The House of Lords are down to hear oral argument at 9am on 29 November in the Michael Durant v the FSA case, as talks between the two sides have so far failed to result in a final settlement of their dispute.
Data protection practitioners, regulators, and other interested observers are once again waiting to see what will happen in the long running Durant v FSA case. Durant will be seeking leave to appeal to the House of Lords in his dispute with the FSA. Durant will also be urging the House of Lords to refer the case to the European Court of Justice in order to obtain clarification of what constitutes 'personal data'.
Michael Durant had petitioned the House for leave to appeal a Court of Appeal decision (Durant v Financial Services Authority  EWCA Civ 1746, 8 December 2003) in which the scope of UK data protection law was restricted. Because this petition had been made outside the official time limits, a special oral hearing was due on 12 October. However, in a shock move, Durant decided to withdraw his petition, denying himself the chance to test before the highest court in the land a Court of Appeal ruling which has been the subject of controversy. That ruling, therefore, remains for the moment as the last word on data protection in the UK.
Whether that particular chapter of litigation is now reopened or not, there is still room for an interesting postscript, as attention focuses on possible proceedings against the UK Government for failure to implement the European Data Protection Directive correctly.
The Court of Appeal ruling in Durant
In 1993 Mr Durant lost in litigation he brought against Barclays Bank plc. The Financial Services Authority (FSA) carried out an investigation into Barclays at Mr Durant’s request but, due to its obligation of confidentiality under the Banking Act 1987, did not inform Mr Durant of the outcome. Though Mr Durant complained about this to the FSA Complaints Commissioner, his complaint was dismissed. As a result, Mr Durant made two subject access requests to the FSA under section 7 of the Data Protection Act 1998 (DPA). In response, the FSA provided Mr Durant with copies of computerised documents relating to him, but did not provide access to any of the manual files. This was on the basis that the information he sought did not form part of a “relevant filing system” within the meaning of the DPA, and that in any case it was not “personal” data for the purposes of the Act.
The Court’s findings:
1. The DPA applies to paper records if they are part of a relevant filing system. The Court of Appeal decided that this did not cover loosely structured files, but rather manual filing systems that have ready accessibility to relevant information: it should be possible at the outset to determine readily whether certain specific information is held about a person, and where in a file such information is located. Organisations whose paper records are only filed in date order, or in a similar way, can assume that these records now fall outside the DPA.
2. Personal data for the purposes of the DPA must “relate to” the individual. This will be the case if either it is biographical to a significant degree, or it focuses on the individual. The Court of Appeal summarised this as information affecting a person’s privacy, whether in his personal or family life, business or professional capacity. The mere fact that a document mentions an individual by name does not make it personal data.
Mr Durant therefore fell at both hurdles: the information he sought was neither his personal data, nor did it come within the definition of relevant filing system – the FSA’s decision not to supply the manual records was correct.
The case caused a stir as it restricted the scope of the DPA by narrowing both the types of paper records it covers and the meaning of personal data. As a result, this would limit individuals’ rights to access data, since those who held the data could rely on Durant to deny access to more records than they might previously have done. This represented a definite tilting of the balance in favour of data controllers, guiding them towards a more restrictive approach in dealing with subject access requests. Moreover, it seemed out of synch with data protection approaches in continental Europe, something that did not go unnoticed at the European Commission.
UK in the dock? Watch this space…
In the summer of 2004, the European Commission sent a letter to the Department for Constitutional Affairs (DCA) expressing concerns about whether the DPA properly implements the European Data Protection Directive. Amongst its queries about UK implementation, the Commission asked the Government to address the impact of Durant. This provided added ammunition to those who are critical of the judgment. Although the letter itself has not been published, the Commission is apparently not concerned with the Court of Appeal’s comments on paper records. It is concerned, however, with the restrictive approach to the meaning of “relate to” in the definition of personal data. The Commission is also enquiring about several other matters such as the adequacy of the Information Commissioner’s powers, the lack of a statutory definition of “consent”, and the UK’s approach to transfers of personal data.
Since the Commission’s letter, there has been an ongoing dialogue between the Commission and the DCA. This process has involved explaining the English legal system, and in particular the interrelationship between the Data Protection Act 1998 and the common law principles of privacy and confidentiality. Communications have taken the form of formal correspondence, additional informal exchanges, and face to face meetings, as the Government seeks to avoid being on the wrong end of official infraction proceedings, especially as the current holder of the EU presidency.
In reality, such proceedings are a long way off. There has been nothing to indicate that the Commission is getting any more threatening, and it is understood that its dealings with the DCA are productive. The Commission operates a six-monthly rolling review of the progress of potential infraction dossiers. The next word is therefore likely to come in the New Year about whether the UK dossier will be dropped altogether, put on hold for further negotiations, or upgraded to a ‘reasoned opinion’, giving the Government three months to put things right or face proceedings in the European courts. Both the Government and the Commission hope to reach an understanding before that move would be necessary. Were any changes to existing legislation required, it is not clear even to the DCA at the moment how exactly to go about it. The Government line is that the definition of personal data continues to have a broad meaning even after Durant.
All of which gives greater relevance to Durant’s last minute decision whether or not to try his luck in the House of Lords. Proceedings in that court would produce a definitive view on the definition of personal data, either from the Law Lords themselves, or indirectly via a referral to the European Court of Justice (ECJ). To the extent that Durant represents a thorn in the Government’s side in terms of its implementation of the Directive, the lack of such a definition (or indeed judicial comment on the Court of Appeal decision) would disappoint the DCA. An ECJ ruling would allow the UK government to avoid this issue, at least in terms of the European Commission’s concerns about Durant.
Whether Durant has reached the end of the line with his litigation or not, some commentators have pointed out that the tenor of the Court of Appeal judgment must be read in its particular, factual context. In the Government’s view “the direct effect of the EU Directive would mean that any UK court considering similar issues in the future would be bound to conclude that a narrow definition [of personal data] was not permissible and could not be lawfully applied.” In this respect, some see it as only a matter of time before a case comes along which would in fact challenge the principles laid down in Durant, be it in the UK or the ECJ. In any event, whether by subsequent case law, or indeed as a result of the European Commission infraction preliminaries discussed above, a wider definition of ‘personal data’ than that in Durant may yet be rehabilitated in the future.
First published in teh