The recent case of Totalise v Motley Fool, decided on 19 February 2001, dealt with disclosure in the context of a Web site. Amanda Kearsley and Nick Rudgard examine some of the wider issues, that arise concerning data protection and the CPR as the result of a 19th-century case being invoked in connection with 21st-century technology.
The recent case, Totalise plc v the Motley Fool Limited and Another, has highlighted some interesting conundra in reconciling the principles of disclosure under the Civil Procedure Rules with disclosure of personal data under the Data Protection Act 1988 and, in so doing, has provided fresh illustration of the Court’s willingness to adapt historic legal principles to modern situations.
Background
Totalise plc (the Claimant) is an Internet service provider. Motley Fool Limited and Interactive Investor Limited (the Defendants) both operated Web sites which had bulletin boards on which members of the public could post comments. One of Motley Fool’s subscribers posted a number of messages on its bulletin board, using the nom-de-web ‘Z Dust’, which Totalise considered to be highly defamatory of its organisation. Totalise complained and successfully persuaded Motley Fool to remove the postings and to revoke Z Dust’s right of access to the bulletin boards. However, Motley Fool refused Totalise’s request to disclose Z Dust’s true identity so that it could bring proceedings for defamation against the originator of Z Dust, on the basis that Motley Fool’s terms and conditions precluded this disclosure. Motley Fool also cited the Z Dust moved its activities to Interactive Investor’s bulletin board, and posted further similar comments there about Totalise. After receiving a complaint from Totalise, Interactive Investor removed the comments, denied access to Z Dust but refused to disclose Z Dust’s true identity, also citing its own terms and conditions and the DPA.
Totalise was faced with a problem. Unless it did something to stop the postings, Z Dust’s campaign was likely to continue. However, effective action depended upon discovering Z Dust’s identity.
The Norwich Pharmacal Principle
Totalise brought an action against Motley Fool and Interactive Investor to obtain disclosure of Z Dust’s true identity by invoking a principle established in the 19th-century case, Upmann v Elkan, in which the judge said:
‘If through no fault of his own a person gets mixed up in the tortious acts of others so as to facilitate their wrongdoing, he may incur no personal liability, but he comes under a duty to assist the person who has been wronged by giving him full information and disclosing the identity of wrong doers’.
This principle was confirmed by the House of Lords in Norwich Pharmacal Co v Customs & Excise [1974] 1 AC 133. In this case, Norwich Pharmacal who owned a patent, were trying to discover the identity of importers whom they alleged had infringed their patent. They knew that the Customs & Excise had obtained information about the importers which included their names. As proceedings had not yet commenced against any of the importers for patent infringement, disclosure against a non-party to proceedings (such as Customs & Excise) under s34 of the Supreme Court Act did not apply. However, the Lords held that the Upmann v Elkan duty to assist did apply to the Customs & Excise and ordered them to disclose the identity of the importers.
The Totalise Decision
The judge in the Totalise claim took the Norwich Pharmacal principle a step further, saying that it was not necessary for Totalise to intend to take proceedings against Z Dust in order to require the Defendants to disclose his true identity. It was sufficient for Totalise to require to be told the identity merely in order to consider its rights.
In addition, the judge held that the DPA did not restrict this view. Furthermore, he held that the Defendants could not invoke s10 of the Contempt of Court Act 1981, the principle used by journalists to conceal their sources, because they had no editorial control over their bulletin boards and were not therefore responsible for Z Dust’s publications. Most significantly perhaps, the judge ordered the Defendants to pay Totalise’s costs of the action. He said that it was ‘perfectly plain from the outset that the postings on both Web sites were highly defamatory’ and that the Defendants ‘should have complied with the requests made by the Claimant’ without the necessity of court action.
It is likely that this situation will recur. Indeed the writers know of a number of other cases where anonymous parties have contributed defamatory comments on bulletin boards. This issue therefore requires closer analysis and review.
Issues arising from the Case
Discretionary remedy
It is evident that the Norwich Pharmacal principle is a discretionary remedy and this discretion is preserved in CPR, r31.18, which is entitled ‘Rules not to limit other powers of the court to order disclosure’. This means that the Court can move outside the normal principles of disclosure of documents between parties to an action in the CPR in order to cover a Norwich Pharmacal situation.
