Defending Data Protection Claims brought under the ECHR

Data protection claims brought under the ECHR are likely to increase over the next five years. The introduction of the extended fixed costs regime on 1^st October 2023 specifically carved out an exception for claims which included a cause of action under the ECHR. Accordingly, there is a costs incentive to pleading such a claim.

This article will address the ECHR jurisprudence on personal data, its collection under Article 8 ECHR and the Strasbourg’s court approach to proportionality. It will focus on the substantive defences to an Article 8 claim, rather than the procedural defences which are often deployed by defendants.

Personal Data

The European Court of Human Rights (“ECtHR” interprets the concept of “personal data” as “any information relating to any identified or identifiable individual” (Amann v Switzerland [GC], 2000, [65]). This covers information indirectly identifying individuals; for example in Benedick v Slovenia (2018, [108 – 109]), internet subscriber information associated with specific dynamic IP addresses assigned at certain times were found to amount to personal data.

However, unlike the GDPR, not all personal data operations fall within the scope of Article 8, or automatically interfere with such rights. Key considerations include the following:

1. If the data in question has been subject to a permanent or systematic recording (Uzun v Germany, Application No. 35623/05).
2. The specific context in which information on an individual has been recorded and retained, the nature of the records, the way in which these records are used and processed and the results that may be obtained (S and Marper v United Kingdom, Application No. 30562/04 and 30566/04).
3. Whether an individual is reasonably entitled to expect protection of their private life (Glukhin v Russia, Application No. 11519/20).
4. Whether the data attracts a certain level of seriousness and the processing causes prejudice to the personal enjoyment of the right to respect for private life (ML and WW v Germany, Applications Nos. 60798/10 and 65599/10).

Therefore, even in circumstances where the information directly or indirectly identifies an individual, there is scope for Defendants to argue that it does not attract any protection under Article 8 ECHR.

Specific Categories of Personal Data

Much like the GDPR, certain sensitive information justifies reinforced protection under the ECHR. This includes data revealing the following:

1. Racial or ethnic origin (S and Marper v United Kingdom, Application No. 30562/04 and 30566/04).
2. Political opinions (Catt v United Kingdom, Application No. 43514/15).
3. Religious or philosophical beliefs (Sinan Isik v Turkey, Application No. 21924/05)
4. Trade union membership (Catt v United Kingdom, Application No. 43514/15).
5. An individual’s health (YY v Russia, Application No. 40378/06).
6. Criminal proceedings, convictions, or related preventative measures (MM v United Kingdom, Application No. 24029/07).

The ECHR takes a broad view of what constitutes the “processing” of personal data. This covers collection (Benedik v Slovenia, Application No. 623517/14), retention and storage (Khelili v Switzerland, Application No. 16188/07), and disclosure (Mockuete v Lithuania, Application No. 66490/09) of personal data. Each aspect will be considered.

Data Collection

It is well established that surveillance of employees falls within the scope of Article 8 ECHR. This includes surveillance of non-professional phone calls from work premises (Halford v United Kingdom, Application No. 20605/92), the monitoring of email and internet usage at work (Copland v United Kingdom, Application No. 62617/00), and the use of internet and internet messaging (Barbulescu v Romania, Application No. 61496/08).

Barbulescu identified that the monitoring of employees’ use of internet monitoring was subject to a proportionality analysis. Courts must take account of a number of interests when identifying whether any interference with Article 8 had been deemed proportionate. These include:

• Whether there was notice of monitoring.
• The extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy.
• Whether there were legitimate reasons to justify the monitoring of the flow of communications.
• What the consequences of monitoring were for the employee, and whether the monitoring was used for its original specified purpose.
• Whether there were adequate safeguards for privacy, particularly where content monitoring was at stake.

Importantly, the European Court of Human Rights has made it clear that these are considerations when assessing proportionality and not a checklist. In Lopez Ribalda v Spain (Applications Nos. 1874/13 and 8567/13), employees of a supermarket had not been informed that there were hidden CCTV cameras placed to detect potential staff theft. Notwithstanding the absence of notification, the Court found that there had been no breach. This was because they were satisfied that the safeguards of the other criteria had all been met.

Accordingly, when defending a claim arising out of employee monitoring, it is critical for the Defendant to provide either (a) evidence of compliance with the Barbulescu considerations or (b) an explanation as to why certain criteria have not been met. In the latter situation, an employer must provide sufficient evidence of (i) the limits on surveillance and/or (ii) the protections afforded to employees.

Data Retention

The retention of data by police authorities involves an assessment between the protection of personal data, including fingerprint and DNA information, and the legitimate interest in the prevention of crime (S and Marper v United Kingdom Application No. 30562/04 and 30566/04). While the original collection of information is intended to link a person with a crime, the purpose of retention is to identify future offenders. The following factors ought to be considered when assessing the proportionality of retention.

