1
Joint Letter Re Discovery IssuesC- 10-1282 MMC(DMR)
June 3, 2011The Honorable Donna M. RyuUnited States District Court1301 Clay StreetOakland, California 94612
Re:
Io Group, et al. v. GLBT, Ltd. et al.
, 10-1282 MMC(DMR)
Dear Judge Ryu:The Parties submit the following:
Defendants’ further submiss
ion on issue 3
Defendants have consulted with UK counsel, Mr. Ashley Roughton of Hogarth Chambers,
Lincoln’s Inn, London, who has provided written advice.
We set out in pertinent part the key points of Mr. Roughton’s advice. References to Sections of
the DPA have been added.
“I am a lawyer in the United Kingdom. I have been in intellectual property practice
for about 19 years. I am a member of the bar here and I also specialise in dataprotection and privacy law. I practice additionally in both intellectual property anddata protection crime. Of the three significant data protection court cases in theUnited Kingdom I have appeared in two.The Act has eight specific principles concerned with the processing of personaldata. Personal data are, for this purpose, any information relating to an individualwhich is or is intended to be processed by means of automatic equipment. Thereis an additional requirement that those data must be private in nature though thisrequirement is untested. Processing is a very wide term - it can include merelykeeping and (importantly) sending personal data to somebody else. It is howevermuch wider than that. Put shortly any sort of dealing with computerisedinformation, including just keeping it (whether on a computer or just a printout orindeed whether a handwritten antecedent form) is covered by the Act. Thatinformation is called personal data. Those data must relate to a living individualand must relate to the privacy of that individual. Thus not all data are personal data.The person who processes personal data is called the data controller and has certainlegal responsibilities. Some if not all of those responsibilities are aimed atprotecting the privacy of the person who is the subject of those personal data - thedata subject. The data subject has rights as against the data controller in relation tobreaches of the eight principles which I have alluded to above.
Case3:10-cv-01282-MMC Document55 Filed06/03/11 Page1 of 20
2
Joint Letter Re Discovery IssuesC- 10-1282 MMC(DMR)
The eight principles are, in summary:- [DPA Part I of Schedule 1]1. That the privacy of the data subject must be respected and that processingof such data must be fair (the requirement of legality).2. That processing may only take place for the purposes previously notified tothe authorities (the requirement of specificity).3. That processing must not be excessive (the requirement of adequacy).4. That those data shall be accurate and up to date (the requirement of completeness).5. That once data are no longer needed they shall be discarded (the requirementof necessity).6. That the requirements of the Act shall be complied with (the requirement of compliance).7. That those data shall be kept securely and systems shall be designed to besecure (the requirement of security)8. That transfers of data overseas shall only take place where these principlescan be effective (the requirement of reciprocity).Hence the eight requirements are legality, specificity, adequacy, completeness,necessity, compliance, security and reciprocity.In addition where processing is going to take place then the data subject needs tobe told about it in a particular way (this is a
quid pro quo
the legality requirement)and a failure to do so is deemed to be a breach of the first principle. This coupled
with the right to ask and be told about one’s personal data are known as the
subjectinformation provisions. In addition this obligation to tell the data subject thatpersonal data concerning him are being processed along with the requirements of specificity, adequacy, completeness and necessity are called the non-disclosureprovisions.Certain disclosures are exempt from the subject information provisions or nondisclosure provisions depending upon the circumstances. For instance disclosureto the police in order to investigate crimes might strike one as being an example of a case where effectively tipping off could be problematic. The Act containssafeguards to deal with this sort of situation. [DPA Sec 29]Section 35 of the Act states:-35.
–
(1) Personal data are exempt from the non-disclosure provisions wherethe disclosure is required ... by the order of a court.(2) Personal data are exempt from the non-disclosure provisions where thedisclosure is necessary
–
(
a
) for the purpose of, or in connection with, any legal proceedings(including prospective legal proceedings), or(
b
) for the purpose of obtaining legal advice,or is otherwise necessary for the purposes of establishing, exercising or
Case3:10-cv-01282-MMC Document55 Filed06/03/11 Page2 of 20
3
Joint Letter Re Discovery IssuesC- 10-1282 MMC(DMR)
defending legal rights.However there are three rather serious matters which stand in the way of thatfreedom.
…… no discovery at all ma
y be made if it offends the requirement of specificity. [DPA 2
nd
principle Part I of Schedule 1]
Thus if the defendant’s notification to the
authorities includes no authorisation to transmit data overseas then to do so would offend therequirement of specif
icity. However the “order” of the court would (subject to what I say below)
override this as the requirement of specificity is part of the non-disclosure provisions. Howeverif the court made no order then the data controller cannot just discover voluntarily. To do sowould be a criminal and administrative offence (inthe sense that both the criminal courts and the regulator can impose penal sanctions).
The defendant’s registration with the authorities here cover processing for the
purposes of staff administration, advertising, marketing & public relations,accounts & records, consultancy and advisory services and administration of membership records. In each case the specified processing carries the disclaimer(fairly common in relation to data protection registrations here in the UnitedKingdom) that there should be no disclosures outside the European EconomicArea. I have gleaned the foregoing to looking at the publicly accessible dataprotection register here in the United Kingdom for a company called GLBTLimited of Office 44, 151 High Street, Southampton, SO14 2BT. I do not warrantthat the information concerning the status of the register is correct or accurate.Readers are invited to check for themselves.[See http://www.ico.gov.uk/ESDWebPages/search.asp insert registration number Z1730026]
Finally (and however) I do not believe that a court in the United States of Americais a court for the purposes of section 35(1) of the Act. My reason for saying this isnot because there is no avenue of redress by way of appeal or because of thequality of justice - there clearly is an avenue of appeal and there is certainly noissue concerning the quality of justice - however there is no avenue of redress byway of reference. The European Legal Order requires that all courts are subject tothe ultimate legal jurisdiction of the General Court (formerly the European Courtof Justice) so far as questions of construction and legal meaning of pieces of European Legislation are concerned. Recourse to the General Court is afundamental right here in Europe. Since the Act derives its ultimate authority fromEuropean instruments (specifically Directive 95/46/EC of the European Parliamentand of the Council of the 24th of October 1995 on The protection of individualswith regard to the processing of personal data and on the free movement of suchdata) any issue of construction of the Act and its parent directive must be referableto the General Court. Courts in the United States of America can make noreferences to the General Court since such courts are not courts of the membersstates of the European Union (and it is only they which can make references to the
General Court). The word “court” in the Act means, in my v
iew, a court which is
Case3:10-cv-01282-MMC Document55 Filed06/03/11 Page3 of 20
|