Top 10 Privacy and Data Protection Cases of 2021: A selection – Suneet Sharma

Inforrm covered a wide range of data protection and privacy cases in 2021. Following  my posts in 20182019 and 2020 here is my selection of most notable privacy and data protection cases across 2021:

  1. Lloyd v Google LLC [2021] UKSC 50

 In the most significant privacy law judgment of the year the UK Supreme Court considered whether a class action for breach of s4(4) Data Protection Act 1998 (“DPA”) could be brought against Google of its obligations as a data controller for its application of the “Safari Workaround”. The claim for compensation was made under s.13 DPA 1998.  The amount claimed per person advanced in the letter of claim was £750. Collectively, with the number of people impacted by the processing, the potential liability of Google was estimated to exceed £3bn.

Lord Leggatt handed down the unanimous judgement in favour of the appellant Google LLC:

“the claim has no real prospect of success. That in turn is because, in the way the claim has been framed in order to try to bring it as a representative action, the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by Google.”

The case has been heralded for its central importance in determining the viability of data protection class actions. The case drew wide coverage from Pinsent MasonsHill DickinsonClifford ChanceBindmans and Stewarts.

  1. HRH The Duchess of Sussex v Associated Newspapers Limited [2021] EWHC 273 (Ch) and [2021] EWCA Civ 1810.

In February 2021 Meghan, Duchess of Sussex, won her application for summary judgment against the Mail on Sunday.  Warby LJ said there were “compelling reasons” for it not to go to trial over its publication of extracts of a private letter to her estranged father, Thomas Markle.  He entered judgment for the Duchess in misuse of private information and copyright.  There was a news piece on Inforrm and a piece by Dominic Crossley.

Associated Newspapers was granted permission appeal and the appeal was heard on 9 and 11 November 2021 with judgment being handed down on 2 December 2021,  The Court, Sir Geoffrey Vos MR, Sharp P and Bean LJ, unanimously dismissed the appeal on all grounds, stating:

“Essentially, whilst it might have been proportionate to disclose and publish a very small part of the Letter to rebut inaccuracies in the People Article, it was not necessary to deploy half the contents of the Letter as Associated Newspapers did. As the Articles themselves demonstrate, and as the judge found, the primary purpose of the Articles was not to publish Mr Markle’s responses to the inaccurate allegations against him in the People Article. The true purpose of the publication was, as the first 4 lines of the Articles said: to reveal for the first time [to the world] the “[t]he full content of a sensational letter written by [the Duchess] to her estranged father shortly after her wedding”. The contents of the Letter were private when it was written and when it was published, even if the claimant, it now appears, realised that her father might leak its contents to the media.” [106]

 The case has been analysed on INFORRM by Brian Cathcart.

  1. Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367

The Federal Court of Australia found that Google misled some users about the personal location data it collected through Android devices between January 2017 and December 2018.

The Court found that, in providing the option, “Don’t save my Location History in my Google Account”, represented to some reasonable consumers that they could prevent their location data being saved on their Google Account. In actual fact, users need to change an additional setting, separate, to stop their location data being saved to their Google Account.

Inforrm had a case comment.

  1. Hájovský v. Slovakia [2021] ECHR 591

Mr Hájovský placed an anonymous advert in a national newspaper offering payment to a woman in return for giving birth to his child. An investigative reporter posed as a candidate interested in surrogacy, replied to the advert and secretly filmed the ensuing meetings. These were later complied into a documentary. A national tabloid also covered the story using stills of footage and taking a critical stance of the applicants’ actions. Both stories revealed the applicant’s identity. This prompted the applicant to bring an action against the media groups for violation of his privacy under Slovakian law.

The Slovakian courts dismissed the application on the basis that the article contributed to a matter of public interest- the debate around surrogacy for payment and in any event the publishing of the advert had brought a private matter, the applicant’s wish to have a child, into the public domain.The ECtHR found in favour of the applicant. In doing so it reiterated the well-established balancing approach vis a vi privacy and freedom of expression as per Von Hannover and Axel Springer. In this instance the court found that the applicants right to privacy had been violated and that the Slovakian courts has erred in their approach to balancing the competing rights. In doing so the court make key observations about the privacy implications of photographs.

