Top 10 Privacy and Data Protection Cases of 2021: A selection – Suneet Sharma

Inforrm covered a wide range of data protection and privacy cases in 2021. Following  my posts in 20182019 and 2020 here is my selection of most notable privacy and data protection cases across 2021:

  1. Lloyd v Google LLC [2021] UKSC 50

 In the most significant privacy law judgment of the year the UK Supreme Court considered whether a class action for breach of s4(4) Data Protection Act 1998 (“DPA”) could be brought against Google of its obligations as a data controller for its application of the “Safari Workaround”. The claim for compensation was made under s.13 DPA 1998.  The amount claimed per person advanced in the letter of claim was £750. Collectively, with the number of people impacted by the processing, the potential liability of Google was estimated to exceed £3bn.

Lord Leggatt handed down the unanimous judgement in favour of the appellant Google LLC:

“the claim has no real prospect of success. That in turn is because, in the way the claim has been framed in order to try to bring it as a representative action, the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by Google.”

The case has been heralded for its central importance in determining the viability of data protection class actions. The case drew wide coverage from Pinsent MasonsHill DickinsonClifford ChanceBindmans and Stewarts.

  1. HRH The Duchess of Sussex v Associated Newspapers Limited [2021] EWHC 273 (Ch) and [2021] EWCA Civ 1810.

In February 2021 Meghan, Duchess of Sussex, won her application for summary judgment against the Mail on Sunday.  Warby LJ said there were “compelling reasons” for it not to go to trial over its publication of extracts of a private letter to her estranged father, Thomas Markle.  He entered judgment for the Duchess in misuse of private information and copyright.  There was a news piece on Inforrm and a piece by Dominic Crossley.

Associated Newspapers was granted permission appeal and the appeal was heard on 9 and 11 November 2021 with judgment being handed down on 2 December 2021,  The Court, Sir Geoffrey Vos MR, Sharp P and Bean LJ, unanimously dismissed the appeal on all grounds, stating:

“Essentially, whilst it might have been proportionate to disclose and publish a very small part of the Letter to rebut inaccuracies in the People Article, it was not necessary to deploy half the contents of the Letter as Associated Newspapers did. As the Articles themselves demonstrate, and as the judge found, the primary purpose of the Articles was not to publish Mr Markle’s responses to the inaccurate allegations against him in the People Article. The true purpose of the publication was, as the first 4 lines of the Articles said: to reveal for the first time [to the world] the “[t]he full content of a sensational letter written by [the Duchess] to her estranged father shortly after her wedding”. The contents of the Letter were private when it was written and when it was published, even if the claimant, it now appears, realised that her father might leak its contents to the media.” [106]

 The case has been analysed on INFORRM by Brian Cathcart.

  1. Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367

The Federal Court of Australia found that Google misled some users about the personal location data it collected through Android devices between January 2017 and December 2018.

The Court found that, in providing the option, “Don’t save my Location History in my Google Account”, represented to some reasonable consumers that they could prevent their location data being saved on their Google Account. In actual fact, users need to change an additional setting, separate, to stop their location data being saved to their Google Account.

Inforrm had a case comment.

  1. Hájovský v. Slovakia [2021] ECHR 591

Mr Hájovský placed an anonymous advert in a national newspaper offering payment to a woman in return for giving birth to his child. An investigative reporter posed as a candidate interested in surrogacy, replied to the advert and secretly filmed the ensuing meetings. These were later complied into a documentary. A national tabloid also covered the story using stills of footage and taking a critical stance of the applicants’ actions. Both stories revealed the applicant’s identity. This prompted the applicant to bring an action against the media groups for violation of his privacy under Slovakian law.

The Slovakian courts dismissed the application on the basis that the article contributed to a matter of public interest- the debate around surrogacy for payment and in any event the publishing of the advert had brought a private matter, the applicant’s wish to have a child, into the public domain.The ECtHR found in favour of the applicant. In doing so it reiterated the well-established balancing approach vis a vi privacy and freedom of expression as per Von Hannover and Axel Springer. In this instance the court found that the applicants right to privacy had been violated and that the Slovakian courts has erred in their approach to balancing the competing rights. In doing so the court make key observations about the privacy implications of photographs.

Inforrm has a case comment.

  1. Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)

This case concerned the viability of claims for breach of confidence and misuse of private information against data controllers who have suffered cyber-attacks. In dismissing the claims for breach of confidence and misuse of private information Saini J found that both causes require some form of “positive conduct” by the defendant that is lacking where the cause of the private information being leaked is a cyber-attack.

