2023 UK Data Protection and Privacy Case Law Update

2023 was a tumultuous year in politics, global affairs and regulatory developments and we also saw various key new case law developments in data and privacy in the UK. This included one of the first cases to consider the “legal proceedings” exemption under the Data Protection Act 2018 and cases clarifying positions on representative actions and the calculation of damages in privacy and data proceedings.

As with our previous annual roundups from 2021 and 2022, we summarise some of the key cases related to data protection and privacy to have taken place over 2023, along with key takeaways.

February

Riley v. Student Housing Co (Ops) Ltd [2023] 2 WLUK 278

In this case, a former employee of the defendant, Mr Courtney Timoney Riley, launched proceedings alleging breach of Article 5 of the UK GDPR (GDPR) arising from the mishandling of his personal data as part of the defence of an employment tribunal claim raised by another former employee, and seeking £75,000 in damages. The defendant argued that its disclosures of Mr Riley’s personal data were permissible, as they were executed in the context of legal proceedings for the purpose of defending their position.

Mr Riley argued that the defendant should have provided him with the copies of documents related to the tribunal proceedings and invited him to submit a witness statement. He argued that the defendant’s failure to do so constituted a failure to handle his personal data in a fair and transparent manner, and that the processing of his personal data was incompatible with the purpose for which it was collected.

The case was dismissed, citing Paragraph 5(3) of Schedule 2 of the Data Protection Act 2018 (DPA), which asserts that GDPR provisions do not apply when their application would impede the controller from making necessary disclosures. The court also ruled that the claimant failed to provide details regarding which personal data was processed, or to establish that any material or non-material damage suffered had resulted from the defendant’s acts.

Key takeaways

In its judgment, the court reiterated the importance of maintaining a balance between data subjects’ rights under the GDPR and controllers’ rights to conduct litigation and to a fair trial.
This decision is believed to be one of the first, if not the first, to consider the “legal proceedings” exception under the DPA and, whilst it is a Scottish case, this exception of course applies across the UK.
This case is a reminder to those pursuing data protection claims that they must make sure to provide enough detail to allow the court to carry out a thorough assessment of any alleged breach of rights.

May

Stoute v. News Group Newspapers [2023] EWCA Civ 523

In this appeal from the High Court, the claimants, Richard and Sarah Stoute, applied for an interim injunction to restrain further publication of certain photographs pending a trial for misuse of private information. The High Court judge refused the injunction on the basis that the claimants were unlikely to be able to successfully argue their case at trial.

The underlying claim concerned whether the claimants had a reasonable expectation of privacy in respect of photographs taken of them by paparazzi on a public beach and published by the defendant, News Group Newspapers Limited (NGN) in The Sun on Sunday. The claimants were owners of Full Support Health Care Ltd, a company selling personal protective equipment. The company was established in 2002; however, it made substantial profits during the COVID-19 pandemic when it secured government contracts worth around £2 billion, simultaneously generating increased press interest in the claimants.

The claimants argued that, although they were in a public place, they were celebrating a private family occasion (their child’s birthday), and did not anticipate photos of their vacation appearing in the national press.

The Court of Appeal upheld the judgment, reaffirming the refusal of the interim injunction.

Key takeaways

Although the judge recognised that the fact that the appellants were in a public place did not preclude them from having a reasonable expectation of privacy, he did stress that such scenarios are highly fact sensitive. Individuals pursuing claims for misuse of private information should remember that the expectation of privacy is less likely to be established in cases where the event occurred in a public place, particularly if there are no other additional elements that would be inherently private.
For those defending (or pursuing) cases for misuse of private information involving photographs, the court has helpfully set out the long-standing case law on the topic. In doing so, the court emphasised that photographs require special consideration when it comes to privacy cases, as it is a more intrusive medium for conveying information. However, it was also noted that claimants are more likely to succeed where photographs (i) are taken in a private place; and/or (ii) involve the depiction of something sensitive.
Parties seeking interim injunctions will find a cautionary tale in this case, emphasising the importance of carefully considering, and even scrutinising, prospects of success at trial as well as the situations in which their privacy may be protected.

Prismall v. Google UK Limited and Deepmind Technologies Limited [2023] EWHC 1169 (KB)

This case concerned the alleged mishandling of medical records belonging to 1.6 million patients. The records were transferred to DeepMind, a subsidiary of Google specialising in artificial intelligence research and development. The primary objective behind this data transfer was to aid in the development of an application designed to assist health care professionals in identifying and treating individuals with acute kidney injury.

Andrew Prismall, who brought the representative action, was one of the affected patients. Mr Prismall argued that the transfer of the data without seeking prior specific consent from the patients constituted misuse of private information, and sought damages for loss of control over his data and the data of those represented. Mr Prismall also brought an action for breach of data protection legislation; however, it was discontinued following the decision in Lloyd v. Google LLC [2021] UKSC 50, included in our 2021 roundup.

Whilst the court acknowledged the claimant’s concerns, it dismissed the claim, determining that there was no realistic prospect of establishing a reasonable expectation of privacy among the members of the claimant’s class, and that the diverse nature of the class members’ circumstances precluded the feasibility of pursuing a representative action.

The case is currently pending appeal.

Key takeaways

This judgment further clarifies the position on representative actions in relation to data disputes, and highlights the importance of the representative claimant having the “same interest” as the members of the claim.
This and other cases demonstrate that courts will diligently scrutinise whether all the necessary thresholds are met.
The case is yet another reminder for defendants that it may be worth applying for summary judgment at the earlier stages of the proceedings. Opting for summary judgment not only expedites the case but also mitigates the risk of accumulating substantial legal fees in the later stages of litigation.

