Top 10 Privacy and Data Protection Cases of 2021: A selection – Suneet Sharma

Inforrm covered a wide range of data protection and privacy cases in 2021. Following my posts in 2018, 2019 and 2020, here is my selection of the most notable privacy and data protection cases of 2021:

  1. Lloyd v Google LLC [2021] UKSC 50

In the most significant privacy law judgment of the year the UK Supreme Court considered whether a class action could be brought against Google for breach of s4(4) Data Protection Act 1998 (“DPA”), concerning its obligations as a data controller, over its application of the “Safari Workaround”. The claim for compensation was made under s.13 DPA 1998. The amount claimed per person advanced in the letter of claim was £750. Collectively, with the number of people impacted by the processing, the potential liability of Google was estimated to exceed £3bn.

Lord Leggatt handed down the unanimous judgment in favour of the appellant Google LLC:

“the claim has no real prospect of success. That in turn is because, in the way the claim has been framed in order to try to bring it as a representative action, the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by Google.”

The case has been heralded for its central importance in determining the viability of data protection class actions. The case drew wide coverage from Pinsent Masons, Hill Dickinson, Clifford Chance, Bindmans and Stewarts.

  2. HRH The Duchess of Sussex v Associated Newspapers Limited [2021] EWHC 273 (Ch) and [2021] EWCA Civ 1810

In February 2021 Meghan, Duchess of Sussex, won her application for summary judgment against the Mail on Sunday.  Warby LJ said there were “compelling reasons” for it not to go to trial over its publication of extracts of a private letter to her estranged father, Thomas Markle.  He entered judgment for the Duchess in misuse of private information and copyright.  There was a news piece on Inforrm and a piece by Dominic Crossley.

Associated Newspapers was granted permission to appeal and the appeal was heard on 9 and 11 November 2021, with judgment being handed down on 2 December 2021. The Court, Sir Geoffrey Vos MR, Sharp P and Bean LJ, unanimously dismissed the appeal on all grounds, stating:

“Essentially, whilst it might have been proportionate to disclose and publish a very small part of the Letter to rebut inaccuracies in the People Article, it was not necessary to deploy half the contents of the Letter as Associated Newspapers did. As the Articles themselves demonstrate, and as the judge found, the primary purpose of the Articles was not to publish Mr Markle’s responses to the inaccurate allegations against him in the People Article. The true purpose of the publication was, as the first 4 lines of the Articles said: to reveal for the first time [to the world] the “[t]he full content of a sensational letter written by [the Duchess] to her estranged father shortly after her wedding”. The contents of the Letter were private when it was written and when it was published, even if the claimant, it now appears, realised that her father might leak its contents to the media.” [106]

 The case has been analysed on INFORRM by Brian Cathcart.

  3. Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367

The Federal Court of Australia found that Google misled some users about the personal location data it collected through Android devices between January 2017 and December 2018.

The Court found that, in providing the option “Don’t save my Location History in my Google Account”, Google represented to some reasonable consumers that they could prevent their location data being saved to their Google Account. In fact, users need to change an additional, separate setting to stop their location data being saved to their Google Account.

Inforrm had a case comment.

  4. Hájovský v. Slovakia [2021] ECHR 591

Mr Hájovský placed an anonymous advert in a national newspaper offering payment to a woman in return for giving birth to his child. An investigative reporter posed as a candidate interested in surrogacy, replied to the advert and secretly filmed the ensuing meetings. These were later compiled into a documentary. A national tabloid also covered the story using stills from the footage and taking a critical stance on the applicant’s actions. Both stories revealed the applicant’s identity. This prompted the applicant to bring an action against the media groups for violation of his privacy under Slovakian law.

The Slovakian courts dismissed the application on the basis that the article contributed to a matter of public interest (the debate around surrogacy for payment) and that, in any event, the publishing of the advert had brought a private matter, the applicant’s wish to have a child, into the public domain. The ECtHR found in favour of the applicant. In doing so it reiterated the well-established balancing approach vis-à-vis privacy and freedom of expression as per Von Hannover and Axel Springer. In this instance the court found that the applicant’s right to privacy had been violated and that the Slovakian courts had erred in their approach to balancing the competing rights. In doing so the court made key observations about the privacy implications of photographs.

Inforrm has a case comment.

  5. Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)

This case concerned the viability of claims for breach of confidence and misuse of private information against data controllers who have suffered cyber-attacks. In dismissing the claims for breach of confidence and misuse of private information Saini J found that both causes require some form of “positive conduct” by the defendant that is lacking where the cause of the private information being leaked is a cyber-attack.

Inforrm had a case comment.

  6. ES v Shillington 2021 ABQB 739

In this case the Alberta Court of the Queen’s Bench awarded damages under a new “public disclosure of private fact” tort. The case concerned the making public of images of the claimant engaging in sex acts with the defendant. These had been shared during a romantic relationship between 2005 and 2016, during which the parties had two children together. The parties had a mutual understanding that the images would not be shared or published anywhere. However, the defendant then proceeded to share the images online, including those involving the sexual assault of the claimant.

