I’ve written up my thoughts for the Mishcon de Reya website, on the baffling decision by the ICO to take no action in response to the most catastrophic data breach in UK history, which exposed many thousands of people to immediate risk to their lives.
https://www.mishcon.com/news/data-protection-risks-to-life-should-more-be-done
“Pretexting” and “blagging” are forms of social engineering whereby someone attempts to extract information from a source by deception. One (unethical) example is when a journalist purports to be someone else in order to gather information for a story.
A recent misuse of private information and data protection judgment in the High Court deals with a different, and sadly not uncommon, example – where an estranged, abusive partner convinced a third party to give information about their partner so they can continue their harassment of them.
The claimant had worked at a JD Wetherspoon pub, but had left a few months previously. She had given her contact details, including her mother’s mobile phone number, to her manager, and the details were kept in a paper file, marked “Strictly Private and Confidential”, in a locked filing cabinet. During the time she was employed she had been the victim of offences by a former partner of serious violence and harassment which involved subjecting her to many unwanted phone calls. He was ultimately convicted of these and sentenced to 2 ½ years in prison. Her employer was aware of the claimant’s concerns about him.
While her abuser was on remand, he rang the pub, pretending to be a police officer who needed to contact the claimant urgently. Although the pub chain had guidance on pretexting, under which such attempts to acquire information should be declined initially and referred to head office, the pub gave out the claimant’s mother’s number to the abuser, who then managed to speak to (and verbally abuse) the claimant, causing understandable distress.
She brought claims in the county court in misuse of private information, breach of confidence and for breach of data protection law. She succeeded at first instance with the first two, but not with the data protection claim. Wetherspoons appealed and she cross-challenged, not by appeal but by way of a respondent’s notice, the rejection of the data protection claim.
In a well-reasoned judgment in Raine v JD Wetherspoon PLC [2025] EWHC 1593 (KB), Mr Justice Bright dismissed the defendant’s appeals. He rejected their argument that the Claimant’s mother’s mobile phone number did not constitute the Claimant’s information or alternatively that it was not information in which she had a reasonable expectation of privacy: it was not ownership of the mobile phone that mattered, nor ownership of the account relating to it – what was relevant was information: the knowledge of the relevant digits. As between the claimant and the defendant, that was the claimant’s information, which was undoubtedly private when given to the defendants and was intended to remain private, rather than being published to others.
The defendant then argued that there can be no cause of action for misuse of private information if the Claimant is unable to establish a claim under the DPA/GDPR, and, relatedly, that a data security duty could not arise under the scope of the tortious cause of action of misuse of private information. In all honesty I struggle to understand this argument, at least as articulated in the judgment, probably because, as the judge suggests, this was not a data security case involving failure to take measures to secure the information. Rather, it involved a positive act of misuse: the positive disclosure of the information by the defendant to the abuser.
The broadly similar appeal grounds in relation to breach of confidence failed, for broadly similar reasons.
The counter challenge to the prior dismissal of the data protection claim, by contrast, succeeded. At first instance, the recorder had accepted the defendant’s argument that this was a case of purely oral disclosure of information, and that, applying Scott v LGBT Foundation Limited, this was not “processing” of “personal data”. However, as the judge found, in Scott,
the information had only ever been provided to the defendant orally; and…then retained not in electronic or manual form in a filing system, but only in the memory of the individual who had received the original oral disclosure…In that case, there was no record, and no processing. Here, there was a record of the relevant information, and it was processed: the personnel file was accessed by [the defendant’s employee], the relevant information was extracted by her and provided in written form to [another employee], for him to communicate to [the abuser].
This fell “squarely within the definition of ‘processing’ in the GDPR at article 4(2)”. Furthermore, there was judicial authority in Holyoake v Candy that, in some circumstances, oral disclosure will constitute processing (a view supported by the European Court in Endemol Shine Finland Oy).
Damages for personal injury, in the form of exacerbation of existing psychological damage, of £4500 were upheld.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Section 1(2) of the Data Protection Act 2018 tells us that
Most processing of personal data is subject to the UK GDPR
Despite the attention given to the progress of the Data (Use and Access) Act 2025 (and I have certainly given it a lot), now that it has passed, its significance for data protection practitioners is essentially only in how it will amend the three core legislative instruments relevant to their practice area: the UK GDPR, the DPA 2018, and PECR.
