Since last year, Warren has proved a thorn in the side of those bringing claims arising out of external cyber-attacks – appearing, at least, to bar such Claimants from relying on the torts of negligence and misuse of private information (MPI), as well as breach of confidence. That appearance was confirmed to be reality by Saini J in Graeme Smith & ors v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB). Avid readers of Panopticon will observe that it was Saini J who also decided Warren, thus confirming the position in Smith (not the South African cricketer), in the face of attempts by the Claimants initially to suggest that Warren was wrongly decided; diluted subsequently to seek to distinguish it on the facts. Saini J’s confirmation of the position post-Warren (and explaining that had given consideration to the case of Swinney v Chief Constable of Northumbria Police Force [1997] QB 464), is important, as it makes the law clear, following HHJ Pearce’s decision in Collins & Ors v Ticketmaster UK Limited [2022] Costs LR 123. . In Collins, the Court had not decided the point, but did permit an amendment to plead MPI in a data breach case despite Warren – although “could not say that the claim went beyond that which was arguable”. HHJ Pearce permitted the amendment in Collins where the claimants had argued that Warren could be distinguished and did not apply to cases where the defendant had taken a deliberate decision to conduct its business in a manner that did not comply with the relevant industry standard – as opposed to ‘pure’ omission cases. The clarity now provided by Saini J is welcome, given the importance of the feasibility of MPI claims in this field to claimants potentially being able to recover ATE premia (the conventional wisdom being that they are irrecoverable in DPA/GDPR claims).
Who next for 7 seconds of fame? Representative action SMO v TikTok discontinued shortly after getting started
If you search online for “how to win at TikTok”, you’ll soon land on the 7 second theory: the most successful TikTok videos are limited to 7 seconds. The idea being that users will happily grant you 7 second of fame before swiping onto the next video. However, the same logic does not hold as a winning strategy for representative litigation (a kind of opt-in class action) in the data protection sphere. The most recent such representative claim, against a variety of TikTok companies, has been discontinued by the Claimant. It had, by lawyers’ standards, an analogously short lifecycle on our screens but with notably less success.
Bounty – A Taste of Data Protection Paradise?
In April 2019, the ICO fined Bounty UK Ltd £400,000 for a breach of the first data protection principle under the DPA 1998, in circumstances where it operated a data broking service alongside pregnancy and parenting support services, but failed transparently and fairly to make clear to data subjects that it would share their data. One of the ways in which Bounty got access to data subjects, was under contracts with NHS Trusts, giving them access to new mothers. Continue reading
A war of words: EU sanctions and the blocking of online ‘disinformation’
The decision by Western powers to fight the war in Ukraine through swingeing sanctions regimes is widely regarded as a hugely powerful demonstration of the West’s unified commitment to the championing of liberal democratic values, in the face of an amoral totalitarian aggressor. However, an important question which falls to be answered is whether those regimes may ironically also pose a threat to the very values they are seeking to defend, particularly insofar as they operate so as to curb media and online freedoms; free expression of course being one of the cornerstones of any liberal democracy. This question has now become very hard-edged, particularly as a result of the interpretation which the EU Commission is apparently placing on particular EU sanctions legislation embodied in EU Regulation 2022/350 (“the Regulation”). Continue reading
TikTok: keep an eye on the clock
Prior to the Supreme Court’s judgment in Lloyd v Google [2021] UKSC 50, numerous representative claims – akin to opt-in class actions – were afoot in the data protection arena. Most seem, understandably, to have fizzled out following Lloyd. But not all. Following this week’s judgment in SMO v TikTok Inc. and Others [2022] EWHC 489 (QB), the claim against TikTok has more or less scraped through its first procedural hurdle, and now is now gearing up for a summary judgment hearing in the months ahead. Continue reading
Bloomberg v ZXC – the Supreme Court decides
The central question for the Supreme Court in Bloomberg v ZXC [2022] UKSC 5 was, as Lords Hamblen and Stephens put it (with Lord Reeds, Lloyd-Jones and Sales agreeing): “whether, in general, a person under criminal investigation has, prior to being charged, a reasonable expectation of privacy in respect of information relating to that investigation”. The short answer was “yes”.