Given that it is a discretionary remedy, the facts of each case need to be considered on their own merits. In Totalise, it was accepted by all concerned (including the Defendants) that the material Z Dust posted on the bulletin boards was in fact defamatory. As the judge said, the defamatory material was ‘of a very serious nature, and called into question the claimant’s solvency and the competence and integrity of its management and directors’. It is however possible that, in future cases, if it is unclear that the comments in question are defamatory, judges may decide not to exercise their discretion in favour of disclosure.
In addition, the question of costs is likely to be decided according to the degree of obviousness of the libel. Paragraph 13.18.3 of the White Book states that ‘the claimant seeking the name of the wrongdoer will have to pay a blameless defendant’s expenses’. This suggests that the Defendants in Totalise were not blameless. But how does this sit with the provisions in the E-Commerce and Copyright Directives? Both of these measures aim to protect an ISP from liability where that ISP is a passive intermediary acting merely as a conduit, but allows liability to attach where the ISP actively intervenes. Despite the fact that the Defendants in the Totalise case had no editorial control over their bulletin boards and complied with the notice and take down procedure operated in the UK, costs were awarded against them. In that respect therefore, the net result of the case diverges from the provisions in the Directives.
Disclosure under the DPA
With increased publicity about the new data protection regime and ISP terms and conditions of use promising not to disclose the identity of its subscribers, any individual could be forgiven for thinking that his personal information would be protected from revelation. For the honourable subscriber, this may not be an unreasonable assumption but, for the subscriber who uses the terms and the legislation to hide unlawful activity, the Totalise case is clear on the use of the DPA as an instrument of concealment.
It is interesting that both Defendants declined to reveal the true identity of Z Dust, relying on s35 of the DPA which provides:
‘1. Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by order of a court.
2. Personal data are exempt from the non-disclosure provisions where the disclosure is necessary –
(a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or
(b) for the purpose of obtaining legal advice
or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.’
Section 35(2) specifically allows disclosure of personal data if that disclosure is for the purpose of obtaining legal advice, or for establishing legal rights. At first sight this very provision, upon which the Defendants relied to avoid revealing Z Dust’s true identity, seems to allow that disclosure to be made. However, the Defendants argued that s35 has to be construed narrowly. Its effect should be confined to the data controller for the purposes of obtaining legal advice, or for the data controller to establish, exercise or defend legal rights. A data controller is defined in s1 as ‘a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are or are to be processed’. The court rejected this interpretation, saying that if it had been intended to restrict the construction in this way, the parliamentary draftsman would have expressly done so.
We agree with the judge’s interpretation. The mischief of the DPA is to protect individuals. It is therefore appropriate that individuals are able to use s35 for the purposes of obtaining legal advice or for establishing, exercising or defending legal rights. If this is the case, there could have been no intention for the legislature to limit the use of s35 to data controllers.
Other Methods of Obtaining Disclosure
Whilst Totalise relied on the Norwich Pharmacal principle to obtain disclosure, this was not without risk. As explained above, Norwich Pharmacal offers a discretionary remedy and, in future cases, unwilling courts may not be prepared to grant such an order, requiring claimants to exhaust other avenues before seeking the assistance of the court. So what other avenues are open to a potential claimant?
Disclosure through High Court litigation
A claimant in the position of Totalise could invoke proceedings in defamation directly against the ISP and then seek disclosure of relevant documents which would include details of the identity of the originator of the defamatory comments. It could then either issue Part 20 proceedings known as Third Party proceedings prior to the CPR or bring a separate action against the originator. In the Totalise case itself, both Defendants removed the complained of material as soon as Totalise informed them of its existence. This timely reaction allows an ISP to invoke the defence of ‘innocent dissemination’ in s1 of the Defamation Act 1996, which provides that a person has a defence to a defamation claim if he can show that:
‘(a) he was not the author, editor or publisher of the statement complained of,
(b) he took reasonable care in relation to its publication; and
(c) he did not know, and had no reason to believe that, what he did caused or contributed to the publication of a defamatory statement.’
The existence of this defence makes it unlikely that proceedings for defamation against an ISP acting as the Defendants did in Totalise would succeed. Hence any such proceedings would not last long enough to allow disclosure of documents to take place. In Godfrey v Demon Internet Limited [1999] 4 All ER 342 however, this defence was not available to Demon, because they did not remove the alleged defamatory messages when asked to do so by Dr Godfrey. So an ISP who does not act promptly could find itself being forced to disclose the identity of the originator through the ordinary CPR disclosure rules.