The DUAA is (in data protection law terms) mostly an amending statute: once its provisions have commenced, their relevance lies in how they amend those three core texts.
How that amending is done in practice is important to note.
When a piece of legislation is amended, Parliament doesn’t reenact it, so the “official” printed version remains. In pre-internet days this meant that practitioners had to read the original instrument, and the amending instrument, side by side, and note what changes applied. This was generally done with the assistance of legal publishers, who might print “consolidated” versions of the original instrument with, effectively, the amendments showing in mark-up.
In the internet age, things actually haven’t changed in substance, but it’s very much easier to read the consolidated versions. If, for example, you go to the legislation.gov.uk website, and look at the DPA 2018, you can view it in “Original (as enacted)” version, and “Latest available” version (in the second image below, for instance, you can see that “GDPR” was amended to “UK GDPR”, with the footnote explaining that this was effected by
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019)).
The DUAA has not been published yet (and remember that many of its provisions won’t come into immediate effect, but will require secondary legislation to “commence” them into effect), but once it is, and once the clever people who maintain the legislation website have done their thing, most practitioners won’t need to refer to the DUAA: they should, instead, refer to the newly amended, consolidated versions of the UK GDPR, the DPA 2018 and PECR.
And also remember, “Most processing of personal data is [still] subject to the UK GDPR”.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
An interesting recent judgment in the High Court considers the extent to which rules in defamation law might also apply to data protection claims.
In July 2024 His Honour Judge Lewis struck out a claim in defamation brought by Dale Vince against Associated Newspapers. The claim arose from a publication in the Daily Mail (and through the Mail+ app). The article reported that the Labour Party had returned a £100,000 donation made by another person, who was said to be “a high-flying City financier accused of sex harassment”, but also said that the claimant had donated £1.5m to the Labour Party, but then caused the Party embarrassment by joining an “eco-protest” in London, which had blocked traffic around Parliament Square. The article had the headline “Labour repays £100,000 to ‘sex harassment’ donor”, followed by eleven paragraphs of text, two photographs of the claimant and the caption “Road blockers: Dale Vince in London yesterday, and circled as he holds up traffic with Just Stop Oil”.
The strike-out succeeded on the basis that a claim in libel “may not be founded on a headline, or on headlines plus photographs and captions, in isolation from the related text, and it is impermissible to carve the readership into different groups, those who read only headlines (or headlines and captions) and those who read the whole article”, following the rule(s) in Charleston v News Group Newspapers Ltd [1995] 2 AC 65 (the wording quoted is from the defendant’s strike-out application). When the full article was read, as the claimant conceded, the ordinary reader would appreciate very quickly that he was not the person being accused of sexual harassment.
A subsequent claim by Mr Vince, in data protection, under the UK GDPR, has now also been struck out (Vince v Associated Newspapers [2025] EWHC 1411 (KB)). This time, the strike out succeeded on the basis that, although the UK GDPR claim was issued (although not served) prior to the handing down of judgment in the defamation claim, Mr Vince not only could, but should have brought it earlier:
There was every reason why the UKGDPR and defamation claims should have been brought in the same proceedings. Both claims arose out of the same event – the publication of the article in Mail+ and the Daily Mail. Both claims rely on the same factual circumstances, namely the juxtaposition of the headline, photographs and caption, and the contention that the combination of the headline and the photograph created the misleading impression that Mr Vince had been accused of sexual harassment. In one claim this was said to be defamatory, in the other the misleading impression created was said to comprise unfair processing of personal data
This new claim was, said Mr Justice Swift, an abuse of process – a course which would serve only “to use the court’s process in a way that is unnecessary and is oppressive to Associated Newspapers”.
