Admiral, the UK-based insurance company, has been refused legal access to a non-customer's mobile phone location data after claiming it would help decide whether or not a policyholder was committing fraud.
The Court of Appeal of England and Wales' previously unnoticed decision comes as a similar one in Germany this week raises questions about the use of the law against third-party providers of tech services.
Vodafone did not object to Admiral's application for a Norwich Pharmacal order (NPO) in November 2020 to obtain call records of someone who was not an insurance customer – with Admiral's barrister telling judges that mobile phones "have enabled people to lie about their whereabouts."
Handing down their judgment late last month, Lord Justices Baker and Lewis together with Mr Justice Francis upheld an earlier ruling refusing Admiral access to cell site location data about the mother of a man who held an insurance policy with the company.
Admiral (a trading name of EUI Ltd) had applied for a Norwich Pharmacal order against Vodafone after suspecting one of its own customers had made a fraudulent insurance claim.
The insured man's home insurance policy let him claim temporary housing costs if he had to move out from his address in London while damage was repaired. His insurer thought its (unnamed) customer was fraudulently claiming rent from it after moving into a house owned by his parents, following what he said was a water leak in his own home.
Lord Justice Baker said Admiral believed "that there may be grounds for a claim against the policy holder and his mother in deceit and conspiracy. For that reason, before taking proceedings, they wish to obtain information which may clarify whether or not the policy holder's parents were staying in Milton Keynes between 2 and 8 December 2019 as asserted by the policy holder in his signed statement."
- Assange extradition case goes to UK Home Secretary as High Court rules he can be sent to US for trial
- Uber's gig economy business model takes a blow from London legal double-whammy
- UK Home Secretary delays Autonomy founder extradition decision to mid-December
- Google swats away £3bn Safari Workaround ad-tracking cookie lawsuit in Supreme Court victory
That information was the insured man's mother's "call records" and "the cell site data showing the location of the phone during the period in question," as the Court of Appeal said.
Admiral also wanted copies of "SMS/MMS data." His Honour Judge Sephton QC, sitting as a High Court judge in Manchester, refused Admiral's legal application last year – even though Vodafone had "indicated it did not oppose the application."
Throwing out Admiral's uncontested appeal case (Vodafone didn't turn up, telling the court it remained "neutral"), Lord Justice Baker said:
The fact that the phone account holder would have been able to pretend she was somewhere she was not does not draw the phone company into her wrongdoing. It is true that the phone records may assist in establishing the truth of the parents' whereabouts. But in that regard the phone company is manifestly a mere witness.
Its position is no different from anyone else who may be able to provide evidence about that issue – for example, the nephew living in Milton Keynes, or the neighbours to the parents' property, or, as Lewis LJ helpfully suggested in the course of the hearing, the milkman.
Norwich Pharmacal orders can only be granted if the respondent was somehow involved in the alleged wrongdoing. Merely being a witness (such as a CCTV operator) doesn't cross that threshold.
Tech lawyer Neil Brown of decoded.legal, who spotted the court decision and blogged about it, mused that the precedent this case sets "gives ISPs and communications providers a reasonable degree of scope for arguing that, while they might have information, they're not just a reference source, available on demand, and that they must be more closely connected with the underlying issue to justify the grant of an order."
And in Germany
Swiss DNS provider Quad9 lost a legal bid last week to suspend an order forcing it to block DNS lookups for IP addresses of sites Sony Music claimed were hosting pirated albums.
Quad9 presents itself as a security-enhancing non-profit; the company merely runs a DNS server and blocks lookups to addresses on its internal blacklist.
Sony secured the injunction from a Hamburg court in the summer after convincing a judge that resolving domain names for sites allegedly hosting copyright-infringing files was in breach of German law.
A statement from a German civil rights campaign group (complete with video from ex-Pirate Party MEP Julia Reda) reckoned that Quad9 didn't qualify for legal immunity given to ISPs in Germany "because it does not itself route the copyright-infringing information from A to B, but merely provides indirect access to it."
John Todd, general manager of Quad9, said in a statement: "There are a large number of internet-based services which we think ultimately are put at serious risk by this ruling, and we will not stop our legal challenges on this injunction." ®