Do Neo-Nazis have a right to privacy?

Do Neo-Nazis have a right to privacy?

Earlier this month, a leftist art collective in Germany called the Centre for Political Beauty (Zentrum für Politische Schönheit or “ZPS”) launched a website to name and shame neo-Nazis. At soko-chemnitz.de, people were invited to examine photographs taken during this summer’s violent anti-immigration protests in Chemnitz, and in exchange for identifying suspected right-wing demonstrators, would receive a crowd-funded reward of at least €30. The twist? The image recognition database was a honeypot: a sophisticated hoax to induce neo-Nazis into identifying themselves.

This recent project gives rise to serious questions regarding the exploitation of personal data for illegitimate or unlawful purposes – even if those purposes are seen by many as socially or ethically justified.

Image result for center of political beauty
“Doxing” – a portmanteau of document (“dox”) and dropping – is a term used to describe publicly exposing someone’s real identity on the internet.

The Chemnitz Context

Known as Karl-Marx Stadt when it was part of the Soviet bloc, Chemnitz is an industrial city in eastern Germany with a population of about 250,000. After German reunification in 1990, the political and economic systems changed drastically as democracy and capitalism replaced the communist regime. Similarly, as thousands of East Germans relocated to the more prosperous West, expatriates and immigrants filled shortages in the labour market and made their home in East Germany. For the first time in decades, the East was forced to deal with the challenges posed by multiculturalism, immigration and globalism.

Such problems have only intensified in light of Chancellor Merkel’s more liberal migrant policy, which has seen an influx of those seeking asylum and refugee status. Accordingly, Eastern Germany has seen a significant surge in far-right populism and xenophobic protests. In 2017, nearly 25 per cent of the city’s residents voted for the far-right German nationalist party, Alternative for Germany (Alternative für Deutschland, orAfD”).

Tensions between “native” East Germans and immigrants made headlines again this August, when a German man was stabbed to death in Chemnitz. When police revealed that his two attackers were Kurdish (one from Iraq and the other Syria) far-right groups quickly organised anti-immigration protests. Nearly 7,000 people joined the demonstrations, which were marked by hate speech and violence against non-Germans. The swastika and other Nazi symbols, including making the Nazi salute, are banned in Germany.

The Honeypot

Known for its “activist art”, the ZPS uses satirical stunts, performance pieces and interventions to draw attention to various humanitarian issues. By way of example, the group designed a monument in 2010 to “memorialise” Western co-responsibility for the Srebrenica massacre. In 2017, they built a “Holocaust Memorial” in front of nationalist politician Björn Höcke’s house.

In the weeks following the Chemnitz protests, ZPS published pictures of far-right rioters online at soko-chemnitz.de, and asked visitors to “identify and denounce your work colleagues, neighbors or acquaintances today and collect instant cash!” The rewards started at €34 (£30) with special bonuses awarded for identifying photos of people who were police, or members of Germany’s domestic security agency, the Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz or BfV). While the ZPS had indeed previously identified over 1,500 individuals who participated in the protest, the real goal of the campaign was to get far-right sympathizers to search for and thereby name themselves.

Related image
Gesucht: Wo arbeiten diese Idioten? / Wanted: where do these idiots work?

The honeypot design was simple. When visitors entered the website, they were presented with only 20 pictures at a time. Much to the delight of ZPS, Chemnitz protesters went straight to the site’s search bar to type in their own name and the names of fellow participants, to see if they’d already been named. The average visitor searched for the names of seven people.

In this way, the protesters “delivered their own entire network to ZPS without realising it. They told us more about themselves than publicly available sources ever betrayed.” ZPS founder Philipp Ruch claims that use of the website has created “the most relevant set of data on right-wing extremism that currently exists in Germany.”

The Controversy

The Special Commission Chemnitz site sparked a huge controversy in Germany for several reasons. Firstly, many questioned the legality of the website itself. Photos of demonstrators were uploaded without permission from the individuals pictured, an action which could potentially contravene German and European data protection law. Although no such private information other than photographs were revealed on soko-chemnitz.de,  users were asked to send in names, addresses, and names of employers of demonstrators. DeutscheWelle, Germany’s public international broadcaster, reported that “Germany’s data protection commissioner’s office said it was looking into whether the ZPS site was acting within legal limits.”

Image result for center for political beauty
Members of the ZPS always wear black face paint during during public appearances, to symbolize the “soot of German history”. The group’s fundamental mission statement is that “the legacy of the Holocaust is rendered void by political apathy, the rejection of refugees and cowardice. It believes that Germany should not only learn from its History but also take action.”

