Biggest ever penalty for GDPR breach – Gerry Facenna QC, Julianne Kerr Morrison and Khatija Hafesji advise regulator

On 16 October 2020 the Information Commissioner’s Office announced that it had imposed on British Airways the biggest ever penalty in the UK for breach of data protection law.

The penalty is the culmination of a two-year investigation by the ICO into a cyber-attack on British Airways’ systems in 2018, which affected the personal data of over 400,000 of its customers. The ICO’s investigation identified a number of weaknesses in BA’s cyber-security measures, which were found to have allowed the attack to take place. The ICO also found that BA failed to detect the attack for several weeks, until it was alerted to the exfiltration of personal data from its systems by a third party. The ICO concluded that BA’s failures cumulatively amounted to a serious breach of the requirement to take appropriate measures against unauthorised or unlawful processing, contrary to Articles 5(1)(f) and 32 of the GDPR.

The final penalty, of £20m, was calculated from a starting point of £30m, with downward adjustments to take into account mitigating factors including BA’s prompt reporting of the breach and cooperation with the ICO, and a further discount of £4m having regard to the economic consequences of the Covid-19 pandemic.

The ICO was acting as “lead supervisory authority” on behalf of other EU regulators, meaning that the decision had to be submitted for approval by all other EU data protection authorities, in accordance with Article 60 GDPR.

The ICO’s decision has been widely reported on, including by the BBC, Financial Times, The Times, The Telegraph and The Guardian, as well as the Register and other specialist tech and data publications. A copy of the penalty notice and decision is available here.

Gerry Facenna QC, Julianne Kerr Morrison and Khatija Hafesji advised the Information Commissioner’s Office throughout the investigation, Article 60 process, and the final penalty decision.

Melanie Hall QC and Harry Gillow secure a victory for local authorities – the provision of sports and leisure facilities in Northern Ireland falls outside the scope of VAT

In a decision released today in a test case concerning the provision of sports and leisure facilities by all local authorities in Northern Ireland, the First-tier Tax Tribunal has ruled in Mid Ulster District Council (formerly Magherafelt District Council) v Comrs. for Her Majesty’s Revenue and Customs TC/2011/687& TC/2012/9253 that the provision of those facilities is not subject to VAT. The case was the designated lead case for Northern Ireland. Chelmsford City Council v HMRC TC/2011/7844 was the lead case for England & Wales and Midlothian Council v HMRC TC/2011/7816 for Scotland.

The decision for Northern Ireland will potentially have far-reaching implications for all UK local authorities providing services pursuant to any statutory duties and powers which can be classified as a special legal regime. The Tribunal found on the evidence that local authorities in Northern Ireland were not in competition with private providers of sports and leisure services. The appeal was therefore allowed.  The question whether the same is true for the rest of the UK will be determined on the evidence at a further hearing if the parties so request.

Melanie Hall QC and Harry Gillow acted for Mid Ulster (formerly Magherafelt) District Council, the successful Appellant. Raymond Hill acted for HMRC. The decision can be read here. The decisions for England, Wales and Scotland can be read here and here.

The case has been covered in the media: The Irish News and Newtownabbey Times

Court of Appeal Rules on Abuse of Process in Competition Damages Claim

The Court of Appeal has dismissed appeals by the Defendants in a series of competition damages claims arising from the European Commission’s 2016 infringement decision relating to trucks. The claims are currently before the Competition Appeal Tribunal which, in March 2020, ruled on a preliminary issue concerning the binding nature of the Commission’s decision. The Tribunal held that:

(1) a number of the Commission’s findings were binding as a matter of EU law; and
(2) in relation to the remainder, it would be an abuse of process for the Defendants to contest findings that the decision recorded them as having accepted in the settlement procedure, unless there was some justification for doing so.

The Tribunal’s conclusion on abuse of process reflected the fact that the Commission’s decision followed a settlement procedure in which the Defendants accepted the infringement.

The Defendants appealed the Tribunal’s decision on abuse of process to the Court of Appeal and on 7 October 2020, following a remote two-day hearing, the Court dismissed the appeals with reasons to follow.

Mark Brealey QC, Tim Ward QC, Ben Lask and Anneliese Blackwood acted for a number of the Claimants before the Court of Appeal. Daniel Beard QC, Paul Harris QC, Ben Rayment, Michael Armitage, David Gregory and Alexandra Littlewood acted for a number of the Defendants.

