It is unfortunate at times that some charities which do the most sensitive of work also hold the most sensitive data. It makes data protection compliance all the more critical. Unfortunately, the transgender rights charity Mermaids has fallen foul of data protection laws in the creation of an email group that was not sufficiently annexed or encrypted to protect the data it contained.
The result was that the 780 email pages were identifiable online over a period of three years. This left the personal information of 550 people searchable online. Furthermore, the personal data of 24 of those people revealed how they were coping and feeling. Finally, for a further 15 people, information classified as special category data, such as mental and physical health and sexual orientation, was exposed.
Steve Eckersley, Director of Investigations at the ICO said:
This serves as a warning call for charities who process sensitive personal data – under the GDPR and the framework of self-reporting you need to have appropriate technical measures in place. Failure to do so puts users' data at risk and leaves them vulnerable. Mermaids' penalty was imposed for the data being at risk for the period of 25 May 2018 to 14 June 2019.
It is notable that Mermaids' data protection policies and procedures were not updated to reflect GDPR standards. Since the implementation of the Data Protection Act 2018, data protection practices are taking on increasing importance, and a robust review with practical changes to data harvesting, management, retention and rights handling is now a necessity.
This was taken from the case of Puttaswamy v Union of India. The case entrenched the right to privacy under Indian law. The infographic provides a useful means for distilling the concept of privacy and its scope.
“A home security product upscaled and diversified into law enforcement and integrated with video software brings with it some serious privacy concerns.”
What is the Ring?
The Ring is Amazon’s bestselling smart security device product line. The most notable of these is the Ring doorbell, which allows users to monitor movement by their front doors, capture video and receive mobile notifications whenever someone presses the doorbell. Users can also benefit from an App which is installed on their mobile, monitors local news and allows social media style sharing with other Ring users.
Ring additionally offers security services, cross-selling into the wider security service market.
Ring and law enforcement
Recent controversy was sparked when it was found that the Ring is partnering with over 400 police departments in the United States. The Ring’s collaborative efforts extend to targeting ad words at users, encouraging them to share live video feed footage with law enforcement. This in and of itself is a significant extension in police surveillance meriting further legislative scrutiny.
However, pair this with the fact that the Ring is being dubbed “the new neighborhood watch” and it becomes a little disconcerting.
It is well-established that people’s likeness is considered personal data and that the recording of individuals without their consent is potentially invasive. There are also civil liberties concerns regarding the police acquiring these live video feeds for their own use.
This has drawn the attention of the Senator for Massachusetts, Edward Markey, who recently published a letter sent to Amazon’s CEO Jeffrey Bezos, highlighting civil liberties concerns with the Ring. This highlights issues previously raised in the United Kingdom in relation to the use of facial recognition software: its potential to racially profile individuals. Whilst this was considered by the Administrative Court to be too intangible an argument, lacking sufficient supporting data, further scrutiny would be most welcome.
And it looks like further scrutiny is forthcoming. In his letter Senator Markey highlights 10 key concerns around the Ring system, demanding a response from the Amazon CEO by 26 September 2019. We highly recommend readers consider the letter in its entirety here.
Breach of confidence occurs when confidential information, as shared between parties in a manner which is confidential, is shared with a third party in breach of that duty of confidence. What imposes the duty to protect the information in a breach of confidence case is a pre-existing confidential relationship between the parties.
The case of Coco v A.N. Clark involved the claimant looking to bring a new form of moped to the market, parts of which were then sourced from a third party in breach of obligations of confidence. This case underpinned the three elements of the tort and highlights the most common scenario in which breach of confidence claims arise: those involving business secrets and negotiations.
In relation to privacy, breach of confidence tends to cover confidential conversations and communications where the nature of the information itself attracts a reasonable expectation of privacy. This may relate to communications with lawyers or medical professionals, for example.
Defamation seeks to protect the individual’s reputation from false statements which harm or may harm it. Slander and libel (more permanent forms of communication) refer to a statement publicized to a third party which has caused or is likely to cause serious harm to their reputation.
Thornton v Telegraph Media Group Ltd  EWHC 159 (QB) highlighted that defamation claims often cross the threshold to engage Article 8 privacy rights. In particular, the European Court of Human Rights has ruled that:
“In order for Article 8 to come into play, however, an attack on a person’s reputation must attain a certain level of seriousness and in a manner causing prejudice to personal enjoyment of the right to respect for private life…”
Claimants have to show the statement at issue is likely to cause serious harm to their reputation per s.1 Defamation Act 2013. This is typically via evidence such as circulation, subscribers and views of the statement at issue.
The defenses available to defamation are:
Truth: That the statement itself was substantially true.
Honest opinion: That the statement was one of opinion and that an honest person could have reasonably held that opinion.
Public interest: That the matter was one which was in the public interest and the publisher of the statement reasonably believed it to be so.
