Category Archives: fairness

June 9, 2025 · 12:36 pm

Defamation rules are applied to UK GDPR claim

An interesting recent judgment in the High Court considers the extent to which rules in defamation law might also apply to data protection claims.

In July 2024 His Honour Judge Lewis struck out a claim in defamation brought by Dale Vince against Associated Newspapers. The claim arose from a publication in the Daily Mail (and through the Mail+ app). The article reported that the Labour Party had returned a £100,000 donation made by another person, who was said to be “a high-flying City financier accused of sex harassment”, but also said that the claimant had donated £1.5m to the Labour Party, but then caused the Party embarrassment by joining an “eco-protest” in London, which had blocked traffic around Parliament Square. The article had the headline “Labour repays £100,000 to ‘sex harassment’ donor”, followed by eleven paragraphs of text, two photographs of the claimant and the caption “Road blockers: Dale Vince in London yesterday, and circled as he holds up traffic with Just Stop Oil”.

The strike-out succeeded on the basis that a claim in libel “may not be founded on a headline, or on headlines plus photographs and captions, in isolation from the related text, and it is impermissible to carve the readership into different groups, those who read only headlines (or headlines and captions) and those who read the whole article”, following the rule(s) in Charleston v News Group Newspapers Ltd [1995] 2 AC 65 (the wording quoted is from the defendant’s strike-out application). When the full article was read, as the claimant conceded, the ordinary reader would appreciate very quickly that he was not the person being accused of sexual harassment.

A subsequent claim by Mr Vince, in data protection, under the UK GDPR, has now also been struck out (Vince v Associated Newspapers  [2025] EWHC 1411 (KB)). This time, the strike out succeeded on the basis that, although the UK GDPR claim was issued (although not served) prior to the handing down of judgment in the defamation claim, Mr Vince not only could, but should have brought it earlier:

There was every reason why the UKGDPR and defamation claims should have been brought in the same proceedings. Both claims arose out of the same event – the publication of the article in Mail+ and the Daily Mail. Both claims rely on the same factual circumstances, namely the juxtaposition of the headline, photographs and caption, and the contention that the combination of the headline and the photograph created the misleading impression that Mr Vince had been accused of sexual harassment. In one claim this was said to be defamatory, in the other the misleading impression created was said to comprise unfair processing of personal data

This new claim was, said Mr Justice Swift, an abuse of process – a course which would serve only “to use the court’s process in a way that is unnecessary and is oppressive to Associated Newspapers”.

Additionally, the judge would have granted Associated Newspapers’ application for summary judgment, on the grounds that the rule in Charleston would have applied to the data protection claim as it had to the defamation claim:

in the context of this claim where the processing relied on takes the form of publication, the unfairness relied on is that a headline and photographs gave a misleading impression, and the primary harmed caused is said to be reputational damage, the law would be incoherent if the fairness of the processing was assessed other than by considering the entirety of what was published

This last point, although, strictly, obiter, is an important one: where a claim of unfair processing, by way of publication of personal data, is brought in data protection, the courts are likely to demand that the entirety of what was published be considered, and not just personal data (or parts of personal data) in isolation.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, defamation, fairness, judgments, UK GDPR

Tagged as , ,

July 4, 2023 · 5:56 am

Labour’s Grubby Data Grab

Nine years ago (I’ve been doing this a long time) I wrote about the Labour Party harvesting details by hosting a page inviting people to find out “what baby number” they were in relation to the NHS. At that time, no privacy notice information was given at all. Fast forward to today, and Labour is once again hosting a similar page. This time, there is a bit more explanatory information, but it’s far from reassuring.

As an aside, I note that, when a person inputs their date of birth, what the website does is simply calculate, by reference to broad census data, approximately how many babies would have been born since the NHS started and that birth date. So the idea that this gives a “baby number” is ridiculous from the outset.

In any event, the person is then required to give their first name, email address and postcode.

(There is also an odd option to “find out the baby number” of a relative, or friend, by giving that person’s date of birth. Here, the person completing the form is only required to give their own email address and postcode (not their own first name).)