Tim Ward QC and Andrew Macnab, representing the United Kingdom and HMRC at the CJEU, successfully resist a challenge to scope of VAT exemption for “insurance transactions”

Case C-235/19 United Biscuits (Pension Trustees) Limited and United Biscuits Pension Investments Limited v HM Revenue and Customs, CJEU, 8 October 2020, ECLI:EU:C:2020:801.

The Court of Justice of the European Union has ruled in favour of HMRC in a reference from the Court of Appeal concerning whether pension fund management services supplied to the trustees of a defined benefit occupational pension fund are “insurance transactions” within the meaning of the insurance exemption in Article 135(1)(a) of the VAT Directive (2006/112/EC).

The Appellant (“UB”) is the trustee of a defined benefits pension fund. It claimed restitution of sums paid by way of VAT on supplies of pension fund management services provided by undertakings that were not authorised insurance companies (“Non-Insurers”). Supplies of such services by Non-Insurers have always been treated as standard rated under UK law. The two main issues were (1) whether the supplies by Non-Insurers were to be treated as exempt supplies of “insurance”, because (allegedly similar) supplies of pension fund management services by authorised insurance companies (“Insurers”) had were treated as exempt; and (2) if Non-Insurers’ supplies should have been exempt, whether EU law required UB to be given a direct claim against HMRC to recover sums they had overpaid by way of VAT to the Non-Insurers (notwithstanding the Supreme Court’s recent decision in Investment Trust Companies (In Liquidation) v RCC [2017] UKSC 29; [2017] 2 WLR 1200; [2017] STC 985, “ITC SC”).

At first instance, Warren J decided both issues in favour of HMRC and dismissed UB’s claim. On Issue (1), Warren J held that the services were not “insurance transactions” within the meaning of Article 135(1)(a) and were thus properly standard rated. Further, the principle of fiscal neutrality did not require them to be treated as if they were “insurance transactions” (and thus exempt) or to be given the same (incorrect) VAT treatment as supplies of pension fund management services by Insurers. On Issue (2), Warren J held that EU law did not require UB to be given direct claim against HMRC: it was not “impossible or excessively difficult” for UB to vindicate any putative EU law rights it had via the route dictated by UK statute, namely a claim against the Non-Insurer. See United Biscuits (Pension Trustees) Ltd & Anor v Revenue And Customs [2017] EWHC 2895 (Ch) (30 November 2017).

On UB’s appeal, the Court of Appeal (Patten, Henderson and Rose LJJ) referred a question to the CJEU on Issue (1). In answer, the CJEU has ruled that “investment fund management services supplied for an occupational pension scheme, which do not provide any indemnity from risk, cannot be classified as ‘insurance transactions’, within the meaning of [Article 135(1)(a), and thus do not fall within the value added tax (VAT) exemption laid down in that provision in favour of such transactions”. The CJEU confirmed that, as generally understood and according to settled case-law, the essentials of “insurance transactions” referred to in Article 135(1)(a) are that the insurer undertakes, in return for prior payment of a premium, to provide the insured, in the event of materialisation of the risk covered, with the service agreed when the contract was concluded. Since the services supplied to UB did not have those essential features, they were not “insurance transactions”. The CJEU also rejected UB’s arguments, based on statements in the judgments in CPP (C‑349/96, EU:C:1999:93) and Skandia (C‑240/99, EU:C:2001:140), to the effect that the meaning of “insurance transactions” in the VAT Directive was dictated by the EU Directives concerning the regulation of insurance companies; and also held that pension fund management was not “insurance” within the meaning of the insurance directives, but was instead an “operation” relating to insurance.

Tim Ward QC and Andrew Macnab represented the UK in the CJEU and HMRC in the Court of Appeal. Andrew Macnab represented HMRC in the High Court. Read the full decision of the CJEU here (on Bailii), here (on EUR-Lex) or here (on Curia).

Tim Ward QC acts for Uber London Ltd in successful licence appeal

Uber London Ltd (“ULL”) has successfully appealed against the refusal of Transport for London (“TfL”) to grant it a new licence. TfL had refused to renew ULL’s private hire vehicle operator licence for London pursuant to the Private Hire Vehicles (London) Act 1998 on the grounds that it considered that ULL was not a “fit and proper person” to hold such a licence. On ULL’s appeal, Deputy Senior District Judge Ikram concluded that ULL was a fit and proper person. The Judge noted that whilst ULL did not have a “perfect record… I am satisfied they are doing what a reasonable business in their sector could be expected to do, perhaps even more.” The Court ruled that ULL should be granted a licence for 18 months, subject to certain conditions.

