TalkTalk: Clever pleading cannot guide Claimants out of Warren

May 30th, 2022 by Daniel Isenberg

Since last year, Warren has proved a thorn in the side of those bringing claims arising out of external cyber-attacks – appearing, at least, to bar such Claimants from relying on the torts of negligence and misuse of private information (MPI), as well as breach of confidence.  That appearance was confirmed to be reality by Saini J in Graeme Smith & ors v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB).  Avid readers of Panopticon will observe that it was Saini J who also decided Warren, thus confirming the position in Smith (not the South African cricketer), in the face of attempts by the Claimants initially to suggest that Warren was wrongly decided; diluted subsequently to seek to distinguish it on the facts.  Saini J’s confirmation of the position post-Warren (and explaining that had given consideration to the case of Swinney v Chief Constable of Northumbria Police Force [1997] QB 464), is important, as it makes the law clear, following HHJ Pearce’s decision in Collins & Ors v Ticketmaster UK Limited [2022] Costs LR 123. .  In Collins, the Court had not decided the point, but did permit an amendment to plead MPI in a data breach case despite Warren – although “could not say that the claim went beyond that which was arguable”.  HHJ Pearce permitted the amendment in Collins where the claimants had argued that Warren could be distinguished and did not apply to cases where the defendant had taken a deliberate decision to conduct its business in a manner that did not comply with the relevant industry standard – as opposed to ‘pure’ omission cases.  The clarity now provided by Saini J is welcome, given the importance of the feasibility of MPI claims in this field to claimants potentially being able to recover ATE premia (the conventional wisdom being that they are irrecoverable in DPA/GDPR claims).

Read more »


Who next for 7 seconds of fame? Representative action SMO v TikTok discontinued shortly after getting started

May 25th, 2022 by benmitchell

If you search online for “how to win at TikTok”, you’ll soon land on the 7 second theory: the most successful TikTok videos are limited to 7 seconds. The idea being that users will happily grant you 7 second of fame before swiping onto the next video. However, the same logic does not hold as a winning strategy for representative litigation (a kind of opt-in class action) in the data protection sphere. The most recent such representative claim, against a variety of TikTok companies, has been discontinued by the Claimant. It had, by lawyers’ standards, an analogously short lifecycle on our screens but with notably less success.

Read more »


Bounty – A Taste of Data Protection Paradise?

April 14th, 2022 by Christopher Knight

In April 2019, the ICO fined Bounty UK Ltd £400,000 for a breach of the first data protection principle under the DPA 1998, in circumstances where it operated a data broking service alongside pregnancy and parenting support services, but failed transparently and fairly to make clear to data subjects that it would share their data. One of the ways in which Bounty got access to data subjects, was under contracts with NHS Trusts, giving them access to new mothers. Read more »


A war of words: EU sanctions and the blocking of online ‘disinformation’

March 16th, 2022 by Anya Proops KC

The decision by Western powers to fight the war in Ukraine through swingeing sanctions regimes is widely regarded as a hugely powerful demonstration of the West’s unified commitment to the championing of liberal democratic values, in the face of an amoral totalitarian aggressor. However, an important question which falls to be answered is whether those regimes may ironically also pose a threat to the very values they are seeking to defend, particularly insofar as they operate so as to curb media and online freedoms; free expression of course being one of the cornerstones of any liberal democracy. This question has now become very hard-edged, particularly as a result of the interpretation which the EU Commission is apparently placing on particular EU sanctions legislation embodied in EU Regulation 2022/350 (“the Regulation”). Read more »


TikTok: keep an eye on the clock

March 10th, 2022 by Robin Hopkins

Prior to the Supreme Court’s judgment in Lloyd v Google [2021] UKSC 50, numerous representative claims – akin to opt-in class actions – were afoot in the data protection arena. Most seem, understandably, to have fizzled out following Lloyd. But not all. Following this week’s judgment in SMO v TikTok Inc. and Others [2022] EWHC 489 (QB), the claim against TikTok has more or less scraped through its first procedural hurdle, and now is now gearing up for a summary judgment hearing in the months ahead. Read more »


Bloomberg v ZXC – the Supreme Court decides

February 25th, 2022 by 11KBW Blogs

The central question for the Supreme Court in Bloomberg v ZXC [2022] UKSC 5 was, as Lords Hamblen and Stephens put it (with Lord Reeds, Lloyd-Jones and Sales agreeing): “whether, in general, a person under criminal investigation has, prior to being charged,  a reasonable expectation  of  privacy  in respect  of  information  relating  to  that  investigation”. The short answer was “yes”.

Read more »