The Guardian has reported that two corporate intelligence firms spied on protestors on behalf of a number of large companies, including British Airways, the Royal Bank of Scotland, Caterpillar, and Porsche.
Documents have been leaked from two corporate security firms, C2i International Limited (which is no longer in business) and the Kent-based corporate security firm, the Inkerman Group relating to surveillance which is said to have included the use of infiltrators to spy on campaigners. The Guardian reports that one target included the bereaved family of Rachel Corrie, the student protester crushed to death by an Israeli military bulldozer. In 2007, the family’s legal claim against Caterpillar, the company said to have manufactured and sold the bulldozer to the Israeli military, was dismissed by the US courts. Shortly afterwards, a conference call took place between Corrie’s mother and around 70 other members of a campaign supporting the family’s lawsuit. C2i recorded the contents of that call in a five-page “restricted-commercial” document known as a “corporate threat intelligence alert”. The document bore the Caterpillar logo.
The leaked documents also suggest that the Inkerman Group had also been instructed to covertly deploy infiltrators on demonstrations that are directed at certain companies. They were also able to obtain “verbatim” emails being circulated among local protesters who were objecting on health grounds to phone masts being built. C2i operatives also infiltrated protests by groups such as Plane Stupid, environmental group Rising Tide (which protested against banks), and protests against the Iraq war.
What can campaigners do?
Campaigners who believe they have been affected have a number of potential remedies. First, individuals can make subject access requests (“SARs”) under section 7 of the Data Protection Act 1998 (“DPA”) of any company which they believe has obtained their personal data. A data subject is entitled not only to the information held about them but to be told whether any personal data is being processed, the reasons for it and whether it will be or has been provided to any other organisation or person. They are also entitled to receive a copy of the information comprising the data and the details of its source (where available). SARs must be made in writing. There is no limit on the number of SARs that an individual can make to different companies.
There are some exceptions to an individual’s right of access, such as where the request is too onerous or disproportionate, it may be refused. However, any refusal to comply with a SAR must be justified by the data controller: Dawson-Damer v Taylor Wessing  EWCA Civ 74. Failure to adequately comply with a SAR may in and of itself give rise to a claim for damages under s. 13 DPA: AB v Ministry of Justice  EWHC 1847.
Second, there are potential civil claims for breaches of the DPA, breach of confidence and misuse of private information. Such a claim was made last year in the case of Bains v Moore – which concerned an individual engaged by corporate intelligence company K2 Intelligence Limited to spy on anti-asbestos campaigners. A spy working for K2 Intelligence masqueraded as a sympathetic documentary maker in order to gather significant amounts of sensitive material about the leading figures in the campaign, their methods, funding and future plans. The Claimants successfully obtained an order compelling K2 to identify its client, although the name of the company remains subject to an anonymity order. The Claimants were also successful in their application for delivery up of the Claimants’ confidential information, prior to service of the Particulars of Claim.
Although there is not yet a final judgment in Bains, it is likely that the Claimants will argue, for example, that in relation to breaches of the DPA, the Claimants did not consent to their personal data being made available to K2, they did not know the purposes for which their data was likely to be processed (indeed, they were actively misled as to its purpose), and that their data was not lawfully obtained. Such arguments are likely to be of general application to these types of case.
It is also likely that in cases where communications have been intercepted, or groups infiltrated, that there will be strong claims for misuse of private information and breach of confidence. This would apply, for example, to communications between campaigners about campaign matters and personal conversations and communications. In addition to damages, campaigners would also be entitled to injunctive relief and delivery up of all documents obtained as a result of the espionage. The latter is likely to be particularly important as a safeguard against further wrongdoing and misuse of confidential and private information.
Campaigners may also be able to give notice under s. 10 of the DPA to compel a data controller to cease processing their personal information where (1) the processing is causing or is likely to cause substantial damage or substantial distress to him/her or another; and (2) such damage or distress is or would be unwarranted. This can be done via a written data subject notice. The data controller must reply within 21 days, which makes this a useful tool for those wishing to obtain at least interim reassurance that their data is no longer being processed. Further, if the data controller expresses an opinion based on inaccurate data, it may be possible to obtain an order from the court to compel the data controller to “rectify, block, erase, or destroy” that data: s. 14 DPA.
In short, campaigners who believe they have been targeted have a wide variety of potential remedies. The first step is to find out what data is held about them, and by whom. This can be done in the first instance via a SAR, although it may be necessary to apply to the court for further information prior to particularising any claims as the claimants did in Bains v Moore. While the evidence is only just emerging, this may well be the tip of the iceberg.
Kirsten Sjøvoll is a member of Matrix Chambers, practising the field of media and information law.