An individual suffers a data protection breach and claims compensation – often as part of a group. What kinds of consequence can they claim for? How serious do those consequences need to be for there to be a viable claim? These are pivotal issues in data protection litigation, from both commercial and legal perspectives. The Court of Appeal’s very recent judgment in the Equiniti litigation is hugely important on these fronts: see Farley and Others v Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117. Continue reading →

Multi-party claims for misuse of data: how do you take them forward? GLOs yes, though they are often seen as too unwieldy. Straightforward multi-claimant litigation using ‘omnibus’ claim forms is fine, but doesn’t get litigation funders the maximum volumes they seek. Representative actions under CPR 19.8 are the ideal vehicle in that sense, but Lloyd v Google effectively killed them as regards data protection claims (no loss of control damages; individualised assessment needed). Can misuse of private information claims (loss of control damages available; individualised assessment perhaps not needed) fare better? The Prismall action was the leading post-Lloyd candidate on this front, but it has suffered another death this Advent. Continue reading →

Nearly five years into the life of the GDPR/DPA 2018 regime, the dust is finally settling on the first monetary penalty notice issued by the ICO under that regime. This was against Doorstep Dispensaree, whose multiple challenges to that MPN have finally run aground Continue reading →

The High Court (Steyn J) has today handed down judgment in Harrison v Cameron and ACL [2024] EWHC 1377 (KB), a case full of notable legal points and rather colourful facts. On phone calls with one of the defendants, the claimant had repeatedly made threats of violence, without realising that the calls were being recorded. Via subject access requests under Article 15 of the UK GDPR, he sought the identities of individuals to whom the content of the recordings had been disclosed. The defendants refused, relying inter alia on the ‘personal data of others’ exemption (see DB v General Medical Council, etc), in light of the claimant’s conduct. In dismissing the claimant’s claim for the identities of the recipients, Steyn J’s judgment addresses not only that exemption, but a range of important data protection issues including the ‘personal/household’ exemption, the definition of ‘data controller’, the right to request specific identities of recipients and the application of post-Brexit CJEU case law (Austrian Post). I acted for the defendants, instructed by Charles Fussell & Co LLP, so for now I’ll just post this.

Crucial and difficult questions continue to bedevil the litigation of data breach claims: how much (if anything) are claims worth, and how do you take forward large volumes of low-value claims arising from the same incident in ways that are cost-effective and proportionate? The recent judgment of Nicklin J in Farley and 473 others v Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB) is a further notable development on these fronts. Continue reading →

ICO Enforcement Notices and Monetary Penalty Notices (“MPNs”), and the resulting appeals to the FtT, are the bread and butter of information law litigation. Readers of Panopticon would be forgiven for thinking that issues such as the burden and standard of proof in such appeals would be uncontentious. But not so, according to the appellant in Doorstep Dispensaree Ltd v Information Commissioner [2023] UKUT 132 (AAC).

Continue reading →