Top 10 Privacy and Data Protection Cases 2022

The Privacy Perspective

Inforrm covered a wide range of data protection and privacy cases in 2022. Following my posts in 20182019,  2020 and 2021 here is my selection of notable privacy and data protection cases across 2022.

  1. ZXC v Bloomberg [2022] UKSC 5

This was the seminal privacy case of the year, decided by the UK Supreme Court. It was considered whether, in general a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation.

The case concerned ZXC, a regional CEO of a PLC which operated overseas. An article was published concerning the PLC’s operations for which ZXC was responsible. The article’s was almost exclusively focused on the contents of a letter sent to a foreign law enforcement agency by a UK law enforcement agency, which was investigating the PLC’s activities in the region.

ZXC claimed a reasonable expectation of privacy in relation to the fact and details of a criminal investigation into his activities, disclosed by the letter, and that the publication of the article by Bloomberg amounted to a misuse of that private information. He argued that details of the law enforcement’s investigations into him, the fact that it believed that he had committed criminal offences and the evidence that was sought were all private.

At first instance Nicklin J found for the claimant, a finding which was upheld by the Court of Appeal. There were three issues before the UK Supreme Court hearing a further appeal by Bloomberg:

(1) Whether the Court of Appeal was wrong to hold that there is a general rule, applicable in the present case, that a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation.

(2) Whether the Court of Appeal was wrong to hold that, in a case in which a claim for breach of confidence was not pursued, the fact that information published by Bloomberg about a criminal investigation originated from a confidential law enforcement document rendered the information private and/or undermined Bloomberg’s ability to rely on the public interest in its disclosure.

(3) Whether the Court of Appeal was wrong to uphold the findings of Nicklin J that the claimant had a reasonable expectation of privacy in relation to the published information complained of, and that the article 8/10 balancing exercise came down in favour of the claimant.

The Court dismissed the appeal on all three grounds. Therefore the precedent is established that there is, as a legitimate starting point, an assumption that there is a reasonable expectation of privacy in relation to the facts of and facts of a criminal investigation at a pre-charge stage.

There was an Inforrm case comment  on the case, See also Panopticon Blog and 5RB case comment.

  1. Driver v CPS [2022] EWHC 2500 (KB)

My second case also concerns law enforcement investigations, this time the passing of a file from the CPS and the disclosure of that fact to a third party. Whilst the disclosure did not include the name of the claimant, it was found that  “personal data can relate to more than one person and does not have to relate exclusively to one data subject, particularly when the group referred to is small.”

In this case, the operation in question, Operation Sheridan, concerned only eight suspects, of which the claimant was one. It should be noted that the claim was one under the Data Protection Act 2018, not the GDPR.

In finding for the claimant on the data protection grounds, but dismissing those for misuse of private information, the Judge made a declaration and awarded £250 damages. It should be noted the “data breach was at the lowest end of the spectrum.”

See Panopticon Blog on case

  1.  AB v Chief Constable of British Transport Police [2022] EWHC 2740 (KB)

The respondent, an individual with autistic spectrum disorder of the Asperger’s type, claimed that retention of his information by the police in relation to 2011 and 2014 accusations that he touched women inappropriately, was unlawful. The respondent stims, rubbing fabric between his fingers. In both cases no prosecution was brought against AB.

The respondent’s claim was based on the fact the data retained was inaccurate and that its retention was a disproportionate inference with his right to respect for his private life under Article 8 of the European Convention of Human Rights.

In December 2017, Bristol County Council was contacted with safeguarding concerns about AB- in particular, that he was suffering ongoing trauma due to the appellant maintaining ongoing false allegations against him.

As to the claims for inaccuracy “he complained that the records retained by the police inaccurately record that AB put his hands between the legs, and under the dress, of the 2011 complainant. He also implicitly complained that the records of the 2014 incident were inaccurate insofar as they suggested that AB had placed his hand over the complainant’s jeans in the area of her vagina.”

It was found at first instance that the police records were inaccurate, that their retention was a disproportionate interference with AB’s article 8 rights and awarded £15,000 for distress, £15,000 for loss of earnings, and £6,000 for aggravated damages.

It was found that “the police records in this case are intended to reflect the information that was provided to the police, rather than the underlying facts as to what happened. On this issue I have reached a different conclusion from the judge, with the result that I have concluded that the OSRs are accurate. To this narrow extent, the appeal succeeds.” [95]

However, the article 8 finding for the claimant was upheld, as was, accordingly, the judge’s declaration that retention was unlawful and the assessment of damages.

  1. Chief Constable of Kent Police v Taylor [2022] EWHC 737 (QB)

A breach of confidence claim relating to a series of videos which the defendant was provided by Berryman’s Lace Mawer LLP (“BLM”). The videos were said to contain sensitive information in relation to a vulnerable minor, KDI, who was the subject of an anonymity order in civil proceedings. The videos themselves were particularly sensitive, relating to police interviews of KDI in relation to criminal allegations against them.

The claimant sued the CC of Kent Police for damage to his front door which occurred in the course of entering his property to search for child pornography. BLM acted for the CC of Kent Police in relation to this matter. During the course of those proceedings that the defendant was given access to the videos, which were for an unrelated claim.

The defendant refused to delete the videos upon request or to explain his dealings with the videos. He instead demanded payment if thousands of pounds for his cooperation with the requests.

The Judge accordingly ordered the defendant disclose matters in relation to his dealing with the videos, to ensure confidentiality has not been breached. A further, unusual, order was granted for independent permanent deletion of the videos- it should be noted the order considered the defendants privacy in the coruse of such an inpdenendent assessment being undertaken with the judge stating “I have built in a safeguard in the order I propose to make to limit the nature of the independent IT expert’s role to protect Mr Taylor’s privacy interests”.

