Sir Mark Warby
Lord Justice of Appeal of England and Wales
The guarantee of judicial independence
- Judicial independence is constitutionally fundamental in a liberal democracy. That should go without saying, but it has not always and everywhere been understood. It was not as well understood as it should have been in 1995, when the EU enacted the Data Protection Directive, or when the United Kingdom passed domestic legislation to implement the Directive; the Data Protection Act The effect of those provisions was to subject judges to the regulatory jurisdiction of the general data protection regulator, the Information Commissioner’s Office (ICO)
- The EU’s General Data Protection Regulation put things right – at least, as a matter of principle. Chapter 6 of the GDPR deals with Supervisory Authorities. It requires each Member State to establish one or more independent public authorities, to monitor the application of the Regulation, and to carry out various specified functions. But the designated functions do not include the supervision of judicial activities. The Supervisory Authority cannot do that. Article 55(3) (“Competence”) provides that “Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.”
- The background to this is to be found in Recital 20, the key part of which is:
“The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State …”
- The unofficial designation of this recital, which you will find if you go to the European Commission’s website, is “Respecting the independence of the judiciary.” The GDPR also exempts those “acting in a judicial capacity” from the prohibition on processing special category data, and the requirement to have a data protection officer. It empowers Member States to legislate for exemptions from data subject rights and corresponding duties, in order to protect “judicial independence and judicial proceedings.”
The UK response
- As a Member State of the EU at the time, the United Kingdom was directly bound by the GDPR. But in 2018 it passed its own legislation, the Data Protection Act 2018 (the DPA), to supplement the GDPR in areas which the Regulation left to Member States’ discretion, as well as certain other purposes. Brexit has left the essentials of this regime intact.
- The DPA establishes the ICO as the supervisory authority in the UK, for the purposes of Article 51 of the GDPR. The DPA reflects Recital 20 by providing expressly, under the heading “Competence in relation to courts, etc.” as follows:-
“Nothing in this Act permits or requires the Commissioner to exercise functions in relation to the processing of personal data by—
(a) an individual acting in a judicial capacity, or
(b) a court or tribunal acting in its judicial capacity”
- The competence of the ICO in that field is therefore expressly excluded. Other exemptions for the judiciary, contained in the GDPR, are also reflected in the DPA. But unlike some other Member States, the UK did not legislate for any special body to oversee data processing by the courts in their judicial capacity. It was left to the judges to establish “specific bodies with the judicial system” for that purpose.
England and Wales
- The UK has a single Supreme Court, but below that there are three constituent jurisdictions, each with its own judiciary: (1) England and Wales (2) Scotland and (3) Northern Ireland. I speak only for the first of these. Other jurisdictions have their own arrangements.
The Judicial Data Protection Panel
- What we have in England is a panel – the Judicial Data Protection Panel (JDPP) – established by the heads of the relevant judiciary. To complicate things a little more, our judiciary has two main branches: the Courts judiciary, and the Tribunals judiciary. The JDPP was established by the heads of those two branches – the Lord Chief Justice and the Senior President of Tribunals. This seems to be constitutionally proper, and to reflect the principle of judicial independence.
- The composition of the Panel is: one judge from our Court of Appeal, one from the High Court, and one from the Upper Tribunal (the appellate tier of the Tribunals system). The JDPP is Chaired by Sir Kim Lewison, a Lord Justice of the Court of Appeal with expertise in data protection. I was appointed as the High Court representative. I am a media lawyer by background, and until I joined the Court of Appeal in February 2021 I was Judge in Charge of the Media and Communications List. In those capacities I have done a great deal of data protection work, which gives me a qualification other than merely having volunteered. The third Panel member is Judge Alison McKenna, President of the General Regulatory Chamber of the Tribunals system. Among her functions is dealing with freedom of information cases, and some data protection claims.
- The JDPP has terms of reference which reflect the wording of Recital 20 to the GDPR. This states that the bodies within the judicial system to whom responsibility is to be allocated
“should, in particular, ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.”
