Cricketer Ben Stokes and mother Deborah Stokes achieve settlement in privacy case against the Sun newspaper, securing rare unreserved apology

Following the publication of an article in 2019 in the Sun newspaper concerning a family matter before the cricketer was born, Ben Stokes and his mother have achieved a settlement from the Sun newspaper.

Mother of Ben Stokes, Deborah Stokes commented: “The decision to publish this article was a decision to expose, and to profit from exposing, intensely private and painful matters within our family. The suffering caused to our family by the publication of this article is something we cannot forgive.

“Ben and I can take no pleasure in concluding this settlement with the Sun. We can only hope that our actions in holding the paper to account will leave a lasting mark, and one that will contribute to prevent other families from having to suffer the same pain as was inflicted on our family by this article.”

The family were represented by Brabners LLP. Paul Lunt, solicitor to Ben and Deborah Stokes and Head of Litigation, said “The Sun has apologised to Ben and Deborah. The paper has accepted that the article ought never to have seen the light of day. The apology to our clients acknowledges the great distress caused to Ben, Deborah and their family by what was a gross intrusion – and exploitation – of their privacy. Substantial damages have also been paid, as well as payment of legal costs.”

See the Brabners LLP press release here.

The Sun stated: “On 17 September 2019 we published a story titled ‘Tragedy that Haunts Stokes’ Family’ which described a tragic incident that had occurred to Deborah Stokes, the mother of Ben Stokes, in New Zealand in 1988. The article caused great distress to the Stokes family, and especially to Deborah Stokes. We should not have published the article. We apologise to Deborah and Ben Stokes. We have agreed to pay them damages and their legal costs.”

Coverage of the settlement can be found in the Guardian, Press Gazette and BBC Sport, amongst others.

An Introduction to English laws tackling revenge pornography – Colette Allen

As the UK moved online in response to the COVID-19 pandemic, reports of image-based abuse – ‘revenge porn’ – doubled. One reason for the increase is that the national lockdown pushed dating lives online, and the sharing of sexual images became one of the few ways to show intimacy. Disclosing, or threatening to disclose, intimate images has a massive psychological toll on victims, and is therefore an effective means of exerting control. Financial pressure, a surge in domestic violence, and relationship breakdowns have contributed to the rise of reported cases.

Too often, the victim is blamed when their image ends up online. This response disregards the victim’s right to privacy and denies them of their sexuality. Most would agree that a person’s consent to have sex with another does not amount to consent to sleep with all of his/her friends – but that is the very logic of those who say individuals ‘should have been more careful’ when their image is disclosed.

If you are a victim of revenge porn, the law can help you regain control and achieve justice.

The uploading of sexual or intimate images online, without the consent of the individual pictured, and with the intention to cause the victim humiliation or embarrassment, is a criminal offence in England and Wales.

The relevant law differs depending on whether or not the victim is over 18 years of age.

Section 33 of the Criminal Justice and Courts Act 2015 (‘CJCA 2015′) applies to adult victims and establishes a maximum sentence of 2 years’ imprisonment following conviction.

For s.33 CJCA 2015 to apply, the image(s) must be private and sexual. Certain parts of the body, like exposed genitals or pubic area, are considered inherently private for the purposes of the offence. Posing in a sexually provocative way will be regarded as private if the image depicts something that would not ordinarily be seen in public.

The victim must show that the reason, or one of the reasons, that their intimate image was shared without their consent was to cause the victim distress (the ‘distress element’). Without proving this, a victim will not be able to secure a conviction against the defendant. The distress element is a distinct part of the trial that will require its own evidence. It is not enough that distress is or would be a natural consequence of the disclosure.

Doctored and computer-generated images, also known as ‘deep fakes’, are not covered by the CJCA 2015. A victim who has had an innocent image transposed onto a pornographic photograph or film does not, unfortunately, have any specific law to draw on. Victims in this scenario should, however, discuss with their solicitor the possibility of securing a conviction under section 1 of the Malicious Communications Act 1988 and/or section 127 of the Communications Act 2003. Victims pursuing this route will still have to find evidence for the distress element in order to secure a conviction, as both s.1 and s.127 require that the message be sent to cause distress or anxiety, or be of a menacing character, respectively.

It is not guaranteed that a victim of revenge porn will be able to secure legal aid funding, but this is something you should ask your solicitor.

If you are a victim of revenge porn, the law can help you regain control and achieve justice.