Inforrm has a case comment.

  1. Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)

This case concerned the viability of claims for breach of confidence and misuse of private information against data controllers who have suffered cyber-attacks. In dismissing the claims for breach of confidence and misuse of private information Saini J found that both causes require some form of “positive conduct” by the defendant that is lacking where the cause of the private information being leaked is a cyber-attack.

Inforrm had a case comment.

6.  ES v Shillington 2021 ABQB 739

In this case the Alberta Court of the Queen’s Bench awarded damages under new “public disclosure of private fact” tort. The case concerned the making public of images of the claimant engaging in sex acts with the defendant- these had been shared during a romantic relationship between 2005 to 2016 where the parties had two children together. The parties had a mutual understanding that the images would not be shared or published anywhere. However, the defendant then proceeded to share the images online, including those involving the sexual assault of the claimant.

Delivering judgment for the claimant, Inglis J accepted their submissions that a new “public disclosure of private information” tort should be recognised as a separate cause of action from existing common law statutes.

Inforrm has a case comment.

  1. Hurbain v Belgium ([2021] ECHR 544)

 A case in which an order to anonymise a newspaper’s electronic archive was found not to breach the applicant publisher’s right to freedom of expression. This case reflects an important application of the right to be forgotten under article 8 of the Convention.  The applicant, Patrick Hurbain, is the president of the Rossel Group which owns one of Belgium’s leading French-language newspapers, Le Soir, of which he was previously Managing Editor. The article in question concerned a series of fatal car accidents and named one of the drivers, G, who had been convicted of a criminal offence for his involvement in the incidents. G made a successful application for rehabilitation in 2006.

However, Le Soir created a free, electronic, searchable version of its archives from 1989 onwards, including the article at issue.  G relied on the fact that the article appeared in response to a search on his name on Le Soir’s internal search engine and on Google Search. He explained that its availability was damaging to his reputation, particularly in his work as a doctor. The newspaper refused the application by stated it had asked Google to delist/deindex the article.

In 2012 G sued Mr Hurbain as editor of Le Sior and was successful domestically. Mr Hurbain then lodged an application with the Strasbourg Court complaining that the anonymisation order was a breach of Article 10. In balancing the article 8 and 10 rights in the case the Strasbourg Court found in favour of G.

Informm had a case comment.

  1. Peters v Attorney-General on behalf of Ministry of Social Development [2021] NZCA 355

The New Zealand Court of Appeal provided guidance in respect of the tort of invasion of privacy in this high-profile case. In 2017, the Ministry for Social Development (“MSD”) realised that Mr Peters, MP and leader of the New Zealand First Party, had overpaid New Zealand Superannuation (“NZS”). Due to errors NZS had been paid at the single rate when it should have been paid at the partner rate. Mr Peters immediately arranged for the overpaid amount to be repaid.

In August 2017 several reporters received anonymous calls in respect of the overpayment. To pre-empt any publicity, Mr Peters released a press statement addressing the incident. He also issued a claim for infringement of the tort of invasion of privacy against several MSD executives.  The High Court found the MSD executives were proper recipients of information and thus the claim failed.  The Court of Appeal dismissed Mr Peters’ appeal. For an invasion of privacy claim to succeed there is a two “limb” test:

  • the existence of facts in respect of which there was a reasonable expectation of privacy; and
  • that the publicity given to those private facts would be considered highly offensive to an objective reasonable person.

The Court agreed that limb one was met on the facts. However, the Court found that Mr Peters did not have a reasonable expectation of protection from disclosure of this information within MSD and from MSD to the relevant Ministers and select staff. As the claimant could not prove that any of defendants had released information to the media. The appeal was dismissed. The case affirmed the removal of the requirement for there to be widespread disclosure and the potential for the removal of the requirement that disclosure be highly offensive.

