The GDPR has focused minds on the use of data protection law in media law claims even though the strategy is by no means new. While almost all recent decisions have been decided under the old Data Protection Act 1998, underlying themes can be extrapolated to show how these claims are likely to evolve under the UK GDPR and the Data Protection Act 2018.
A data protection claim can be brought alongside other claims
The courts have held that a data protection claim can be brought alongside a defamation claim brought by an individual, ie a claim that a statement made about the Claimant to a third party is defamatory of them at common law and has caused serious harm.
- In Law Society v. Kordowski, in the context of publications made by the Defendant on his website, the Judge concluded that claims brought under defamation, harassment and data protection could all be run simultaneously because they covered different elements. The Court stated that "the different causes of action are directed to protecting different aspects of the right to private life. A claim in libel is directed to protecting the right to reputation. The claim in harassment is to protect persons from being subjected to unjustifiable alarm and distress. The claim under the DPA is wider than the claim under PHA, but includes the aim of protecting persons from being subjected unfairly and unlawfully to distress."
- Similarly, in His Highness Prince Moulay Hicham Ben Abdullah Al Alaoui of Morocco v Elaph Publishing Limited, the Court of Appeal rejected the Defendant's appeal, saying it saw “no good reason of principle why a claim under the DPA cannot be linked to a defamation claim” and that if defences to the defamation claim succeeded “the DPA claim may found an appropriate alternative means of redress”. However, the Court stated that careful case management would be required to “ensure that the litigation process is directed to achieving a just result in a proportionate manner, and, emphatically, is not used as a means of stifling criticism under the guise of correcting inaccuracy.”
Or can it?
A strain of non-media related case law has developed demonstrating that when other claims are brought alongside data protection claims (presumably to bolster them and increase potential damages) the courts have been resistant to this doubling or tripling up and have decided that these additional claims are not appropriate. For example:
- In Warren v DSG Retail Ltd, the High Court concluded that the Claimant (who had his customer data stolen following a malware attack on the Defendant) could only rely on his data protection claim, and not on additional claims for breach of confidence, misuse of private information, and negligence. The Court struck out these three claims because the Defendant had not carried out a positive act (being itself the victim of a hack).
- In Johnson v Eastlight Community Homes Ltd, the High Court considered a claim brought in respect of a data breach after one of the Defendant's employees accidentally sent an email attaching a compilation of rent statements, including of the Claimant, to a third party. The Judge found that "taking the claim as a whole, the breach of confidence claim and the claim in privacy fail to satisfy me they add anything useful and independent to the claim arising from the admitted breach of the GDPR."
But what has been made clearer is what happens when a Claimant gets it wrong (in the eyes of the court) and brings one of the two claims, but the wrong one. For example, in Lloyd v Google LLC (mentioned in more detail below), the Supreme Court found that a data protection claim was the wrong claim in the circumstances and that a misuse of private information claim should have been considered instead.
A data protection claim can be an alternative to a defamation claim to obtain damages for loss of reputation
Defamation claims are usually brought to restore a company's or an individual's reputation after the publication or broadcast of false and defamatory allegations. Once a Claimant has shown that the statement complained of is defamatory at common law and has caused serious harm, the burden shifts onto the Defendant to establish a defence, one of which is Truth. But individuals can also challenge false allegations under data protection law.
This happened in Aven v Orbis Business Intelligence Ltd. Claims were brought under the DPA 98 for breach of the first and fourth principles over allegations of favours, including favours involving “illicit cash”, for President Putin. This case saw the Judge import various legal principles from defamation law (including Chase Levels of meaning and responsible journalism, and the approach to damages), but also involved a shift in the burden of proof. It was down to the Claimant to establish that the data consisting of the allegations which included sensitive personal data regarding alleged criminal offences, was inaccurate. The Claimant did not need to satisfy the test for defamation, including the need to show serious harm.
The inaccuracy claim was upheld and damages were awarded, clearly showing that data protection claims are an alternative means of redress for damage to reputation.