Beyond the textual or purely legalistic overtures of data protection law violations, the website elicits serious concerns over whether doxing private individuals is ever justified. Much has been written about the free speech rights of those who promote abhorrent ideologies. Those with a more libertarian perspective on free speech will insist that Nazi speech must be defended because it is so especially controversial. But what about the right to privacy?

In his article entitled Why it’s important to name the Nazis, journalist David Perry argued that identifying those whose pictures appear online attending a public rally is justified. Neo-Nazi protesters are people intending to do or to advocate harm, and have therefore surrendered their right to anonymity. The right to freedom of expression does not extend to a right of social impunity. One could also consider that view that as such protests occurred in a public space, any reasonable expectation of privacy was materially lacking.

But in the European —and notably, German— context, rights to privacy are especially treasured given the history of both Nazi and Communist security service tactics. These regimes demonstrated in the most heinous ways possible that collection of personal information can lead to harm. The idea of encouraging and paying private individuals to “out” their friends, neighbours and colleagues —even if for a seemingly noble cause—does not sit well with many Europeans today. Interior Minister Roland Wöller went so far as to say that the ZPS website “endangered social cohesion”.

Consider the distinction between how the United States and Germany “name and shame” sex offenders. The United States was the first country to establish a national sex offender registration and notification system in 1994. By contrast, Germany has no national sex offender registration legislation, nor a public notification system. This perhaps illustrates the extent to which Germans value the protection of individual privacy, even where those individuals have committed criminal or otherwise morally reprehensible acts.

The soko-chemnitz.de project forces upon the public an uncomfortable question: do neo-Nazis have a right to privacy? Those who say “no” would likely choose to identify and denounce the Chemnitz protesters as potentially dangerous far-right radicals. In so doing, one could take comfort in having participated in some sort of righteous, anti-Nazi resistance movement. But at what cost? Doxing campaigns have gone terribly wrong in the past, and errors in identification can led to irreparable emotional and reputation damage, or even job loss and suicide. On the other hand, refusing to participate in the campaign could arouse suspicions that one sympathizes or even identifies with the Nazi ideology.

As a piece of political performance art, soko-chemnitz.de was certainly provocative. But it is also politically significant. Coverage of the website forced people to consider their own personal prioritisation of ideals associated with a democratic society: to what extent should we protect privacy, expression, freedom from interference, security, liberty, trust…? It’s a predicament as old as political philosophy itself, and an increasingly uncomfortable balancing act to achieve in today’s world of hyper-surveillance and social media. Perhaps this was the disquieting, satirical reminder the ZPS was hoping to convey all along.

 


*Note on soko-chemnitz.de

ZPS has replaced its original soko-chemnitz website with a splash page explaining the honeypot campaign. You can visit earlier archives of the page using the Wayback Machine. This is what the website looked like on 4 December 2018, absent the images of individuals, which have since been deleted.

Facebook and Privacy: cases, reports and actions in Europe

Facebook and Privacy: cases, reports and actions in Europe

A list of European enforcement action, official legislative (Parliamentary) reports, and cases concerning Facebook with respect to data protection and privacy. This is a work in progress, last updated November 2018.

Data Protection Commissioner (Ireland) v Facebook Ireland Limited, Maximillian Schrems [Case C-311/18]

  • Jurisdiction: European Union, Ireland
  • Status: Case still in progress
  • Authority:  Court of Justice of the European Union
  • Keywords: EU Data Protection Directive (95/46/EC); EU/US Privacy Shield; Fundamental Rights

Continue reading “Facebook and Privacy: cases, reports and actions in Europe”

Transatlantic Data Transfers: US-EU Privacy Shield under review

When personal data travels between Europe and America, it must cross international borders lawfully. If certain conditions are met, companies can rely on the US-EU Privacy Shield, which functions as a sort of “tourist visa” for data. 

Earlier this week (19 November) the United States Federal Trade Commission finalised settlements with four companies that the agency accused of falsely claiming to be certified under the US-EU Privacy Shield framework. This news closely follows the highly anticipated second annual joint review of the controversial data transfer mechanism. 

IDmission LLC, mResource LLC, SmartStart Employment Screening Inc., and VenPath Inc. were slapped on the wrist by the FTC over allegations that they misrepresented their certification. But this is just the latest saga in an on-going debate regarding the Privacy Shield’s fitness for purpose. Only this summer, the European Parliament urged the European Commission to suspend the Privacy Shield programme over security and privacy concerns.

flying airplane

Background and purpose

Designed by the United States Department of Commerce and the European Commission, the Privacy Shield is one of several mechanisms in which personal data can be sent and shared between entities in the EU and the United States. The Privacy Shield framework thereby protects the fundamental digital rights of individuals who are in European Union, whilst encouraging transatlantic commerce.

