The Queen’s Bench gets it right on bundles.

OK, I would say that, because the QBD requirements are pretty similar to what I’d advocate. Nonetheless, this is the shortest, clearest exposition I’ve seen. I’d go with it.

The torrent of official and quasi-official advice emanating from the judiciary about how the legal system can run through these strange times has ebbed somewhat. Probably much to everyone’s relief. And law firms and chambers are putting out useful guides to remote working. Too numerous to link to, but much of it excellent.

The slackening means it’s possible to pay proper attention to something special. And I think the Queen’s Bench Division of the High Court has produced something that warrants that description. It’s only three pages long, and the gold is on page three: the most succinct and sensible description of how an electronic bundle should be put together that I’ve yet seen.

Which isn’t to say everyone else’s advice isn’t great. It’s just that this is really, really short, and hits the nail squarely on the head.

It’s so short, in fact, that the best thing I can do is repeat it. While also encouraging you to read the rest. Admittedly it’s only directly critical for those working in the QBD, and the bundle requirements are specifically for the QB Masters. But as with much of the other division- or court-specific advice, much of it is transferable.

So what does it say about how a bundle should be prepared? These are direct quotes, with my comments in brackets and italics.

  1. The document must be a single PDF. (The emphasis is the QBD’s, not mine.)
  2. The document must be numbered in ascending order regardless of whether multiple documents have been combined together; the original page numbers of the document will be ignored and just the bundle page number will be referred to. (So it’s crucial to use your PDF app’s tools to make sure the bundle numbers stand out from individual document page numbers. I realise I haven’t got to page numbers yet – when I get over an immediate deadline crisis early next week, I promise that’s on the agenda. PDF Expert is really good at doing this.)
  3. Index pages and authorities must be numbered as part of the single PDF document. They are not to be skipped; they are part of the single PDF and must be numbered. (A lot of people like to number index pages separately, perhaps with Roman numerals. The QBD says no. So best to put placeholder index pages in, number the pages in the bundle, fill in the numbering on your index pages in Word or whatever you use, then drop them back in and renumber just those index pages. Again, PDF Expert is great at this.)
  4. The default display view size of all pages must always be 100%.
  5. Texts on all pages must be selectable to facilitate comments and highlights to be imposed on the texts. (So either Adobe or PDFpen, with their built-in OCR, or an extra app like ReadIris, is a must. Unless your solicitor does it for you. It’s such a wonderful feeling when you get a bundle which has already been OCRed that I’ve taken to thanking solicitors who do so personally, and publicly…)
  6. The bookmarks must be labelled indicating what document they are referring to (best to have the same name or title as the actual document) and also display the relevant page numbers. (We’ve covered bookmarking, or Outlining as PDF Expert calls it (keeping bookmarks for the equivalent of Post-its). It’s really important. But remember that some apps, PDF Expert among them, don’t always carry bookmarks across in documents you merge or add later. So do the bookmarking afterwards – or automatically, as with Adobe. I admit it excels there.)
  7. The resolution on the electronic bundle must be reduced to about 200 to 300 dpi to prevent delays whilst scrolling from one page to another. (Not all apps do it terribly well. PDF Expert does it tolerably – look for Reduce File Size on the File menu – but won’t tell you what dpi, instead talking about high, medium or low quality. Medium should cut file size by half or thereabouts and is still usually fine for readability.)
  8. The index page must be hyperlinked to the pages or documents they refer to. (This can be tricky. I’ll get to it, honest. But it’s a great idea – and once you know how to do it, you can start cross-linking bits of your bundle for your own purposes. I know of one silk at Outer Temple who routinely does this and it works marvellously for him.)

All in all, a masterly (sorry) run-down of the key elements of a soft bundle that works for everyone concerned. Just, for heaven’s sake, remember to remove your own annotations (in PDF Expert, this is on the Edit menu) before sending it out…

What’s your data worth?

In allowing Google to appeal against the Court of Appeal’s findings in Lloyd v Google llc, the Supreme Court holds out the prospect that we’ll conclusively know whether a personal data breach is a loss in itself – or whether a pecuniary loss or some specific distress is required.

In 2019, the Court of Appeal did something special to personal data. It gave it a value in and of itself – such that a loss of control over personal data became an actionable loss in itself. No actual pecuniary loss or distress was necessary. Now the case in question is going to the Supreme Court, and the understandable controversy triggered by the Court of Appeal’s decision may (once the case is heard, late this year or more probably next) finally be resolved one way or the other.