  1. R (Open Rights Group and the 3 million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800,

A case concerning “the lawfulness” immigration exemption found in paragraph 4 of Schedule 2 of the Data Protection Act 2018. This exemption allows those processing personal data for immigration control purposes to refuse to comply with the data subject rights guaranteed by the GDPR to the extent that complying with those provisions would prejudice those purposes.  The Court of Appeal found that this exemption was not compliant with Article 23 of the GDPR.

There was coverage from Hunton Andrews Kurth and 11KBW.

  1. Biancardi v. Italy [2021] ECHR 972

The ECtHR found that an order that the editor of an online newspaper was liable for failing to de-index an article concerning criminal proceedings did not breach Article 10 of the Convention. The case concerned an application for the delisting of an article concerning a fight involving a stabbing in a restaurant which mentioned the names of the those involved including the applicant V.X.

Inforrm had a case comment.

Suneet Sharma is a junior legal professional with a particular interest and experience in media, information and privacy law.  He is the editor of The Privacy Perspective blog.

Quotes from caselaw 6: HRH The Duchess of Sussex v Associated Newspapers Ltd [2021] EWCA Civ 1810- Megan Markle successful in defending appeal by Mail on Sunday

An appeal against the finding for summary judgment for her misuse of private information and copyright claim.

The appellant was granted permission appealed the elements of the case on seven grounds:

i) The new evidence issue: Whether the new evidence provided by each of the
parties should be admitted.

ii) The nature of the attack issue: Whether the judge mistakenly failed to
recognise the significance and importance of the People Article’s attack on Mr
Markle.

iii) The reasonable expectation of privacy issue: Whether the judge adopted a
flawed analysis of the factors undermining the Duchess’s alleged reasonable
expectation of privacy.

iv) The appropriate test issue: Whether the judge wrongly stated the test, by
suggesting that the defendant had to justify an interference with the claimant’s
right of privacy, when the proper approach was to balance the competing article 8 and 10 rights.

v) The right of reply issue: Whether the judge wrongly applied a strict test of
necessity and proportionality to Mr Markle’s right of reply to the People Article.

vi) The public interest/article 10 copyright issue: whether the judge failed
properly to evaluate the interference with article 10, saying that it would be a
rare case in which freedom of expression would outweigh copyright.


vii) The fair dealing copyright issue: whether the judge wrongly relied on his
privacy analysis to reject the fair dealing defence to breach of copyright, bearing
in mind the limited scope of the copyright in the Letter and the wide scope of
the concept of reporting current events.

The Sir Jeoffery Vos decided against the defendant on all grounds dismissing the appeal, in a unanimous judgment, stating summarily:

Essentially, whilst it might have been proportionate to disclose and publish a very small part of the Letter to rebut inaccuracies in the People Article, it was not necessary to deploy half the contents of the Letter as Associated Newspapers did. As the Articles themselves demonstrate, and as the judge found, the primary purpose of the Articles was not to publish Mr Markle’s responses to the inaccurate allegations against him in the People Article. The true purpose of the publication was, as the first 4 lines of the Articles said: to reveal for the first time [to the world] the “[t]he full content of a sensational letter written by [the Duchess] to her estranged father shortly after her wedding”. The contents of the Letter were private when it was written and when it was published, even if the claimant, it now appears, realised that her father might leak its contents to the media.

p.106

ICO issues provisional view to fine Clearview AI Inc over £17 million

The Information Commissioner’s Office (“ICO”) has issued a provisional view of the imposition of a £17m fine over Clearview AI.

The BBC cites that the firms’ database has over 10bn images. The ICO has issued a provisional notice to stop further processing of the personal data of people in the UK and to delete any such data following alleged serious breaches of the UK’s data protection laws.

In a joint investigation with the Australian Information Commissioner (“AIC”) the ICO concluded that the data, some scraped from the internet, was being processed, in the case of UK persons, unlawfully in some instances.

Clearview AI Inc’s services were being used on a free trial basis by some law enforcement agencies. This has been confirmed to no longer be the case.

The ICO’s preliminary view is that Clearview AI Inc appears to have failed to comply with UK data protection laws in several ways including by:

  • failing to process the information of people in the UK in a way they are likely to expect or that is fair;
  • failing to have a process in place to stop the data being retained indefinitely;
  • failing to have a lawful reason for collecting the information;
  • failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
  • failing to inform people in the UK about what is happening to their data; and
  • asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.

