GDPR and privacy damages: causation and quantum

Personal data of a private and sensitive nature can, of course, end up being used in ways that are both distressing and tangled – in the sense that it is not altogether clear who (if anyone) to hold responsible, in law and in fact. The recent judgment of Chamberlain J in Ali v Chief Constable of Bedfordshire [2023] EWHC 938 (KB) is a must-read case study for anyone needing guidance in navigating thickets of causation and quantum (spoiler: award of £3k for UK GDPR breaches; the same award would have arisen for misuse of private information and under Article 8 ECHR in these circumstances). Continue reading

Subject access disputes: exemptions, closed procedures and more

As noted by Panopticon earlier today, the CJEU has been busy pronouncing on subject access request principles. The drift has, in general, been pro-data subject. In the UK, however, subject access case law has not necessarily been one-way pro-disclosure traffic, as is evident from the robust and careful judgment handed down this week by Mrs Justice Farbey in X v Transcription Agency and Master James. Continue reading

Subject access requests: what do you need to provide?

Dear Sir/Madam, I hereby make a subject access request, please give me copies of documents and specify everyone you gave my data to, yours sincerely.

Response: okay, you can have some data, but no documents and we only need to tell you about ‘categories’ of recipients, not specific recipients.

Reply: not good enough, Article 15 GDPR entitles me to more detail.

Who is right? The CJEU has had a busy few months shedding some light on these kinds of issues, thanks mainly to a slew of Austrian referrals, with its latest contribution coming last week. Continue reading

GDPR compensation claims: no threshold of seriousness

Panopticon has covered a number of judgments handed down in the UK over the last year or two that demonstrate judicial scepticism about compensation claims for alleged data protection infringements. In a number of cases (though not all), judges have been particularly sceptical whether, on the facts before them, the claim – even if made out – would pass the threshold of seriousness for entitlement to compensation. Some, however, argue that compensation claims under the GDPR/UK GDPR are not subject to any such threshold. So what’s the answer? Continue reading

Erasure requests: accuracy and images

The right to be forgotten – remember that? It isn’t often the subject of litigation, in the UK at least: uncertainty about outcomes is probably a significant reason why parties usually opt not to put their disputes before the courts. Last week’s judgment of the Grand Chamber of the CJEU in TU and RE v Google LLC (Case C‑460/20) won’t remove uncertainty about judicial approaches to such cases, but it does shed helpful light on some common elements of disputes under Article 17 (UK) GDPR. Continue reading

DPA breach at “lowest end of spectrum”: High Court awards £250

Just about anyone who works in data protection will probably have asked, or have been asked: what do courts tend to award claimants who suffer data breaches? They will probably also be used to an answer along the lines that ‘it’s quite difficult to say; there isn’t very much case law’. Last week’s judgment of Knowles J in Driver v Crown Prosecution Service [2022] EWHC 2500 (KB) is a helpful contribution to this limited line of authority. Continue reading