An interesting issue about the scope of the DPA arose in The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB). The Law Society and a number of firms of solicitors sought an injunction requiring the Defendant, the publisher of the “Solicitors from Hell” website, to cease publication of the website in its entirety and to restrain him from publishing any similar website. The causes of action relied upon were libel, harassment under the Protection from Harassment Act 1997 and breach of the Data Protection Act 1998.

The Defendant was the data controller of personal data, including sensitive personal data (for example, allegations made by a third party on the Defendant’s website about the alleged commission of an offence by a solicitor). Mr Justice Tugendhat did not mince his words in finding that the Defendant was in breach of the DPA:

In breach of the First Data Protection Principle the Defendant has not processed the personal data of the solicitors and other individuals named on the Website fairly and lawfully. The Defendant has processed the said personal data in a grossly unfair and unlawful way by, in particular, (a) publishing highly offensive defamatory allegations about these solicitors and other individuals on the Website; (b) pursuing a course of conduct against these solicitors and other individuals that amounts to harassment contrary to the PHA; (c) on numerous occasions refusing to remove the posting about a solicitor or other individual unless the Defendant is paid a fee. This is not permitted by law and is disreputable. (d) None of the conditions in Schedule 2 of the DPA 1998 is met by the Defendant in respect of the processing of the said personal data on the Website.

In breach of the Fourth Data Protection Principle the personal and sensitive personal data about solicitors and other individuals processed by the Defendant and published on the Website is not accurate, indeed it is usually seriously inaccurate. The Claimants rely upon the following, amongst other matters: (a) The wholly inaccurate and untrue allegations processed and published by the Defendant via the Website about the Third Claimant; (b) The Schedule of Complaints which sets out and describes how the personal data of solicitors and other individuals processed and published by the Defendant via the Website is inaccurate. (c) The Defendant’s failed attempts to justify defamatory allegations in the many cases brought against him for libel in respect of the defamatory publications on the Website as evidence of inaccurate information; in breach of the Sixth Data Protection Principle the Defendant did (and does) not process personal data of the solicitors and other individuals who are Individual Complainants in accordance with their rights, as he has failed to comply with the request made in the Complaints’ solicitor’s letter dated 12 August 2011.

…on 12 August 2011 the Claimants’ solicitor gave the Defendant formal notice under section 10(1) of the DPA that the individual complainants, who include the Third Claimant, required the Defendant to cease the processing of their personal data (i.e. to remove the offending material from the Website and destroy any copies retained elsewhere) as the processing of this data was (and continues) causing them unwarranted damage and distress. Additionally, the Claimants’ solicitor required the Defendant to agree not to process any data in the manner complained of in the future. As a result of the Defendant’s failure to comply with the Notice, he has breached the Sixth Data Protection Principle. The Defendant did not state that he considered the notice to be unjustified (as he could have done under section 10(3)(b) of the DPA).”

Not surprisingly, given these findings, Mr Justice Tugendhat concluded that the Third Claimant was entitled to an order under section 10(4), requiring the Defendant to comply with the Notice. He went on to comment on the scope of the DPA and the Information Commissioner’s powers.  The background was that the Chief Executive of the Law Society had written to the Information Commissioner to complain about the website. The Information Commissioner had responded that the DPA was not designed to deal with this kind of case. The Commissioner considered that it was “not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this“. He relied on section 36 DPA, which provides that “Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the Data Protection principles under provisions of Parts II [rights of data subjects and others] and III [Notification by data controllers]”. The Commissioner also highlighted the practical difficulties of trying to use the DPA to regulate material posted on websites.

Mr Justice Tugendhat expressed considerable sympathy with the Commissioner’s comments about the practical difficulties in cases such as this. However, his starting point was that the offensive comments on the website in question were unlawful and that the DPA required that data be processed lawfully. He did not see how the exemption in section 36 DPA could apply in this case.  Mr Justice Tugendhat commented that had  the Defendant been publishing information in the public interest on his website, he could have relied on the exemption relating to journalism in section 32 DPA. Further, the fact that a claimant may have claims under common law torts or the Human Rights Act 1998, did not prevent enforcement under the DPA. He concluded by commenting that where there is any room for argument as to whether processing is unlawful under the general law, it may be more appropriate that a complainant should be required to pursue his remedy in the courts and further that there be many grounds on which the Commissioner may properly decline to exercise his powers under Part V DPA. However, where there is no room for argument that processing is unlawful, it was more difficult to say that the matter was not one which could be dealt with under Part V DPA. This ruling potentially has significant implications for the Commissioner in practice.

Rachel Kamm


Here’s an update to my post of 5 June about the ICO’s guidance on obtaining the consent of users before ‘cookies’ can be placed on machines. The European Data Protection Supervisor, Peter Hustinx, gave a public lecture on 7 July 2011 on the privacy implications of online behavioural advertising. This included discussion of ‘cookies’. He commented that browser providers have developed opt-out solutions, whereas the ideal is to have privacy-by-default unless individual preferences are set using a “privacy wizard”. The lecture also suggested that recent speeches made by the European Commission’s Vice President, Neelie Kroes, raise doubts about the Commission’s position on the e-Privacy Directive’s requirements; the Commission has expressed support for initiatives which Mr Hustinx considers are in fact non-compliant.


The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force on 26 May 2011 and amend the Privacy and Electronic Communications (EC Directive) Regulations 2003, which cover direct marketing by electronic means and the use of cookies.  

The amendments give the Information Commissioner new powers to  serve a monetary penalty on an organisation when very serious breaches of the 2003 Regulations occur and to investigate breaches of the 2003 Regulations by obtaining information from certain third party organisations.