Inforrm had a case comment.

6.  ES v Shillington 2021 ABQB 739

In this case the Alberta Court of the Queen’s Bench awarded damages under new “public disclosure of private fact” tort. The case concerned the making public of images of the claimant engaging in sex acts with the defendant- these had been shared during a romantic relationship between 2005 to 2016 where the parties had two children together. The parties had a mutual understanding that the images would not be shared or published anywhere. However, the defendant then proceeded to share the images online, including those involving the sexual assault of the claimant.

Delivering judgment for the claimant, Inglis J accepted their submissions that a new “public disclosure of private information” tort should be recognised as a separate cause of action from existing common law statutes.

Inforrm has a case comment.

  1. Hurbain v Belgium ([2021] ECHR 544)

 A case in which an order to anonymise a newspaper’s electronic archive was found not to breach the applicant publisher’s right to freedom of expression. This case reflects an important application of the right to be forgotten under article 8 of the Convention.  The applicant, Patrick Hurbain, is the president of the Rossel Group which owns one of Belgium’s leading French-language newspapers, Le Soir, of which he was previously Managing Editor. The article in question concerned a series of fatal car accidents and named one of the drivers, G, who had been convicted of a criminal offence for his involvement in the incidents. G made a successful application for rehabilitation in 2006.

However, Le Soir created a free, electronic, searchable version of its archives from 1989 onwards, including the article at issue.  G relied on the fact that the article appeared in response to a search on his name on Le Soir’s internal search engine and on Google Search. He explained that its availability was damaging to his reputation, particularly in his work as a doctor. The newspaper refused the application by stated it had asked Google to delist/deindex the article.

In 2012 G sued Mr Hurbain as editor of Le Sior and was successful domestically. Mr Hurbain then lodged an application with the Strasbourg Court complaining that the anonymisation order was a breach of Article 10. In balancing the article 8 and 10 rights in the case the Strasbourg Court found in favour of G.

Informm had a case comment.

  1. Peters v Attorney-General on behalf of Ministry of Social Development [2021] NZCA 355

The New Zealand Court of Appeal provided guidance in respect of the tort of invasion of privacy in this high-profile case. In 2017, the Ministry for Social Development (“MSD”) realised that Mr Peters, MP and leader of the New Zealand First Party, had overpaid New Zealand Superannuation (“NZS”). Due to errors NZS had been paid at the single rate when it should have been paid at the partner rate. Mr Peters immediately arranged for the overpaid amount to be repaid.

In August 2017 several reporters received anonymous calls in respect of the overpayment. To pre-empt any publicity, Mr Peters released a press statement addressing the incident. He also issued a claim for infringement of the tort of invasion of privacy against several MSD executives.  The High Court found the MSD executives were proper recipients of information and thus the claim failed.  The Court of Appeal dismissed Mr Peters’ appeal. For an invasion of privacy claim to succeed there is a two “limb” test:

  • the existence of facts in respect of which there was a reasonable expectation of privacy; and
  • that the publicity given to those private facts would be considered highly offensive to an objective reasonable person.

The Court agreed that limb one was met on the facts. However, the Court found that Mr Peters did not have a reasonable expectation of protection from disclosure of this information within MSD and from MSD to the relevant Ministers and select staff. As the claimant could not prove that any of defendants had released information to the media. The appeal was dismissed. The case affirmed the removal of the requirement for there to be widespread disclosure and the potential for the removal of the requirement that disclosure be highly offensive.

  1. R (Open Rights Group and the 3 million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800,

A case concerning “the lawfulness” immigration exemption found in paragraph 4 of Schedule 2 of the Data Protection Act 2018. This exemption allows those processing personal data for immigration control purposes to refuse to comply with the data subject rights guaranteed by the GDPR to the extent that complying with those provisions would prejudice those purposes.  The Court of Appeal found that this exemption was not compliant with Article 23 of the GDPR.

There was coverage from Hunton Andrews Kurth and 11KBW.

  1. Biancardi v. Italy [2021] ECHR 972

The ECtHR found that an order that the editor of an online newspaper was liable for failing to de-index an article concerning criminal proceedings did not breach Article 10 of the Convention. The case concerned an application for the delisting of an article concerning a fight involving a stabbing in a restaurant which mentioned the names of the those involved including the applicant V.X.