The nature of the data stored. The European Court has called into question the broad scope of a data storage system which fails to draw distinctions between the nature and degree of the seriousness of offences linked to conviction (MK v France, Application No. 19522/09), or depending on whether the victim had been convicted or acquitted. Indeed, in S and Marper, the European Court was concerned that there was a risk of stigmatisation where persons who have not been convicted of any offence are treated in the same way as convicted persons. Indeed in MK, the fact that a person who has benefited from a discharge after being suspected of an offence justified a difference in treatment with someone who had been convicted.

The Data Retention Period. The length of the period is especially important, albeit not decisive when considering proportionality. For example, in S v UK concerned indefinite storage of fingerprints and DNA data on persons who were suspected of an offence but which ended with discontinuance and acquittal. The European Court of Human Rights found a violation, taking account of the indefinite nature of the storage. In many cases it will be proportionate to retain crime reports of offences for long periods of time, particularly where the offences raise public protection issues. This is because generally the interference with the subject’s Article 8 rights is likely to be modest; whereas there is likely to be a compelling public interest in retention.

For example, CL v Chief Constable of Greater Manchester [2018] EWHC 2333 (Admin) concerned allegations against a schoolchild of exchange of sexual images and coercion. The storage of data was challenged principally on the fact that the Claimant was a child. However, the court identified a number of factors which militated in favour of the Defendant:

• Multiple incidents of alleged criminal behaviour.
• The need to identify patterns of behaviour in relation to the future investigation, prevention and detection of crime.
• The best interests of other young people.

Safeguards concerning the destruction or deletion of data stored. One point which does run through the judgments however is the importance of compliance with authorised professional practice by the College of Policing. This authorised professional practice includes for example trigger reviews every ten years to review the records. It forms part of the legal framework: Catt at [11] – [17]. Compliance with the authorised professional practice can substantially fortify a chief constable’s claim that their policy is proportionate. Alternatively, non-compliance with the authorised professional practice is likely to undermine any such claim.

For example, AB v Thameside [2022] EWHC 2749 (KB) concerned whether a recorded allegation of sexual assault (but one which was later found not to be correct) should continue to be retained. This was particularly in circumstances when allegations under the Sexual Offences Act are normally kept until the alleged offender reaches the age of 100. Mr. Justice Johnson found that the factual assessment of proportionality by the judge was not to be interfered with. He noted in passing that there had been systematic failures of the police authority in failing to conduct reviews of the data. The mere fact that there was lack of resources was insufficient.

Ultimately, the critical point for any proportionality assessment is evidence. Reliance on guidance from the College of Policing is important in order to build up the evidence base. Significantly makes it more likely that a challenge would fail.

Disclosure

The Role of Consent. In order to be valid, the victim’s consent must be informed and unequivocal (Konovalova v Russia, Application No. 37873/04).  So in MS v Sweden (1997), the mere fact that the victim had brought an action for damage did not mean that she had waived her right to data confidentiality. It could not be inferred from her request for compensation that she had unequivocally waived her right to respect for private life with regard to the medical records.

Of course, obtaining the data subject’s consent is not always feasible. In Mosley v United Kingdom (Application No. 48009/08), the Court ruled that there was no legally binding requirement that a person should be notified before publishing information on their private life.  

The typical example is the use of footage from CCTV cameras. In Peck v United Kingdom (Application No. 44647/98), a local authority disseminated images of an individual attempting to commit suicide in a public place. Since the footage had focused on and identified one individual, enquiries could have been made of the police to establish the identity of the individual and request consent to disclosure. If consent was refused, then the local authority could have considered other options, such as masking the images before dissemination. The failure of the authority to do this meant that there was a violation of Article 8 ECHR.

Disclosure for protection of public health. A person’s right to respect for medical data must be considered in relation to other legitimate rights and interests. For example, the dissemination of a patient’s health condition within a health system may be relevant and necessary not only to guarantee appropriate medical treatment – but also to ensure the protection of those involved in treatment.

This was well illustrated in Y v Turkey (Application No. 648/10). The Court rejected as “manifestly ill-founded” an application brought on the basis that the victim’s HIV-positive status had been disseminated among various healthcare providers in hospital. Even though the claimant had not given his consent, the Court found that such dissemination was justified on the basis of security of hospital staff and the protection of public health. Indeed, the Court attached importance to the fact that healthcare providers had been required to maintain the confidentiality of such medical data. 

Conclusion

Claims alleging a breach of the ECHR are not identical to those brought under the GDPR. At the heart of any such claim is the proportionality assessment. Practitioners faced with such a claim must build up their evidence to justify their approach to data security. Where there is guidance (such as from the College of Policing), compliance with such a policy is a powerful tool to justify the data measures in question. A failure to identify the necessary evidence at the outset makes it more likely that such a data breach claim will succeed.