Ofcom has today published its ‘roadmap to regulation’  if and when the Online Safety Bill becomes law, together with a ‘call for evidence’ for the first phase of online safety regulation. Both are premised on the current version of the Online Safety Bill, which is acknowledged to be subject to alteration as the legislation goes through the Parliamentary process.

Read more »

Post the little-known judgment in Lloyd v Google LLC, those representing data subjects affected by a data breach (usually, although not always, a data security breach incident) have been considering alternative ways of litigating a large number of small value claims arising from the same factual matrix. The obvious alternative, well-established in various areas of the law, is a group litigation order (“GLO”). (This post does not concern the Netflix series about women’s wrestling. There is more violence, but less lycra. Each to their own.) Read more »

For those of you waiting with baited breath to see what will happen with the UK Online Safety Bill (currently at the Committee Stage in the House of Commons), you may like to note that only last week President Biden signed a Presidential Memorandum establishing the ‘White House Task Force to Address Online Harassment and Abuse’, which task force it appears will be focussing particularly on online harms which ‘disproportionately affect women, girls, people of color, and LGBTQI+ individuals, with ‘technology-facilitated gender-based violence’ it seems being the top priority. This is perhaps an unsurprising move by President Biden, given his liberal credentials, and it no doubt reflects a growing unease within liberal circles in the US about the ways in which the internet can be used to generate violent and oppressive conditions for women in the US (including women operating within the sphere of politics). Read more »

Since last year, Warren has proved a thorn in the side of those bringing claims arising out of external cyber-attacks – appearing, at least, to bar such Claimants from relying on the torts of negligence and misuse of private information (MPI), as well as breach of confidence.  That appearance was confirmed to be reality by Saini J in Graeme Smith & ors v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB).  Avid readers of Panopticon will observe that it was Saini J who also decided Warren, thus confirming the position in Smith (not the South African cricketer), in the face of attempts by the Claimants initially to suggest that Warren was wrongly decided; diluted subsequently to seek to distinguish it on the facts.  Saini J’s confirmation of the position post-Warren (and explaining that had given consideration to the case of Swinney v Chief Constable of Northumbria Police Force [1997] QB 464), is important, as it makes the law clear, following HHJ Pearce’s decision in Collins & Ors v Ticketmaster UK Limited [2022] Costs LR 123. .  In Collins, the Court had not decided the point, but did permit an amendment to plead MPI in a data breach case despite Warren – although “could not say that the claim went beyond that which was arguable”.  HHJ Pearce permitted the amendment in Collins where the claimants had argued that Warren could be distinguished and did not apply to cases where the defendant had taken a deliberate decision to conduct its business in a manner that did not comply with the relevant industry standard – as opposed to ‘pure’ omission cases.  The clarity now provided by Saini J is welcome, given the importance of the feasibility of MPI claims in this field to claimants potentially being able to recover ATE premia (the conventional wisdom being that they are irrecoverable in DPA/GDPR claims).

Read more »

If you search online for “how to win at TikTok”, you’ll soon land on the 7 second theory: the most successful TikTok videos are limited to 7 seconds. The idea being that users will happily grant you 7 second of fame before swiping onto the next video. However, the same logic does not hold as a winning strategy for representative litigation (a kind of opt-in class action) in the data protection sphere. The most recent such representative claim, against a variety of TikTok companies, has been discontinued by the Claimant. It had, by lawyers’ standards, an analogously short lifecycle on our screens but with notably less success.

Read more »

In April 2019, the ICO fined Bounty UK Ltd £400,000 for a breach of the first data protection principle under the DPA 1998, in circumstances where it operated a data broking service alongside pregnancy and parenting support services, but failed transparently and fairly to make clear to data subjects that it would share their data. One of the ways in which Bounty got access to data subjects, was under contracts with NHS Trusts, giving them access to new mothers. Read more »