Inforrm had a case comment.

Suneet Sharma is a junior legal professional with a particular interest and experience in media, information and privacy law.  He is the editor of The Privacy Perspective blog.

Top 10 EU and UK Data Breach fines of 2021: a selection – Suneet Sharma

This is my selection of the top 5 data breach fines in the EU and the United Kingdom in 2021, many of which have featured in our Law and Media Round Ups over the past year.

EU Fines

  1. Amazon Europe Core S.a.r.l €746,000,000

 Luxembourg’s National Commission for Data Protection issued a fine under the GDPR to Amazon Europe Core S.a.r.l. Amazon plans to appeal the penalty stating “there has been no data breach, and no customer data has been exposed to any third party… these facts are undisputed. We strongly disagree with the CNPD’s ruling.” Whilst Luxembourg’s national data protection law precludes the Commission from commenting on individual cases Amazon disclosed the fine in a filing of its quarterly results with the US Securities and Exchange Commission.

From what we can gather the fine came following a May 2018 complaint by La Quadrature du Net.  The fine is by far the biggest under the GDPR to date.

Bloomberg has the initial report. The fine attracted much coverage from the BBCPinsent Masons and the Hunton Privacy Blog.

  1. Whatsapp Ireland Ltd   €225,000,000

On 2 September 2021 the Irish Data Protection Commission announced a fine of €225,000,000 to Whatsapp. The investigation began on 10 December 2018 and it examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.

The case is notable due to its cross-border nature, which required data protection authorities in France, Germany and the Netherlands to consider it. The fine was considered by the European Data Protection Board, which mandated a reassessment and increase. WhatsApp disagreed with the fine, calling it “wholly disproportionate”.

The IAPPBird & Bird and Pinsent Masons have coverage of the fine.

  1. Notebooksbillinger.de  €10,400,000

The State Commissioner for Data Protection in Lower Saxony fined notebooksbilliger.de AG €10,400,000, issued in December 2020. The Commission found that the company has been using video surveillance to monitor its employees for at least two years without any legal justification. Areas recorded included workspaces, sales floors, warehouses and staff rooms.

Whilst the company argued the cameras has been installed to prevent theft it first should have tried to implement less serve means. Furthermore, the recordings were saved for 60 days which was much longer than deemed necessary.

“This is a serious case of workplace surveillance”, says the State Commissioner for Data Protection in Lower Saxony, Barbara Thiel. “Companies have to understand that such intensive video surveillance is a major violation of their employees’ rights”. While businesses often argue that video surveillance can be effectively used to deter criminals, this does not justify the permanent and unjustified interference with the personal rights of their employees. “If that were the case, companies would be able to extend their surveillance without limit. Employees do not have to sacrifice their personal rights just because their employer puts them under general suspicion”, explains Thiel. “Video surveillance is a particularly invasive encroachment on a person’s rights, because their entire behaviour can theoretically be observed and analysed. According to the case law of the Federal Labour Court, this can put staff under pressure to act as inconspicuously as possible to avoid being criticised or sanctioned for their behaviour”.

Data Privacy ManagerData GuidanceSimmons & Simmons and Luther have commentary.

  1. Austrian Post  €9,500,000

The Austrian Data Protection Authority issued a fine of €9,500,000 to the Austrian Post alleging that it had not enabled data protection enquiries via email.

In October 2019 the Post received a €18,000,000 fine for processing personal data on the alleged political affinity of affected data subjects. The fine was later annulled in a November 2020 court decision. The Post has announced it plans to appeal this second penalty. “The allegations made by the Authority mainly relate to the fact that, in addition to the contact opportunities made available by Austrian Post via mail, a web contact form and the company’s customer service centre, inquiries about personal data must also be made possible via e-mail. Austrian Post also intends to launch an appeal against this decision.”

See coverage from Data Guidance.

  1. Vodaphone Espana   €8,150,000

From April 2018 to September 2019, 191 complaints were received for similar cases concerning telephone calls and SMS messages to citizens who had opposed the processing of their data for advertising. The failure of Vodapone to avoid advertising actions to those citizens who had exercised their rights of opposition or erasure of their data justified a fine.

Coverage was broad with Compliance WeekData Guidance and Stephenson Harwood commenting.

United Kingdom Fines

UK fines- the ICO has issued 35 monetary penalty notices thus far in 2021. Below we take a look at a selection of the fines.