The Court of Appeal’s decision came in Lloyd v Google llc [2019] EWCA Civ 1599, a case involving one of the highest-profile tech firms in the world, and one of the foremost examples of either (depending on your perspective) finding an inventive solution to another firm’s (in this case Apple’s) unreasonable intransigence, or shamelessly evading that firm’s customers’ privacy protections for one’s own gain. The issue was Google’s use of what was generally termed the “Safari workaround”, a means of tracking users of websites on which a Google subsidiary had placed ads even if a user’s Apple device was set up to stop this from happening.

Richard Lloyd, a privacy activist, was trying to initiate a class action on an opt-out basis, which could in principle encompass millions of users of Apple’s Safari web browser. This was in itself highly controversial, although I don’t propose to address that side of things. Of more direct interest from a privacy perspective was the claim made on Mr Lloyd’s behalf that the Safari Workaround was actionable in itself: that users didn’t have to prove they’d lost out emotionally or financially, but that the loss of control over their personal data which the Workaround caused was per se a loss sufficient to allow them to sue under the Data Protection Act (the 1998 version, which had been in force at the time).

The High Court had no truck with this argument, Warby J concluding that without some actual loss or distress, section 13(1) of the 1998 Act wasn’t engaged. The Court of Appeal disagreed, with Vos LJ finding (at [44-47]) that a person’s control over their personal data had an intrinsic value such that loss of that control must also have a value if privacy rights (including those arising from article 8 of the European Convention on Human Rights) were to be properly protected.

(The Court of Appeal also reversed Warby J’s findings on the other key point: that the potential claimants all had the same “interest” in the matter, such that a representative action under CPR r.19.6 could proceed. As such, it ruled that it could exercise its discretion to allow Mr Lloyd to serve proceedings on Google even though it was out of the jurisdiction.)

To no-one’s surprise, Google sought permission to appeal the matter to the Supreme Court. The Court has now given permission for the appeal to proceed – not just on the core question of whether loss of control over personal data is actionable in itself, but on the other points on which the Court of Appeal disagreed with Warby J.

The question of where the cut-off point lies in privacy breaches involving loss of control over personal data has been a live one ever since an earlier case involving Google, Vidal-Hall v Google Inc [2015] EWCA 311, which (as Vos LJ put it in Lloyd) had analogous facts but one critical difference: it had been pleaded on the basis of distress caused by a personal data breach, rather than the idea that such a breach was intrinsically harmful and thus actionable in itself. The Court of Appeal in Lloyd went beyond Vidal-Hall in expanding the scope of actionable harm. Now, at last, we may conclusively get to identify the outer borders of that scope. Watch this space.

(Incidentally – I’m rather late to this party. The Supreme Court granted permission in March. I’d intended to write about it a little earlier, but the Bug got in the way. My apologies.)

A good day for employers. With a data protection sting in the tail.

I’m not going to usurp those who know a lot more than me (Panopticon, I’m looking at you). But today’s Supreme Court decisions on vicarious liability are a big deal.

There’s a thematic beauty to the fact that the Supreme Court decided to release its judgments in WM Morrisons Supermarkets plc v Various Claimants [2020] UKSC 12 and Barclays Bank plc v Various Claimants [2020] UKSC 13 on the same day. Taken together, the two judgments offer a solid dose of relief to employers worried about the circumstances in which they can be held liable for the acts of employees (Morrisons) and independent contractors (Barclays). But there’s at least a slight sting in the tail of the Morrisons judgment, which anyone responsible for keeping an organisation on the data protection straight and narrow would do well to recognise.

I don’t propose here to go into huge detail. If you want a really in-depth look at Morrisons – and it pains me to point you to another Chambers, of course – 11KBW’s Panopticon blog does a lovely job, while the estimable UKSC Blog’s writeup of Barclays will give you what you need in just a few paragraphs.

But these cases are so interesting that I couldn’t let the day pass without at least a quick note.

On the vicarious liability front, the main lesson from Barclays appears to be that nothing dilutes the fundamental question where the wrongdoer is in fact an independent contractor, which is to determine whether their role and their actions are akin to an employment relationship. In doing so, it’s important not to get hung up on the five “incidents”, factors identified in the Christian Brothers case ([2012] UKSC 56) such that one loses sight of that central question. If the independence of the contractor is clear, there’s no need to waste time going through the incidents. They’re a guide, not a test.. So the incidents aren’t a test; they’re a guide.

