Sir Cliff Richards v BBC: is publicity the soul of justice?

Sir Cliff Richards v BBC: is publicity the soul of justice?

You don’t have to be a privacy or media lawyer to have heard of the sex abuse allegations levied against celebrities in the entertainment industry over the last few years. The investigations concerning Sir Cliff Richard, a famous British musician, included a widely-televised raid on his estate in Berkshire by South Yorkshire Police. Nearly four years after the BBC first named and shamed Sir Cliff in what is now considered to have been “sensationalist” journalism, the High Court has determined that his rights of privacy were infringed.

What makes this case so interesting is that it does not focus on defamation —that is, the publication (or voicing) of a statement which adversely affects another person’s reputation. Instead, Sir Cliff won his case on the basis that the BBC’s wrongful disclosure of his private information was an invasion of his privacy. 

In Sir Cliff Richard v BBC and South Yorkshire Policethe Court considered if suspects who have not been formally charged by police have a reasonable expectation of privacy in respect of the criminal investigation. How are an individual’s rights to privacy balanced against the freedom of expression enjoyed by media organisations? That the suspect in this case is a celebrity only complicates matters, as it calls into question the importance publishing private details in the name of public interest.

Prosecutors said in 2016 that there was not enough evidence to justify criminal charges against Mr. Richard, one of Britain’s best-known entertainers, with a career spanning some 60 years. However, the BBC stands by their reportage of the allegations, and I suspect the BBC will indeed appeal this decision.

As if written for the stage, the Justice Mann’s 120-page judgement begins with a summary of key characters and the plot as it unfolded…

Related image
Daniel Johnson, in front of Sir Cliff’s Berkshire estate

Daniel Johnson, an investigative journalist for the BBC, received a tip-off from a police insider in June 2014 that Sir Cliff was under investigation for historic sex offences against a child. In a manner some would consider blackmail, Johnson “exploited the opportunity to get confirmation of his story about Sir Cliff, and more details if possible” from the South Yorkshire Police (SYP). In exchange for Johnson not publishing the story immediately, the SYP promised that he would be given advance notice of the search of Sir Cliff’s estate. The raid was eventually conducted in August 2014, with BBC crew waiting at the gates and helicopters hovering overhead to capture the whole ordeal.

In case you’re wondering where the Beeb’s lawyers were, the BBC held a meeting to discuss whether to name Sir Cliff and when to broadcast. In her testimony, Senior Editor Fran Unsworth explained that “the legal risk was diminishing because they had got a lot of confirmation of the facts of the story”. The principal legal concern seems to have been in respect of factual accuracy and defamation, and not privacy – as “the lawyers had not flagged that up to her as a specific risk” (para 111).

scne2
the (not very exciting) footage shows plain-clothes police entering Sir Cliff’s estate.
scene1
Three gloved individuals appear to be looking through what is likely Sir Cliff’s office

The legal framework of Sir Cliff’s privacy claim is enshrined in European Convention on Human Rights, brought into force in the UK by the Human Rights Act 1998.

Article 8 sets out the right to privacy: “Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law […] or for the protection of the rights and freedoms of others.”

Article 10 upholds the BBC’s competing rights of expression: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society [including those] for the protection of the reputation or rights of others.”

In instances where which both Article 8 and Article 10 are engaged, the Court has to perform a balancing and weighing act to ascertain which predominates. Neither article has prima facie precedence over the other.

Article 8 privacy protections arise only where an individual has a reasonable expectation of privacy. For example, if I have a conversation with my friend in a crowded coffee shop in central London, I cannot reasonably expect our discussion to be protected as truly private.

The 77 year-old singer told the Court that he suffered an “unbelievable amount of hurt and pain” after the BBC broadcast the allegations that he had sexually assaulted a boy in 1985. “It felt like torture, sustained over almost two years. It felt as though everything I had done, everything I had built and worked to achieve, was being torn down, like life itself was coming to an end.”

But one might wonder if, as a celebrity, Sir Cliff cannot claim to have an expectation of privacy. A certain amount of emphasis was given by the BBC to the fact that Sir Cliff was a public figure, and one who had promoted his Christian beliefs. Because Sir Cliff had been so vocal (ie public) about Christian morality, the BBC considered that his alleged sexual crimes against a child qualified as a matter of public interest. To that point, the Court acknowledged that in certain special circumstances, the public’s right to be informed can extend into private aspects of public figures (para 276).

