Category Archives: Data Protection Act 2018

March 22, 2025 · 5:55 am

O’Carroll v Meta – what now for targeted adverts on Facebook

Following the news that claimant Tanya O’Carroll and defendant Meta have settled ahead of what was likely to be a landmark data protection case, what are the implications?

Ms O’Carroll argued that advertising served to her on Facebook, because it was targeted at her, met the definition of “direct marketing” under section 122(5) of the Data Protection Act 2018 (“the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”) and thus the processing of her personal data for the purposes of serving that direct marketing was subject to the absolute right to object under Article 21(2) and (3) UK GDPR.

Meta had disputed that the advertising was direct marketing.

The “mutually agreed statement” from Ms O’Carroll says “In agreeing to conclude the case, Meta Platforms, Inc. has agreed that it will not display any direct marketing ads to me on Facebook, will not process my data for direct marketing purposes and will not undertake such processing (including any profiling) to the extent it is related to such direct marketing”.

One concludes from this that Meta will, at least insofar as the UK GDPR applies to its processing, now comply with any Article 21(2) objection, and, indeed, that is how it is being reported.

But will the upshot of this be that Meta will introduce ad-free services in the UK, but for a charge (because its advertising revenues will be likely to drop if people object to targeted ads)? It is indicating so, with a statement saying “Facebook and Instagram cost a significant amount of money to build and maintain, and these services are free for British consumers because of personalised advertising. Like many internet services, we are exploring the option of offering people based in the UK a subscription and will share further information in due course”.

The ICO intervened in the case, and have uploaded a summary of their arguments, which were supportive of Ms O’Carroll’s case, and her lawyers AWO Agency have also posted an article on the news.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, facebook, Information Commissioner, marketing, Meta, Right to object, UK GDPR

Tagged as , ,

March 11, 2025 · 6:04 am

Why is the ICO so quiet about prosecutions?

Not infrequently, I get contacted (personally and professionally) by individuals who are concerned that their personal data has been compromised in circumstances that may constitute the criminal offence of “obtaining” or “retaining”, under section 170 of the Data Protection Act 2018.

In many cases, there is not much I can bring to the table. If an offence has been committed then this is a matter for the prosecutor. Normally, for data protection offences, this is the Information Commissioner’s Office.

But what strikes me is that there appears to be no information on the ICO website for anyone who wants to report an alleged or potential offence. Their “For the public” pages don’t cover the scenario, and all of the data protection complaints information there is predicated on the assumption that the individual will be complaining about the data controller’s compliance (whereas, in a section 170 offence, the controller is more of the status of “victim”).

In fact, the best I can find is one brief reference (at page 61) of a lengthy guide to the DPA 2018, aimed at “organisations and individuals who are already familiar with data protection law”, and which doesn’t even actually explain that the offences described can be prosecuted by the ICO.

Dr David Erdos has recently highlighted both the low number of ICO prosecutions, and the rather slapdash way in which the ICO appears to be handling information about them. But the section 170 provisions are criminal ones for a reason: they will sometimes involve the most distressing and serious interferences with people’s data protection and privacy rights.

Surely the ICO should pay more attention to such incidents, and assist concerned data subjects (or others) who might want to report potential offences?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, Information Commissioner, offences

Tagged as ,

March 8, 2025 · 6:31 am

Can a data subject inspect withheld information in court proceedings?

When a controller, in response to a subject access request, has withheld personal data on the grounds of an exemption or exemptions, the data subject can apply to the court for a compliance order, under section 167 of the Data Protection Act 2018. That application will be determined by a judge who must determine whether the personal data was properly withheld or not. But general rules in adversarial proceedings do not permit one side and the judge to have access to material when the other side does not. So can the claimant and his/her lawyers therefore have access to the withheld information? Of course not – you all say – that would be absurd. However, the picture is not quite as clear as one might think.

Section 15(2) of the Data Protection Act 1998 specifically dealt with this issue: it said that the information should “be made available for [the judge’s] own inspection but shall not, pending the determination of that question in the applicant’s favour, require the information sought by the applicant to be disclosed to him or his representatives”.

But no such provision is contained in the equivalent sections of the 2018 Act. That appears to have been a drafting error.