This is particularly important given that the United States has no single, comprehensive law regulating the collection, use and security of personal data. Rather, the US uses a patchwork system of federal and state laws, together with industry best practice. At present, the United States as a collective jurisdiction fails to meet the data protection requirements established by EU lawmakers.

As such, should a corporate entity or organisations wish to receive European personal data, it must bring itself in line with EU regulatory standards, known as being “protected under” the Privacy Shield. To qualify, companies must self-certify annually that they meet the requirements set out by EU law. This includes taking measures such as displaying privacy policy on their website, replying promptly to any complaints, providing transparency about how personal data is used, and ensuring stronger protection of personal data.

Today, more than 3,000 American organisations are authorised to receive European data, including Facebook, Google, Microsoft, Twitter, Amazon, Boeing, and Starbucks. A full list of Privacy Shield participants can be found on the privacyshield.gov website.

Complaints and non-compliance?

There is no non-compliance. We are fully compliant. As we’ve told the Europeans, we really don’t want to discuss this any further.

—Gordon Sondland, American ambassador to the EU

Although the Privacy Shield imposes stronger obligations than its ancestor, the now-obsolete “Safe Harbor,” European lawmakers have argued that “the arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice.”

In its motion to reconsider the adequacy of the Privacy Shield, the EU Parliament stated that “unless the US is fully compliant by 1 September 2018” the EU Commission would be called upon to “suspend the Privacy Shield until the US authorities comply with its terms.” The American ambassador to the EU, Gordon Sondland, responded to the criticisms, explaining: “There is no non-compliance. We are fully compliant. As we’ve told the Europeans, we really don’t want to discuss this any further.”

Věra Jourová, a Czech politician and lawyer who serves as the European Commissioner for Justice, Consumers and Gender Equality, expressed a different view: “We have a list of things which needs to be done on the American side” regarding the upcoming review of the international data transfer deal. “And when we see them done, we can say we can continue.”

Photo: Ambassador Sondland with Commissioner Jourova in the Berlaymont.
Jourová and Sondland, via a tweet from Sondland saying he was “looking forward to our close cooperation on privacy and consumer rights issues that are important to citizens on both sides of the Atlantic.” 

The list from the Parliament and the First Annual Joint Review [WP29/255] (.pdf) concerns institutional, commercial, and national security aspects of data privacy, including:

  • American surveillance powers and use of personal data for national security purposes and mass surveillance. In particular, the EU is unhappy with America’s re-authorisation of section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorises government collection of foreign intelligence from non-Americans located outside the United States (Remember Edward Snowden and PRISM? See the Electronic Fronteir Foundation’s explanation here)
  • Lack of auditing or other forms of effective regulatory oversight to ensure whether certified companies actually comply with the Privacy Shield provisions
  • Lack of guidance and information made available for companies
  • Facebook and the Cambridge Analytica scandal, given that 2.7 million EU citizens were among those whose data was improperly used. The EU Parliament stated it is “seriously concerned about the change in the terms of service” for Facebook
  • Persisting weaknesses regarding the respect of fundamental rights of European data subjects, including lack of effective remedies in US law for EU citizens whose personal data is transferred to the United States
  • The Clarifying Overseas Use of Data (“CLOUD”) Act signed into law in March 2018 allows US law enforcement authorities to compel production of communications data, even if they are stored outside the United States
  • Uncertain outcomes regarding pending litigation currently before European courts, including Schrems II and La Quadrature du Net and Others v Commission.

 

Image result for max schrems
Max Schrems is an Austrian lawyer and privacy activist. In 2011 (at the age of 25) while studying abroad at Santa Clara University in Silicon Valley, Schrems decided to write his term paper on Facebook’s lack of awareness of European privacy law. His activism led to the replacement of the Safe Harbor system by the Privacy Shield.

What happens if the Privacy Shield is suspended?

In a joint press release last month, the representatives from the EU and USA together reaffirmed “the need for strong privacy enforcement to protect our citizens and ensure trust in the digital economy.” But that may be easier said than done.

In the event that the Privacy Shield is suspended, entities transferring European personal data to the United States will need to consider implementing alternative compliant transfer mechanisms, which could include the use of Binding Corporate Rules, Model Clauses, or establishing European subsidiaries. To ensure that the American data importer implements an efficient and compliant arrangement, such alternatives would need to be assessed on a case-by-case basis involving careful review of data flows, and the controller and processors involved.