However,  Rocknroll v News Group Newspapers [2013] EWHC 24 (Ch) upheld that a public figure is not, by virtue of their fame, necessarily deprived of his or her legitimate expectations of privacy. Axel Springer v Germany 39954/08 [2012] ECHR 227 also makes clear that the safeguard afforded by Article 10 to journalists is subject to the proviso that they are acting in good faith and on an accurate factual basis, and that they provide “reliable and precise” information in accordance with the ethics of journalism.

In considering the BBC’s argument that the stories about Sir Cliff had been published in the public interest, the Court disagreed, saying that reporters at the BBC “were far more impressed by the size of the story and that they had the opportunity to scoop their rivals.” (para 280) This echoes the findings in Axel Springer, in that photographs and commentary which expose a person’s private life cannot be considered to have been published in the name of public interest, if they were in fact made public only to “satisfy the curiosity of a particular readership” (Axel Springer, para 48). It is unsurprising in my view that Justice Mann “came to the clear conclusion that Sir Cliff’s privacy rights were not outweighed by the BBC’s rights to freedom of expression” (para 315).

Publicity is the very soul of justice. In the darkness of secrecy, sinister interest and evil in every shape, have full swing. Only in proportion as publicity has place can any of the checks, applicable to judicial injustice, operate. Where there is no publicity there is no justice.

Jeremy Bentham. legal and social reformer (1748 – 1832)

Will this case have a chilling effect on media freedoms? Writing for The Guardian, Professor of Financial Journalism Jane Martinson argues that “as long as the media reports accurately – making it clear when a suspect is under investigation for a serious crime, rather than arrested or charged – there should be no bar to the public knowing what is going on.” However, in my view this fails to take into consideration the complexity of public perception. In his concluding remarks, Justice Mann cited “the failure of the public to keep the presumption of innocence in mind at all times” as an aggravating factor against the BBC.

Other criticisms focus on the point that this case provides an undeserved blanket of anonymity to criminals, providing a way to keep allegations against possible abusers secret. Whether or not there is a reasonable expectation of privacy in a police investigation is in actuality fact-sensitive question, and is not capable of a universal answer (para. 237). According to Police Guidance on Relationships with the Media, the names or identifying details of suspects of crime should not be released by police to the press or public, unless special circumstances apply — such as threat to life, the prevention or detection of crime, or a matter of public interest.

The inevitable stigma attached to the extremely serious allegations against Sir Cliff made the invasion of privacy even worse. When an individual’s good reputation is tarnished, even wrongfully, it may never be recoverable. This is especially harmful to celebrities, who rely so heavily on public favour. In my view, Sir Cliff Richards v BBC is not a sweeping new precedent that stifles freedom of the press: it simply restates the statutory protections afforded by the Human Rights Act within the context of already-established European and English case law.

Social network, media company, host provider, neutral intermediary… what’s in a name for YouTube?

Social network, media company, host provider, neutral intermediary… what’s in a name for YouTube?

Media companies who call themselves social networks will have to recognize that they, too, have to take on responsibility for the content with which they earn their millions.

-— Markus Breitenecker, CEO of Puls4

Who is to blame, if someone records TV programmes and illegally uploads them to YouTube: YouTube, or the individual? According to the Commercial Court of Vienna, YouTube is jointly responsible for copyright breaches from user-uploaded content. Is this einer Entscheidung, die das Internet revolutionieren könnte – a decision that could revolutionize the Internet?

To date, the unanimous opinion of European case law supports the position that YouTube is only a platform, an intermediary, a service provider, a neutral host, and so on – and therefore could not bear the responsibility for stolen content. That’s no longer true, says the Handelsgericht Wien (Vienna’s Commercial Court).

In its judgement of 6 June, the Court handed Austrian TV broadcaster Puls4 a key victory in its four-year legal battle with Google-owned YouTube. In 2014, Puls4 had sued YouTube for allowing Puls4’s stolen content to appear on the YouTube platform. YouTube responded by asserting the Host Provider Privilege set out in Article 14 of the E-Commerce Directive 2000/31/EC, which in certain situations shields host providers from being held responsible for the actions of its users.

The Americans have a similar provision in the Online Copyright Infringement Liability Limitation Act (OCILLA), which forms part of the Digital Millennium Copyright Act. The OCILLA creates a conditional “safe harbor” for online service providers by shielding them for their own acts of direct copyright infringement, as well as from potential secondary liability for the infringing acts of others. In exempting internet actors from copyright infringement liability in certain scenarios,  both Article 14 and the Safe Harbor rule aim to balance the competing interests of the copyright holders, and those who use the content online.

Where YouTube is simply a host provider, it is the individual who uploaded the video in the first instance who is to blame for the theft of copyrighted material. This time, the Court disagreed with YouTube’s argument, and has found finding the media giant to be jointly responsible for the copyright infringement.