Privilege: This can be absolute (such as a Parliamentary statement) or qualified (e.g. job references). Qualified privilege does not protect the publisher of a statement where it was made maliciously.
Passing off is typically used to protect a person’s name or image, which has attracted goodwill as a business commodity. There are three well-established elements of passing off as stated in the case of Reckitt & Colman Products Ltd v Borden Inc & Ors  RPC 341:
Goodwill or reputation in the mind of the public attached to goods or services;
The defendant misrepresented that their goods or services are those of the claimant; and
The claimant suffered or is likely to suffer damages due to erroneous belief in the mind of the public that the defendant’s goods are the claimant’s.
A case which illustrates this is that of Fenty v Arcadia  EWCA Civ 3, a case involving Rihanna bringing a passing off action against Topshop. The action arose from Topshop’s unauthorized use of an image of Rihanna on a line of t-shirts. It was first considered that:
“registered trade marks aside, no-one can claim monopoly rights in a word or a name. Conversely, however, no-one may, by the use of any word or name, or in any other way, represent his goods or services as being the goods or services of another person and so cause that other person injury to his goodwill and so damage him in his business” – p.34
However, it was concluded that all elements of the tort were made out by the claimant. Rihanna had a marked presence in the fashion industry and had generated significant goodwill. By using her image on its t-shirts Topshop created a likelihood of confusion among customers that the t-shirts were endorsed by Rihanna herself. They were not. It was, therefore, considered that Rihanna suffered damage due to the unauthorized use of her image. This was despite the fact that there is no standalone right to protect one’s image at law.
The Fenty case is illustrative of how passing off can be used to protect elements of the person which are inherently private identifying factors. The foremost of these being the likeness of a person or their name.
It should be noted that the rationale for protection in passing off cases is protecting the goodwill which attaches to these elements of the person. The nature of a passing-off action is, therefore, more akin to other economic torts such as malicious falsehood. Notwithstanding this nature, the propensity for passing off actions to be used to protect elements of the persona that attract inherent private character is significant.
These claims stem from the malicious publication of a false statement which identifies the claimant and has caused them financial loss. These four elements must be proven by the claimant. What malicious falsehood seeks to protect is the claimant’s economic rights, primarily the goodwill in their business. Therefore, in many cases claimants will seek to show special pecuniary loss in the form of damages to business evidenced by loss of profits.
In some cases, however, no loss needs to be proven by the claimant. These instances are outlined in s3(1)(a) and (b) Defamation Act 1952 and typically involve instances where the statement complained of is in writing and was calculated to cause pecuniary damage to the plaintiff.
Malicious falsehood is firstly concerned with the falsity of a statement, rather than matters of comment or opinion that defamation is typically debated around.
“Some malicious falsehood claims also involve Art 8 (privacy) rights, although less frequently than in defamation claims” – Thornton v Telegraph Media Group Ltd  EWHC 159 (QB) at p.33
The requirement for financial loss to be evidenced in malicious falsehood cases means that it less often covers Article 8 issues, as these are more likely to be personal attacks meriting Article 8 protection. As an economic tort, malicious falsehood sits less easily with Article 8 issues than the personal tort of defamation (see Ajinomoto Sweeteners Europe SAS v Asda Stores Limited  EWCA Civ 609).
In a malicious falsehood claim damages are compensatory in nature. They seek to provide compensation for the pecuniary loss caused by the false statement.
As a practical matter, defamation and malicious falsehood claims are typically brought together. In covering Article 8 rights, the statements at issue can include false allegations which impinge upon the private life of the claimant. These include mixed statements which have personal imputations which damage the claimant’s business, such as statements about infidelity or convictions.
The tort of misuse of private information is relatively new and is the primary action which protects privacy rights under English law. To give effect to Article 8 of the European Convention on Human Rights, which enshrined the right to a private life, English common law (Campbell v MGN Ltd  UKHL 22) sought to extend the remit of the breach of confidence action to cover instances absent a pre-existing confidential relationship.
The result was the formation of the new tort of misuse of private information. The starting point in Campbell was that there was no cause of action for invasion of privacy. Mirror Group Newspapers, in disclosing information regarding Naomi Campbell’s drug addiction, had committed wrongful use of private information.
The elements of the tort are that:
the Claimant must prove that they had a reasonable expectation of privacy in respect of the information at issue; and
contrary interests, typically between privacy rights and freedom of expression, must be balanced.
A reasonable expectation of privacy typically arises in the context of private information such as health matters. A reasonable expectation of privacy takes into account a broad number of elements, from the individual themselves to the quality of information used and previous statements concerning the information. As in Campbell, the information at issue may be broken down into categories from most private to least to enable the application of this test.
Managing competing interests typically involves a consideration of journalistic freedom of expression. This considers the public interest for and against the disclosure of the information. It will also consider the context in which the information is communicated. Interference with rights must be considered proportionate and justifiable.