Information Comissioner Elizabeth Denham commented:

“I have significant concerns that personal data was processed in a way that nobody in the UK will have expected. It is therefore only right that the ICO alerts people to the scale of this potential breach and the proposed action we’re taking. UK data protection legislation does not stop the effective use of technology to fight crime, but to enjoy public trust and confidence in their products technology providers must ensure people’s legal protections are respected and complied with.

Clearview AI Inc’s services are no longer being offered in the UK. However, the evidence we’ve gathered and analysed suggests Clearview AI Inc were and may be continuing to process significant volumes of UK people’s information without their knowledge. We therefore want to assure the UK public that we are considering these alleged breaches and taking them very seriously.”

This is one of the largest fines issued under the GDPR to date. Clearview now has the opportunity to respond, both in the UK and Australia (the AIC has found breaches of Australian privacy laws).

It’s unsurprising that its database, said to have included images scraped from social media, has drawn the attention of regulators. Facial recognition services have been at the forefront of recent data analytics scrutiny and data protection enforceability.

The ICO press release can be found here and the AIC press release here.

The previous statement of the ICO on the conclusion of the joint investigation can be found here.

Quotes from caselaw 4: PJS v News Group Newspapers Limited [2016] UKSC 26 – privacy rights are broader than just confidentiality

It is a rare case where an application for a interlocutory injunction succeeds despite an article on the subject already being published. Such was the case in PJS, one of the most significant English law cases concerning privacy law to date.

The leading judgment was handed down by Lord Mance. It concerned the grant of an injunction to keep details of an extra marital affair between a claimant of great renown being published by the press.

Lord Mance observes the fact that privacy is a zonal right justifying protection, differing in character from the right of confidentiality. The esteemed judge highlights previous cases at paragraphs 58 and 59 of the judgment, endorsing the well entrenched approach from the Court of Appeal.

He characterises privacy, rightly, as extending beyond the bounds of confidentiality. In doing so ones private life becomes a space that should remain, in certain circumstances, free from intrusion.

However, claims based on respect for privacy and family life do not depend on confidentiality (or secrecy) alone... “unwanted access to private information and unwanted access to [or intrusion into] one’s … personal space”

Lord Mance at p.58-59

Concluding Lord Mance opined on the capacity of the internet to change perceptions of privacy. He acknowledged that the courts need to remain cognizant of this. In doing so he affirmed the findings of previous caselaw, gave credence to commentators and noted the implications of tweeting and blogging:

 I also accept that, as many commentators have said, that the internet and other electronic developments are likely to change our perceptions of privacy as well as other matters – and may already be doing so. The courts must of course be ready to consider changing their approach when it is clear that that approach has become unrealistic in practical terms or out of touch with the standards of contemporary society. However, we should not change our approach before it is reasonably clear that things have relevantly changed in a significant and long-term way. In that connection, while internet access became freely available in this country only relatively recently, almost all the cases listed at the end of para 59 above were decided since that happened, and many of those cases were decided after blogging and tweeting had become common.

Lord Mance at p.70

TPP has commented further on the PJS case here.

Citation: INFORRM Blog, ZXC v Bloomberg LP: Privacy and Reputational Harm – Jeevan Hariharan

The INFORRM Blog has an excellent post on the inter-related nature of privacy and reputational harms.

Whether an individual has a reasonable expectation of privacy that outweighs the public interest in cases where there has been an investigation, but no charge, by the police is an imminent case before the Supreme Court in the case of ZXC v Bloomberg LP.

The case is before the UK Supreme Court on 30 November and 1 December next week and was cited by Hariharan in his analysis of the proximity between privacy and reputational harms.

The Court of Appeal judgment can be found here. The Court found that there could be a reasonable expectation of privacy in the fact of a police investigation. This builds upon notable caselaw such as the Cliff Richard case.

TPP number 30 on Feedspot – Top 35 Privacy Websites and Blogs

We are delighted to be ranked 30 out of Feedspots top 35 blogs. TPP was ranked alongside law firms and authoritative blogs on privacy law.