So, why should we care about the Puls4 case? Although Austrian case law is not binding for other European Union member states, the Commercial Court’s judgment sets a precedent for denying Host Provider Privilege to YouTube. This may encourage similar decisions in the future which are based on the same line of argument.

Speaking to German newspaper Der Standard, Puls4’s CEO Markus Breitenecker explained that YouTube had effectively abandoned its neutral intermediary position and assumed an active role, which provided it with a knowledge of or control over certain data. In European legislative parlance, this is known as being a false hosting provider or false intermediary.

For years, many of us have assumed that YouTube is just a inanimate platform to which users upload videos. This case underscores that YouTube can no longer “play the role of a neutral intermediary” because of its “links, mechanisms for sorting and filtering, in particular the generation of lists of particular categories, its analysis of users’ browsing habits and its tailor-made suggestions of content.”

Puls4 and YouTube have until early July to petition the court, before it issues its binding ruling. In a statement to The Local Austria, YouTube said it was studying the ruling and “holding all our options open, including appealing” the decision.  In the meanwhile however, YouTube noted that it takes protecting copyrighted work very seriously.

If the preliminary decision is upheld, YouTube must perform a content check upon upload, instead of simply removing copyright infringing content upon notification. In respect of this, the Viennese court stated that “YouTube must in future — through advance controls — ensure that no content that infringes copyright is uploaded.” It is therefore rather timely that YouTube began beta testing a feature called Copyright Match last month, a tool which allows users to scan the platform to locate full re-uploads of their original videos on other users’ YouTube channels.

Screenshot 2018-06-28 at 10.29.54 PM
some Puls4 content is still available on YouTube (at least, here in the UK).

The European Parliament seems to think the arguments about false hosting providers is best left to the courts to decide. Despite the E-Commerce Directive being more than 15 years old, there is no pressing need for a reform. In a recent report on the matter,  the European Parliament’s Committee on the Internal Market and Consumer Protection stated that while false hosting providers may not have been envisaged at the time of the adoption of the E-Commerce Directive in 2000, “the delineation between passive service providers caught by Article 14 and active role providers remains an issue for the court.”

 

 

Now you’re just somebody that I used to know

Now you’re just somebody that I used to know

The GDPR has been in force for less than two weeks, but Europeans have already started to contact companies left, right and centre to exercise their newly enshrined statutory “right to be forgotten.”

However, this right is not absolute, and only applies in certain circumstances. Let’s look at the balancing act between a data subject’s right to have their data erased on the one hand, and an organisation’s need to maintain data for legitimate purposes, on the other.

Organisations (data controllers and processors) are obliged to only collect and use personal data in a lawful manner, as set out in Article 6. There are several types of “lawful processing,” including in instances where an individual grants his or her explicit and informed consent. But lawful processing also covers the use of data for a controller’s legitimate interests, the performance of a contract, or legal obligations, such as fraud prevention. For more on lawful processing, check out my earlier post – Lights, camera, data protection?

With this in mind, it’s important to note that only in certain scenarios does an individual have the right to be forgotten. Under Article 17(1), their data must be either:

  1. no longer necessary for the original purpose
  2. processed based on consent, which is now withdrawn
  3. processed based on the organisation’s legitimate interests, which the individual objects to;
  4. processed for direct marketing purposes, which the individual objects to;
  5. processed unlawfully (in contravention of Article 6);
    or
  6. erased to comply with a legal obligation.

But before an organisation hits “delete” it must see if any purposes for retention apply. In pre-GDPR days gone by, data subjects had to prove they had the right for their data to be erased. The burden now lies with the controller to prove that they have a legal basis for retaining the data. If so, the organisation has a lawful reason to refuse the erasure request. In fact, deleting data when an exemption does apply could be a breach of the law!

The purposes for retention under Article 17(3) are:

  1. the right of freedom of expression and information;
  2. complying with a legal obligation, or for performing a task in the public interest;
  3. for reasons of public health;
  4. for archiving in the public interest, including scientific or statistical research; or
  5. for the establishment, exercise or defence of legal claims.

Additionally, “manifestly unfounded” or “excessive” requests may be refused outright.

From what I’ve seen in practice over the last few days, most erasure requests are made because an individual no longer wants to receive marketing emails. Fair enough: in shifting responsibility onto corporate controllers, the right to be forgotten strengthens individual control. It also signifies public disapproval of entities which process – and, in some instances abuse – enormous quantities of personal information without the explicit consent or knowledge of the individuals concerned.

For those of us interested in the societal and human rights implications (I’m telling you – data protection isn’t just for the techies amongst us!) it’s worthwhile to consider how journalism fits into the picture.