Additionally, the judge would have granted Associated Newspapers’ application for summary judgment, on the grounds that the rule in Charleston would have applied to the data protection claim as it had to the defamation claim:
in the context of this claim where the processing relied on takes the form of publication, the unfairness relied on is that a headline and photographs gave a misleading impression, and the primary harmed caused is said to be reputational damage, the law would be incoherent if the fairness of the processing was assessed other than by considering the entirety of what was published
This last point, although, strictly, obiter, is an important one: where a claim of unfair processing, by way of publication of personal data, is brought in data protection, the courts are likely to demand that the entirety of what was published be considered, and not just personal data (or parts of personal data) in isolation.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Data Protection, defamation, fairness, judgments, UK GDPR
In the run-up to last year’s General Election, the campaigning group The Good Law Project (GLP) actively encouraged people to make subject access requests (under Article 15 of the UK GDPR) to political parties, and they say that they enabled 13,000 people to do so.
The GLP says that the Reform Party “replied to hardly anyone”, and as a result it is bringing the first ever case in the UK under Article 80(1) of the UK GDPR, whereby a data subject (or subjects) mandates an representative organisation to bring an Article 79 claim on their behalf.
Helpfully, the GLP has published both its own particulars of claim, and, now, Reform’s defence to the claim. The latter is particularly interesting, as its initial approach is to threaten to apply to strike out the claim on the grounds that the GLP does not meet the criteria for a representative body, as laid out in section 187 of the Data Protection Act 2018.
Given the nature of the two parties (one a bullish campaign group, the other a bullish political party) it seems quite likely that this will proceed to trial. If so, we should get some helpful clarification on how Article 80(1) should operate.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under Article 80, Data Protection Act 2018, political parties, UK GDPR
The Information Tribunal has ruled that the Nuclear New Build Generation Company, a subsidiary of EDF Energy, created to construct s new nuclear power plant at Hinkley Point C (HPC), is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR)
In the last fifteen years or so, a very interesting body of case law has been built up regarding the extent to which certain private persons have accrued, or have been conferred upon them, the status of a public authority for the purposes of the EIR. Some of the bodies who have been held to be public authorities (at least in a limited EIR sense) are water companies, BT, public gas transporters, and port authorities. Some which have not been held to be include Heathrow Airport and housing associations.
The EIR create a scheme for public access to environmental information held by public authorities, which runs in parallel to the scheme under the Freedom of Information Act 2000 (FOIA). Where FOIA, though, specifically designates public authorities, the EIR (which implemented an EU Directive, emanating in turn from the 1998 UNECE Aarhus Convention) define a public authority by virtue of its actions and powers.
Whether a person is a public authority will often turn on whether it “carries out functions of public administration”. The tests for this derive from the “Fish Legal ” in the CJEU: whether they are “entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and…are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law”
In NNB Generation Company (HPC) Ltd v Information Commissioner & Anor [2025] UKFTT 634 (GRC), the Tribunal, considering an appeal by HPC from a decision by the Information Commissioner’s Office that it was an EIR public authority (and in which Fish Legal were again the applicant), held that the relevant Development Consent Order, and the electricity and nuclear licences granted to HPC constituted entrustment with the performance of public services in relation to the environment, and the powers accruing from that entrustment “go far beyond what a private person without the benefit of such powers would be able to do in those circumstances, for example in empowering HPC to make byelaws, even if it opts not to do so”.
Decisions of this sort are nuanced and complex, and for that reason, often amenable to appeal. I would not be surprised if this one goes to the Upper Tribunal.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
The issue of the legality of the making of, and subsequent use of, covert audio and/or visual recordings of individuals is a complex one – even more so when it comes to whether such recordings can be adduced as evidence in court proceedings.
I’m not going to try to give an answer here, but what I will do is note that the Family Justice Council has recently produced guidance on cover recordings in family law proceedings concerning children, and it contains some rather surprising sections dealing with data protection law.
Firstly, I should say what it gets right: I think it is correct when it indicates that processing consisting of the taking of and use of covert recordings for the purpose of proceedings will not normally be able to avail itself of the carve-out from the statutory scheme under Article 2(2)(a) UK GDPR (for purely personal or household purposes).
However, throughout, when addressing the issue of the processing of children’s data, it refers to the Information Commissioner’s Office’s Children’s Code, but doesn’t note (or notice?) that that Code is drafted specifically to guide online services on the subject of age appropriate design of such services. Although some of its general comments about children’s data protection rights will carry over to other circumstances, the Children’s Code is not directly relevant to the FJC’s topic.