Delivering judgment for the claimant, Inglis J accepted their submissions that a new “public disclosure of private information” tort should be recognised as a separate cause of action from existing common law statutes.

Inforrm has a case comment.

  7. Hurbain v Belgium ([2021] ECHR 544)

 A case in which an order to anonymise a newspaper’s electronic archive was found not to breach the applicant publisher’s right to freedom of expression. This case reflects an important application of the right to be forgotten under article 8 of the Convention.  The applicant, Patrick Hurbain, is the president of the Rossel Group which owns one of Belgium’s leading French-language newspapers, Le Soir, of which he was previously Managing Editor. The article in question concerned a series of fatal car accidents and named one of the drivers, G, who had been convicted of a criminal offence for his involvement in the incidents. G made a successful application for rehabilitation in 2006.

However, Le Soir created a free, electronic, searchable version of its archives from 1989 onwards, including the article at issue. G relied on the fact that the article appeared in response to a search on his name on Le Soir’s internal search engine and on Google Search. He explained that its availability was damaging to his reputation, particularly in his work as a doctor. The newspaper refused the application but stated that it had asked Google to delist/deindex the article.

In 2012 G sued Mr Hurbain as editor of Le Soir and was successful domestically. Mr Hurbain then lodged an application with the Strasbourg Court complaining that the anonymisation order was a breach of Article 10. In balancing the article 8 and 10 rights in the case the Strasbourg Court found in favour of G.

Inforrm had a case comment.

  8. Peters v Attorney-General on behalf of Ministry of Social Development [2021] NZCA 355

The New Zealand Court of Appeal provided guidance in respect of the tort of invasion of privacy in this high-profile case. In 2017, the Ministry for Social Development (“MSD”) realised that Mr Peters, MP and leader of the New Zealand First Party, had been overpaid New Zealand Superannuation (“NZS”). Due to errors, NZS had been paid at the single rate when it should have been paid at the partner rate. Mr Peters immediately arranged for the overpaid amount to be repaid.

In August 2017 several reporters received anonymous calls in respect of the overpayment. To pre-empt any publicity, Mr Peters released a press statement addressing the incident. He also issued a claim for infringement of the tort of invasion of privacy against several MSD executives.  The High Court found the MSD executives were proper recipients of information and thus the claim failed.  The Court of Appeal dismissed Mr Peters’ appeal. For an invasion of privacy claim to succeed there is a two “limb” test:

  • the existence of facts in respect of which there was a reasonable expectation of privacy; and
  • that the publicity given to those private facts would be considered highly offensive to an objective reasonable person.

The Court agreed that limb one was met on the facts. However, the Court found that Mr Peters did not have a reasonable expectation of protection from disclosure of this information within MSD and from MSD to the relevant Ministers and select staff. As the claimant could not prove that any of the defendants had released information to the media, the appeal was dismissed. The case affirmed the removal of the requirement for there to be widespread disclosure and the potential for the removal of the requirement that disclosure be highly offensive.

  9. R (Open Rights Group and the 3 million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800

A case concerning the lawfulness of the immigration exemption found in paragraph 4 of Schedule 2 of the Data Protection Act 2018. This exemption allows those processing personal data for immigration control purposes to refuse to comply with the data subject rights guaranteed by the GDPR to the extent that complying with those provisions would prejudice those purposes. The Court of Appeal found that this exemption was not compliant with Article 23 of the GDPR.

There was coverage from Hunton Andrews Kurth and 11KBW.

  10. Biancardi v. Italy [2021] ECHR 972

The ECtHR found that an order that the editor of an online newspaper was liable for failing to de-index an article concerning criminal proceedings did not breach Article 10 of the Convention. The case concerned an application for the delisting of an article concerning a fight involving a stabbing in a restaurant which mentioned the names of those involved, including the applicant V.X.

Inforrm had a case comment.

Suneet Sharma is a junior legal professional with a particular interest and experience in media, information and privacy law.  He is the editor of The Privacy Perspective blog.

Quotes from caselaw 5: Lloyd v Google LLC [2021] UKSC 50 – no one size fits all claim available in data protection “Safari Workaround” class action

In one of the most significant privacy law judgments of the year the UK Supreme Court considered whether a class action could be brought against Google for breach of s4(4) Data Protection Act 1998 (“DPA”), concerning its obligations as a data controller, over its application of the “Safari Workaround”. The claim for compensation was made under s.13 DPA 1998.

The amount claimed per person advanced in the letter of claim was £750. Collectively, with the number of people impacted by the processing, the potential liability of Google was estimated to exceed £3bn.

