It was perhaps in 2017 that media and information lawyers became fully aware of the potential benefits of data protection claims. The Court of Appeal approved what has now become the standard practice of pleading data protection and defamation claims in tandem.
A large scale group action (Various Claimants v W M Morrison) was tried, data protection issues were argued in a number of interesting first instance cases and three important cases reached the Court of Appeal.
The most high profile data protection case of the year was Various Claimants v Wm Morrisons  EWHC 3113 (QB)(Langstaff J). This was the trial of 10 lead cases in a group action by 5,518 employees of the supermarket chain WM Morrison Supermarkets PLC arising out of the disclosure of payroll data of 100,000 employees. Although the disclosure had taken place outside working hours and from the employee’s personal computer, the judge held that the defendant was vicariously liable for data breaches. There were case comments on the Panopticon Blog by Tim Pitt-Payne and Christopher Knight.
In Holyoake v Candy  EWHC 52 (QB) Warby J tried a Part 8 claim seeking to enforce subject access requests (“SARs”) under section 7 of the DPA. He held that searches were reasonable and proportionate and the data controller was not required to search private email accounts which were not processed by it as a data controller. The legal professional privilege (“LPP”) exemption was properly claimed. A section 7(9) order was not appropriate.
There were two reported data protection trials in Scotland
- Anthony Woolley and Deborah Woolley v. Nahid Akbar  ScotSC 7: The defendant had a CCTV system which included audio recording facilities and recorded record happenings on the claimants’ private property. At the front of the house they recorded every person approaching the claimants’ house and happenings in their pursuers’ private garden area. There were breaches of three data protection principles. Compensation of £10 per day was awarded to each claimant (£8,634).
- Beyts v Trump International Golf Club Scotland  ScotSC 21. An employee of the defendants took a digital photograph of pursuer urinating. Photograph was personal data and defendant was a data controller. The only breach of the DPA relied on was non-registration under section 21. The claim failed because the penalty for breach of that provision was prosecution. There was no causal connection between the lack of registration and the distress that the court accepted the pursuer had suffered.
Other First Instance Cases
We draw attention to four other first instance decisions which dealt with data protection issues:
- ZXC v Bloomberg LP  EWHC 328 (QB) Garnham J). The claimant argued a data protection point as an alternative to an injunction for misuse of private information in relation to the publication of information concerning a law enforcement agency investigation. The Judge held that the claimant had not shown that he was likely to succeed in overcoming the section 32 “journalistic exemption”.
- Hussain v Sandwell MBC  EWHC 1641 (Admin)(Green J). In the context of a wider judicial review claim the claimant’s contention that the publication of a legal opinion critical of his conduct was unlawful processing of his personal data was rejected.
- Al-Ko Kober Ltd v Sambhi  EWHC 2474 (QB)(Whipple J). Court granted an injunction under section 10(4) of the DPA to restrain continued processing of inaccurate personal data. We had a case comment by Emma Foubister.
- Stunt v Associated Newspapers Ltd  1 WLR 3985 (Popplewell J). The claimant unsuccessfully challenged section 32(4) of the Data Protection Act 1998 (“the DPA”) on the ground that it was incompatible with Directive 95/46 art.9 and the EU Charter of Fundamental Rights. An appeal in this case will be heard in June 2018 (see below)
Subject Access Requests
There were two important Court of Appeal decisions on SARS
- *Dawson-Damer and others v Taylor Wessing LLP and others (Information Commissioner intervening) –  1 WLR 3255. The Court of Appeal made an order was made under section 7(9). The request was not invalid, although it was made for the collateral purpose of assisting in litigation, and the solicitors’ efforts to comply with the request had been inadequate. The LPP exemption relieved data controller from complying with an SAR request only if there was relevant privilege according to the law of any part of the UK. We had a case comment on this decision by Ashley Hurst and Peter Barratt.
- Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd and others (Information Commissioner intervening); Deer v University of Oxford (Information Commissioner intervening) –  3 WLR 811. The Court of Appeal highlighted the need for proportionality when considering whether to make an order under section 7(9). It also said that if an applicant lacks a ‘legitimate reason’ for making a request, that can be a factor weighing against granting relief, although having a collateral purpose is not necessarily an absolute bar . The case also contains an important analysis of the definition of “personal data” and of the domestic purposes exemption in section 36 of the DPA> There was a Panopticon Blog case comment.
Following these two decisions the ICO issued a revised “Subject access code of practice [pdf]”
Defamation and Data Protection
In Prince Moulay Hicham Ben Abdallah Al Alaoui of Morroco v Elaph Publishing Ltd –  4 WLR 28 the Court of Appeal held there was no good reason of principle why a claim under the DPA could not be linked to a defamation claim as that the different causes of action were directed to protecting different aspects of the right to private life. We had a case comment by Simon Brown.
A number of data protection cases will be the subject of appeal hearings in 2018:
TLT v Secretary of State for the Home Department – hearing 11 or 12 April 2018
Stunt v Associated Newspapers – hearing on 19 or 20 June 2018.
The Judge gave permission to appeal in the Morrisons Supermarkets case and it seems likely that an appeal will be lodged.