The person completing the form then has the option to agree or not agree to be kept “updated via email on the latest campaigns, events and opportunities to get involved”. This initially seems acceptable when it comes to compliance with the emarketing rules in the Privacy and Electronic Communications (EC Directive) Regulations 2003, so perhaps an improvement on how things were nine years ago. However, in smaller print, the person is then told that “We may use the information you provide, such as name and postcode, to match the data provided to your electoral register record held on our electoral database, which could inform future communications you receive from us”. So it appears that, even if one declines to receive future emails, the party may still try to match one’s details with those on the electoral register and may still send “future communications” (although query how accurate – or even feasible – this will be: how many Johns, say, potentially live in postcode SK9 5AF?).

This suggests that some sort of profiling is going on, but it is all a bit unclear, and opaque, which are not words that really should be associated with the processing of personal data by a political party. But if one clicks the link to “know more about how we use your information” the first thing one encounters is a cookie banner with no option but to accept cookies (which will, it is said, help the party make its website better). Such a banner is, of course, not lawful, and – if the ICO is to be believed – puts the party at current risk of enforcement action. If, teeth gritted, one clicks through the banner, one is faced with a privacy notice which, dear readers, I think needs to be the subject of a further blog (maybe with a comparative analysis of other parties’ notices). Suffice to say that the Labour Party appears to be doing one heck of a lot of profiling, and “estimation” of political opinions, from a range of statutory and/or public information sources.

For now, the TL;DR of this post is that the “NHS Baby Number” schtick from the Labour Party seems to be as much of a (although maybe a different) grubby data grab as it was nine years ago when I last wrote about it. There’s a lot that the ICO could, and should, do about it, but nothing was done then, and – I fear – nothing will be done now.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under fairness, Information Commissioner, PECR, political parties, privacy notice, profiling

Tagged as , ,

September 1, 2022 · 7:12 pm

ICO investigates collection of barristers’ names

News from the Mishcon de Reya website on data protection concerns arising from criminal barristers’ dispute with the MoJ

https://www.mishcon.com/news/information-commissioner-investigates-collection-of-criminal-barristers-names

Leave a comment

Filed under Data Protection, fairness, Information Commissioner, Ministry of Justice, UK GDPR

Tagged as , ,

December 15, 2020 · 3:14 pm

Windrush and data protection

As far as I know the Information Commissioner has never investigated this issue (I’ve made an FOI request to find out more), but this, on the Mishcon site, is an overview of the key issue.

Leave a comment

Filed under accuracy, adequacy, Data Protection, fairness, Home Office, human rights, Information Commissioner

December 15, 2020 · 3:10 pm

Students challenge International Baccalaureate on data protection grounds

My firm is acting for the students, and there’s a link to the detailed grounds in this explanatory piece.

Leave a comment

Filed under accuracy, Data Protection, fairness, Further education, GDPR, transparency

August 16, 2020 · 7:32 pm

Cometh the hour…

One thing in particular struck me about the statement from the Information Commissioner’s Office (ICO) in response to the huge distress and uncertainty facing thousands of students and their families, following the announcement of A-level grades:

Anyone with any concerns about how their data has been handled should raise those concerns with the exam boards first, then report to us if they are not satisfied

In some ways, this is standard. Even the ICO’s “contact us” page leads a potential complainant through various stages before telling people who haven’t raised their concerns by “contacting the [offending] organisation in writing” to “Raise your concern with the organisation handling your information”.

Whilst I can understand the reason for this general approach (ICO’s resources are limited, and many complaints can no doubt be resolved at source), it is difficult to reconcile it with what the law requires the ICO to do. Article 77 GDPR says that a supervisory authority must handle complaints lodged by a data subject, and investigate, to the extent appropriate, the subject matter of the complaint. There is no caveat, no exemption. It does leave the option open for the ICO to handle a complaint, and choose not to investigate it all, but that is not what the ICO is doing here (and in its general approach).