Regardless of the method used to transfer data, American companies must ensure that they receive, store, or otherwise use European personal data only where lawfully permitted to do so. The joint statement noted above concluded by saying that the “U.S. and EU officials will continue to work closely together to ensure the framework functions as intended, including on commercial and national-security related matters.”

The European Commission is currently analysing information gathered from its American counterparts, and will publish its conclusions in a report before the end of the year.

NDAs and the Sound of Silence

NDAs and the Sound of Silence

“When truth is replaced by silence, the silence is a lie.” 
Yevgeny Yevtushenko

The #MeToo movement has brought Non-Disclosure Agreements (NDAs) as a way to silence allegations of sexual harassment into the public debate.  In light of controversies surrounding Donald Trump, Harvey Weinstein and now – Sir Philip Green, the billionaire retailer whose brands include Topshop – much has been discussed about the legality and morality of using NDAs to prevent publicity or otherwise cover up  bad behaviour.

But like any legal document, NDAs are not inherently “good” or “bad”. They are simply a tool, regularly used by lawyers in many contexts. To understand why they have become controversial, and to contribute to the debate concerning their use and abuse, we must first consider their structure and purpose.

NDAs, which are also called Confidentiality Agreements, are simply a type of contract used to prevent someone from sharing confidential information in ways which are unacceptable or damaging to another person. What information is considered “confidential” depends very much on the situation, as well as the relationship between the person providing the information (“discloser“) and the person receiving it (“recipient“).

Use of the word “confidential” to mean “intended to be treated as private” dates from the 1770s, and has its roots in the Latin word confidentia. This means “firmly trusting,” and is itself derived from confidere, which means “to have full trust or reliance.” 

Confidential information is often shared for a business purpose or in corporate negotiations, especially when mergers or collaborations occur. For example, a restaurant chain looking for a deal with a food manufacturer may want to share recipes, or a fashion designer may seek a partnership with a well-known athlete who has sketches and drawings of a sports-inspired clothing range. Likewise, when a company hires a new employee, they may be given access to company client lists, manufacturing processes or other valuable data.

The basic anatomy of the NDA is relatively straight forward, and should always contain the following elements:

  • A clear definition of the confidential information.
    These are often heavily negotiated clauses, and it is usual to have very wordy and detailed definitions which set out explicitly what is and is not captured by the agreement. Sometimes, even the NDA itself is considered “confidential information,” which means that its terms or existence must be kept secret.The discloser will often want a broad definition of confidential information which covers not only the documents or products in question, but perhaps any derivative ideas, feedback, analysis or concepts created or inspired by the confidential information. On the other hand, the receiving party will want to keep this definition as narrow as possible.

 

  • The key obligation to keep the information secret.
    Standard wording will typically begin as follows: “In return for the discloser making confidential information available to the recipient, the recipient promises to the discloser that it shall keep the confidential information secret and confidential.”However, the obligation clause almost always contains many more rules and responsibilities. For example, the recipient may be prohibited from even indirectly sharing or hinting at the confidential information. They may also be prohibited from making copies, removing the information from a particular location, or storing it on their personal smartphone.

 

  • The ways in which the information can be used.
    The recipient will be prohibited from using or exploiting the confidential information except for the “purpose.” The purpose is the defined reason the information will be shared in the first place, for example, “to establish a collaboration in respect of the Tommy Hilfiger x Lewis Hamilton fashion line.”Disclosures of the information by the recipient to their employees and professional advisers (including lawyers and accountants) are usually permitted. In such cases, the discloser may ask that all individuals who receive the confidential information from the recipient sign a separate confidentiality agreement. While some may consider this a bit over the top, it makes sense from the discloser’s perspective that the receiver should take responsibility if its employees or advisers breach confidentiality.

 

  • What happens if the project or deal does not go ahead, and the duration of the secrecy.
    The discloser will often ask that the receiver returns or destroys the confidential information if the project or transaction fails to materialise. The parties should also establish a realistic time period for the duration of the secrecy, as it may be unreasonable to expect that the information has to remain confidential for eternity.
Image result for Lilly Panholzer
Lilly Panholzer for City finds it is easy to silence women with NDAs

Seems simple enough, so what’s all the fuss about?

As mentioned above, NDAs are incredibly common and used in a wide variety of situations, ranging from complex corporate takeovers to short-term collaborations. But despite their ubiquitous nature and seemingly straightforward terms, it would be a mistake to assume that these are simple contracts. 