Tim Ward QC acted for ULL.

The case has been covered in the media: BBC, The Guardian, The Times and The Telegraph.

Representative action against YouTube on children’s privacy rights: Gerry Facenna QC and Nikolaus Grubeck act for Claimants

Representing up to 5 million children in England & Wales aged under 13 and their parents, privacy expert Duncan McCann has launched a claim against Google, the owner of YouTube. The claim alleges that YouTube’s methods of targeting underage audiences are in breach of data protection law, including because YouTube does not have parental consent to collect and process children’s personal data, which YouTube uses for targeted advertising.

The claim has been covered, amongst others, by the BBC, the Mail on Sunday, Business Wire, TechCrunch, and Lawyer Monthly.

Gerry Facenna QC and Nikolaus Grubeck are acting for the representative claimants, instructed by Hausfeld.

Challenge to Ofqual’s exam algorithm: Ciar McAndrew acts in proposed judicial review

The Secretary of State for Education and Ofqual have today announced that A-Level and GCSE students unable to sit their exams due to Covid-19 will be awarded their teacher-predicted grades, rather than grades calculated in accordance with a standardisation algorithm developed by Ofqual.

The algorithm had been used by Ofqual to bring thousands of students’ predicted grades into line with the grades historically achieved by students at their school. In practice, this operated to pull down the results of high-achieving students whose schools had no history of achieving high grades. The standardisation effect was disproportionately felt by state school students in large classes: for cohorts of 5 students or less, the standardisation process was disapplied and students were awarded their teacher-predicted grades, giving a boost to the results of students from the independent sector.

Curtis Parfitt-Ford, an 18-year-old A-Level student, sought to challenge the algorithm after it emerged that around 40% of students had seen their predicted marks downgraded following standardisation. In pre-action correspondence sent to Ofqual on 14 August 2020, Mr Parfitt’s representatives argued that use of the algorithm was contrary to Ofcom’s statutory objectives and produced irrational, arbitrary and unfair results. They also proposed to challenge the algorithm on the basis that it breached data protection rules, including those relating to profiling, automated decision-making and algorithmic bias.

At 4pm today, the Secretary of State and Ofqual confirmed that students would be awarded the higher of their teacher-predicted and algorithm-generated grades. The statement from the Chair of Ofqual can be found
here.

The proposed claim has received extensive press coverage, including from the Guardian, the Times and the BBC. It represents the second time in as many weeks that a public body’s use of a decision-making algorithm has been in the spotlight: Nikolaus Grubeck and Ciar McAndrew recently acted for the Joint Council for the Welfare of Immigrants in a judicial review claim which secured the suspension of a visa streaming algorithm used by the Home Office.

Ciar McAndrew acted for Curtis Parfitt-Ford, led by Estelle Dehon of Cornerstone Barristers and David Wolfe QC of Matrix Chambers. They were instructed by Rosa Curling of Leigh Day.

Curtis Parfitt-Ford was supported by Foxglove, a non-profit organisation which focuses on the fair use of technology. The pre-action correspondence can be found on Foxglove’s website.

Court of Appeal rules Automated Facial Recognition breaches data privacy rights: Gerry Facenna QC and Eric Metcalfe act for Information Commissioner in landmark case

In a ground-breaking decision, the Court of Appeal today unanimously held that the use of Automatic Facial Recognition (AFR) by South Wales Police breached privacy and data protection rights due to the lack of a clear legal framework, reversing the Divisional Court’s judgment in September 2019 which had approved its use. That judgment was acclaimed as the first time any court anywhere in the world had considered the lawfulness of AFR.

Gerry Facenna QC and Eric Metcalfe acted for the Information Commissioner, who had been granted permission to make written and oral submissions before both the Divisional Court and the Court of Appeal.