The issue came up in X -v- The Transcription Agency LLP [2024] 1 WLR 33, and the court there held that

it would defeat the purpose of the legislation if a person challenging the application of an exemption were to be given sight of the material for the purpose of advancing his or her arguments…It would bring about a situation in which a party seeking personal data “would have obtained the very thing which the hearing was designed to decide”

As a result, I imagine, of the X case, Parliament moved to address the lacuna in the law: the Data Protection and Digital Information Bill contained a clause which would have given the court the express power contained in section 15(2) of the 1998 Act. That Bill was, of course, dropped just before the 2024 General Election, but the Data (Use and Access) Bill, now speeding through the Commons, contains something similar, at clause 103.

And so it was that the issue again arose in recent proceedings – Cole v Marlborough College [2024] EWHC 3575 (KB) – involving a former pupil who is seeking information through subject access regarding an investigation into a disciplinary matter in his former school.

As in X, the judge noted the absence of any express power to inspect the materials without permitting their disclosure to the claimant. But, relying on X, the judge held that there was an implied power (either implied within section 167) and/or in exercise of the court’s inherent jurisdiction.

Given the impending amendment of the statute to make the power express, rather than implied, these cases will probably just become footnotes, rather than landmark judgments. But they’re interesting for illustrating how courts will find implied powers and procedures where justice demands it.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under access to information, Data Protection Act 2018, judgments, subject access

Tagged as ,

February 4, 2025 · 6:15 am

NHS England and publication of the Calocane report

[reposted from my LinkedIn account]

[Edited to add: the day following the upload of this post NHS England did an about turn, and published the report in full, saying “The NHS has taken the decision to publish the report in full in line with the wishes of the families and given the level of detail already in the public domain”]

NHS England is reported to be refusing, partly on data protection grounds, to publish the full independent review report into the care and treatment of Valdo Calocane prior to his manslaughter of three people in Nottingham in 2023.

The report is said to be over 200 pages long, and although a summary will be published, families of the victims are calling for the full report (which they only saw after pressure from their lawyers) to be published on public interest grounds, saying “we have grave concerns about the conduct of the NHS”.

So does data protection law prevent disclosure?

The report will clearly contain details of Calocane’s health, and as such it constitutes a special category of personal data, requiring a condition for processing from Article 9 of the UK GDPR. The most likely candidate would be Article 9(2)(g):

processing is necessary for reasons of substantial public interest, on the basis of domestic law….

The domestic law provisions referred to are contained in schedule 1 to the Data Protection Act 2018. And at first glance, it is not straightforward to identify a provision which would permit disclosure.

However, paragraph 11 potentially does. It deals with processing which is necessary for a “protective function”, must be carried without the consent of the data subject so as not to prejudice that protective function and which is necessary for reasons of substantial public interest. A “protective function” includes a function which is intended to protect members of the public against failures in services provided by a body or association.

Reports into homicides by patients in receipt of mental health care are commissioned by NHS England under the Serious Incident Framework “Supporting learning to prevent recurrence”, and this says that “publication of serious incident investigation reports and action plans is considered best practice”, although “reports should not contain confidential personal information unless…there is an overriding public interest”.

I’m not saying it’s a straightforward legal question, as to whether the report can be published, but an argument can be made that there is a substantial, overriding, public interest in disclosure in order that the public can be aware of any failings and understand what actions are being taken to address them. No doubt though that NHS England’s argument would be that this is achieved by publication of the summary report.

I imagine, in any case, that freedom of information requests will be made for the full report, so ultimately we may see the Information Commissioner’s Office, and maybe the courts, rule on this.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Data Protection, Data Protection Act 2018, NHS, UK GDPR

Tagged as ,

January 30, 2025 · 7:54 am

Exceptionally unlikely: ICO and judicial review

[reposted from my LinkedIn account]

Where Parliament has entrusted a specialist body with bringing prosecutions, such as the Serious Fraud Office, or the Information Commissioner’s Office (ICO), it is “only in highly exceptional circumstances” that a court will disturb a decision made by that body (see Lord Bingham in R(Corner House and others) v Director of the Serious Fraud Office [2008] UKHL 60)).

Such was the situation faced by the claimant in an unsuccessful recent application for judicial review of two decisions of the ICO.