It is rare for the parties entering the agreement to have perfectly equal bargaining power. Due to an imbalance of money, expertise, resources or even reputation, one of the parties involved will almost always be able to exert more influence over the other. This inherent imbalance can lead to the creation of NDAs which grant – or limit – rights in an unfair or improper way.

Entrepreneurs may think that an NDA adequately protects their valuable information when it is divulged to a potential investor. But unless the definitions and obligations are sufficiently locked down, little may prevent the investor from stealing the entrepreneur’s ideas.

Similarly, some unscrupulous companies may attempt to force their employees to enter into NDAs in an attempt to prevent whistleblowing or discrimination lawsuits. Matters can become very complex when an individual who has a grievance against a powerful boss is threatened with dismissal or further harassment, unless they sign an NDA. Moreover, a new common extension of NDAs is the inclusion of a “non-disparagement” clause. This goes beyond the protection of confidential information, and requires employees to never speak negatively about their employer or former employer.

In both the United States and the United Kingdom, lawmakers and courts have begun to establish clearer boundaries about the enforceable scope of NDAs. In the court of public opinion, powerful individuals who weaponise NDAs in an attempt to stifle access to justice, impair free speech and limit creativity are already losing. Regardless of the reason for entering a NDA, you owe it to yourself to ensure the document is checked first by a lawyer, and that your rights – and remedies – are adequately protected. 

 

Airbrushing history? Photos of Oxford Student Celebrations Raise Questions About Privacy Rights and Journalism

Airbrushing history? Photos of Oxford Student Celebrations Raise Questions About Privacy Rights and Journalism

A former Oxford University student asked image agency Alamy to remove photographs of her celebrating the end of exams. Now, the photographer accuses Alamy of “censoring the news”.  Is this a threat to freedom of the press, or has the woman’s human right of privacy been correctly protected?

The end of exams are a liberating and happy time for university students around the world. At Oxford, students take their celebrations to another level by partying en masse in the streets, covering each other in champagne, shaving foam, confetti, flour and silly string in a tradition known as “Trashing.”

Screenshot 2018-10-14 at 9.37.21 AM
An Alamy photo of Oxford celebrations from 1968. “Trashing” has become a bit more crazy since the 1990’s.

Speaking to the Press Gazette, Photographer Greg Blatchford explained that during the 2014 Trashing, a student invited him to take photographs of her celebrating on the public streets. Some of the images show her swigging from a bottle of champagne, while in others she is covered in silly string.

Blatchford then sent “about 20” images to Alamy as news content. The former student subsequently stated that she “loved” the images in email correspondence to Blatchford, and even shared them on Facebook. This summer, four years later, the woman contacted Alamy to have the photos deleted. The company removed the images – much to Blatchford’s dismay.

Screenshot 2018-10-14 at 9.37.58 AM
An Alamy stock image of Oxford University Trashing celebrations. Note: THIS IS NOT ONE OF THE SUBJECT PHOTOGRAPHS.

The right to be forgotten under the GDPR

Because the woman was able to be identified from the photographs, they constitute “personal data” as defined by Article 4 of the General Data Protection Regulation (GDPR). Under Article 17 GDPR, data subjects have the right in certain circumstances to compel the erasure of personal data concerning him or her.

For example, if the data was originally collected or used because the individual gave their consent, and that consent is subsequently withdrawn, the company may honour the request for deletion (Article 17(1)(b)). However, a company can also use a “counter attack” if an exception applies. Importantly for news and media agencies, if keeping the data is necessary for exercising the right of freedom of expression and information, they may be able to refuse the request and keep the data (Article 17(3)(a)).

For more details on how the right to be forgotten works in practice, see my earlier post, Now You’re Just Somebody That I Used to Know.

Are journalists under threat from privacy lawyers?

Blatchford explained that although they are now considered “stock images,” they were originally “news” photos and should not have been removed. By deleting the photos, Alamy “are censoring the news. I’m incensed that someone can influence news journalism and censor the past where clearly if photographs are taken in public, with the full consent of participants they can turn around and say ‘sorry, that’s not news’ later. This sets a precedent for anybody to walk up to a news organisation and say I don’t like the pictures of me. Journalists will then start feeling the threat of lawyers.”

In a statement to the Press Gazette, Alamy’s director of community Alan Capel said the images were submitted as news four years ago, but moved 48 hours later to the stock collection. “Therefore we are surprised that this is deemed to be ‘censoring the news.’ As per our contract with our contributors, we can remove any images from our collection if we see a valid reason to do so.”

