Equiniti group claim: court strikes out almost all claims

Crucial and difficult questions continue to bedevil the litigation of data breach claims: how much (if anything) are claims worth, and how do you take forward large volumes of low-value claims arising from the same incident in ways that are cost-effective and proportionate? The recent judgment of Nicklin J in Farley and 473 others v Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB) is a further notable development on these fronts.

Standing on the doorstep: UT affirms burden and standard of proof orthodoxy

ICO Enforcement Notices and Monetary Penalty Notices (“MPNs”), and the resulting appeals to the FtT, are the bread and butter of information law litigation. Readers of Panopticon would be forgiven for thinking that issues such as the burden and standard of proof in such appeals would be uncontentious. But not so, according to the appellant in Doorstep Dispensaree Ltd v Information Commissioner [2023] UKUT 132 (AAC).

GDPR and privacy damages: causation and quantum

Personal data of a private and sensitive nature can, of course, end up being used in ways that are both distressing and tangled – in the sense that it is not altogether clear who (if anyone) to hold responsible, in law and in fact. The recent judgment of Chamberlain J in Ali v Chief Constable of Bedfordshire [2023] EWHC 938 (KB) is a must-read case study for anyone needing guidance in navigating thickets of causation and quantum (spoiler: award of £3k for UK GDPR breaches; the same award would have arisen for misuse of private information and under Article 8 ECHR in these circumstances).

Subject access disputes: exemptions, closed procedures and more

As noted by Panopticon earlier today, the CJEU has been busy pronouncing on subject access request principles. The drift has, in general, been pro-data subject. In the UK, however, subject access case law has not necessarily been one-way pro-disclosure traffic, as is evident from the robust and careful judgment handed down this week by Mrs Justice Farbey in X v Transcription Agency and Master James.

Subject access requests: what do you need to provide?

Dear Sir/Madam, I hereby make a subject access request, please give me copies of documents and specify everyone you gave my data to, yours sincerely.

Response: okay, you can have some data, but no documents and we only need to tell you about ‘categories’ of recipients, not specific recipients.

Reply: not good enough, Article 15 GDPR entitles me to more detail.

Who is right? The CJEU has had a busy few months shedding some light on these kinds of issues, thanks mainly to a slew of Austrian referrals, with its latest contribution coming last week.