A data protection claim may not add much to a privacy claim
The benefit of bringing both a data protection and a misuse of private information claim is not clear from the case law. The data claim in HHR The Duchess of Sussex v Associated Newspapers Ltd was dropped before the High Court or Court of Appeal decisions. In the earlier decision of Weller v Associated Newspapers Limited, in the context of a claim relating to an article and photos published by the Daily Mail identifying Mr Weller's children, the Court of Appeal unanimously upheld the High Court's decision that the Defendants were liable for both misuse of private information and a breach of the DPA 98. However, the data protection claim gained little attention from the High Court or the Court of Appeal as the parties had considered it to be dependent on the success of the misuse of private information claim. The same happened in ZXC v Bloomberg with regards to the data protection claim brought in that case.
A data protection claim brought in relation to processing for journalistic purposes pre-publication will be stayed
In Stunt v Associated Newspapers, the Claimant made an unsuccessful attempt to challenge s32(4) of the DPA 98, which had the effect of staying data subject claims relating to processing for journalistic purposes "with a view to the publication by any person of any journalistic, literary or artistic material which, at the time twenty-four hours immediately before the relevant time, had not previously been published by the data controller". Section 176 of the DPA 18 maintains the position.
While this case was on reference to the CJEU, on 29 October 2019 the Court of Appeal made an order withdrawing the case following the Claimant's failure to comply with a security for costs order obtained by the Defendants which led to the claim being struck out. Therefore, it remains the case that a data subject will have any claim brought pre-publication against a journalist or publisher for breach of his or her data protection rights stayed.
This is in contrast with the position when bringing a misuse of private information claim, where an application for an interim injunction to prevent the publication or disclosure of private information can be made wihtout being automatically stayed.
A privacy claim may yield higher damages than a data protection claim
While always dependent on the circumstances, from preceding media law cases, it is clear that damages awarded in data protection have, to date, been smaller than those in other traditional reputation or privacy cases. For example, in TLT v Secretary of State – which involved a breach of a spreadsheet containing data belonging to 1,598 asylum seekers which was downloaded 27 times – damages awards of between £2,500 and £12,500 were made.
In Brown v Metropolitan Police – which saw the disclosure of personal data in the course of a misuse of police powers – the global award of damages for both the misuse of privacy and data protection claims was £9,000. As stated above, in Aven v Orbis, damages of £18,000 were awarded for a successful data claim based on inaccuracy (allegations about favours for President Putin, which was more akin to a libel claim).
By comparison, ZXC v Bloomberg – which involved a privacy claim related to evidence in a criminal investigation – resulted in damages of £25,000 and Sicri v Associated – which involved the identity of a suspect arrested for terrorism – was also much higher.
Scale of publication can also increase the damages in such claims. For example, in Richard v BBC – which involved the widespread broadcast of a police raid on Sir Cliff Richard's property and interview information – £210,000 in damages was awarded (which included a special damages claim). In the Gulati v MGN, the frequency of interceptions over the number of years was a factor, as well as the effect on the Claimants and their relationships with others, and this led to awards of between £72,500 to £260,250 being made.
While damages for loss to reputation were recoverable via the data protection claims brought in Aven v Orbis, damages for loss of control (a head of loss imported from the phone hacking claim in Gulati) were found in Lloyd v Google not to be capable of recovery in what was a pre-GDPR data protection claim.
Data protection law has limits despite its extra-territorial reach
In the recent Court of Appeal decision in Soriano v Forensic News LLC, the Court reversed, in favour of the Claimant, an earlier first instance decision on Article 3 territorial applicability of the GDPR holding that the Defendants (including a US news website and US based journalists) had a stable arrangement, offered a service to UK/EU readers that was related to the journalistic processing of personal data and that the assembly, analysis, sorting and reconfiguration of the Claimant's data resulting in publication could arguably constitute ‘monitoring’ within the meaning of ‘behavioural analysis and profiling’.
