Following the widely read posts in 2018 and 2019 here is my selection of most notable privacy and data protection cases from 2020:
- Schrems II C-311/18
The seminal case that invalidated the adequacy decision of the EU/US privacy shield and retained the Standard Contractual Clauses Framework. The case has highly significant ramifications for the means and processing of data between the EU and the US. Coverage of the case was broad with Bird & Bird, Norton Rose Fulbright, Jones Day, Penningtons and Eversheds Sutherland.
- ZXC v Bloomberg LP  EWCA Civ 611
The Court of Appeal heard the significant case concerning whether someone can have a reasonable expectation of privacy in relation to the information that relates to a criminal investigation into their activities was undertaken, without them being charged. Bloomberg’s appeal of the first instance finding was unsuccessful, and award of £25,000 damages was affirmed. There was an Inforrm case comment.
- Sicri v Associated Newspapers  EWHC 3541(QB)
This case concerned the publication of an article by the Mail Online following the arrest of a man for having a connection with suicide bomber Salman Abedi. The Mail Online did not remove the article after the claimants’ release and divulged his name via an alternative spelling, address and other identifiable details. The article was taken down following a letter of claim citing actions for damages for breach of confidence and misuse of private information.
The claimant was successful and awarded £83,000 in damages as he had a reasonable expectation of privacy in respect of his identity remaining private when his arrest was reported. Bindmans comments as does the Manchester Evening News and Matrix Chambers.
- Aven v Orbis Business Intelligence  EWHC 1812 (QB)
The Defendant produced the “Steele Dossier” an intelligence memorandum concerning any link which might exist between Russia and its President Vladimir Putin and Donald Trump. The claimants sought recourse under the Data Protection Act 1998 that parts of the report contain their personal data inaccurately, contrary to the Fourth Data Protection Principle (“Fourth Principle”). This data was alleged to have been processed unlawfully by Orbis contrary to the First Data Protection Principle.
The Court granted a limited order for rectification in respect of all inaccurate data but declined to grant a wider remedy under DPA s.14(1)-(3). Compensation of £18,000 each was a warded to the first and second claimants. Bird and Bird, Nelsons and Lexology all provided commentary.
- WM Morrison’s Supermarkets plc v Various Claimants  UKSC 12
The highly significant UK Supreme Court decision which acted as a confirmation that there needs to be more than a temporal or causal link for vicarious liability to be imposed. Over 9000 Morrison’s employees brought the claim against Morrison’s following a an employee leaking their personal data as part of a personal vendetta. There was an Inforrm case comment.
- R (Bridges) v Chief Constable of South Wales Police  1 WLR 5037
The UK Court of Appeal’s finding that the South Wales Police Force’s use of facial recognition was unlawful. It was found that a proper Data Protection Impact Assessment had not been undertaken and that there was no compliance with the public sector equality duty. There was an comment on the Privacy Law Barrister and an Inforrm case comment.
- Dawson-Damer v Taylor Wessing LLP  EWCA Civ 352.
A case which considered what constitutes a “relevant filing system” under s1(1) DPA 1998, the Court considered four questions:
- Are the files a “structured set of personal data”?
- Are the data accessible according to a specific criteria?
- Are those criteria “related to individuals”?
- Do the specific criteria enable the data to be easily retrieved?
The Court considered the judge to have erred in relation to the fourth question- there was no ease of access, the files required lawyers to analyse them page by page with a senior lawyer reviewing providing additional oversight. As such the 35 files where not a relevant filing system. Serle Court comments. There was a comment on the Panopticon Blog.
- Case C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others (referred to as La Quadrature du Net and Others).
The Court of Justice here found that “the national measures restricting the confidentiality of communications in fact impose certain obligations on service providers, be it to transmit communications data to State authorities, to retain and provide access to data, or to perform certain processing operations on the basis of pre-defined parameters.”
It considered that EU law applies every time a national government forces a telecommunications provider to process data, including in instances for national security. It also concluded that EU law, in this case the e-Privacy Directive, sets out privacy safeguards regarding the collection of data by national governments which must be followed. Privacy International has commentary.
- Elgizouli v Secretary of State for the Home Department  2 WLR 857
The case concerns the UK’s stance on the application of mutual legal assistance to the United States where doing so may result in the death penalty being carried out. It considered the case of two men who were responsible for the beheadings of 27 men in Syria. The Data Protection elements of the case concerned the provision of information from the United Kingdom to the United States to allow for such a trial to take place and the qualification of some of that information as personal data. Providing such information was found to be unanimously unlawful under Part 3 of the Data Protection Act 2018.
The Telegraph reports on the case as does the UK Constitutional Law Association.
- R v Nigel Wright ( EW Misc 22 (CCrimC)). There was an Inforrm case comment.
The defendant was charged with blackmailing a supermarket chain and contaminating food. The case concerned the anonymity of corporate victims in cases of blackmail. Following the arrest of Mr Wright in February 2020, Tesco obtained a pre-issue interim injunction restraining him from disclosing information that Tesco was subject to the blackmail attempt.
However, at trail the maintenance of anonymity was refused as Warby J found that blackmail of corporate entities did not engage the same policy considerations as blackmail involving a threat to disclose “wrongdoing, or embarrassing facts, of a personal and private nature”. Further, Tesco’s article 6 rights to a fair trial were not engaged by the facts of the case. The BBC and Yahoo both had coverage.
Your serious reminder that we have every right on our facial recognition data and we must make sure no unauthorized party has access to it is so true. As someone who works at a high-tech farm, there are certain places that my cousin can only enter using biometric scanning. Maybe this article would help him find out the best way to manage all those information safely.