Subject access requests, threats of violence, exemptions and the like

The High Court (Steyn J) has today handed down judgment in Harrison v Cameron and ACL [2024] EWHC 1377 (KB), a case full of notable legal points and rather colourful facts. On phone calls with one of the defendants, the claimant had repeatedly made threats of violence, without realising that the calls were being recorded. Via subject access requests under Article 15 of the UK GDPR, he sought the identities of individuals to whom the content of the recordings had been disclosed. The defendants refused, relying inter alia on the ‘personal data of others’ exemption (see DB v General Medical Council, etc), in light of the claimant’s conduct. In dismissing the claimant’s claim for the identities of the recipients, Steyn J’s judgment addresses not only that exemption, but a range of important data protection issues including the ‘personal/household’ exemption, the definition of ‘data controller’, the right to request specific identities of recipients and the application of post-Brexit CJEU case law (Austrian Post). I acted for the defendants, instructed by Charles Fussell & Co LLP, so for now I’ll just post this.

Equiniti group claim: court strikes out almost all claims

Crucial and difficult questions continue to bedevil the litigation of data breach claims: how much (if anything) are claims worth, and how do you take forward large volumes of low-value claims arising from the same incident in ways that are cost-effective and proportionate? The recent judgment of Nicklin J in Farley and 473 others v Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB) is a further notable development on these fronts. Continue reading

Standing on the doorstep: UT affirms burden and standard of proof orthodoxy

ICO Enforcement Notices and Monetary Penalty Notices (“MPNs”), and the resulting appeals to the FtT, are the bread and butter of information law litigation. Readers of Panopticon would be forgiven for thinking that issues such as the burden and standard of proof in such appeals would be uncontentious. But not so, according to the appellant in Doorstep Dispensaree Ltd v Information Commissioner [2023] UKUT 132 (AAC).

Continue reading

GDPR and privacy damages: causation and quantum

Personal data of a private and sensitive nature can, of course, end up being used in ways that are both distressing and tangled – in the sense that it is not altogether clear who (if anyone) to hold responsible, in law and in fact. The recent judgment of Chamberlain J in Ali v Chief Constable of Bedfordshire [2023] EWHC 938 (KB) is a must-read case study for anyone needing guidance in navigating thickets of causation and quantum (spoiler: award of £3k for UK GDPR breaches; the same award would have arisen for misuse of private information and under Article 8 ECHR in these circumstances). Continue reading

Subject access disputes: exemptions, closed procedures and more

As noted by Panopticon earlier today, the CJEU has been busy pronouncing on subject access request principles. The drift has, in general, been pro-data subject. In the UK, however, subject access case law has not necessarily been one-way pro-disclosure traffic, as is evident from the robust and careful judgment handed down this week by Mrs Justice Farbey in X v Transcription Agency and Master James. Continue reading