Lloyd v Google in the EU: Damage and the AG

When I learned from Twitter that Advocate General Campos Sánchez-Bordona had been writing an Opinion dedicated to the late-90s R&B boyband Damage, I was surprised but not shocked. This, I thought, is precisely the sort of esoteric approach to middling music-based law that resulted in so many voting to leave the EU. Imagine, then, my surprise to find upon reading the Opinion in Case C-300/12 UI v Österreichische Post AG (EU:C:2022:756) that there is almost no mention of Jade Jones’ long-term relationship with Spice Girl Emma Bunton, but instead there is a detailed Lloyd v Google style analysis of in what circumstances damages can be obtained for contravention of the GDPR. Continue reading

Online Safety Bill: first indications of Ofcom’s regulatory approach

Ofcom has today published its ‘roadmap to regulation’  if and when the Online Safety Bill becomes law, together with a ‘call for evidence’ for the first phase of online safety regulation. Both are premised on the current version of the Online Safety Bill, which is acknowledged to be subject to alteration as the legislation goes through the Parliamentary process.

Continue reading

GLO-ing with Satisfaction? Conducting Data Breach Litigation

Post the little-known judgment in Lloyd v Google LLC, those representing data subjects affected by a data breach (usually, although not always, a data security breach incident) have been considering alternative ways of litigating a large number of small value claims arising from the same factual matrix. The obvious alternative, well-established in various areas of the law, is a group litigation order (“GLO”). (This post does not concern the Netflix series about women’s wrestling. There is more violence, but less lycra. Each to their own.) Continue reading

President Biden moves on online harms

For those of you waiting with baited breath to see what will happen with the UK Online Safety Bill (currently at the Committee Stage in the House of Commons), you may like to note that only last week President Biden signed a Presidential Memorandum establishing the ‘White House Task Force to Address Online Harassment and Abuse’, which task force it appears will be focussing particularly on online harms which ‘disproportionately affect women, girls, people of color, and LGBTQI+ individuals, with ‘technology-facilitated gender-based violence’ it seems being the top priority. This is perhaps an unsurprising move by President Biden, given his liberal credentials, and it no doubt reflects a growing unease within liberal circles in the US about the ways in which the internet can be used to generate violent and oppressive conditions for women in the US (including women operating within the sphere of politics). Continue reading

TalkTalk: Clever pleading cannot guide Claimants out of Warren

Since last year, Warren has proved a thorn in the side of those bringing claims arising out of external cyber-attacks – appearing, at least, to bar such Claimants from relying on the torts of negligence and misuse of private information (MPI), as well as breach of confidence.  That appearance was confirmed to be reality by Saini J in Graeme Smith & ors v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB).  Avid readers of Panopticon will observe that it was Saini J who also decided Warren, thus confirming the position in Smith (not the South African cricketer), in the face of attempts by the Claimants initially to suggest that Warren was wrongly decided; diluted subsequently to seek to distinguish it on the facts.  Saini J’s confirmation of the position post-Warren (and explaining that had given consideration to the case of Swinney v Chief Constable of Northumbria Police Force [1997] QB 464), is important, as it makes the law clear, following HHJ Pearce’s decision in Collins & Ors v Ticketmaster UK Limited [2022] Costs LR 123. .  In Collins, the Court had not decided the point, but did permit an amendment to plead MPI in a data breach case despite Warren – although “could not say that the claim went beyond that which was arguable”.  HHJ Pearce permitted the amendment in Collins where the claimants had argued that Warren could be distinguished and did not apply to cases where the defendant had taken a deliberate decision to conduct its business in a manner that did not comply with the relevant industry standard – as opposed to ‘pure’ omission cases.  The clarity now provided by Saini J is welcome, given the importance of the feasibility of MPI claims in this field to claimants potentially being able to recover ATE premia (the conventional wisdom being that they are irrecoverable in DPA/GDPR claims).

Continue reading

Who next for 7 seconds of fame? Representative action SMO v TikTok discontinued shortly after getting started

If you search online for “how to win at TikTok”, you’ll soon land on the 7 second theory: the most successful TikTok videos are limited to 7 seconds. The idea being that users will happily grant you 7 second of fame before swiping onto the next video. However, the same logic does not hold as a winning strategy for representative litigation (a kind of opt-in class action) in the data protection sphere. The most recent such representative claim, against a variety of TikTok companies, has been discontinued by the Claimant. It had, by lawyers’ standards, an analogously short lifecycle on our screens but with notably less success.

Continue reading