  1. Various Claimants v MGN [2022] EWHC 1222 (Ch)

A case concerning the ongoing phone hacking litigation against Mirror Group Newspapers (“MGN”) in which MGN issued and served applications for summary judgment in 23 individual claims. The judge grouped the claims, with this judgment considering six claimants.

It was considered by the judge whether claimants should have been put on notice at various times up until and following the first primary trial in the scandal on 21 May 2015. The judge found that such matters were not “clear-cut” for the purposes of determining whether summary judgment could be entered into; they were more appropriate to be settled at trial.  There was a comment on the case on the JMW blog.  On 11 August 2022 Andrews LJ refused MGN permission to appeal.

  1. Brake v Guy [2022] EWCA Civ 235

The claimants appealed an order dismissing their claim for a final injunction and damages for misuse of private information and breach of confidence. The claim was made in relation to a series of emails sent to and received by the first claimant, Mrs Brake, into a business general enquiries email account. The Court reviewed whether “the judge’s evaluation of the evidence which led him to conclude that they had no reasonable expectation of privacy in respect of the contents of the enquiries account and that the information was not imparted to the Guy Parties in circumstances which gave rise to an obligation of confidence.”

Only two of the 3,149 tranche of emails were produced for the judge to consider- he was, understandably, not inclined to accept that there was a reasonable expectation of privacy in relation to the emails on the basis of those two emails alone. The burden of proof was considered to be “a very substantial hurdle” which the claimants had “fallen well short of surmounting it”.

The arguments for breach of confidence were advanced on the same grounds and dismissed. The judge concluded “the claimants have put forward no argument before this Court which persuades me that the judge was wrong to conclude that the personal information in the enquiries account was not “imparted in circumstances imparting an obligation of confidence.””

The case is instructive as to the method and approach to be taken when claiming there is a reasonable expectation of privacy or obligation of confidence in relation to a high volume of documents. It also provides a tacit reminder of the difficulties over overcoming first instance privacy decisions on appeal. There was a DLA Piper case comment.

  1.  TU and RE v Google LLC [2022] EUECJ C-460/20

A case concerning two claimants applying for the delisting of search results under Article 17 of the GDPR.

The case is instructive as to the pleading of inaccuracy of data in erasure requests- where it arises and where it does, how such a request should be dealt with:

  • The case states at [72 and 73]: “where the person who has made a request for de-referencing submits relevant and sufficient evidence capable of substantiating his or her request and of establishing the manifest inaccuracy of the information found in the referenced content or, at the very least, of a part – which is not minor in relation to the content as a whole – of that information, the operator of the search engine is required to accede to that request for de-referencing. The same applies where the data subject submits a judicial decision made against the publisher of the website, which is based on the finding that information found in the referenced content – which is not minor in relation to that content as a whole – is, at least prima facie, inaccurate”, and
  • “By contrast, where the inaccuracy of such information found in the referenced content is not obvious, in the light of the evidence provided by the data subject, the operator of the search engine is not required, where there is no such judicial decision, to accede to such a request for de-referencing. Where the information in question is likely to contribute to a debate of public interest, it is appropriate, in the light of all the circumstances of the case, to place particular importance on the right to freedom of expression and of information”.

For further analysis please see the Panopticon Blog’s excellent analysis of this case.

  1. SMO  v TikTok Inc. [2022] EWHC 489 (QB)

The former Children’s Commissioner of England’s case against Tik Tok for data protection infringements and misuse of private information was discontinued this year. The result was due to the myriad of procedural issues arising in relation to the case including permission to serve out of jurisdiction, extension of time and permission to serve on UK lawyers instead. The case serves as a warning for claimants seeing to issue data protection claims outside of the jurisdiction of ensuring it is done so in proper time and with consideration of matters such as service outside of jurisdiction.

See Panopticon Blog on case and on the discontinuance of the claim.

  1. Smith & Other v TalkTalk Telecom Group Plc [2022] EWHC 1311 (QB)

A claim under the Data Protection Act 1998 and tort of misuse of private information, following a mass data breach. The case concerned three applications:

  • For strike out of the misuse of private information claim and references to unconfirmed breaches in the particulars;
  • For permission to amend the particulars of claim in light of the case Warren v DSG Retail Ltd [2021] EWHC 2168 (QB); and
  • An application for further information.

The misuse of private information claim was dismissed. Although the claim had been repleaded to focus on “acts” rather than “omissions” (in an attempt to avoid the consequences of the Warren decision), the Judge followed his own decision in Warren, holding that the action was, in substance, a claim in negligence and that creating a situation of vulnerability to third party data theft was not a claim in missue of private information.  There was an Inforrm post on the case and a two part discussion of the issues here and here. See also the Panopticon Blog on case.

This case was the final nail in the coffin of mass data breach claims on CFAs supported by ATE insurance (as these are not available in data protection cases).  Unless forming part of group litigation, data breach claims are likely to be transferred to the small claims track (see Stadler v Currys Group Limited [2022] EWHC 160 (QB)).

  1. Owsianik v. Equifax Canada Co.2022 ONCA 813

An appeal arising out of three separate class actions in which the plaintiffs sought to apply the tort of inclusion upon seclusion in “data breach” cases.  The Ontario Court of Appeal held that on the facts as pleaded, the defendants did not do anything that could constitute an act of intrusion or invasion into the privacy of the plaintiffs. The intrusions alleged were committed by unknown third-party hackers, acting independently from, and to the detriment of, the interests of the defendants.  The defendants’ alleged fault was their failure to protect the plaintiffs by unknown hackers which could not be transformed into an invasion by the defendants of the plaintiffs’ privacy.

This decision in Ontario is consistent with the approach of the English court in Case No.9.  There were case comments by Blakes and McCarthy Tetrault.