They also introduce an additional requirement where a website uses ‘cookies’, which are small files of letters and numbers downloaded on to a device when the user accesses certain websites, which allow the website to recognise the device. Except where a ‘cookie’ is strictly necessary, websites will now have to obtain the consent of the user or subscriber before ‘cookies’ can be placed on machines.  The Information Commissioner has published guidance on the change to the rules. Organisations have 12 months from 26 May 2011 to make sure they comply with the new rules.  

The Information Commissioner has issued this statement about how he intends to approach enforcing the new rules and using the new powers.


The Information Commissioner has delivered his latest report to the Home Affairs Select Committee on “the state of surveillance” in the UK. The report traces privacy-related developments since the Commissioner’s 2006 report on the same theme, which memorably observed that the UK may be “sleepwalking into a surveillance society”. According to the November 2010 report, that warning

 “… is no less cogent in 2010 than it was several years ago. It is not being suggested that the UK is a ‘police state’ or that there are surveillance conspiracies afoot against the public. Neither the 2006 report nor this one supports such an assumption, and evidence for it is lacking. Much of what is taken to be surveillance is done for benign reasons and has beneficial effects on individuals and society. But much surveillance also goes beyond the limits of what is tolerable in a society based on the rule of law and human rights, one of which is the right to privacy.”

The report provides an illuminating summary of trends in (amongst others) the use of CCTV, body scanning and border control (including ‘ethnic targeting’ for security searches), workplace monitoring, social networking, ‘crowdsourcing’, the monitoring of protest activities and even the use of unmanned drones. Scrutiny is also given to a number of governmental policy tools, such as databases and the use of ‘social sorting’ (eg into groups such as ‘high cost, high risk’ social groups who are vulnerable to social exclusion’) to develop targeted welfare strategies.

As regards private-sector online commerce, the Commissioner recommends a number of measures to correct what he describes as the “worrying trend particularly with those who provide on-line services not to have thought through the privacy implications of their activities and given users robust privacy settings as a default”.

What to do about the risks identified in the report? The ICO’s recommendations focus principally on overhauling the legislative process insofar as it affects privacy, by introducing: 

  • a requirement for a privacy impact assessment to be presented during the parliamentary process where legislative measures have a particular impact on privacy;
  • an opportunity for the Information Commissioner to provide a reasoned opinion to Parliament on measures that engage concerns within his areas of competence, and
  • a legal requirement to make sure all new laws that engage significant privacy concerns undergo post-legislative scrutiny to ensure they are being implemented and used as intended by Parliament.

If implemented, these measures would add substantially to the ICO’s clout as the guardian of privacy.

The report can be found here, with the accompanying press release from the ICO here.


The Information Commissioner has published a new Code of Practice explaining how the DPA applies in an online world, and offering ‘good practice’ advice for the collection and use of personal data through the internet.

The Code covers (among other things) application and payment forms, social networking sites, cookies and other personally-targeted marketing. It considers the difficulties of ‘non-obvious identifiers’ (such as IP addresses linked to devices rather than to individuals), cross-border data transfers by multinational or non-domestic organisations, and the practice of outsourcing the storage of databases to other web-based companies.

With the aid of examples from such contexts, the Code turns established principles into specific recommendations for internet businesses, including: avoid collecting personal data too early in the relationship or transaction with the user; only collect personal as far as is necessary; provide a clear explanation of how users’ personal data will be processed; ensure that employees only have access to customers’ personal data where necessary, and that this access withdrawn as soon as their employment ends.

Certain suggestions will be particularly welcomed by privacy campaigners: alert users to the security risks associated with ‘autocomplete’ forms; give users a simple option of declining to have their personal data stored and of disabling cookies or other trackers of their online behaviour, and make it easy for them to contact the data controller about how their personal data is being used.

Paying for the ICO

Organisations that process personal data must notify the Information Commissioner’s Office, and pay an annual fee. Up to now the fee has been £35, for all data controllers. With effect from 1st October 2009, some large data controllers will instead pay a fee of £500.

The changes are made by the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (SI 2009 No 1677). These divide data controllers into two groups: tier 1 organisations, which pay £35, and tier 2 organisations, which pay £500. All data controllers not in tier 2 are in tier 1.

A data controller will be in tier 2 if it satisfies the following three conditions: (i) it is not a charity or a small occupational pension scheme; (ii) it has been in existence for more than a month; and (iii) it has a turnover of £25.9 million or more for the data controller’s financial year and 250 or more members of staff, or it is a public authority with 250 or more members of staff. There are detailed provisions as to how turnover and staff numbers should be calculated for these purposes.

An explanatory memorandum issued by the Ministry of Justice gives the policy background to the change. Essentially it argues that large organisations cost more for the ICO to regulate, and so should pay a higher fee. The memorandum suggests that about 4% of data controllers will pay the higher fee, and that the extra annual income to the ICO will be about £4.7 million.

 A more interesting question perhaps – and one that the new Regulations do not affect at all – is who is obliged to notify the Information Commissioner. Anyone who uses a computer to process personal data is a data controller and obliged to notify, unless they are subject to an exemption. Under section 36 of the Data Protection Act 1998, personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the duty to notify (and indeed from most of the rest of the Act as well). This is sometimes referred to as the “domestic use”, or “Christmas card list” exemption: if you keep your family’s Christmas card list on a computer, you do not have to notify the ICO that you are processing personal data, and you can spend the £35 on something else instead.

But what if you put personal data on to the internet? The Lindqvist case in the European Court of Justice suggests that the domestic exemption would not apply here, because information posted on the internet is available to all the world. Since Lindqvist was decided, there has been an explosion of blogging, and social networking, all internet-based. How much of this activity would come within the domestic use exemption remains unclear.