Unsurprisingly I find Morrisons even more fascinating. Just to recap the facts: Andrew Skelton, a Morrisons employee with access to payroll data as part of his job was disciplined for misconduct in 2013. In retaliation, in early 2014 Skelton put a copy of payroll data for the supermarket group’s entire workforce online, and tried to leak it to the papers – who, thankfully, instead told Morrisons. (Skelton is now in jail for having done this.)

Some of Morrisons’ employees sought to hold the company vicariously liable for the leaker’s breach of their data protection rights. At first instance and appeal, they won.

The Supreme Court has now decided otherwise. Critically, the Court points out that just because Morrisons gave Skelton access to the data, making him a data controller, that doesn’t make them responsible for everything he did with it. In this case the Christian Brothers incidents aren’t relevant – no-one argues Skelton wasn’t an employee. But his misuse of the data wasn’t sufficiently part of the task he was entrusted with (which was to send it to Morrisons’ auditors) to make Morrisons responsible for his actions. The fact that he had a strongly personal motive – to retaliate against Morrisons – was highly relevant to the analysis too.

Before everyone starts getting too comfortable, though, Morrisons doesn’t leave companies with a free pass for their employees’ data protection errors:

  • For one thing, the Data Protection Act and the GDPR (for as long as it remains applicable…) can impose direct liability on organisations if the wrongdoing is in practice on the employer’s behalf, or if the organisation’s slipshod controls played a part in enabling it.
  • For another, and this is the real sting in the tail: Morrisons sought to argue that the DPA excluded vicarious liability, whether for common law or statutory wrongs, limiting liability only on data controllers and even then only if they’d acted without reasonable care. The Supreme Court had little time for this. It drew the comparison with vicarious liability for an employee’s negligence: assuming the normal test for vicarious liability was met, there was no reason why, if strict employer liability applied to that, there was no reason absent explicit statutory language (which there isn’t), it shouldn’t apply to employee data protection wrongdoing too.

So a big day for employers, a fascinating one for employment lawyers – and good times for the data protection geeks as well.

The darkest timeline?

Certainly feels that way. Thank goodness for Scarfolk.

I think the phrase comes from an episode of Community, but if there is such a thing as the multiverse, then a non-negligible number of people think that since 2016 at least, we’ve been living in what’s been termed the darkest timeline: an alternative reality where our choices have dropped us into the worst of all possible worlds.

Why 2016? A spate of pop culture deaths: Bowie, Prince, loads more. Brexit. Trump. (Yeah. Political heart on sleeve there. Sorry.) And the slide since then into populist shoutiness and wholly inept (when not actually malevolent) leadership from far too many directions at once.

Put that together with where we are now, sheltering in place with Covid-19 ravaging lives and economies, and the idea that somehow we’ve slid into the darkest timeline rather makes sense.

Before that drives me to despair and drink, thank goodness for Scarfolk, which came to me via Cory Doctorow’s newish linkblog Pluralistic. For the uninitiated, Scarfolk is a site which celebrates (wrong word entirely) an imaginary English community stuck in a hideous, timelooped version of the 70s. (Do yourself a favour and just have a look around. Although be warned – like XKCD, the rabbit hole is effectively bottomless. You may be a while.)

Its take on social distancing is apt, hilarious, and depressing. Perfect for these times of ours.

This. Bug. Sucks.

Forgive me for going personal for a minute…

A quick one. I don’t know if I’ve got you-know-what. Symptoms don’t entirely match – only a very mild tightness in the chest and a very occasional cough. But my temperature is north of 38 most of the time, my heart rate (normally resting at about 60) is hovering between 80 and 90. And weirdest of all, I periodically start shivering so hard my teeth actually chatter and I can’t hold a mug without spilling. A genuinely new experience. Fascinating.

Other family members have it, or have had it, too. Although sometimes with less shivering and more coughing. (One is coughing a bit more today. Trying not to let myself get too worried.)

I guess we won’t know for ages (given the truly outrageous failure of our government to test – oh, to be in Taiwan right now, like a good friend of mine…) whether we’ve actually got CV or not. But all I can say is: if I have got it, then given what a royal pain in the backside even this stupefyingly mild dose is proving to be, I’m actually stunningly fortunate. At least I can still work, if for shorter stretches than usual and with longer breaks.

This thing isn’t messing.

The funniest thing of all: the only paracetamol left in the house is multiple bottles of Calpol. And I’d had NO idea just how gross it tastes…