July

Bekoe v. Islington LBC [2023] EWHC 1668 (KB)

This claim concerned the misuse of private information and breaches of the GDPR by a local authority, Islington LBC (Islington), which mishandled private and confidential details pertaining to Mr Bekoe’s finances by accessing and sharing them during legal proceedings. Mr Bekoe claimed that this information was obtained without legal basis. He also alleged that Islington had breached the GDPR by mishandling a data subject access request (DSAR) which he submitted, with Islington providing incomplete disclosure and responding with a four-year delay, and that Islington was liable for the loss or destruction of the legal file and failures to provide adequate security over personal data.

The court determined that Islington had demonstrated shortcomings in safeguarding data and privacy rights and had failed to demonstrate that the expectation of privacy was outweighed by other interests. Consequently, Islington had violated Mr Bekoe’s GDPR rights, and he was awarded £6,000 in damages.

Key takeaways

Given the frequency of claims for breaches of data protection legislation and for misuse of private information being brought as part of the same action (as was the case here), this case serves as a useful reminder that the courts have discretion to consolidate damages for both claims into a single figure. The court also determined that a thorough compilation of the claimant’s financial data met the requisite seriousness threshold for awarding damages, and factored in Islington’s conduct, which led to aggravated damages due to the recurrent failures to disclose information.
The court held that an award of compensation for misuse of private information requires fewer hurdles to be successful than under the GDPR, stating that “claimants can receive damages for the loss or diminution of the right to control their private information, independently of any distress caused” – which those finding themselves defending (or, indeed, bringing) such claims should bear in mind.
The case also emphasises the importance of timely and accurate disclosure in response to DSARs, which are often submitted during or just before legal proceedings.

October

Clearview AI Inc v. Information Commissioner [2023] UKFTT 819 (GRC)

This case involved an appeal brought by Clearview AI, a provider of facial recognition software, contesting a £7,552,800 fine imposed by the Information Commissioner’s Office (ICO) on 18 May 2022.

The ICO fined Clearview AI for failures to comply with the UK data protection laws, such as a lack of a lawful basis for data collection, inadequate data retention practices, and deficiencies in transparency regarding its data processing procedures, as well as issuing an Enforcement Notice instructing Clearview AI to stop obtaining and using the personal data of UK residents that was publicly available on the internet, and to delete the data of UK residents from its systems.

The First-Tier Tribunal overturned the fine, ruling that the processing conducted by Clearview AI was outside the material scope of the GDPR. This was on the basis that, although the processing undertaken by the company was related to the monitoring of data subjects’ behaviour in the UK, Clearview AI’s service was only provided to non-UK/EU law enforcement or national security bodies and their contractors, and the company had no establishments in the UK or the EU. As a result, it found that the ICO did not have the jurisdiction to issue the fine and the Enforcement Notice.

The ICO is appealing the decision and claims that “the Tribunal incorrectly interpreted the law when finding Clearview’s processing fell outside the reach of UK data protection law on the basis that it provided its services to foreign law enforcement agencies. The Commissioner’s view is that Clearview itself was not processing for foreign law enforcement purposes and should not be shielded from the scope of UK law on that basis.”

Key takeaways

Although the GDPR was deemed out of scope in this instance, the decision still serves as a reminder to entities outside the UK of when the data rules might come into scope. Entities which process personal data of UK residents should carefully consider whether their operations fall within the scope of the regulations, especially if they carry out monitoring for commercial or UK law enforcement purposes.
For companies involved in monitoring activities, the court offers further guidance regarding what constitutes “behaviour” and “monitoring”.
- Behaviour: The court contended that “behaviour” must go beyond mere identification or descriptive terms and reveal information about, amongst other things, the whereabouts of the data subject, their activities (including sports they play, employment or pastimes), their clothing, and who they associate with in terms of relationships.
- Monitoring: In this particular case, the court noted that the monitoring consisted of establishing where the person is/was at a particular point in time, using matched images to provide a narrative about the person in the images at the different times, and combining results with information from other forms of monitoring or surveillance.
Karpichkov v. National Crime Agency [2023] EWHC 2653 (KB)

The claim concerned Mr Karpichkov, a former KGB agent, who later served as a double agent for both the Russian and Latvian security services. After fleeing Latvia in 1998, he sought asylum in the UK and eventually became a British citizen, adopting a confidential new identity. The claimant was at risk as, under his old identity, he publicised unlawful activity by the Russian and Latvian intelligence services.

In 2019, Latvian authorities issued a European Arrest Warrant for Mr Karpichkov, leading to his arrest by Kent Police. In response to information requests related to the extradition, the National Crime Agency (NCA) disclosed Mr Karpichkov’s details, including his new name and address. Mr Karpichkov claimed that he received death threats following this disclosure.

Subsequently, Mr Karpichkov filed a claim against the NCA, alleging a breach of data protection rights and misuse of private information. He argued that the NCA’s disclosure to Latvian authorities exposed him to serious harm. The NCA conversely contended that it was legally obligated to make such disclosures, citing the legislation governing exchange of information regarding criminal suspects and European Arrest Warrant rules. In the proceedings, the NCA applied to strike out the claim.

The court refused NCA’s application, stating that data protection rights still had to be protected when complying with European Arrest Warrants and the exchange of information regarding criminal suspects. The court recognised merit in the claims made by the NCA; however, in the judgment, it stressed that the NCA should have protected Mr Karpichkov’s fundamental rights when exchanging information with the Latvian authorities.

Key takeaways
- Once again, the court reiterated the importance of a balancing act between the state’s obligations and safeguarding fundamental rights. It was emphasised that the legal obligations exemption may not always be an adequate ground to rely on. While the current case relates to state obligations, companies should be mindful that the legal obligations exemption is not entirely bulletproof as it still has to be balanced against an individual’s rights.