Category Archives: litigation

April 2, 2025 · 5:02 am

The legality of data processing in the course of litigation

There is very convoluted litigation taking place which has as its focus a witness statement, prepared by a solicitor acting for a number of insurance companies who are defending personal injury claims arising from road traffic accidents (RTAs). And part of the argument (and a satellite claim) has now become about compliance with data protection law.

Five original claims were made for damages arising from RTAs. The defendant insurance companies were represented by law firm DWF, and one of DWF’s solicitors prepared a witness statement which contained an analysis of claims data collected by DWF in relation to a number of claims submitted by claimants represented by the solicitors who acted on behalf of the five claimants. The statement sought to adduce that in an unusually high number of the claims claimants had been referred for further psychological assessment, by a doctor who in 100% of those cases diagnosed a psychiatric condition and in two thirds of those cases said that the recovery period would be over two years. In short, a large number of claimants in the relevant RTAs appeared to develop long-term psychiatric conditions.

The claimant sought unsuccessfully to debar the witness statement, although the judge (on appeal) noted that it would be “for the Judge at trial to make of this evidence what they will [although] there are questions as to the extent to which this evidence assists without more in proving fundamental dishonesty”.

Notwithstanding this, an initial 317 (now reduced to three) claims were then made by people whose personal data was accepted to have been processed by DWF for the purposes of preparing the witness statement above. The claims here are for various breaches of the UK GDPR (such as excessive processing, and lack of fairness, lawful basis and transparency).

In a judgment handed down on 1 April, on an application by the claimants for specific disclosure in the UK GDPR claim (and an application by the defendant to amend its defence and strike out a witness statement of the claimants’ solicitor) Mrs Justice Eady DBE dismissed the disclosure applications (made under various headings), on the basis that much of the information would clearly be privileged material, or not relevant, or that the application was a fishing expedition.

If this gets to trial it will be interesting though. This sort of processing of personal data takes place in the course of (non-data-protection) private litigation routinely. It is generally not assumed that any issues of illegality arise. Any ultimate findings would be notable for litigators, and those who need to advise them on data protection compliance.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, litigation, UK GDPR

Tagged as

July 30, 2024 · 7:19 am

Immunity from suit in data protection (and other) claims

[reposted from LinkedIn]

All too often, in my experience, public authorities might inadvertently disclose confidential information about one person to someone with whom that person is in dispute, or from whom that person is in danger. Typical examples are when a council discloses information about one resident to a neighbour, or when the police disclose information about a vulnerable person to their abusive partner.

This can also happen during the process of court proceedings.

There is a long-standing – and complex – common law concept of “immunity from suit”, which, in the very simplest and most general of terms, will prevent someone from being sued for something they say in court.

This judgment involves a fascinating, but headache-inducing, analysis of the different types of immunity from suit – witness immunity at court, advocate’s immunity at court, witness immunity before court, advocate’s immunity before court and legal proceedings immunity before court (which may apply to lawyers, police officers or administrative staff preparing a case for trial).

The background facts are grim: a woman fleeing from domestic violence was forced to flee from safe homes because twice her addresses were inadvertently disclosed (or at least indicated) to the perpetrator, against whom criminal proceedings were being brought – once by the police and once by the CPS.

The woman brought claims against both public authorities under the Human Rights Act 1998, the Data Protection Act 2018 and in misuse of private information. However, the defendants initially succeeded in striking the claims out/getting summary judgment (one part of the claim against the police was permitted to continue).

Mr Justice Richie upheld the appeal against the strike out/summary judgment, with rather a tour de force run through of the history and authorities on immunity (para 66 begins with the words “I start 439 years ago”).

In very short summary, he held that strike out/summary judgment had been inappropriate, because “the movement in the last 25 years in the appellate case law has been away from absolutism, towards careful consideration of whether the facts of each case actually do fit with the claimed ‘immunity’ by reference to whether the long-established justifications for the immunity apply” (at 106). In the examples here, it was at least arguable that immunity was being claimed not over evidence in the case, but “extraneous or peripheral or administrative matters”. The judge should have applied a balancing exercise to the facts to decide whether immunity applied: she had failed to do so, and had not been entitled to determine that there was no arguable claim

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under compensation, damages, Data Protection Act 2018, human rights, judgments, LinkedIn Post, litigation, misuse of private information, police

Tagged as , , , ,

June 6, 2024 · 7:45 am

The demise of portmanteau data breach claims

Many defendants in data protection proceedings will have experienced claims which also plead a misuse of private information (MPI). Often, on the face of things, the latter appears to add nothing to the data protection claim, but there can be procedural and costs/other financial implications. Importantly, where claimants have secured after-the-event (ATE) insurance, premiums can be recovered from losing defendants (as there is an exception for certain claims, including MPI ones, to the general rule introduced by the Legal Aid, Sentencing and Punishment of Offenders Act 2012, by which ATE premiums became generally irrecoverable between parties). This can be perceived as a factor which might impel defendants to settle otherwise weak claims.

The practice of bundling data protection and MPI claims (sometimes with a bonus breach of confidence claim) in “data breach” proceedings was struck a blow in 2021, when Mr Justice Saini, in Warren v DSG, held that, as both MPI and breach of confidence require there to have been a “use”, a “positive action”, they do not impose a data security obligation on a defendant, or create liability where the defendant was, instead, alleged to have failed to do something.

This inevitably led to a drop in claims pleading MPI (and breach of confidence) in data security cases, but not a complete stop: after all – I imagine some claimant lawyers thought, a claim can still be pleaded as a MPI claim – even if it might not look like one (following Warren v DSG).

However, in a costs judgment from September last year, but only recently published, Deputy Costs Judge Roy held that a “spurious” (as opposed to a “genuine”) MPI claim (in Saini J’s characterisation “an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”) can’t avail itself of the ATE premium irrecoverability exception. (The claim was against Equiniti, but seems to be separate to the recent attempted group litigation against the same defendant.)

I suspect the story is not entirely over. Claimants will quite possibly say “yes, spurious MPI claims can’t be shoehorned into data protection claims, but this one – Judge – is not spurious on the facts”. Nonetheless, the days of portmanteau data breach claims seem to disappearing into the past.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, data security, judgments, litigation

Tagged as ,