“The claim alleges that, for several months in late 2011 and early 2012, Google secretly tracked the internet activity of millions of Apple iPhone users and used the data collected in this way for commercial purposes without the users’ knowledge or consent.”

Lord Leggatt at p.1

The class action claim was brought under rule 19.6 of the Civil Procedure Rules.

Lord Leggatt handed down the unanimous judgment in favour of the appellant Google LLC:

“the claim has no real prospect of success. That in turn is because, in the way the claim has been framed in order to try to bring it as a representative action, the claimant seeks damages under section 13 of the DPA 1998 for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach of the requirements of the Act by Google.”

At p.159

It should be noted that the claim was brought under the Data Protection Act 1998 and not under the GDPR.

See the full judgement here. The Panopticon Blog has an excellent summary.

Big Brother Watch publishes The State of Free Speech Online Report

Government surveillance interest group Big Brother Watch has released an insightful Report entitled: The State of Free Speech Online.

The Report looks at crucial provisions of the English Government’s proposed Online Safety Bill, critiquing its impact on freedom of speech.

The Report in particular focuses on social media platforms and the impact of the Bill’s provisions on their ability to facilitate free speech.

TPP supports free speech unequivocally, recognising that in a democratic society both rights of free speech and the protection of one’s private life must be carefully balanced and safeguarded.

Facebook’s recent move to remove third parties’ Australian news from its site in protest at the provisions of the proposed News Media Bargaining Code, in doing so lobbying the Australian government, serves to highlight the unequal bargaining position of online platforms and their extensive influence.

Furthermore, Twitter permanently suspending then US President Donald Trump highlighted the ability of a platform to operate at the highest levels as arbiters of free speech.

It serves to bring into sharp relief the need for proper safeguards and guidelines for, as the Report states, private companies who “wield power… comparable to that of governments”.

As arbiters of free speech companies such as Facebook, Instagram, YouTube and Twitter hold substantive sway over millions of conversations where the rights of free speech and those of privacy intersect. This Report is a welcome examination of the coming reforms in the Online Safety Bill through a lens of safeguarding free speech.

It argues that enforcement of free speech rights has been “questionable, inconsistent and problematic” across the platforms. It goes on to opine that such platforms need to mirror the rule of law and reflect human rights principles.

As English law moves to take the next step in regulating the activities of those online via the Online Safety Bill, TPP will be reporting on both sides of the free speech and privacy debate.

UK government releases NHS covid-19 data sharing agreements

Following significant pressure from groups such as OpenDemocracy and Foxglove the UK government has released its data sharing contracts with companies such as Amazon, Google and Microsoft for the creation of a cloud database for sharing covid-19 related data. Contracts with AI firms Palantir and Faculty were also released.


Google and healthcare provider Ascension collaboration raises privacy concerns

Google Cloud has been providing Ascension, the second biggest healthcare provider in the US, with cloud infrastructure services since July 2019. Providing software services to healthcare providers to facilitate the secure management of patient data is not uncommon for Google. The services Ascension is taking are similarly commonplace: the migration of data to Google Cloud, utilizing suite productivity tools and providing technological tools to Ascension’s doctors for use. What perhaps is the defining factor is the scale, with this being the largest project of its kind to date, managing data of over 50 million Americans. This was dubbed “Project Nightingale”.


Citation: The Guardian: Google and Facebook to investigate the targeting of micro-political ads

The Guardian has an excellent piece on recent moves by Facebook and Google in seeking to ban micro-targeting political ads.

The practice, which underpins the Cambridge Analytica scandal, is being reviewed by the news providers. The harvesting of politically oriented data is common and is usually undertaken as part of an effort to profile users.

Facebook has been known to group users for the purposes of ads-targeting, some of which considers political interests. This allows for a nuanced and, in many cases, alarming degree of differentiation and influence of users. The US legislatures have taken issue with this approach in the past.

The ICO has recently reached an agreement with Facebook over the fines put in place over the Cambridge Analytica scandal. The regulator continues work into data misuse in political advertising, to which the issue of micro-targeting of political ads is central.

£3billion class action against Google given the go-ahead – Lloyd v Google LLC [2019] EWCA Civ 1599

Mr Lloyd, a consumer protection advocate, brought a claim against Google for damages on behalf of 4m Apple iPhone users. It was alleged that Google secretly tracked some of their internet activity for commercial purposes between 9 August 2011 and 15 February 2012.

The right to be forgotten does not apply to search engine results globally

On 24 September 2019 the European Court of Justice (“ECJ”) handed down judgment in the case of Google v CNIL C-507/17. The effect of the case was that right to be forgotten requests need only be applied to domain names of Member States and not globally. The case, therefore, has implications for the processing and effectiveness of right to be forgotten requests, particularly for requestors who seek de-listing of search results from multiple non-EU jurisdictions. Notably, the administrative burden upon search engine operators has been limited by the ruling.