Defences

It is a complete defense if the defendant reasonably believed that the disclosure was necessary for the investigation, prevention or detection of crime (s.33(3) CJCA 2015), or if the image is disclosed by a journalist who reasonably believes that publication is in the public interest (s.33(4)). A journalist relying on the s.33(4) defense will have to show that there was a legitimate need to publish the photograph or film that goes to the value of a story on an important matter. ‘Public interest’ in this context is not simply something with which the journalist believes the public will be interested.

It is a defense if the defendant believed that the image(s) had previously been made public for financial purposes, i.e. commercial pornography (s.33(5) CJCA 2015). However, a defendant will not be able to rely on s.33(5) if they had reason to believe that the victim had not consented to prior release.

Anyone who forwards on the image(s) without the victim’s consent is only guilty of a s.33 offence if they do so with the intention to cause the victim distress. Re-sending the image(s) as a joke or for sexual gratification will not amount to an offence merely because distress was a natural consequence of their actions (s.33(8)).

Children 

Possessing, taking, distributing or publishing sexual images of individuals under the age of 18 are offences under section 1 of the Protection of Children Act 1978 and section 160 of the Criminal Justice Act 1988. If you are under the age of 18 and your image has appeared online, the process is much simpler than if you were an adult. There is no need to show a distress element on behalf of the defendant.

Parents who have been made aware that their children have shared or have been sent sexual images should be aware that Crown Prosecution Service Guidelines on revenge pornography makes clear that consensual ‘sexting’ between minors of a similar age is not to be treated as an offence. Where there is evidence of grooming, harassment or exploitation then it will be treated as a criminal matter.

Websites

The CJCA 2015 makes it possible for the website operator who hosts the site on which an intimate image was illegally shared to be liable, but only when the operator has actively participated in the disclosure, or failed to remove the material once they have been made aware that it is criminal in nature. In reality, most social media sites will be compliant in removing such material on request.

If any of the matters discussed in this article affect you, visit https://revengepornhelpline.org.uk


Colette Allen has hosted “Newscast’” on The Media Law Podcast with Dr Thomas Bennett and Professor Paul Wragg since 2018. She has recently finished the BTC at The Inns of Court College of Advocacy and will be starting a MSc in the Social Sciences of the Internet at the University of Oxford in October 2021.

A look at the European Data Protection Board guidance on supplementary measures – Olivia Wint

Data transfers have been a prominent topic in the data protection world in recent months, with the UK’s recent adequacy decision adding to the conversation on the topic.

On 21 June 2021, the European Data Protection Board (“EDPB”) published the final version of Recommendations on supplementary measures (the “Recommendations”). For context, the first draft Recommendations which were published in November 2020 were prompted as a result of the much-anticipated Schrems II judgment which was handed down in July 2020.

The Schrems II judgment comes after the Schrems I judgment, which in 2015, invalidated the Safe Harbour regime in 2015. The focal point of the Schrems II case concerned the legitimacy of standard contractual clauses (“SCCs”) as a transfer mechanism in respect of cross border data transfers from the EU to the US. Max Schrems, a privacy advocate argued that Facebook Ireland transferring a significant amount of data to the US was not adequate due to the US’ surveillance programmes. Schrems argued that this fundament tally affected his right to ‘privacy, data protection and effective judicial protection’.  Rather unexpectedly, the Court of Justice in the European Union (“CJEU”) declared the invalidity of the privacy shield in this case and whilst SCCs were not invalidated, the CJEU laid down stricter requirements for cross border transfers relying on SCCs, which included additional measures to ensure that cross border transfers have ‘essentially equivalent’ protection to that of the General Data Protection Regulation 2016/ 679 (“GDPR”).

As a result of the Schrems II judgment and the invalidation of the privacy shield, the estimated 5300 signatories to this mechanism now need to seek alternate transfer mechanisms and companies on a transatlantic scale have been forced to re-examine their cross-border transfers. As such EDPB’s Recommendations could not have come sooner for many in the privacy world. 

Based on the Schrems II judgment, supplementary measures are in essence additional safeguards to any of the existing transfer mechanisms as cited in Article 46 GDPR, which include SCCs, binding corporate rules (“BCRs”) and approved code of conducts to name a few with the overarching objective of the supplementary measures to ensure the ‘essentially equivalent’ threshold is met.

The EDPB’s Recommendations, outline six key steps which comprise part of an assessment when deducing the need for supplementary measures:

  1. know your transfers;
  2. identify the transfer mechanism(s) you are relying on;
  3. assess whether the transfer mechanism you are relying on is effective in light of all circumstances of the transfer);
  4. identify and adopt supplementary measures;
  5. take any formal procedural measures; and
  6. re-evaluate at appropriate intervals.