The claimant, at the time of the events in question, was a member of the Labour Party and of the Party’s “LGBT+Labour” group, She had been concerned about an apparent disclosure of the identity and trans status of 120 members of a “Trans Forum” of the group, of which she was also a member, and of what she felt was a failure by the LGBT+Labour group to inform members of the Forum of what had happened.

She reported this to the ICO as potential offences under sections 170 and 173 of the Data Protection Act 2018 (it’s not entirely clear what specific offences would have been committed), and she asked whether she was “able to discuss matters relating to potential data breaches with the individuals involved”. The ICO ultimately declined to prosecute, and also informed her that disclosing information to the individuals could in itself “potentially be a section 170 offence”.

The application for judicial review was i) in respect of the “warning” about a potential prosecution in the event she disclosed information to those data subjects, and her subsequent rejected request for a commitment that she would not be prosecuted, and ii) in respect of the decision not to prosecute LGBT+Labour.

Neither application for permission succeeded. In the first case, there was no decision capable of being challenged: it was an uncontroversial statement by the ICO about a hypothetical and fact-sensitive future situation, and in any event she was out of time in bringing the application. In the second case, there were no “highly exceptional circumstances” that would enable the court “to consider there was a realistic prospect of showing that the ICO had acted outside the wide range of its discretion when deciding not to prosecute”.

One often sees suggestions that the ICO should be JRd over its failure to take action (often in a civil context). This case illustrates the deference that the courts will give to its status and expertise both as regulator and prosecutor. Outside the most exceptional of cases, such challenges are highly unlikely to succeed.

Peto v Information Commissioner [2025] EWHC 146 (Admin)

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under crime, Data Protection, Data Protection Act 2018, Information Commissioner, judgments, judicial review

Tagged as ,

January 26, 2025 · 9:45 am

Consent is not the only basis

In 2017 I attended a free event run by a “GDPR consultancy”. The presenter confidently told us that we were going to have to get consent from customers in order to process their personal data. One attendee said they worked at the DWP, so how were they going to get consent from benefits claimants who didn’t want to disclose their income, to which the presenter rather awkwardly said “I think that’s one you’ll have to discuss with your lawyers”. Another attendee, who was now most irritated that he’d taken time out from work for this, could hold his thoughts in no longer, and rudely announced that this was complete nonsense.

That attendee was the – much ruder in those days – 2017 version of me.

I never imagined (although I probably should have done) that eight years on the same nonsense would still be spouted.

Just as the Data Protection Act 2018 did not implement the GDPR in the UK (despite the embarrassing government page that until recently, despite people raising it countless times, said so) just as the GDPR does not limit its protections to “EU citizens”, so GDPR and the UK GDPR do not require consent for all processing.

Anyone who says so has not applied a smidgeon of thought or research to the question, and is probably taking content from generative AI, which, on the time-honoured principle of garbage-in, garbage-out, has been in part trained on the existing nonsense. To realise why it’s garbage, they should just start with the DWP example above and work outwards from there.

Consent is one of the six lawful bases, any one or more of which can justify processing. No one basis is better than or takes precedence over the other.

To those who know this, I apologise for having to write it down, but I want to have a sign to tap for any time I see someone amplifying the garbage on LinkedIn.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, DWP, GDPR, Let's Blame Data Protection, UK GDPR

Tagged as , , ,

December 6, 2024 · 7:07 am

The Data Protection Act 2018 does not “implement” the GDPR

They are separate instruments and the GDPR, pre-Brexit, did not require implementation – as a Regulation of the European Parliament and of the Council of the European Union, it had direct effect.

Since Brexit, by the effect of, among other laws, the European Union (Withdrawal Act) 2018 and the Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) Regulations 2019, we now have a retained-and-assimilated domestic version of the GDPR, called the UK GDPR.

Most processing of personal data is subject to the UK GDPR. The Data Protection Act 2018 deals with processing that is not subject to it, such as by law enforcement and security service agencies. It also provides some of the conditions and exemptions in relation to processing under the UK GDPR.

[None of this is new, and none of it will be unknown to genuine practitioners in the field, but I’m posting it here as a convenient sign to tap, at appropriate moments.]

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, UK GDPR

Tagged as

October 30, 2024 · 6:09 am

Pacini & Geyer v Dow Jones – at the interface between libel and data protection

[reposted from LinkedIn]

This is an important judgment on preliminary issues (the second preliminary issues judgment in the case – the first was on an unsuccessful strike out application by the defendants) in a data protection claim brought by two businessmen against Dow Jones, in relation to articles in the Wall Street Journal in 2017 and 2018. The claim is for damages and for erasure of personal data which is said to be inaccurate.

