Inforrm covered a wide range of data protection and privacy cases in 2019. Following last years post here is my selection of most notable privacy and data protection cases across 2019:

  1. Lloyd v Google LLC [2019] EWCA Civ 1599

The data protection class action against Google which found that they are permissible in the case of DPA breaches for the Safari Workaround. The case sets a precedent for representative opt-out style class actions for data protection breaches under UK law. An application for permission to appeal to the Supreme Court is pending. INFORRM had a case comment. Coverage from legal outlets was broad including Matrix Chambers, DLA Piper, Linklaters and Farrer & Co.

  1. R (Bridges) v Chief Constable of South Wales Police and Others [2019] EWHC 2341 (Admin)

The decision of the Administrative Court that the police’s use of facial recognition software was lawful. The case applied the UK’s pre-existing data protection framework to determine the lawfulness of the software, a precedential exercise. An appeal to the Court of Appeal is pending. We had a post on Inforrm and there were posts also on Panopticon, Law Gazette, Matrix Chambers and the Privacy Law Barrister.

  1. ZXC v Bloomberg LP [2019] EWHC 970 (QB)

A case bought on the grounds that those investigated by law enforcement have the right to privacy generally. A newspaper named the claimant in the course of citing confidential information obtained from a UK law enforcement agency. The claimant was successful and awarded £25,000. We had a case comment on INFORRM. Matrix Chambers, 5RB, Wiggin and Practical Law also had commentary.

  1. Google LLC v CNIL[2019] EUECJ C-507/17

The Court of Justice found that the territorial scope of the right to be forgotten was jurisdictionally limited and therefore could not be applied to worldwide domain names. We had an Inforrm post on this. The case drew much commentary- see Harvard’s Law Blog, Monckton Chambers and The European Law Blog.

  1. R v Jarvis 2019 SCC 10

The Canadian Supreme Court’s important decision on “reasonable expectation of privacy” in the context of the “voyeurism” offence, with wider implications for regulatory and common law privacy.  There were posts on the Canadian Privacy Law blog and on The blog.

  1. Bull v Desporte [2019] EWHC 1650 (QB)

A case involving a claim for misuse of private information and copyright infringement arising from a book authored by the claimant’s ex-wife. The claimant succeeded and was awarded damages of £10,000 and aggravated damages of £2,500 as well as a premanant injunction to restrain publication of his private information. Damages for unauthorised use of photographs of the claimant amount to £50.  See a case comments from Wiggin LLP, Simkins and 5RB.

  1. Cooper v National Crime Agency[2019] EWCA Civ 16.

Following a drunken altercation with a police officer the claimant was dismissed from his role at the National Crime Agency (“NCA”). The claimant then pursued a case for breach of the Data Protection Act (“DPA”). The analysis of the issues in the judgment provides significant insight into the application of the DPA. There was a Panopticon blog post about the case.

  1. GC & Others v CNIL [2019] EUECJ C-136/17

The Court was asked a number of questions, all of which broadly related to the question of how the prohibitions on processing sensitive personal data under the Directive applied to search engines. The claimants wished to have various results from searches of their names dereferenced from Google’s search results. The Court concluded that there was no blanket prohibition on the processing of sensitive personal data by search engines under the Data Protection Directive, thus refusing to compel the dereferencing of results. The European Law Blog has commentary.

  1. Sergejs Buivids [2019] EUECJ C-345/17

The claimant recorded the inside of a Latvian police station whist he was there giving a statement. It was contested by the Latvian Data Protection Agency that this infringed Latvian data protection laws. The CJEU found that an individual filming police officers undertaking their duties in a police station and posting it online constituted processing of personal data, but may be covered by the journalistic purposes exemption under the Data Protection Directive. DLA Piper and the Panopticon Blog have analysis.

  1. Rudd v Bridle [2019] EWHC 1986 (QB)

A case covering the nuances of subject access requests and what information should be provided. Also examined the application of exemptions to cases. A asbestos industry advisor was ordered to respond to a physician’s data subject access requests. We had a case comment on INFORRM. See also commentary from Matrix Chambers, Panopticon and White & Case.

Suneet Sharma is a junior legal professional with a particular interest and experience in media, information and privacy law.  He is the editor of The Privacy Perspective blog.