As Oxford’s International Data Privacy Law summarises rather eloquently: The nebulous boundaries and susceptibility to misuse of the right to be forgotten make it a blunt instrument for data protection with the potential to inhibit free speech and information flow on the Internet.

As early as 2012, Reporters Without Borders (formally, Reporters Sans Frontières) criticized the right to be forgotten – then in early draft stages – as a generalised right that individuals can invoke when digital content no longer suits their needs. This runs the risk of trumping the public interest in the information’s availability. RSF also contends that the demand for complete erasure of online content, or the “right to oblivion”, could place impossible obligations on content editors and hosting companies.

EU Commissioner Viviane Reding responded to the criticism from RSF by explaining that the [GDPR] provides for very broad exemptions to ensure that freedom of expression can be fully taken into account.

Note – this post covers the statutory Right to Erasure under Article 17 of the GDPR. Although related, it is distinguished from the recent high-profile cases against Google, in which the English Supreme Court held that a defendant convicted of a crime was entitled to the right to be forgotten, and therefore delisted from Google search results. A more serious offence, with fewer mitigating circumstances, did not attract the same right.

photo © Cassidy Kelley

Lights, camera, data protection.

Lights, camera, data protection.

Cannes: movie stars, auteurs, glamour, the French Riviera, and… data privacy?

Before the cameras start rolling, a film production company will need to agree service contracts for cast and crew.  In honour of the Cannes Film Festival happening this week, let’s consider how data protection issues need to be addressed for an actor’s contract.

A standard Actor’s agreement will cover payment, travel and residence allowances, box office bonuses, and of course, intellectual property.  But if the production company intends to process a significant amount of personal data about the Actor – such as dates and locations of filming, and details of travel arrangements and accommodation –  the agreement should also contain a data protection clause.  Remember that “processing” is widely defined, and covers any activity involving personal data, including storing, sharing, or reading.

Related image
The Cannes 2018 poster, featuring an image from Jean-Luc Godard’s 1965 film “Pierrot le Fou.”

“The Actor agrees and hereby give her consent to the holding and processing of personal data relating to the Actor in any form, whether obtained or held in writing, electronically or otherwise, by the Producer.”

The above clause may be acceptable under the UK Data Protection Act 1998, but is problematic under the incoming General Data Protection Regulation (GDPR).

Consent. As worded above, the Actor is providing the Producer with blanket consent to process her personal data.  Under the GDPR, consent means “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Art. 4(11)).

Given that this is a contract between a prospective employee and her boss, there is an imbalance of power between the parties. Accordingly, the Actor’s consent statement is unlikely to be considered “freely given” as is required under the GDPR.  Furthermore, personal data processing should neither be disguised nor bundled with the provision of a contract (Art 7(4)).

Even in other contexts, it would be unwise to rely on the Actor’s consent for processing, as this can cause difficulties if consent is withdrawn at a later date.  It is therefore advisable to rely on another lawful basis.

Another lawful basis? “Lawful basis” is just another way of saying “reason to do something.” Consent is just one of the six lawful bases permitted (Art. 6 GDPR). As the conditions for consent are very strict and unlikely to be met in this scenario, the Producers should consider their other options:

  • Contract: Processing is necessary for a contract with the person. Employment contracts are certainly applicable in this instance: for example, the Producers must process the Actor’s bank details to pay her.
  • Legal obligation: Processing is necessary for the Producers to comply with the law. This could include their tax obligations for HMRC, or complying with money laundering regulations.
  • Legitimate interests: The Producers must process the data for their legitimate interests. This could include business purposes such as sending out publicity emails with the Actor’s name and contact details, posting her image on social media, and so on. This is the most flexible basis to rely upon, but requires the Producers to demonstrate (inter alia) that their objectives are not unreasonable, and do not harm the Actor’s human rights (Recital 47).
  • The other lawful bases of protecting vital interests and carrying out a public task are not applicable in our scenario, but worth noting for completeness.

To be GDPR compliant, the clause could be amended to something like:

The Producers will collect and process the Actor‘s personal data in accordance with the Privacy Notice annexed to this Agreement. The Actor will sign and date the Privacy Notice and return it to the Executive Producer within 10 days of signing this Agreement.

The purpose of the Policy Notice is to provide the ActorActor with the information she is entitled to receive as a data subject (Articles 13 and 14). The Privacy Notice, likely to take the form of a letter, will explain how the Producer obtains, uses, and retains the Actor’s personal data. It will also set out the relevant lawful bases for each type of processing, and explain how the Actor can exercise her rights (Articles 15 through 22 inclusive).