The university said that participating in trashing can lead to fines and disciplinary action since it is against the university’s code of conduct
The comical images of students wearing sub fusc (formal academic attire) while partying are often published in newspapers around the country in May.

Privacy and press freedom have long been considered competing interests, but that’s not to say that striking an appropriate balance between the two is impossible.

On some level, I do sympathise with the photographer. I also struggle to buy Alamy’s argument that the images are not “news content” and are now “stock images.” The classification of an image should be based on its context, purpose and subject matter – not the time that has elapsed since the event, nor the label attributed to it on a website.

Stock images are, by definition, professional photographs of common places, landmarks, nature, events or people. By contrast, the Oxford Trashing photos are attributed to a specific time (May), place (Oxford), category of people (students), and event (celebrating the end of exams). They are popular for several reasons. Firstly, they illustrate a charming and comical juxtaposition. Although these students attend one of the oldest and most prestigious Universities in the world, they are – after all – entitled to a bit of fun. Secondly, Trashing has received increased press attention in recent years, as students have become subject to complaints fines, disciplinary action, and even police enforcement. These images clearly show, in ways that words alone cannot, matters of public interest.

Screenshot 2018-10-14 at 1.04.41 PM.png

In this particular instance however, I think Alamy have made the right decision in deleting the images.

Although the Press Gazette does not name the woman, it does note she is “a marketing director in New York.” It’s entirely plausible that she has valid concerns that the images of her participating in Trashing may negatively impact her reputation and career, or otherwise cause some sort of harm or embarrassment.

She claims that “there was no consent given to publish or sell my photos anywhere. I am not a model nor have given permission to any photographers to take photos of me to publicly display or to sell. This was a complete breach of privacy.” This contradicts what the email records show, but even if she had lawfully consented to the photographs being taken at the time, she is entirely within her rights to now withdraw consent. 

On balance, Alamy probably has dozens – if not hundreds – of images from the 2014 Trashing at Oxford. The likelihood that the images of this woman in particular are somehow especially newsworthy is minimal. Had Alamy refused to delete the photos, the woman would have been entitled to raise a complaint with the Information Commissioner’s Office. ICO enforcement action can include injunctions, sanctions, or monetary fines. Furthermore, Alamy would risk becoming known as an organisation that doesn’t care about privacy laws, thereby damaging its reputation.

Contrary to Blatchford’s concerns, it is doubtful that an organisation would delete a genuinely newsworthy image, simply because someone doesn’t like how they look. The right to be forgotten is not an absolute right to be purged from history, but a right to regain control of how information about you appears online.

For more details on how the right to be forgotten works in practice, see my earlier post, Now You’re Just Somebody That I Used to Know. If you’re interested in how celebrities control images of themselves, see Fame and Fortune: How do Celebrities Protect Their Image?

Header image by Alex Krook via Flickr

Sir Cliff Richards v BBC: is publicity the soul of justice?

Sir Cliff Richards v BBC: is publicity the soul of justice?

You don’t have to be a privacy or media lawyer to have heard of the sex abuse allegations levied against celebrities in the entertainment industry over the last few years. The investigations concerning Sir Cliff Richard, a famous British musician, included a widely-televised raid on his estate in Berkshire by South Yorkshire Police. Nearly four years after the BBC first named and shamed Sir Cliff in what is now considered to have been “sensationalist” journalism, the High Court has determined that his rights of privacy were infringed.

What makes this case so interesting is that it does not focus on defamation —that is, the publication (or voicing) of a statement which adversely affects another person’s reputation. Instead, Sir Cliff won his case on the basis that the BBC’s wrongful disclosure of his private information was an invasion of his privacy. 

In Sir Cliff Richard v BBC and South Yorkshire Policethe Court considered if suspects who have not been formally charged by police have a reasonable expectation of privacy in respect of the criminal investigation. How are an individual’s rights to privacy balanced against the freedom of expression enjoyed by media organisations? That the suspect in this case is a celebrity only complicates matters, as it calls into question the importance publishing private details in the name of public interest.

Prosecutors said in 2016 that there was not enough evidence to justify criminal charges against Mr. Richard, one of Britain’s best-known entertainers, with a career spanning some 60 years. However, the BBC stands by their reportage of the allegations, and I suspect the BBC will indeed appeal this decision.

