The High Court (Steyn J) has today handed down judgment in Harrison v Cameron and ACL [2024] EWHC 1377 (KB), a case full of notable legal points and rather colourful facts. On phone calls with one of the defendants, the claimant had repeatedly made threats of violence, without realising that the calls were being recorded. Via subject access requests under Article 15 of the UK GDPR, he sought the identities of individuals to whom the content of the recordings had been disclosed. The defendants refused, relying inter alia on the ‘personal data of others’ exemption (see DB v General Medical Council, etc), in light of the claimant’s conduct. In dismissing the claimant’s claim for the identities of the recipients, Steyn J’s judgment addresses not only that exemption, but a range of important data protection issues including the ‘personal/household’ exemption, the definition of ‘data controller’, the right to request specific identities of recipients and the application of post-Brexit CJEU case law (Austrian Post). I acted for the defendants, instructed by Charles Fussell & Co LLP, so for now I’ll just post this.
Author: Robin Hopkins
Equiniti group claim: court strikes out almost all claims
Crucial and difficult questions continue to bedevil the litigation of data breach claims: how much (if anything) are claims worth, and how do you take forward large volumes of low-value claims arising from the same incident in ways that are cost-effective and proportionate? The recent judgment of Nicklin J in Farley and 473 others v Paymaster (1836) Limited (trading as Equiniti) [2024] EWHC 383 (KB) is a further notable development on these fronts. Continue reading
Standing on the doorstep: UT affirms burden and standard of proof orthodoxy
ICO Enforcement Notices and Monetary Penalty Notices (“MPNs”), and the resulting appeals to the FtT, are the bread and butter of information law litigation. Readers of Panopticon would be forgiven for thinking that issues such as the burden and standard of proof in such appeals would be uncontentious. But not so, according to the appellant in Doorstep Dispensaree Ltd v Information Commissioner [2023] UKUT 132 (AAC).
Never Mind: Prismall and privacy representative actions
As Panopticon’s readership will be well aware, last week’s judgment in Prismall v Google UK Ltd and Deep Mind Technologies Ltd [2023] EWHC 1169 (KB) saw Mrs Justice Williams strike out the only live attempt in the UK at an opt-out class action for data misuse. In this post, I’ll summarise the Court’s key reasons. Continue reading
GDPR and privacy damages: causation and quantum
Personal data of a private and sensitive nature can, of course, end up being used in ways that are both distressing and tangled – in the sense that it is not altogether clear who (if anyone) to hold responsible, in law and in fact. The recent judgment of Chamberlain J in Ali v Chief Constable of Bedfordshire [2023] EWHC 938 (KB) is a must-read case study for anyone needing guidance in navigating thickets of causation and quantum (spoiler: award of £3k for UK GDPR breaches; the same award would have arisen for misuse of private information and under Article 8 ECHR in these circumstances). Continue reading
Subject access disputes: exemptions, closed procedures and more
As noted by Panopticon earlier today, the CJEU has been busy pronouncing on subject access request principles. The drift has, in general, been pro-data subject. In the UK, however, subject access case law has not necessarily been one-way pro-disclosure traffic, as is evident from the robust and careful judgment handed down this week by Mrs Justice Farbey in X v Transcription Agency and Master James. Continue reading