It is believed to be the first time in a data protection claim that a court has been required to determine the meaning of personal data as a preliminary issue in an accuracy claim.

Determination of meaning is, of course, something that is common in defamation claims. The judgment is a fascinating, but complex, analysis of the parallels between determining the meaning of personal data in a publication and determining the meaning of allegedly defamatory statements in a publication. Although the judge is wary of importing rules of defamation law, such as the “single meaning rule” and “repetition rule” a key part of the discussion is taken up by them.

The single meaning rule, whereby “the court must identify the single meaning of a publication by reference to the response of the ordinary reader to the entire publication” (NT 1 & NT 2 v Google LLC [2018] EWHC 799 (QB)) is potentially problematic in a data protection claim such as this where the claimants argue that it is not the ordinary reader they are concerned about, but a reader who might be a potential business investor.

Similarly, it is not at all clear that the repetition rule, which broadly seeks to avoid a defamatory loophole by which someone argues “but I’m only reporting what someone else said – their words might be defamatory, but mine merely report the fact that they said them”, should carry over to data protection claims, not least because what will matter in defamation claims is the factual matrix at the time of publication, whereas with data protection claims “a claim for inaccuracy may be made on the basis that personal data are inaccurate at the time of the processing complained of, including because they have become misleading or out of date, regardless of whether they were accurate at the time of original publication. In that event, what matters is the factual matrix at the time when relief is sought” (at 66).

Nonetheless, and in a leap I can’t quite follow on first of the judgment, but which seems to be on the basis that the potential problems raised can be addressed at trial when fairness of processing (rather than accuracy) arises, the judge decides to determine meaning on a single meaning/repetition rule basis (at 82-84).

There’s a huge amount to take in though, and the judgment demands close reading (and re-reading). If a full trial and judgment ensue, the case will probably be a landmark one.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under accuracy, Data Protection, Data Protection Act 2018, judgments, UK GDPR

Tagged as ,

July 30, 2024 · 7:19 am

Immunity from suit in data protection (and other) claims

[reposted from LinkedIn]

All too often, in my experience, public authorities might inadvertently disclose confidential information about one person to someone with whom that person is in dispute, or from whom that person is in danger. Typical examples are when a council discloses information about one resident to a neighbour, or when the police disclose information about a vulnerable person to their abusive partner.

This can also happen during the process of court proceedings.

There is a long-standing – and complex – common law concept of “immunity from suit”, which, in the very simplest and most general of terms, will prevent someone from being sued for something they say in court.

This judgment involves a fascinating, but headache-inducing, analysis of the different types of immunity from suit – witness immunity at court, advocate’s immunity at court, witness immunity before court, advocate’s immunity before court and legal proceedings immunity before court (which may apply to lawyers, police officers or administrative staff preparing a case for trial).

The background facts are grim: a woman fleeing from domestic violence was forced to flee from safe homes because twice her addresses were inadvertently disclosed (or at least indicated) to the perpetrator, against whom criminal proceedings were being brought – once by the police and once by the CPS.

The woman brought claims against both public authorities under the Human Rights Act 1998, the Data Protection Act 2018 and in misuse of private information. However, the defendants initially succeeded in striking the claims out/getting summary judgment (one part of the claim against the police was permitted to continue).

Mr Justice Richie upheld the appeal against the strike out/summary judgment, with rather a tour de force run through of the history and authorities on immunity (para 66 begins with the words “I start 439 years ago”).

In very short summary, he held that strike out/summary judgment had been inappropriate, because “the movement in the last 25 years in the appellate case law has been away from absolutism, towards careful consideration of whether the facts of each case actually do fit with the claimed ‘immunity’ by reference to whether the long-established justifications for the immunity apply” (at 106). In the examples here, it was at least arguable that immunity was being claimed not over evidence in the case, but “extraneous or peripheral or administrative matters”. The judge should have applied a balancing exercise to the facts to decide whether immunity applied: she had failed to do so, and had not been entitled to determine that there was no arguable claim

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under compensation, damages, Data Protection Act 2018, human rights, judgments, LinkedIn Post, litigation, misuse of private information, police

Tagged as , , , ,

June 7, 2024 · 4:52 pm

Subject access: recipients, and motive

A very significant subject access judgment has been handed down in the High Court. Key rulings have been made to the effect that 1) requesters are entitled, in principle, to be informed of the identities of the recipients of their personal data (not just the categories of recipient), and 2) the subject access regime has a “specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides.

