grades calculated in accordance with a standardisation algorithm developed by Ofqual.

The algorithm had been used by Ofqual to bring thousands of students’ predicted grades into line with the grades historically achieved by students at their school. In practice, this operated to pull down the results of high-achieving students whose schools had no history of achieving high grades. The standardisation effect was disproportionately felt by state school students in large classes: for cohorts of 5 students or less, the standardisation process was disapplied and students were awarded their teacher-predicted grades, giving a boost to the results of students from the independent sector.

Curtis Parfitt-Ford, an 18-year-old A-Level student, sought to challenge the algorithm after it emerged that around 40% of students had seen their predicted marks downgraded following standardisation. In pre-action correspondence sent to Ofqual on 14 August 2020, Mr Parfitt’s representatives argued that use of the algorithm was contrary to Ofcom’s statutory objectives and produced irrational, arbitrary and unfair results. They also proposed to challenge the algorithm on the basis that it breached data protection rules, including those relating to profiling, automated decision-making and algorithmic bias.

At 4pm today, the Secretary of State and Ofqual confirmed that students would be awarded the higher of their teacher-predicted and algorithm-generated grades. The statement from the Chair of Ofqual can be found
here.

The proposed claim has received extensive press coverage, including from the Guardian, the Times and the BBC. It represents the second time in as many weeks that a public body’s use of a decision-making algorithm has been in the spotlight: Nikolaus Grubeck and Ciar McAndrew recently acted for the Joint Council for the Welfare of Immigrants in a judicial review claim which secured the suspension of a visa streaming algorithm used by the Home Office.

Ciar McAndrew acted for Curtis Parfitt-Ford, led by Estelle Dehon of Cornerstone Barristers and David Wolfe QC of Matrix Chambers. They were instructed by Rosa Curling of Leigh Day.

Curtis Parfitt-Ford was supported by Foxglove, a non-profit organisation which focuses on the fair use of technology. The pre-action correspondence can be found on Foxglove’s website.

Court of Appeal rules Automated Facial Recognition breaches data privacy rights: Gerry Facenna QC and Eric Metcalfe act for Information Commissioner in landmark case

In a ground-breaking decision, the Court of Appeal today unanimously held that the use of Automatic Facial Recognition (AFR) by South Wales Police breached privacy and data protection rights due to the lack of a clear legal framework, reversing the Divisional Court’s judgment in September 2019 which had approved its use. That judgment was acclaimed as the first time any court anywhere in the world had considered the lawfulness of AFR.

Gerry Facenna QC and Eric Metcalfe acted for the Information Commissioner, who had been granted permission to make written and oral submissions before both the Divisional Court and the Court of Appeal.

The Court of Appeal accepted the submissions of the Commissioner and the Appellant that the legal framework governing AFR failed to comply with the right to private life under article 8(2). The Court observed that it was “not clear who can be placed on the watchlist nor is it clear that there are any criteria for determining where AFR can be deployed” (paragraph 91). The existing policies governing AFR, the Court held, “do not sufficiently set out the terms on which discretionary powers can be exercised by the police and for that reason do not have the necessary quality of law” (paragraph 94).

The Court also agreed with the Commissioner’s argument that the Police’s data protection impact assessment failed to meet the requirements of section 64 of the Data Protection Act 2018 because it “failed properly to assess the risks to the rights and freedoms of data subject” (para 153). In addition, the Court of Appeal held that South Wales Police had breached their public sector equality duty under the Equality Act 2010, on the basis that they had “never sought to satisfy themselves, either directly or by way of independent verification, that the software program in this case does not have an unacceptable bias on grounds of race or sex” (paragraph 199).

Today’s judgment has received widespread media coverage, including the Financial Times, the Daily Telegraph, the Guardian, the Times, and the BBC.

Gerry Facenna QC and Eric Metcalfe acted for the Information Commissioner.