Of course, the work doesn’t end once the agreement is signed. The Producers will need to make sure anyone who handles personal data within their organisation understands the new requirements under the GDPR. Having clear policies is only part of the story: those policies will need to be followed.

It’s a common misconception that the GDPR is just about IT security and marketing emails filling up your inbox. In reality, the legislation will provide enhanced rights for data subjects, and it’s important to remember that employees are data subjects too.

No more Safe Harbours for EU-ser Uploaded Content?

No more Safe Harbours for EU-ser Uploaded Content?

The European Union is considering a sweeping new Directive on Copyright in the Digital Single Market, currently in draft stages. Industry groups are keen to ensure their opinions are taken into consideration, especially in instances where consumers share content which belongs to artists, authors, record labels, and television channels.

Digital platforms and internet service providers which host User Uploaded Content (UUC) argue that they are not responsible for any copyright infringing material uploaded by their users. However, trade bodies representing various industries believe the incoming Copyright in the Digital Single Market Directive doesn’t go far enough to reform this safe harbour principle.

The E-commerce Directive states that EU Member States shall ensure that internet service providers are not liable for copyright infringements carried out by its customers, on condition that: (a) the ISP does not have actual knowledge of illegal activity or information;  and (b) the provider “acts expeditiously to remove or to disable access” to the illegal content, once they become aware of it (see Article 14).

This article provides ISPs with a “safe harbour” from copyright liability (also known as the “mere conduit” provision). Generally speaking, a safe harbour* is simply a protection available within a regulation that specifies that certain actions do not to violate a given rule, in particular circumstances.

1709 - EU Safe Harbour
In the United States, this principle operates under the “notice-and-take-down system”

About 18 months ago, the European Commission announced its plans to introduce a new Directive on Copyright in the Digital Single Market. As the explanatory memorandum sets out, “the evolution of digital technologies has changed the way works and other protected subjectmatter are created, produced, distributed and exploited. In the digital environment, cross-border uses have also intensified and new opportunities for consumers to access copyright-protected content have materialised. Even though the objectives and principles laid down by the EU copyright framework remain sound, there is a need to adapt it to these new realities.”

Amongst other things, the propsed Directive seeks to rebalance the position of the copyright owner against that of the internet service provider. Last week, various trade groups representing Europe’s creators and creative content producers published an open Letter to the European Council.

The authors suggest that, far from ensuring legal certainty, the Directive as currently drafted “could be detrimental to our sectors,” which include journalism, film and TV, music, and sport. While the authors support the objectives of the proposed legislation, the Letter critiques the latest draft of the directive, and expresses significant concerns about the safe harbour reforms.

In particular, the problems seem to arise with sections addressing the “use of protected content” by ISPs and other platforms which “store and give access to large amounts of works and other subject-matter uploaded by their users”. Put simply, the copyright industries want the safe harbour reformed, so that it no longer applies to user-upload sites (Complete Music Update).

This draws into question how online platforms hosting UUC should monitor user behaviour and filter their contributions. Currently, the platforms review material after it has been published and reported or “flagged” as copyright infringement. This may, as has been discussed with Facebook’s proposed use of artificial intelligence in copyright and hate speech monitoring, “inevitably require an automated system of monitoring that could not distinguish copyright infringement from legal uses such as parody” (The Guardian).

The authors of the Letter voice complaints in respect of the draft forms of Article 2, Article 13(1) and Article 13(4):

  • Article 2 defines which services fall under liability, mentioned further at Article 13. The latest draft could leave most UUC platforms outside the scope, despite the fact they continue to provide access to copyright protected works and other subject-matter. For example, music playing in the background of a makeup tutorial on YouTube.
  • The problem with Article 13(1) as currently written is that it risks narrowing the scope of the right and contravening CJEU jurisprudence. The Letter’s authors argue that “any new EU law should secure that this right is broad,” and “contain no additional criteria which could change via future CJEU rulings.”
  • As for Article 13(4) and its relevant recitals, the authors suggest the language is tantamount to a new safe harbour, which would both “seriously undermine fundamental principles of European copyright,” and pose “unwarranted liability privilege risks breaching the EU’s obligations under international copyright treaties.”

The Letter closes with the authors’ promise to “remain at the Council’s disposal to find solutions to these points.” For more on the proposed Directive, be sure to check out the IPKat’s numerous posts on the subject.

*This “Safe Harbour” in copyright law is not to be confused with the Safe Harbor Data Privacy exemptions between the US and the EU, which have since been declared invalid. On that subject, I might write on the new Privacy Sheild… at some point…