Step 1- know your transfers

Step 1 concerns organisations having a good grasp on their data processing activities, mainly evidenced through data mapping and/or records of processing activities (“ROPAs”). As ROPAs are a direct obligation under the GDPR, in theory for most organisations it will be a case of ensuring that the ROPA accurately reflects any new data processing that has occurred (with the inclusion of any third parties).

Key data protection principles should also be considered for example, lawfulness, fairness and transparency (does the privacy policy make it clear that cross border transfers are taking place?), data minimisation (is the whole data set being transferred or just what is relevant?) and accuracy (have data quality checks been conducted on the data in question?).

The Recommendations stipulate that these activities should be executed before any cross-border transfers are made and highlights the fact that cloud storage access is also deemed to be a transfer too.

Step 2- identify the transfer mechanism(s) you are relying on

There are a number of transfer mechanisms that can be relied on for cross border data transfers, such as SCCs, BCRs, codes of conduct etc and adequacy decisions and this step requires organisations to identify the mechanism that will be used for the transfer.

EDPB has noted for organisations that will be using the adequacy decision as their desired transfer mechanism, the subsequent steps in the Recommendations can be discarded.

N.B. to date, the European Commission has only recognised Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the UK.

Step 3- Assess whether the transfer mechanism you are relying on is effective in light of all circumstances of the transfer

This is a critical part of the assessment and requires organisations to assess/ examine the third country’s legislation and practices to ascertain the extent to which there are limitations which may mean the protection afforded as a result of the cross-border transfer is less than ‘essentially equivalent’. The Recommendations affirm that the scope of the assessment needs to be limited to the legislation and practices relevant to the protection of the specific data you transfer. The legislation and/or practices examined must be publicly available in the first instance, verifiable and reliable.

Key circumstances which may influence the applicable legislation/ and or practices include (but are not limited to):

  • purpose for data transfer (marketing, clinical research etc);
  • sector in which transfer occurs (financial, healthcare etc);
  • categories of personal data transferred (children’s data, health data etc); and
  • format of the data (raw, pseudonymised, anonymised, encrypted at rest and in transit etc).

The assessment should be holistic in nature and cover all relevant parties such as controllers, processors and sub- processors (as identified in Step 1) and should consider the effectiveness of data subject rights in practice.

Examining of legislation and practices is of utmost important in situations when:

  1. legislation in third country does not formally meet EU standards in respect of rights/freedoms and necessity and proportionality;
  2. legislation in third country may be lacking; and
  3. legislation in third country may be problematic.

The EDPB stipulates that in scenarios i) and ii) the transfer in question has to be suspended, there is more flexibility in scenario iii) where the transfer may be either be suspended, supplementary measures may be implemented or continue without supplementary measures if you are able to demonstrate and document that the problematic legislation will not have any bearing on the transferred data.

Step 4- Identify and adopt supplementary measures

If as a result of Step 3, the assessment concludes that the transfer mechanism is not effective with third legislation and/ or practices, then the Recommendations urge that consideration needs to be given to whether or not supplementary measures exist that can ensure ‘essentially equivalent’ level of protection. Supplementary measures can be in a myriad of forms which include technical (controls such as encryption), organisational (procedures) and contractual and must be assessed on a case-by-case basis for the specific transfer mechanism.

N.B. A non-exhaustive list of supplementary measures include can be found in Annex 2 of the Recommendations.

Step 5- Take any formal procedural measures

A recurring theme throughout the Recommendations is the need for a nuanced approach to be adopted when assessing each specific transfer mechanism and as such, the procedural measures that will need to be taken are dependent on the specific transfer mechanism with some mechanisms requiring supervisory authority notification.

Step 6- Re-evaluate at appropriate intervals

As with all aspects of compliance, monitoring and re-evaluating of supplementary measures should be done frequently, the Recommendations do not explicitly define a time period, however factors which could impact the level of protection on transferred data such as developments in third country legislation will cause re-evaluation.

One of the main aims of the GDPR (and also one of the key principles) is that of accountability and the EDPB’s Recommendations on supplementary measures bolsters this premise. There is emphasis placed on documentation which adequately considers and records the decision-making process at each of the six steps to ensure organisations have an accurate audit trail.

In addition to the EDPB’s Recommendations, it is important for organisations (especially global ones) to take heed of any local developments in this area. With the CNIL already publishing guidance, the ICO expected to issue guidance and the Bavarian Data Protection Authority’s ruling against Mailchimp in this area, it can be said that supplementary measures will be crux of many impending data protection developments.

Olivia Wint is a seasoned data protection professional, with over five years experience in this area. Olivia has worked in a range of sectors including local authority, third sector, start-ups and the Big 4 advising on all aspects of data protection compliance.