Nikolaus Grubeck and Ciar McAndrew act for JCWI in successful challenge to racially discriminatory Home Office decision-making algorithm

The Secretary of State for the Home Department has today announced that the Home Office will discontinue the use of an algorithm used to categorise visa applicants on racially discriminatory grounds.

The algorithm, known as the Streaming Tool, was used to process a range of applications for visas to enter the UK. The Streaming Tool allocated a Red, Amber or Green risk rating to relevant visa applications. Applications made by people holding ‘suspect’ nationalities received a higher risk score. Their applications received intensive scrutiny by Home Office officials, were approached with more scepticism, took longer to determine, and were much more likely to be refused.

The Joint Council for the Welfare of Immigrants (JCWI), a charity which advocates for the elimination of injustice within the immigration system, sought judicial review of the use of the Streaming Tool. JCWI was supported in its claim by Foxglove, a non-profit organisation which focuses on the fair use of technology. JCWI’s grounds of claim, and the Home Office’s decision to retire the Streaming Tool, can be found on Foxglove’s website.

JCWI argued that, in taking account of a visa applicant’s nationality, the Streaming Tool directly discriminated on the grounds of race, in breach of sections 13 and 29 of the Equality Act 2010. JCWI also argued that the Streaming Tool was irrational, because it created a ‘feedback loop’ in which applicants with ‘suspect’ nationalities were more likely to have their visa application rejected, with a high level of rejections in turn being used to justify keeping that nationality on the ‘suspect’ list. Furthermore, the Streaming Tool promoted confirmation bias in Home Office officials, who were encouraged to rely on the algorithm as a tool to aid their substantive decision-making.

In response to JCWI’s claim, the Home Secretary today confirmed that the Home Office will suspend the algorithm with effect from 7 August 2020, “pending a redesign of the process” which will consider “issues around unconscious bias and the use of nationality” in automatic visa systems. The Home Secretary also undertook to undertake and disclose Equality Impact Assessments and Data Protection Impact Assessments for any new system.

The claim is the first known successful legal challenge to an algorithmic decision-making system. It has received extensive press coverage, including from the Guardian, the BBC, and Sky News.

Nikolaus Grubeck and Ciar McAndrew acted for JCWI, led by Ben Jaffey QC. They were instructed by Rosa Curling and Erin Alcock of Leigh Day.

Upper Tribunal clarifies the scope of “public authorities” under EIRs

In its judgment in Information Commissioner v Poplar HARCA, the Upper Tribunal has clarified the scope of Regulation 2(2)(c) of the Environmental Information Regulations (EIRs), which provides that private entities can be considered to be “public authorities” and subject to the EIRs where they ‘carry out functions of public administration’.

The Upper Tribunal upheld the FTT decision that Poplar HARCA, as a private registered provider of social housing, is not subject to the EIRs. In order to fall within the definition, an entity must be ‘entrusted’ by legislation with performing its functions of public administration, as well as being ‘vested with special powers’ for that purpose. Moreover, the fact that an entity is subject to a regulatory regime laid down in statute is not sufficient to constitute an ‘entrustment’.

Given the widespread practice of out-sourcing by Government, as well as the privatisation of many sectors, the judgment has significant implications for the reach of the access to environmental information regime.

Laura Elizabeth John represented the Information Commissioner.

Read the case note commentary by Harry Gillow and the full judgment is here.

Monckton team scores victory for Apple in €13bn State aid and tax case

The EU General Court has today upheld Apple’s appeal against the EU Commission decision finding that Apple’s tax treatment in Ireland constituted unlawful State aid. The Commission decision has been annulled in full: all three bases on which the Commission sought to show that Apple had paid less tax than was properly payable in Ireland have been found by the Court to be wrong.