- The Terms of Reference are:
“The Panel will be responsible for:
- promoting awareness of data protection law amongst the courts and tribunals judiciary;
- ensuring effective guidance, including judicial training, is in place to ensure compliance with obligations that arise under data protection law both where courts and tribunals act in a judicial capacity and where judges otherwise carry out data processing functions in the course of the appointment;
- ensuring an effective system is in place to investigate complaints in relation to data processing both where courts and tribunals act in a judicial capacity and where judges otherwise carry out data processing functions in the course of their appointment; and
- liaising with the Information Commissioner, in so far as appropriate, concerning compliance with data protection law.”
- Nothing is said in Recital 20 to the GDPR or the JDPP’s Terms of Reference about the imposition of any sanctions on a judge, court or tribunal, for breaching data protection principles in the course of judicial work. The JDPP has no power to do that. But there is an independent public body with overall responsibility for complaints of judicial misconduct. It is called the Judicial Conduct Investigations Office (“JCIO”). The JDPP has resolved that any breach that appears serious enough to merit disciplinary investigation would be referred to the JCIO.
- Three years into the life of the JDPP, it is possible to report progress, but some areas where there are issues that still need to be settled.
A progress report
- The JDPP, with the support of a small but hard-working and expert secretariat, has
- drawn up and distributed two editions of a Judicial Data Protection Handbook, setting out “practical and proportionate ground rules concerning the use of data by the judiciary”
- published Judicial IT Security Guidance, to help judges safeguard their technical equipment and the means of access to the data they control
- prepared and supplied privacy notices to be used by leadership judges, explaining to those whose data they process in that capacity what uses will be made of such data
- established a Judicial Data Processing Complaints handling policy
- operated a system to receive, investigate and adjudicate on complaints of wrongful data processing by the judiciary in their judicial capacity and
- liaised with the ICO on
- the demarcation lines between its jurisdiction and that of the JDPP
- the creation of guidance to members of the public on their rights and remedies when they believe a judge, a court or a tribunal has infringed their data protection rights
- The most substantial undertaking in all of this is the Handbook. That is a work that has evolved. Today, it is a 60-page document. To make it manageable, it is divided into five parts. Part one contains FAQs: answers to questions that often arise. Part two sets out comprehensively the standards and procedures that judges should adopt and apply, to ensure compliance with data protection law. Part three tells judges how to keep data safe. Part four gives details of what to do if there is a data breach. The final part advises judges on how to respond to data subject access requests. Contact details are given for key personnel.
- The handling policy is a document designed for public use. It explains the functions of the JDPP, the scope of its jurisdiction, how to submit a complaint, and how the JDPP will deal with a complaint when it is submitted.
- Since its establishment the Panel has received around a hundred queries and complaints. Given the volume of work potentially within the Panel’s remit this does not seem excessive. Most complaints, approximately a third, relate to the refusal of a request made under Article 15 (the right of access). These requests are often for notes made by the judge during a case or for emails or other correspondence exchanged by judges in relation to a case. Other complaints seek to have ‘incorrect’ data in a judgment or decision corrected, or data redacted (GDPR Article 16 right to rectification or GDPR Article 17 right to erasure).
- However, the second most common complaint, making up approximately a quarter of those received, relates to the publication of judgments online. All judgements of some specific tribunals, in particular Employment Tribunals, are published online. The decision to do so was made by the UK’s Ministry of Justice (MoJ), rather than being a judicial decision. Resolving these complaints is therefore outside the panel’s remit and all these are directed to the MoJ. Indeed, about half the complaints and queries directed to the Panel are not strictly within its remit.
- The Panel requests that all personal data breaches are reported to it. As well as enabling the provision of timely advice on mitigating the potential harm arising from the incident, this is valuable intelligence, helpful in deciding what additional advice, guidance or training should be developed. Fortunately, most breaches involve the compromise of only small number of data subjects’ data and in over half the incidents the compromised data is recovered.
- The single most common type of incident (approximately 50 %) involves material being emailed to an incorrect recipient. In most instances, the recipient is trustworthy, such as a judicial colleague or party’s solicitor, and the email is deleted.