It also goes into some detail about the need for an Article 6(1) UK GDPR lawful basis if footage is shared with another person. Although strictly true, this is hardly the most pressing point (there are a few potential bases available, or exemptions to the need to identify one). But it also goes on to say that a failure to identify a lawful basis will be a “breach of the DPA 2018” (as well as the UK GDPR): I would like its authors to say what specific provisions of the DPA it would breach (hint: none).
It further, and incorrectly, suggests that a person making a covert recording might commit the offence of unlawfully obtaining personal data at section 170 DPA 2018. However, it fails to recognise that the offence only occurs where the obtaining is done without the consent of the controller, and, here, the person making and using the recording will be the controller (as the “lawful basis” stuff above indicates).
Finally, when it deals with developing policies for overt recording, it suggests that consent of all the parties would be the appropriate basis, but gives no analysis of how that might be problematic in the context of contentious and fraught family law proceedings.
The data protection aspects of the guidance are only one small part of it, and it may be that it is otherwise sound and helpful. However, it says that the ICO were consulted during its drafting, and gave “helpful advice”. Did the ICO see the final version?
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
[EDIT: in this post I originally said I understood that the current parliamentary session would end when Parliament rises for summer recess. Prompted by Andrew Harvey, on the Jiscmail Data Protection list, I checked this point, and I was wrong: my MP (who, on the two occasions I’ve emailed him, has been impressively responsive), says “With the legislative programme from the King’s Speech barely a quarter of the way through, I would guess this will be at least an 18 month session”). So one of the pressing issues in the post is less pressing, but that still doesn’t get round the issue of the impasse.]
Westminster is at an impasse over the Data (Use and Access) Bill. The Lords have repeatedly introduced amendments, in the form of totally new clauses on AI and copyright which were never intended to be part of the Bill, and the Commons have repeatedly removed them. Yesterday’s reprise of the exercise suggests that ping pong is not stopping any time soon.
This must be of tremendous frustration to the government. In particular, it will be of significant concern to the ministers and civil servants who will be negotiating with the European Commission over the reciprocal data adequacy arrangements which allow free transfer of personal data between the EU and the UK. The Commission had introduced a sunset clause to the original agreement, which was due to expire this month, but this has been extended for a further six months, specially to allow for the passage and enactment of the DUAB (the Commission wants to see what the revised UK data protection scheme will look like).
So what happens now? As the Bill was introduced in the Lords, the Commons cannot invoke its powers to force the Bill through to Royal Assent, under section 2 of the Parliament Act 2011.
The current parliamentary session may well run on for some time yet. Traditionally, all parliamentary business would cease at prorogation, so if a Bill hadn’t passed, it fell. In recent years, however, procedures in both Houses have been developed, whereby, by agreement, a Bill can “carry over” to the next session. This is very unusual, though, with a Bill introduced in the Lords. It is also difficult to see how, or why, there would be agreement to carry over a Bill like the DUAB, over which the two Houses are in actual disagreement.
Maybe the alternative would be to allow the Bill to fall (or withdraw it), and reintroduce it in the Commons, in the next session.
But there would be no winners in such a scenario. The government (and Parliament) would have to go to significant time and cost, and the opponents in the Lords, serried behind Baroness Kidron, would be no closer to getting the artists’ protections from AI models that they seek.
And in the meantime, the extended sunset clause for UK adequacy would be dropping below the horizon.
Is there still time for compromise? The simple answer is yes, but there have been few signs of much movement from either side.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under adequacy, Data (Use and Access) Bill, parliament
Was the leadership election in which Liz Truss was elected as leader of the Conservative Party (and as a result of which she was recommended to the Queen by the outgoing Boris Johnson, and appointed by the Queen as her Prime Minister) a decision amenable to judicial review?
Whether a person is a public authority for the purposes of the Freedom of Information Act 2000 is, in principle, a relatively straightforward issue: is it listed in Schedule 1 to FOIA?; or has it been designated as such by order under section 5?; or is it wholly owned by the public sector?
Whether a person is a public authority under section 6 of the Human Rights Act 1998, or whether a person is a public authority amenable to judicial review, are more complex questions.
