Top 10 Privacy and Data Protection Cases 2023: a selection – Suneet Sharma

Inforrm covered a wide range of data protection and privacy cases in 2023. Following my posts in 2018, 2019, 2020, 2021 and 2022, here is my selection of notable privacy and data protection cases across 2023. TPP is delighted to repost its annual article on this topic after a hiatus.

1. Stoute v News Group Newspapers Ltd [2023] EWHC 232 (KB)
Having secured the United Kingdom’s most lucrative government contract for PPE during Covid-19, worth £2 billion, a married couple sought an emergency injunction at first instance (and again on appeal) to prevent the publication of photographs of them walking along a public beach, fully dressed (her in a knee-length kaftan, him in board shorts and a polo shirt), on their way to a family lunch at a beach restaurant frequented by celebrities (and paparazzi).(6) The court denied the couple’s application to prevent publication in The Sun of the photographs, over which the court said the couple had no reasonable expectation of privacy.

The Court of Appeal upheld the finding that there was simply no reasonable expectation of privacy in the photographs in the circumstances, with considerable weight placed on the “performative” manner in which the couple arrived at the beach with their larger party by way of loud jet skis from their luxury yacht anchored just off-shore.

2. WFZ v BBC [2023] EWHC 1618 (KB)
The applicant, a high-profile man arrested for sexual offences against two women but not charged, sought an interim injunction pending trial to prevent the BBC from publishing his name as part of a broader story concerning the failings in the industry concerned properly to deal with such allegations.(7) The applicant had not yet been named by the mainstream media. The basis for the injunction application was misuse of private information and contempt of court (a novel claim for a private individual to bring).

The High Court held that the applicant had a reasonable expectation of privacy in his arrest, indicating that courts are likely to restrain information about arrests as well as investigations (following the Supreme Court’s decision in ZXC) until the suspect is charged. Additionally, though controversially, the court found that having been arrested, publication of the man’s name would likely give rise to a contempt of court such as to justify restraint.

3. Prismall v Google
In the latest attempt to open the floodgates for group data privacy claims, a representative claimant brought a misuse of private information claim against DeepMind and Google on behalf of 1.6 million people arising from the transfer of their NHS medical records.

The claim was struck out by the High Court for failing to show that, on the lowest common denominator basis, all claimants would be able to establish a reasonable expectation of privacy in the data shared and were entitled to more than nominal damages. The claim would have been a means of getting around the finding in Lloyd v Google that there were no recoverable damages in data claims for loss of control of data. The Court of Appeal has granted permission to appeal.

See the comment from the Panopticon Blog.

4. Baroness Lawrence & Ors v Associated Newspapers Ltd [2023] EWHC 2789 (KB)

A summary judgment where the claimants alleged that the Daily Mail, the Mail on Sunday and MailOnline acquired private or confidential information through unlawful methods including voicemail interception, eavesdropping on calls, deception and use of private investigators. This information was then allegedly posted online by the outlets.

The Defendants made an application to challenge the claim on two grounds: limitation, in that the claims were made over six years after the misconduct occurred; and the use of ledgers from the Leveson Inquiry, in respect of which there were three orders in place.

It was held that each of the claimants had a real prospect of success with reliance on section 32 of the Limitation Act 1980. In relation to the orders it was found that the approach needed to be regularised, which could be achieved in three ways: (a) by the defendant voluntarily disclosing the Ledgers; (b) the relevant government Minister varying the order; or (c) amending the Particulars of Claim to remove the material from the Ledgers.

There was a 5RB comment on the case.

5. Duke of Sussex v MGN Ltd [2023] EWHC 3217 (Ch)

Fancourt J held that phone hacking had been habitual and widespread at The Daily Mirror, The Sunday Mirror and The People newspapers from 1998 until 2006, and had continued extensively but on a reducing basis from 2007 until 2011. The editors and in-house legal departments knew it was being used, and the group legal director and CEO had known about or turned a blind eye to it. Although claims by the Duke of Sussex and others for damages for loss caused by publication of their private information obtained by phone hacking and/or other unlawful means were statute-barred, some of their claims for damages for misuse of private information succeeded. When assessing damages, losses flowing from publication of their private information were recoverable as damages for the original unlawful information gathering. 5RB news has a comment.

6. VB v. Natsionalna agentsia za prihodite (C‑340/21)

A case which clarified the concept of non-material damage under Article 82 of the EU General Data Protection Regulation (“GDPR”) and the rules governing burden of proof under the GDPR.   