But it must be said that sometimes, as it is permitted to, under Articles 57 and 58, the ICO does conduct investigations of its volition. It also has a range of powers, including the power to give an opinion to parliament and/or the government. Given that its Norwegian counterpart has indicated it will take strong action against the International Baccalaureate Organisation, I am hopeful that, as a new week of uncertainty for students approaches, the ICO will take this particular bit between its teeth, and properly investigate such a pressing issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, fairness, GDPR, Information Commissioner, parliament

Tagged as , ,

April 5, 2019 · 1:09 pm

ICO hasn’t given own staff a GDPR privacy notice

The first principle of GDPR says that personal data shall be processed in a transparent manner. Articles 13 and 14 give details of what information should be provided to data subjects to comply with that principle (and that information should be provided at the time it is collected (if it is collected directly from the data subject)).

As the Information Commissioner’s Office (ICO) says

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. [emphasis added]

and

Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage

If you read the ICO’s Guide to GDPR, it is largely predicated on the understanding that privacy notices will be made available to data subjects, effectively as a prerequisite to overall compliance.

So, one thing a data controller must – surely – prioritise (and have prioritised, in advance of GDPR becoming applicable in May 2018) is the preparation and giving of appropriate privacy notices, including to its own employees.

With that in mind, I was interested surprised astounded well-and-truly-gobsmacked to see an admission, on the “WhatDoTheyKnow” website, that the ICO itself has – almost a year on from GDPR’s start – not yet prepared, let alone given, its own staff a GDPR privacy notice

I can confirm we do not currently hold the information you have requested. The privacy notice for ICO employees is currently under construction.

As getting the right to be informed wrong can leave one open to fines (as well as reputational damage), one wonders if ICO is considering fining itself for this fundamental infringement of a fundamental right?

The views in this post (and indeed all posts on this blog, unless they indicate otherwise) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Data Protection, fairness, GDPR, Information Commissioner, privacy notice, transparency

Tagged as , , ,

February 16, 2018 · 12:03 pm

Data protection and fake pornography

Wired’s Matt Burgess has written recently about the rise of fake pornography created using artificial intelligence software, something that I didn’t know existed (and now rather wish I hadn’t found out about):

A small community on Reddit has created and fine-tuned a desktop application that uses machine learning to morph non-sexual photos and transplant them seamlessly into pornographic videos.

The FacesApp, created by Reddit user DeepFakesApp, uses fairly rudimental machine learning technology to graft a face onto still frames of a video and string a whole clip together. To date, most creations are short videos of high-profile female actors.

The piece goes on to discuss the various potential legal restrictions or remedies which might be available to prevent or remove content created this way. Specifically within a UK context, Matt quotes lawyer Max Campbell:

“It may amount to harassment or a malicious communication,” he explains. “Equally, the civil courts recognise a concept of ‘false privacy’, that is to say, information which is false, but which is nevertheless private in nature.” There are also copyright issues for the re-use of images and video that wasn’t created by a person.

However, what I think this analysis misses is that the manipulation of digital images of identifiable individuals lands this sort of sordid practice squarely in the field of data protection. Data protection law relates to “personal data” –  information relating to an identifiable person – and “processing” thereof. “Processing” is (inter alia)

any operation…which is performed upon personal data, whether or not by automatic means, such as…adaptation or alteration…disclosure by transmission, dissemination or otherwise making available…

That pretty much seems to encapsulate the activities being undertaken here. The people making these videos would be considered data controllers (persons who determine the purposes and means of the processing), and subject to data protection law, with the caveat that, currently, European data protection law, as a matter of general principle, only applies to processing undertaken by controllers established in the European Union. (In passing, I would note that the exemption for processing done in the course of a purely personal or household activity would not apply to the extent that the videos are being distributed and otherwise made public).

Personal data must be processed “fairly”, and, as a matter of blinding obviousness, it is hard to see any way in which the processing here could conceivably be fair.

Whether victims of this odious sort of behaviour will find it easy to assert their rights, or bring claims, against the creators is another matter. But it does seem to me to be the case here, unlike in some other cases, that (within a European context/jurisdiction) data protection law potentially provides a primary initial means of confronting the behaviour.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Europe, fairness, Uncategorized