The case concerned the amounts of tax paid in Ireland by two Apple group companies, one of which was Apple Sales International (the company that sells Apple products worldwide outside the USA and therefore receives most of Apple’s worldwide revenues). Both of those companies were incorporated in Ireland and carried out some practical functions through people based in Ireland, but their profits were attributable mostly to their use of Apple group IP and global marketing strategies developed in Cupertino, California. Most of the companies’ directors were based in California, not Ireland, and were involved in developing, in California, Apple IP and global marketing strategies.

Irish tax law required the companies to pay tax in Ireland on the profits of their ‘Irish branches’, i.e. an amount of their profits attributable to their functions performed in Ireland, not on their total worldwide profits. The companies, believing they were complying with the law, ascertained their profits in Ireland using formulae which essentially captured amounts of profits that were attributable to the operations they actually carried out in Ireland. Those Irish operations were comprised of routine operational functions, not the development of Apple IP.

The companies therefore did not pay tax in Ireland on a majority of their profits, since their total profits were driven mainly by their use of Apple IP. That IP was developed not in Ireland but in California. The companies had the right to use the IP pursuant to ongoing cost sharing agreements (‘CSAs’) under which Apple group companies contributed to the costs of IP development on an ongoing basis, and had the right to use the IP. The CSAs were agreed on behalf of the companies by their directors in California, and not in Ireland.

The Commission, by its decision in 2016, found that Ireland had granted unlawful State aid to Apple by issuing tax opinions which approved the formulae used by the companies for calculating their amounts of profits subject to tax in Ireland, and/or by accepting the companies’ annual tax returns. According to the Commission, the companies should, on a correct application of the Irish tax legislation in the light of EU State aid law, have paid tax on their total worldwide profits, since they had no employees anywhere outside Ireland. (The companies’ directors were not employees of the companies.) In other words, the Commission’s position was that, since the only place where the companies had employees was Ireland, all of their worldwide profits should be attributable to their ‘Irish branches’ by default. This was the Commission’s primary case.

Had the Commission’s primary case been upheld, then the amount of back-taxes Apple would have been required to pay in Ireland could have exceeded €13bn. This made the Apple case the highest value State aid case in history.

The Commission’s decision also advanced two other (effectively ‘fallback’) bases for finding Apple to have received State aid: the ‘secondary line’ and the ‘alternative line’. By the secondary line, the Commission found that the methodology used by the companies to calculate the profits of their Irish branches was inappropriate, and that a correct methodology would have led to more tax being paid in Ireland. By its alternative line, the Commission found that the Irish tax regime allowed too much discretion to the Irish tax authority in relation to approving methodologies for calculating profits of international companies’ Irish branches, and that this led to Apple receiving an advantage.

The General Court has, by its judgment today, found that the Commission’s primary case was wrong, and that its secondary line and alternative line were also wrong. In order for the Commission properly to find that an enterprise has received State aid, the Commission needs to show that the enterprise received from an EU Member State a ‘selective advantage’, such as by being permitted by to pay less tax than was properly due. The Court found that the Commission simply did not have a realistic case for showing that the companies had received a selective advantage, and therefore the Commission failed at the first hurdle (there being no need to consider whether other elements necessary for a finding of State aid were also present).

In relation to the Commission’s primary case, the Court found that there was no reason to attribute the companies’ rights to use Apple IP to their Irish branches. Given that neither the IP itself, nor the companies’ rights to use the IP, were attributable to any functions carried out in Ireland, it followed that the profits generated by the IP were not taxable in Ireland. The fact that the companies did not have employees outside Ireland did not show otherwise, since not everything that is done by companies which generates profits is done by employees.

The Court also found the secondary line and alternative line to be without sound evidential foundation. Even if the methodologies used by the companies, and approved by Ireland’s tax authority, were imperfect, this could not itself suffice to show that the companies received a selective advantage.

Apple was represented by Monckton members Daniel Beard QC, Alan Bates, Ligia Osepciu and James Bourke, instructed by Freshfields Bruckhaus Deringer (Brussels and London).

A copy of the judgment is available here.