- The second most common type of incident involves paperwork being lost or stolen. Around a third of all data breaches are in this category. Breaches of this type mostly occur when the paperwork is in transit. Examples include instances of files being left on public transport and paperwork left in vehicles overnight being stolen. A few instances have involved the theft of paperwork from judges’ houses. Although these incidents are distressing it is very unlikely the paperwork is the target of the thief. The paperwork has always been in a bag or case with items such as laptop computers more readily converted into cash.
- The Panel meets quarterly, to receive reports on data breaches and other current issues, and to determine its future policy and programme of publications.
- Four points have particularly engaged our attention over the last three years.
- Question: when is a judge not “acting in a judicial capacity”? The question might not be so hard to answer in a regime where the only work undertaken by the judiciary is hearing and adjudicating on disputes in civil and criminal cases. In such a regime there might be a simple answer to my question. It could be, “when he or she is not at work”; or, “when she or he is not doing the tasks which she or he has been engaged, and is paid by the state, to perform”. But if there is such a regime, it is not to be found in England. The picture is considerably more complex.
- We have a long and proud tradition of judicial independence. In the 17th century, King James II and other monarchs sought to influence or control the judiciary. In the Act of Settlement 1701, mainly designed to ensure that the English Monarch would always be a Protestant, Parliament provided that:
“… judges’ commissions be made quamdiu se bene gesserint [during good behaviour], and their salaries ascertained and established; but upon the address of both Houses of Parliament it may be lawful to remove them.”
- This means that removal is only possible on a vote of both Houses of Parliament, and this remains the law, for members of the senior judiciary: High Court Judges and above. But Parliament has legislated again on this subject, as recently as 2005, with results that have a bearing on the question I have posed. Section 3 of the Constitutional Reform Act is headed “Guarantee of continued judicial independence”. It imposes a duty on the Lord Chancellor (the Secretary of State for Justice) and others to “uphold the continued independence of the judiciary”. Some specific duties are imposed for the purpose of upholding that independence, including a specific ban on seeking to influence particular judicial decisions, and a duty to have regard to the resources needed. This is all very welcome.
- At the same time, however, Parliament imposed new duties on the judiciary. The Lord Chief Justice (the head of the Judiciary of England and Wales) was given responsibility not just for judicial deployment but also for “the maintenance of appropriate arrangements for the welfare, training and guidance of the judiciary of England and Wales”. His counterparts in Scotland and Northern Ireland were given corresponding responsibilities. This was done in pursuit of judicial independence.
- The Government’s Explanatory Notes to the 2005 Act explained that this Part of the Act:
“… deals with functions relating to the judiciary and courts so that they are appropriately shared between the reformed ministerial office of Lord Chancellor and the Lord Chief Justice (and/or other senior members of the judiciary as appropriate).
[and is] intended to give substantial effect to the agreement between the Lord Chief Justice of England and Wales and the Lord Chancellor on the proposals relating to the transfer of the Lord Chancellor’s judiciary-related functions … (the Concordat).”
The result, in practice, has been a substantial shift of what might be called management and administrative responsibility from the civil service to the judiciary.
- Two lessons from this. First, contrary to popular belief, we do have a written constitution. It is just not all written in a single document. Indeed, not all the documents which embody our constitution are held in a single location. Secondly, and more pertinently today, our judiciary now perform a range of functions that go beyond hearing and adjudicating on legal disputes. I have mentioned some of my roles. In addition, I am currently Director of Training for the Senior Judiciary, and I chair the Courts Committee of the Judicial College, and the Standing Committee of the Judges’ Council on Communications. For three years I was Chair of the High Court Judges’ Association. This multiplicity of roles, which is entirely typical of Judges in our senior judiciary, gives us a keen interest in knowing the scope of the term “acting in a judicial capacity”.
- The answer is of course important for more than one reason. If an act is not performed in a judicial capacity it is not exempt from the regulatory regime of the ICO, and falls outside the responsibility of the JDPP. The JDPP has taken advice on the question. The question of when a court acts in a “judicial capacity” is before the Court of Justice of the European Union, on a reference from the High Court of the Republic of Ireland in a different context. The issue is whether, in that context, a court is acting “in a judicial capacity” when it makes a decision about access to court records relating to proceedings after final judgment has been given and all rights of appeal have been exhausted. In early December 2020, Advocate General Bobek delivered an Opinion proposing a negative answer. There is a more recent request for a preliminary opinion, directly concerning the GDPR. We look forward to learning more, as these cases progress.