According to Feedspot sites are ranked “by traffic rank, social media followers, domain authority & freshness.” The full list can be found here and is a must read for anyone interested in privacy law matters.

TPP re-published by the The Student Lawyer: Use of facial recognition software in school lunch queues in North Ayrshire

TPP is pleased to announce that the article that appeared on this site analysing use of facial recognition software in schools in North Ayrshire has been republished by the Student Lawyer.

The Student Lawyer is a go-to legal news and blogging site for law students. You can find the article here.

Citation: 5RB: European Court of Human Rights upholds Article 8 privacy breach in relation to reputation of a dead person

In a case builds upon pre-existing caselaw on the rights of those who are deceased the European Court of Human Rights has found an article 8 breach in relation to news articles posted about a deceased Roman Catholic Priest.

ML v Slovakia 34159/17 concerned a number of articles published by three Slovakian newspapers about the historic sex offence convictions of the claimants son.

The Court found that the articles were inaccurate and sensationalist citing that: “However, it follows from what has been said above that the domestic courts failed to carry out a balancing exercise between the applicant’s right to private life and the newspaper publishers’ freedom of expression in conformity with the criteria laid down in the Court’s case-law.

Concluding the Courts stated, applying Article 8:

“…dealing appropriately with the dead out of respect for the feelings of the deceased’s relatives falls within the scope of Article 8 of the Convention”.

Furthermore the Court stated a clear and concise view on the journalistic integrity of the reporting: “Although the journalists must be afforded some degree of exaggeration or even provocation, the Court considers that the frivolous and unverified statements about the applicants sons private life must be taken to have gone beyond the limits of responsible journalism” -p.47

5RB has an excellent case comment.

ICO intervenes in nine schools in North Ayrshire which are using facial recognition software to scan faces of pupils in lunch queues

According to the Financial Times and Guardian the ICO is set to intervene in nine schools in North Ayrshire following the discovery that pupils faces were being scanned in lunch queues to take payments.

The ICO commented: 

“Data protection law provides additional protections for children, and organisations need to carefully consider the necessity and proportionality of collecting biometric data before they do so. Organisations should consider using a different approach if the same goal can be achieved in a less intrusive manner. We are aware of the introduction, and will be making inquiries with North Ayrshire council.”

Whilst the company that provides the software argues this a safe way to take payments in the age of covid the question, as the ICO rightly posits, clearly arises as to whether a less invasive method of safely taking payments could be used.

Simple measures such as issuing pupils with lunch cards that they can scan to identify themselves or even with just a unique ID number that could easily be anonymised and aggregated, would just as easily serve this purpose.

Under Article 35 of the GDPR a Data Protection Impact Assessment must be made before this software is used. This would assess whether the use of facial recognition software was a proportionate means for achieving the legitimate aim of securely taking card payments. Aspects such as the retention period of data, storage methods, basis for processing, safeguards and processes for gathering consent must be considered.

Schools should have mechanisms and documentation in place to explain to children the circumstances of this data collection, storage and their rights under the GDPR, including an option to opt out of the data collection. 

Under the GDPR the age where children can consent to the sharing of their personal data in England and Wales is as low as is permissible- thirteen. In Scotland, the location of the schools, the age is lower- at twelve years of age.

Interestingly, North Ayrshire Council indicated that 97% of pupils or their parents had given consent to this process. The Council has temporarily paused the rollout of the software given the ICO’s intervention.

CBR Cumminghams, a company that provides the software, stated that their cameras check pupils faces against encrypted templates, an thus operated differently to “live” facial recognition used by the police to scan for criminal activities, that was challenged in the Bridges case.

A Principal of one of the schools, David Waugh, commented:

“The combined fingerprint and facial recognition system was part of an upgrade to the catering cashless system, so that the time it takes to serve students is reduced, thus giving a better dining experience. However, we will not be using the facial recognition aspect.”

Mischon de Reya has a excellent analysis of these issues, which cover Scotland and are thus outside of TPP’s remit. The BBC also reports on the story.