Use of the subject access provisions in the DPA
Section 7 of the DPA allows a data subject (an individual who is the subject of personal data) to have communicated to him, in intelligible form, the information constituting any personal data of which he is the subject. This would enable a data subject to request a copy of all information containing his personal data, potentially including copies of those documents which contain his personal data or his personal data coupled with personal data belonging to a third party, such as the person making defamatory comments.
Theoretically, this provides a simple means of obtaining the information needed, as statute requires a subject access request to be honoured within 40 days of receipt of a valid request. Furthermore, the maximum charge a data controller can make for providing the information is £10 – considerably cheaper than commencing High Court proceedings or seeking a Norwich Pharmacal order.
A key difficulty with relying on subject access is that it can be invoked only where the subject of the defamatory postings is a living individual. An example, using the Totalise case as illustration, would be if one of the directors of Totalise had been the subject of a personal defamatory attack by Z Dust. In making a subject access request, that director could have obtained some information in satisfaction of the request that revealed the identity of his defamer. A further problem with relying on s7 is that the data controller does not necessarily have to provide any information in satisfaction of a subject access request if, by doing so, it would allow another individual to be identified (the whole purpose of making the request in this context). The DPA sets out exceptions to this if the other individual has consented to the disclosure (which is highly unlikely in this type of situation), or it is reasonable in all the circumstances for the data controller to comply with the request without the consent of the other individual. In making its decision as to whether it would be reasonable in all the circumstances, the data controller is required by the DPA to take into account ‘any duty of confidentiality owed to the other individual’. The ISP’s Web site terms and conditions are likely to be relevant here.
Although s7 may not have provided an effective means of obtaining Z Dust’s true identity on the facts of the Totalise case, future cases may find the provision provides effective relief without the need to seek expensive and time-consuming court action.
What if Z Dust’s Identity had been Disclosed Voluntarily?
Of course, ISPs caught in the same position as Motley Fool and Interactive Investor will need to have regard to the Totalise case when deciding whether to disclose the identity of one of its subscribers to whom, no doubt, it will have promised confidentiality.
In order to evaluate whether to disclose or not to disclose, it is important to consider what would have been the consequences had Totalise managed to persuade the Defendants to disclose Z Dust’s true identity?
Clearly, there is scope for a claim against the ISP for breach of the terms and conditions of access, assuming that those terms do not permit disclosure. There is also the possibility of a claim for compensation under s13 of the DPA. However, in order to bring such a claim, the subscriber will have to show that he has suffered damage as a result of the data controller’s contravention of the Act or distress and damage (s13(1) and (2)).
Even if this can be proved, the ISP as data controller will have a defence if it can show itself to have ‘taken such care as in all the circumstances was reasonably required to comply with the requirement concerned’ (s13(3)).
There is nothing in the DPA to give any indication as to what constitutes ‘such care as in all the circumstances was reasonably required’. The only guidance is contained in Directive 95/46/EC from which the DPA is derived. Recital 55 provides that a data controller ‘may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject’. Arguably a data subject who defames is at fault, but the Directive is not clear as to whether it means fault in causing the disclosure or fault in making the disclosure an appropriate course of action.
Conclusion
What is clear is that, whether or not an ISP accepts the risk of a claim for breach of contract or for compensation for breach of the DPA, if the ISP discloses details of its subscribers too readily, it takes the risk of having no subscribers at all. When it comes to disclosure, Norwich Pharmacal, the Civil Procedure Rules, data protection law, contract law and the law of the European Union are complex, lacking in clarity, reliant on discretion, contradictory and hard to reconcile.
To disclose or not to disclose? It is for each ISP to consider ‘whether tis nobler in the mind to suffer the slings and arrows of outrageous fortune, or to take arms against a sea of troubles.’.
© Addleshaw Booth & Co
Amanda Kearsley and Nick Rudgard are Solicitors in the Technology & Intellectual Property Group at Addleshaw Booth & Co, and can be contacted at aok@addleshaw-booth.co.uk and nhr@addleshaw-booth.co.uk respectively.