As if written for the stage, the Justice Mann’s 120-page judgement begins with a summary of key characters and the plot as it unfolded…

Related image
Daniel Johnson, in front of Sir Cliff’s Berkshire estate

Daniel Johnson, an investigative journalist for the BBC, received a tip-off from a police insider in June 2014 that Sir Cliff was under investigation for historic sex offences against a child. In a manner some would consider blackmail, Johnson “exploited the opportunity to get confirmation of his story about Sir Cliff, and more details if possible” from the South Yorkshire Police (SYP). In exchange for Johnson not publishing the story immediately, the SYP promised that he would be given advance notice of the search of Sir Cliff’s estate. The raid was eventually conducted in August 2014, with BBC crew waiting at the gates and helicopters hovering overhead to capture the whole ordeal.

In case you’re wondering where the Beeb’s lawyers were, the BBC held a meeting to discuss whether to name Sir Cliff and when to broadcast. In her testimony, Senior Editor Fran Unsworth explained that “the legal risk was diminishing because they had got a lot of confirmation of the facts of the story”. The principal legal concern seems to have been in respect of factual accuracy and defamation, and not privacy – as “the lawyers had not flagged that up to her as a specific risk” (para 111).

scne2
the (not very exciting) footage shows plain-clothes police entering Sir Cliff’s estate.
scene1
Three gloved individuals appear to be looking through what is likely Sir Cliff’s office

The legal framework of Sir Cliff’s privacy claim is enshrined in European Convention on Human Rights, brought into force in the UK by the Human Rights Act 1998.

Article 8 sets out the right to privacy: “Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law […] or for the protection of the rights and freedoms of others.”

Article 10 upholds the BBC’s competing rights of expression: “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society [including those] for the protection of the reputation or rights of others.”

In instances where which both Article 8 and Article 10 are engaged, the Court has to perform a balancing and weighing act to ascertain which predominates. Neither article has prima facie precedence over the other.

Article 8 privacy protections arise only where an individual has a reasonable expectation of privacy. For example, if I have a conversation with my friend in a crowded coffee shop in central London, I cannot reasonably expect our discussion to be protected as truly private.

The 77 year-old singer told the Court that he suffered an “unbelievable amount of hurt and pain” after the BBC broadcast the allegations that he had sexually assaulted a boy in 1985. “It felt like torture, sustained over almost two years. It felt as though everything I had done, everything I had built and worked to achieve, was being torn down, like life itself was coming to an end.”

But one might wonder if, as a celebrity, Sir Cliff cannot claim to have an expectation of privacy. A certain amount of emphasis was given by the BBC to the fact that Sir Cliff was a public figure, and one who had promoted his Christian beliefs. Because Sir Cliff had been so vocal (ie public) about Christian morality, the BBC considered that his alleged sexual crimes against a child qualified as a matter of public interest. To that point, the Court acknowledged that in certain special circumstances, the public’s right to be informed can extend into private aspects of public figures (para 276).

However,  Rocknroll v News Group Newspapers [2013] EWHC 24 (Ch) upheld that a public figure is not, by virtue of their fame, necessarily deprived of his or her legitimate expectations of privacy. Axel Springer v Germany 39954/08 [2012] ECHR 227 also makes clear that the safeguard afforded by Article 10 to journalists is subject to the proviso that they are acting in good faith and on an accurate factual basis, and that they provide “reliable and precise” information in accordance with the ethics of journalism.

In considering the BBC’s argument that the stories about Sir Cliff had been published in the public interest, the Court disagreed, saying that reporters at the BBC “were far more impressed by the size of the story and that they had the opportunity to scoop their rivals.” (para 280) This echoes the findings in Axel Springer, in that photographs and commentary which expose a person’s private life cannot be considered to have been published in the name of public interest, if they were in fact made public only to “satisfy the curiosity of a particular readership” (Axel Springer, para 48). It is unsurprising in my view that Justice Mann “came to the clear conclusion that Sir Cliff’s privacy rights were not outweighed by the BBC’s rights to freedom of expression” (para 315).

Publicity is the very soul of justice. In the darkness of secrecy, sinister interest and evil in every shape, have full swing. Only in proportion as publicity has place can any of the checks, applicable to judicial injustice, operate. Where there is no publicity there is no justice.

Jeremy Bentham. legal and social reformer (1748 – 1832)

Will this case have a chilling effect on media freedoms? Writing for The Guardian, Professor of Financial Journalism Jane Martinson argues that “as long as the media reports accurately – making it clear when a suspect is under investigation for a serious crime, rather than arrested or charged – there should be no bar to the public knowing what is going on.” However, in my view this fails to take into consideration the complexity of public perception. In his concluding remarks, Justice Mann cited “the failure of the public to keep the presumption of innocence in mind at all times” as an aggravating factor against the BBC.