As a result, the Claimant had a good arguable case allowing him to serve his GDPR claim outside of this jurisdiction, and this decision sets a basis for US news websites being vulnerable to liability under the GDPR. How any decision by an English court for liability under the GDPR could be enforced against a US media Defendant in view of the US SPEECH ACT remains to be seen.
While acknowledging that reputation management doesn't just involve publishers, in Google v CNIL, the CJEU recognised the limitations of the GDPR beyond the EU. It found that when Google responds to 'right to be forgotten' requests, it is only required to remove links to search results on versions of its search engines corresponding to Member States. There is no obligation under EU law to go further and de-list from all versions of a search engine.
The CJEU said that the right to data protection is not an absolute right and must be balanced against competing rights and interests. In what the court called "third States" (like the USA), it said the right to be forgotten is not recognised or a different approach is taken to that in the EU and the EU legislation has not struck the right balance between the scope of de-listing outside the EU. Nor has it created rights for data subjects beyond the scope of Member States and EU law "does not provide for co-operation instruments and mechanisms as regards the scope of de-listing outside the EU".
Now that the UK has its own version of the GDPR and sits outside the EU, there may be further limits to this right under the UK GDPR, although, of course, the EU does have equivalent de-listing provisions.
It's still unclear how far the journalistic exemption will protect the media from data protection claims
There has been little if any case law about the journalistic exemption. Replacing previous guidance, the Information Commissioner's Office has recently published a Draft journalism code of practice (Code), which among other things, clarifies the ICO's interpretation of the journalistic exemption as set out in paragraph 26, Part 5, Schedule 2 of the Data Protection Act 2018. It is yet to be finalised but see here for more.
In a recent decision, True Vision Productions Ltd v Information Commissioner, the First-tier Tribunal considered the issue of whether the Appellant's belief that its processing for the purposes of journalism was incompatible with data protection principles was reasonable.
The case concerned a proposed documentary by True Vision Productions Ltd relating to still-births. While filming for the proposed documentary, True Vision had set up CCTV to record video and sound at consultations of low-risk pregnant women who were about to be told they had experienced a miscarriage. No warning was given to the women that they were being filmed, but the intention was not to use any recording in the documentary without the prior consent of the women that had been recorded. Recordings for which no consent was given would never be viewed or used.
Production of the documentary ceased after public backlash. The ICO investigated and fined True Vision £120,000 on grounds that their processing was incompatible with the first data protection principle (fair and lawful processing). True Vision applied to the First-tier Tribunal to seek to set aside the ICO's monetary penalty notice on the grounds that its processing of the women's data by the CCTV recordings fell under the journalistic exemption.
At the time the old exemption under s.32 of the DPA 98 applied. It was not under dispute whether i) processing was undertaken with a view to publishing; ii) that True Vision reasonably believed that publication was in the public interest. True Vision's application therefore rested entirely on whether its belief that the first data protection principle was incompatible with journalism was objectively reasonable.
The First-Tier Tribunal agreed with True Vision that it would have been impossible to obtain consent from the women who were being recorded before their consultation for risk of alerting the women that they were due to be informed of a miscarriage. However, the First-tier Tribunal found that True Vision had failed to consider the requirement that data (including the data recorded but not ultimately used in the programme) needed to be processed fairly. In this regard, the First-tier Tribunal found that use of the CCTV was not appropriate. True Vision should have used handheld cameras to record the consultations so that the women would have been aware that video and audio was being recorded.
Under the circumstances, the First-tier Tribunal concluded that True Vision's belief that the first data protection principle was incompatible with journalism was not reasonable.
What next?
UK GDPR and DPA 18 case law is embryonic to say the least. Claimants and Defendants will continue to adapt as fresh cases are brought involving data protection claims, alongside or instead of privacy and/or defamation claims. The media will also be looking closely at the application of the journalistic exemption, both in the ICO's upcoming Code, and in any decisions made by the courts.