It was the last of these that the Court of Appeal had primarily to consider in Tortoise Media Ltd, R (On the Application Of) v Conservative and Unionist Party [2025] EWCA Civ 673. Tortoise Media had written to the Party seeking certain information in relation to the leadership election process, and argued that the public effects of the leadership election meant that, in those circumstances, the Party was exercising a public function for the purposes of CPR 54.1(2). The follow-on argument was that the judgment of the ECtHR in Magyar Helsinki Bizottság v Hungary meant that the domestic courts should read down Article 10 of the ECHR (as incorporated in domestic law in the HRA) as imposing, in some cases, a positive obligation on a body to provide information to the media, who act as “watchdogs” in the public interest.
Perhaps unsurprisingly, though, the Court of Appeal did not accept that the effects and circumstances of the Party leadership election made the decision of the Party amenable to JR:
the nature of the act of electing a party leader…is at all times a private act. The fact that it has important, indirect consequences for the public does not transform a private act into a public one.
For that reason, the Court did not need to consider the Article 10/Magyar arguments (but on which, one feels – having regard to the submissions on behalf of the Duchy of Lancaster, as intervener, which argued that the Supreme Court’s decisions in Sugar and in Kennedy (which did not follow the reasoning in Magyar) bound all inferior courts – the claimants would have in any case lost).
It’s an interesting read, even if it was – to put it mildly – an ambitious case to bring.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Non-compliance by a public authority with the provisions of the Freedom of Information Act 2000 is rarely a particularly serious matter for the public authority: a delay in responding, or a failure to disclose what should be disclosed, or wrong reliance on exemptions will at most normally only result in a public decision notice by the Information Commissioner’s Office (ICO), and there are hundreds of those issued each year, which pass with barely any attention.
Where it can get serious is where the public authority fails to comply with an order by the ICO, or where, upon a case having been appealed to the First-tier Tribunal (FTT), the FTT has made an order for disclosure. Sections 54 and 61, respectively, of FOIA, empower the ICO and the FTT to treat the failure to comply as offence of contempt of court, and certify the offence to the Upper Tribunal, which has the power to commit for contempt. In principle, as I understand it, the Upper Tribunal could, if it agreed there was a contempt, impose a period of imprisonment or a fine (the powers here are not contained in the Upper Tribunal Rules, but in YSA (Committal for contempt by media) [2023] UKUT 00075 (IAC), the Upper Tribunal (in a non-FOIA case) said that as the Upper Tribunal Rules do not expressly deal with contempt certifications, then the Upper Tribunal should, so far as it can, adopt the contempt provisions of part 81 of the Civil Procedure Rules.
I’m not aware of any FOIA case where the Upper Tribunal (or the High Court, which had the jurisdiction until the Data Protection Act 2018 amended FOIA and conferred jurisdiction on the Upper Tribunal) has actually made a contempt committal. But the latest case to make its way to the Upper Tribunal, to consider whether to do so, involves the University of Exeter. The University was asked under FOIA for the names of attendees, and the organisations they represented, at two University groups – the Exeter Community Panel and the Resident Liaison Group. The University refused, citing data protection concerns (and relying on the exemption at section 40(2) FOIA), and the ICO agreed. However, the FTT disagreed (these were public facing groups and attendees would have had no reasonable expectation that their names would be kept private) and ordered disclosure. This, however, the University did not do, and upon being chased by the applicant, indicated that at least some of the information no longer existed, because of (undocumented) oral right to be forgotten requests made by attendees after the FTT had ordered disclosure (which raised s77 FOIA questions). As the FTT pointed out, the University had supplied the withheld information to the ICO and to the FTT itself for the purposes of the original proceedings, and it was “less than credible that the Respondent cannot recover that information and provide it to the Applicant”.
The FTT was satisfied therefore, that this was a “wilful”, “flagrant” and continuing failure to comply with its order – “a contrived and persistent failure that is still ongoing”.
The FTT nonetheless still urged the University to fully comply with the order, as doing say “may mitigate any action taken by the Upper Tribunal”.
Compliance with FOIA is not voluntary for a public authority. Still less so is compliance with orders of a court.
The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Filed under contempt, FOIA, Freedom of Information, Information Tribunal, Upper Tribunal
informationrightsandwrongs 