  1. Clearview AI  £17 million

The Information Commissioner’s Office (“ICO”) has issued a provisional view of the imposition of a £17m fine over Clearview AI..  The BBC cites that the firms’ database has over 10bn images. The ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete any such data following alleged serious breaches of the UK’s data protection laws.

In a joint investigation with the Australian Information Commissioner (“AIC”) the ICO concluded that the data, some scraped from the internet, was being processed, in the case of UK persons, unlawfully in some instances.

Clearview AI Inc’s services were being used on a free trial basis by some law enforcement agencies. This has been confirmed to no longer be the case.

The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:

  • failing to process the information of people in the UK in a way they are likely to expect or that is fair;
  • failing to have a process in place to stop the data being retained indefinitely;
  • failing to have a lawful reason for collecting the information;
  • failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
  • failing to inform people in the UK about what is happening to their data; and
  • asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.

Information Commissioner Elizabeth Denham commented:

“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking. UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.

Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”

 The ICO press release can be found here and the AIC press release here.

The previous statement of the ICO on the conclusion of the joint investigation can be found here.

  1. Cabinet Office  £500,000

The Cabinet Office was fined £500,000 on 2 December 2021 for disclosing the postal addresses of the 2020 New Years honours recipients online. In finding that the Cabinet Office failed to put appropriate technical and organisation measures in place the ICO noted that the data was accessed 3,872 times.

The ICO received three complaints from affected individuals who raise personal safety concerns and 27 contacts from individuals citing similar concerns. Steve Eckersley, ICO Director of Investigations, said:

“When data breaches happen, they have real life consequences. In this case, more than 1,000 people were affected. At a time when they should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.

“The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety.

 “The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”

The Guardian reports on the data breach as does Data Guidance.

  1. EB Associates Group Limited  £140,000

The ICO issued its largest fine to date to EB Associates Group Limited for instigating over 107,000 illegal cold calls to people about pensions. The practice has been banned since 2019.

Andy Curry, Head of ICO Investigations, said:

“Our priority is to protect people and we will always take robust action against companies operating illegally for their own financial gain.

“Cold calls about pensions were banned to protect people from scammers trying to cheat them out of their retirement plans.

“We encourage anyone who receives an unexpected call about their pension to hang up and then report it to us.”

The fine was covered by professional pensions.

  1. Mermaids  £25,000

It is unfortunate at times that some charities which do the most sensitive of work also hold the most sensitive data. It makes data protection compliance all the more critical. Unfortunately, the transgender rights charity Mermaids fell afoul of data protection laws in the creation of an email group that was not sufficiently annexed or encrypted to protect the data it contained.

The result was that the 780 email pages were identifiable online over a period of three years. This led to the personal information of 550 people to be searchable online. Furthermore. the personal data of 24 of those people revealed how they were coping and feeling. Finally, for a further 15 classified as special category data as mental and physical health and sexual orientation were exposed.

Steve Eckersley, Director of Investigations at the ICO said:

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often-vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

 “As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

This serves a warning call for charities who process sensitive personal data – under the GDPR and the framework of self-reporting you need to have appropriate technical measures in place. Failure to do so puts users’ data at risk and leaves them vulnerable. Mermaids’ penalty was imposed for the data being at risk for the period of 25 May 2018 to 14 June 2019.

It is notable that Mermaid’s data protection policies and procedures were not updated to reflect GDPR standards. Post the implementation of the Data Protection Act 2018 data protection practices are taking increasing importance and a robust review with practical changes to data harvesting, management, retention and rights handling is now a necessity.

DAC Beachcroft comments as does Slaughter and Maythe Independent and EM Law.

  1. HIV Scotland  £10,000

In a cautionary tale for those using bulk email practices HIV Scotland was fined £10,000 for sending an email to 105 people which included patient advocates representing people living in Scotland with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name.

From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk. The ICO’s investigation found inadequate staff training, incorrect methods of sending bulk emails by blind carbon copy and an inadequate data protection policy.

Ken Macdonald, Head of ICO Regions, said:

“All personal data is important but the very nature of HIV Scotland’s work should have compelled it to take particular care. This avoidable error caused distress to the very people the charity seeks to help.

 “I would encourage all organisations to revisit their bulk email policies to ensure they have robust procedures in place.”

The BBCKeller Lenker and the Times have coverage.  

Suneet Sharma is a junior legal professional with a particular interest and experience in media, information and privacy law.  He is the editor of The Privacy Perspective blog.