Other criticisms focus on the point that this case provides an undeserved blanket of anonymity to criminals, providing a way to keep allegations against possible abusers secret. Whether or not there is a reasonable expectation of privacy in a police investigation is in actuality fact-sensitive question, and is not capable of a universal answer (para. 237). According to Police Guidance on Relationships with the Media, the names or identifying details of suspects of crime should not be released by police to the press or public, unless special circumstances apply — such as threat to life, the prevention or detection of crime, or a matter of public interest.

The inevitable stigma attached to the extremely serious allegations against Sir Cliff made the invasion of privacy even worse. When an individual’s good reputation is tarnished, even wrongfully, it may never be recoverable. This is especially harmful to celebrities, who rely so heavily on public favour. In my view, Sir Cliff Richards v BBC is not a sweeping new precedent that stifles freedom of the press: it simply restates the statutory protections afforded by the Human Rights Act within the context of already-established European and English case law.

Now you’re just somebody that I used to know

Now you’re just somebody that I used to know

The GDPR has been in force for less than two weeks, but Europeans have already started to contact companies left, right and centre to exercise their newly enshrined statutory “right to be forgotten.”

However, this right is not absolute, and only applies in certain circumstances. Let’s look at the balancing act between a data subject’s right to have their data erased on the one hand, and an organisation’s need to maintain data for legitimate purposes, on the other.

Organisations (data controllers and processors) are obliged to only collect and use personal data in a lawful manner, as set out in Article 6. There are several types of “lawful processing,” including in instances where an individual grants his or her explicit and informed consent. But lawful processing also covers the use of data for a controller’s legitimate interests, the performance of a contract, or legal obligations, such as fraud prevention. For more on lawful processing, check out my earlier post – Lights, camera, data protection?

With this in mind, it’s important to note that only in certain scenarios does an individual have the right to be forgotten. Under Article 17(1), their data must be either:

  1. no longer necessary for the original purpose
  2. processed based on consent, which is now withdrawn
  3. processed based on the organisation’s legitimate interests, which the individual objects to;
  4. processed for direct marketing purposes, which the individual objects to;
  5. processed unlawfully (in contravention of Article 6);
    or
  6. erased to comply with a legal obligation.

But before an organisation hits “delete” it must see if any purposes for retention apply. In pre-GDPR days gone by, data subjects had to prove they had the right for their data to be erased. The burden now lies with the controller to prove that they have a legal basis for retaining the data. If so, the organisation has a lawful reason to refuse the erasure request. In fact, deleting data when an exemption does apply could be a breach of the law!

The purposes for retention under Article 17(3) are:

  1. the right of freedom of expression and information;
  2. complying with a legal obligation, or for performing a task in the public interest;
  3. for reasons of public health;
  4. for archiving in the public interest, including scientific or statistical research; or
  5. for the establishment, exercise or defence of legal claims.

Additionally, “manifestly unfounded” or “excessive” requests may be refused outright.

From what I’ve seen in practice over the last few days, most erasure requests are made because an individual no longer wants to receive marketing emails. Fair enough: in shifting responsibility onto corporate controllers, the right to be forgotten strengthens individual control. It also signifies public disapproval of entities which process – and, in some instances abuse – enormous quantities of personal information without the explicit consent or knowledge of the individuals concerned.

For those of us interested in the societal and human rights implications (I’m telling you – data protection isn’t just for the techies amongst us!) it’s worthwhile to consider how journalism fits into the picture.

As Oxford’s International Data Privacy Law summarises rather eloquently: The nebulous boundaries and susceptibility to misuse of the right to be forgotten make it a blunt instrument for data protection with the potential to inhibit free speech and information flow on the Internet.

As early as 2012, Reporters Without Borders (formally, Reporters Sans Frontières) criticized the right to be forgotten – then in early draft stages – as a generalised right that individuals can invoke when digital content no longer suits their needs. This runs the risk of trumping the public interest in the information’s availability. RSF also contends that the demand for complete erasure of online content, or the “right to oblivion”, could place impossible obligations on content editors and hosting companies.

EU Commissioner Viviane Reding responded to the criticism from RSF by explaining that the [GDPR] provides for very broad exemptions to ensure that freedom of expression can be fully taken into account.

Note – this post covers the statutory Right to Erasure under Article 17 of the GDPR. Although related, it is distinguished from the recent high-profile cases against Google, in which the English Supreme Court held that a defendant convicted of a crime was entitled to the right to be forgotten, and therefore delisted from Google search results. A more serious offence, with fewer mitigating circumstances, did not attract the same right.

photo © Cassidy Kelley