- One feature of the UK’s jurisdictional landscape is its diversity. When describing the two main branches of our judiciary I left out some complexities. Tribunals, which typically have specialist jurisdictions and often sit with non-legal members, were brought into a unified system by the Tribunals, Courts and Enforcement Act 2007, but there are several tribunals established by law that fall outside this regime. A consequence is that they fall outside the scope of the JDPP. And if, as we believe, these are tribunals performing judicial functions, they are also outside the regulatory scope of the ICO. We have made progress on ensuring that some of such “orphans” are brought within the JDPP regime.
- Judicial decisions, including case management, are always the responsibility of a judge not an administrator. But some aspects of managing a case, such as “listing”, may in practice involve be carried out by staff using “delegated” powers, subject to oversight. This would seem to be an instance of work done in a judicial capacity by the Judge, via an agent or delegate. A recent trend in the distribution of work in some jurisdictions is the increased use of qualified lawyers to make initial decisions, subject to review by a judge if requested. Is the delegate “acting in a judicial capacity” in this situation?
- If an act, though carried out by a judge in the course of his or her official duties, is not performed “in a judicial capacity”, it may fall within the regulatory scope of the ICO and – consequently – outside the JDPP regime. But there may still be an available exemption. Using the power conferred by Article 23(1)(f) of the GDPR, Parliament has provided that subject rights conferred by the Regulation do not apply to personal data which is not processed in a judicial capacity “to the extent that the application of those provisions would be likely to prejudice judicial independence or judicial proceedings.”
- This is a qualified exemption, with two limbs which seem to me to raise separate and distinct questions. It is one thing to ask whether granting access to an item of information would be likely to prejudice particular judicial proceedings (for instance, by undermining measures taken by the court to secure anonymity for a party). An answer can be given according to the concrete circumstances of the individual case. The question of whether granting access to particular information, which (by definition) is not covered by the “judicial capacity” exemption would be “likely to prejudice judicial independence” seems to raise more abstract issues.
 In the interests of brevity, I write here sometimes of England and English judges, without wishing to offend anybody from Wales – which should be taken to be included in such references, unless the contrary is indicated.
 Judge of the Courts Judiciary of England and Wales, Member, Judicial Data Protection Panel.
 Regulation 2016/679/EU.
 Article 9(2)(f).
 Article 37(1)(a).
 Article 23(1)(f).
 Giving effect to the Law Enforcement Directive, and providing for dealings with data by the intelligence agencies, for instance.
 Section 3 of the European Union (Withdrawal) Act 2018 makes the GDPR part of our “retained EU law”.
 Section 115.
 Section 117.
 See section 69 (exemption from need for data protection officer), Schedule 1 Part 3 para 34 (exemption from prohibition on processing special category data), Schedule 2 Part 2 para 14 (exemption from data subject access rights and duties).
 Eg, in the Republic of Ireland: Data Protection Act 2018, s.157.
 Jurisdiction to hear data protection appeals is divided between tribunals and the civil courts – see e.g. DPA 2018 ss. 162, 166 and 180.
 This means how a judge has behaved personally (such as making a racist remark, inappropriate use of social media, or falling asleep in court). It does not extend to complaints about a judge’s decision or the way a judge has managed a case; any remedy against these must be found within the judicial system itself.
 The original document is deposited in the Lower Saxon State Archives in Hanover, Germany.
 Section 7.
 Concerning the interpretation of Article 2(2) of Directive 2003/4 on public access to environmental information, in its application to court records.
 Friends of the Irish Environment Ltd v Commissioner for Environmental Information, joined party: The Courts Service of Ireland Case C-470/19, Opinion dated 2 December 2020.
 X, Z v Autoriteit Persoonsgegevens Case C-245/20, lodged by the Midden-Nederland District Court in the Netherlands.
 Strictly speaking they are not using delegated powers but rather are acting under a statutory authorisation to exercise judicial functions.
 More accurately, “the listed GDPR provisions”, defined in para 1 of Schedule 1.
 Schedule 2 Part 2 para 14(3).