The Court of Appeal accepted the submissions of the Commissioner and the Appellant that the legal framework governing AFR failed to comply with the right to private life under article 8(2). The Court observed that it was “not clear who can be placed on the watchlist nor is it clear that there are any criteria for determining where AFR can be deployed” (paragraph 91). The existing policies governing AFR, the Court held, “do not sufficiently set out the terms on which discretionary powers can be exercised by the police and for that reason do not have the necessary quality of law” (paragraph 94).

The Court also agreed with the Commissioner’s argument that the Police’s data protection impact assessment failed to meet the requirements of section 64 of the Data Protection Act 2018 because it “failed properly to assess the risks to the rights and freedoms of data subject” (para 153). In addition, the Court of Appeal held that South Wales Police had breached their public sector equality duty under the Equality Act 2010, on the basis that they had “never sought to satisfy themselves, either directly or by way of independent verification, that the software program in this case does not have an unacceptable bias on grounds of race or sex” (paragraph 199).

Today’s judgment has received widespread media coverage, including the Financial Times, the Daily Telegraph, the Guardian, the Times, and the BBC.

Gerry Facenna QC and Eric Metcalfe acted for the Information Commissioner.

Nikolaus Grubeck and Ciar McAndrew act for JCWI in successful challenge to racially discriminatory Home Office decision-making algorithm

The Secretary of State for the Home Department has today announced that the Home Office will discontinue the use of an algorithm used to categorise visa applicants on racially discriminatory grounds.

The algorithm, known as the Streaming Tool, was used to process a range of applications for visas to enter the UK. The Streaming Tool allocated a Red, Amber or Green risk rating to relevant visa applications. Applications made by people holding ‘suspect’ nationalities received a higher risk score. Their applications received intensive scrutiny by Home Office officials, were approached with more scepticism, took longer to determine, and were much more likely to be refused.

The Joint Council for the Welfare of Immigrants (JCWI), a charity which advocates for the elimination of injustice within the immigration system, sought judicial review of the use of the Streaming Tool. JCWI was supported in its claim by Foxglove, a non-profit organisation which focuses on the fair use of technology. JCWI’s grounds of claim, and the Home Office’s decision to retire the Streaming Tool, can be found on Foxglove’s website.

JCWI argued that, in taking account of a visa applicant’s nationality, the Streaming Tool directly discriminated on the grounds of race, in breach of sections 13 and 29 of the Equality Act 2010. JCWI also argued that the Streaming Tool was irrational, because it created a ‘feedback loop’ in which applicants with ‘suspect’ nationalities were more likely to have their visa application rejected, with a high level of rejections in turn being used to justify keeping that nationality on the ‘suspect’ list. Furthermore, the Streaming Tool promoted confirmation bias in Home Office officials, who were encouraged to rely on the algorithm as a tool to aid their substantive decision-making.

In response to JCWI’s claim, the Home Secretary today confirmed that the Home Office will suspend the algorithm with effect from 7 August 2020, “pending a redesign of the process” which will consider “issues around unconscious bias and the use of nationality” in automatic visa systems. The Home Secretary also undertook to undertake and disclose Equality Impact Assessments and Data Protection Impact Assessments for any new system.

The claim is the first known successful legal challenge to an algorithmic decision-making system. It has received extensive press coverage, including from the Guardian, the BBC, and Sky News.

Nikolaus Grubeck and Ciar McAndrew acted for JCWI, led by Ben Jaffey QC. They were instructed by Rosa Curling and Erin Alcock of Leigh Day.

Upper Tribunal clarifies the scope of “public authorities” under EIRs

In its judgment in Information Commissioner v Poplar HARCA, the Upper Tribunal has clarified the scope of Regulation 2(2)(c) of the Environmental Information Regulations (EIRs), which provides that private entities can be considered to be “public authorities” and subject to the EIRs where they ‘carry out functions of public administration’.

The Upper Tribunal upheld the FTT decision that Poplar HARCA, as a private registered provider of social housing, is not subject to the EIRs. In order to fall within the definition, an entity must be ‘entrusted’ by legislation with performing its functions of public administration, as well as being ‘vested with special powers’ for that purpose. Moreover, the fact that an entity is subject to a regulatory regime laid down in statute is not sufficient to constitute an ‘entrustment’.

Given the widespread practice of out-sourcing by Government, as well as the privatisation of many sectors, the judgment has significant implications for the reach of the access to environmental information regime.

Laura Elizabeth John represented the Information Commissioner.

Read the case note commentary by Harry Gillow and the full judgment is here.