The underlying details of the case are interesting and alarming in themselves. A director of a gardening company (Mr Cameron) had covertly recorded threatening calls made by a wealthy homeowner working in the property investment industry (Mr Harrison) with whom the company was coming into dispute, and subsequently circulated the recordings to a limited number of unnamed family members and others.

The recordings found their way to a wider circle of people, including some of Mr Harrison’s peers and competitors in the property investment sector. Mr Harrison contended that the circulation of the recordings had caused his own company to lose out on a significant property acquisition. Accordingly, he made subject access requests, under Article 15 of the UK GDPR both to and Cameron and to Mr Cameron’s company (“ACL”). Those requests were rejected on the grounds that i) Mr Cameron, when circulating the recordings, was processing Mr Harrison’s personal data in a “purely personal and household” context, and so the processing was out of scope of the UK GDPR, ii) Mr Cameron was not personally a controller under the UK GDPR, iii) ACL could rely on the exemption to disclosure where it would involve disclosing information relating to another individual who did not consent to disclosure, and where – in the absence of such consent – it was not reasonable in the circumstances to disclose (see Article 15(4) UK GDPR and paragraph 16 of Schedule 2 to the Data Protection Act 2018).

In a lengthy judgment (dealing mostly with the facts and evidence) Mrs Justice Steyn held that Mr Cameron’s processing was not for purely personal and household reasons: he was clearly acting as a director of ACL in making the recordings and circulating them. However, she agreed that he was not a controller – he was acting in his capacity as a director, and – following Ittihadieh and In re Southern Pacific Loans – a director processing data in the course of their duties for their company is not a controller; the company is.

A crucial part of the judgment, in terms of wider relevance, is on the interpretation of Article 15(1)(c) of the UK GDPR. This provides that a data subject should be given information on “the recipients or categories of recipient” to whom personal data have been or will be disclosed. Many practitioners, and lawyers, have taken this be an option available to the controller (i.e. the controller can decide whether to provide information on the specific recipient or just on categories thereof). Not so, said Steyn J, agreeing with the CJEU in the Austrian Post case (which, as a post-Brexit case, wasn’t binding on her, but to which she could have regard, so far as it was relevant to the issues (see section 6(2) of the EU (Withdrawal) Act 2018)): the choice lies with the data subject, and, if the data subject chooses to receive information on individual recipients, he or she is entitled, in principle, to that information (unless it would be impossible or manifestly excessive to do so).

Notwithstanding this, Mr Harrison was not entitled in this case to have the identities. Mr Harrison had previously sent subject access requests individually to at least 23 employees of ACL and ACL, and he had an intention to pursue further legal options other than under the UK GDPR, if he was to identify potential claimants. ACL believed that disclosing identities of recipients of the recordings would put them at “significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation”. The judge agreed that it was “not unreasonable for the Defendants to give significant weight to [Mr Harrison’s] sustained and menacing behaviour in considering whether to protect or disclose the identities of friends, colleagues and family members”. The fact that “hostile litigation”, against the third parties to whom the recordings were disclosed, was being contemplated was a relevant factor to take into account when balancing their interests with Mr Harrison’s access rights, under paragraph 16 of Schedule 2. The judge held that

[Although there] is no general principle that the interests of the request should be treated as devalued by reason of a motive to obtain information to assist the requester in litigation…as Farbey J observed in X v Transcription Agency…the SAR regime “has a specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her ‘personal data’ unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides“…[and so] it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation going beyond the exercise of rights under the UK GDPR and the DPA 2018

So, the perennial question of the extent to which a requester’s motive is relevant when responding to a subject access request rears its head again. Steyn J’s analysis is compelling, and so it certainly appears that – at the very least when it comes to the balancing test implied by paragraph 16 of Schedule 2 – the motive is capable of being taken into account.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Data Protection Act 2018, judgments, subject access, UK GDPR

Tagged as , , ,