Following a cyber attack against the Bulgarian National Revenue Agency (the “Agency”), one of the more than six million affected individuals brought an action before the Administrative Court of Sofia claiming compensation. In support of that claim, the affected individual argued that they had suffered non-material damage as a result of a personal data breach caused by the Agency’s failure to fulfill its obligations under, inter alia, Articles 5(1)(f), 24 and 32 of the GDPR. The non-material damage claimed consisted of the fear that their personal data, having been published without their consent, might be misused in the future, or that they might be blackmailed, assaulted or even kidnapped.

In its judgment, the CJEU takes the view that the mere fact that a personal data breach occurred does not mean that the Agency did not implement appropriate technical and organizational measures to comply with Articles 24 and 32 of the GDPR. The EU legislator’s intent, as explained by the CJEU, was to “to ‘mitigate’ the risks of personal data breaches, without claiming that it would be possible to eliminate them.” National courts should assess the measures implemented “in a concrete manner, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks.” 

That said, the CJEU further notes that the fact that an infringement results from the behaviour of a third party (cyber criminals) does not exempt the controller from liability and that, in the context of an action for compensation under Article 82 of the GDPR, the burden of proving that the implemented technical and organizational measures are appropriate falls on the controller and not on the individual.

Finally, building on its Österreichische Post judgment, the CJEU indicates that the fear experienced by individuals with regard to a possible misuse of their personal data by third parties as a result of an infringement of the GDPR may, in itself, constitute non-material damage. In this respect, the national court is required to verify that the fear can be regarded as well founded, in the specific circumstances at issue for the concerned individual.

7. Delo v Information Commissioner [2023] EWCA Civ 1141 

A case which considered the approach to be taken by the Information Commissioner to complaints made by data subjects. Mr Delo made a data subject access request to Wise Payment Limited, to which Wise responded that it was exempt from providing much of the information requested. Upon Mr Delo complaining to the Information Commissioner, he was advised that Wise had declined to provide the information sought in keeping with its obligations.

Mr Delo escalated his request by bringing a claim for judicial review and suing Wise.   

In finding that Wise had complied with its obligations, two matters were clarified by the Court of Appeal as matters which were in the public interest:

(1) Is the Commissioner obliged to reach a definitive decision on the merits of each and every complaint or does he have a discretion to decide that some other outcome is appropriate?

(2) If the Commissioner has a discretion, did he nonetheless act unlawfully in this case by declining to investigate or declining to determine the merits of the complaint made by the claimant?

The Court answered both questions in the negative.

Panopticon Blog has an excellent summary of the case.

8. Ali v Chief Constable of Bedfordshire [2023] EWHC 938 (KB)

A informed the police that her husband was a cocaine dealer and a danger to her family; she indicated that she was providing the information on the basis that she would not be identified as a source.

The police informed the local council social services department. However, a malicious council employee informed A’s husband of what A had said.

Whilst the council was not held vicariously liable for the criminal acts of its employee, her action against Bedford Police succeeded for breaches of the GDPR, misuse of private information and contravention of Article 8 of the ECHR.

For a summary of the case see the Panopticon Blog.

9. Hurbain v Belgium

In 2008 the newspaper placed on its website an electronic version of its archives dating back to 1989 (including the Article). In 2010 Dr G contacted Le Soir, requesting that the article be removed from the newspaper’s electronic archives or at least anonymised. The request mentioned his profession and the fact that the article appeared among the results when his name was entered in several search engines.  The newspaper refused to remove the article.

In 2012 Dr G sued Mr Hurbain (in his capacity as editor of Le Soir) to obtain the anonymisation of the article. His action was founded on the right to private life, which (under Belgian law) encompassed a right to be forgotten. Ultimately, the Grand Chamber found that there had been no violation of Article 10; the interference with the right here had been necessary and proportionate.

10. FGX v Gaunt [2023] EWHC 419 (KB)

The covert recording of naked images of the claimant and their publication on a pornographic website gave rise to this claim for (i) intentionally exposing the claimant to a foreseeable risk of injury or severe distress which resulted in injury; (ii) infringement of the claimant’s privacy; and (iii) breach of the claimant’s confidence.

Said to be the first case of its kind in England and Wales, the case resulted in an award of damages in total of £97,041.61.

Inforrm had a case comment.

Amazon looks to be fined EUR425m for GDPR breaches

The Wall Street Journal has cited sources close to the matter, stating that Amazon looks to be liable for the sum.

More information can be found in a recent post by Yahoo. TPP will be following the story closely and providing updates as we learn more.

For more information on GDPR fines see our post on Top 5 data breach fines since the implementation of the GDPR.

Top 5 data breach fines since the implementation of the GDPR

Given the growing enforcement of the General Data Protection Regulation and the increased fine limits these laws impose, we bring you our analysis of the 5 highest fines, along with the comments from the data protection regulators that issued them. These fines together showcase the practical implications of the new regulation and how some of the biggest companies fell foul of sanctions. Analysis is given as at 24 December 2020.