Data protection – aspects of the new landscape

Data protection – aspects of the new landscape's Tags

Tags related to this article

Data protection – aspects of the new landscape

Published 17 December 2021

Written by Lord Justice Warby


In 1974, the Master of the Rolls, Lord Denning, referred to the incoming tide of what is now EU law. He said it “flows into the estuaries and up the rivers. It cannot be held back.” That was in a trade mark case about passing off a fizzy alcoholic pear drink as champagne: HP Bulmer v Bollinger SA (No 2) [1974] Ch 401.

Data protection law is an EU creation, but its arrival on these shores can hardly be seen as involving a vigorous rising tide of the kind that Lord Denning had in mind. We have had data protection statutes since 1984. But there was never a flood tide. The process by which data protection law has entered the legal consciousness of English lawyers has been so slow that it seems more akin to the seeping effects of rising damp. If that seems disparaging, perhaps a better comparison is with the effects of global warming – a gradual but slow rise in the sea level. But let me stick with the tide analogy.

On occasion, some have tried to plant sandbags in its way. I am thinking in particular of the 2009 case of Quinton v Peirce [2009] EWHC 912 (QB), [2009] FSR 17, in which Eady J held that it was not necessary or proportionate to interpret the 1998 Act so as to afford a set of parallel remedies for false information which was neither defamatory nor malicious. But there has, in the end, been no holding back the rising tide of data protection law. Now of course – with Brexit –the tide of EU law has ebbed. But it has left behind a solid mass of retained law, including the GDPR. We are therefore left in 2021 with a legal landscape, many aspects of which bear the clear impression of data protection law.

It is not my aim in this keynote address to map out the entire territory. I will aim to survey just the last year or so, by way of a kind of annual review, picking out some prominent features. I am doing this from a particular vantage point – the bench. More specifically, I look at this landscape from the Court of Appeal, and my perspective is that of the supervising Lord Justice for media and communications cases. So, I shall focus much of my attention on the role of data protection in cases of that kind, and its relationship with misuse of private information, defamation and other publication torts.

I am giving this talk as Christmas approaches, with – to be candid – some guilt about my lack of preparation for the big day. So I thought I would give it a contemporary, seasonal flavour. My two main headings will be shopping and lists.


When I talk of shopping in this context I refer to the process of shopping around for the best causes of action, the best remedies, and the best forum or venue for the claim.

Let me be clear. People have different views about shopping – in every sense of the word. When it comes to forums, the term “shopping” seems to have derogatory connotations. For my part, I see shopping as an essentially neutral activity, and today I am using the term for its seasonal fit rather than implying any disapproval. I am working on the footing that legal practitioners are, in principle, entitled to shop around for the cause of action that is easiest for their client to establish, which has the best or most appropriate remedies; and they are entitled to seek out the forum that best suits their case and their client, within the applicable rules.

This has been and remains a complex task, as there are many and various torts from which a choice can be made when faced with unwanted communication of information, there are many and various differences between those torts, and some areas of doubt. But my theme today is that I do think that things are becoming a bit clearer and a bit easier for the well-informed shopper and – dare I say it – for the shopkeepers.

In this context, I want to talk about five recent cases.

The most obvious one to mention is the most recent: Lloyd v Google [2021] UKSC 50. This was a representative action, brought on behalf of over 4 million iPhone users. The claim arose from something called the Safari workaround. It was a claim for compensation for the unauthorised acquisition and use of browser generated information or BGI. The BGI had been used to target advertising at the data subjects, according to their inferred preferences. The issue was whether permission should be granted to serve the claim on Google in the USA. The Supreme Court affirmed the first instance decision refusing permission.

The judgment is rich in insights, but the core decision was that the claim had no real prospect of success because - as a matter of construction - only material damage and distress are within the scope of the statutory right to compensation for breach of data protection rights. It was held, further, that it follows that the right to compensation does not extend to “user” or negotiating damages.

This was a decision based on s 13 of the Data Protection Act 1998 and Article 23 of the parent Directive. The wording of the relevant provisions of the GDPR is slightly different1. It may be that in future, it will be argued that the differences in wording make a difference of substance. I do not intend to say anything about that. But let me proceed on the assumption, for the moment, that the current law is as stated in Lloyd v Google.

I would make three points about this decision.

  • It does seem to spell the end of this particular form of class action. I know there are other cases sitting behind Lloyd v Google, in which no allegations of material harm or distress are made. It does not follow, of course, that all forms of class action are now impossible for all cases where there is unwanted communication or use of personal information. I suspect that the ingenuity of our legal profession may find other ways to do this. But the decision does seem to make it hard to do so via data protection.

  • Secondly, the fact that the right to compensation for breach of data protection rights is relatively narrow in scope will surely have consequences that go beyond the question of class actions. If data protection law does not afford an individual a right to compensation for an unauthorised disclosure or use that does not cause material harm, or distress, the consequences must spill over into claims for other kinds of breach.

  • My third and related point is to note that, the judgment records with apparent approval the present state of the law of misuse of private information. This is that in a misuse claim you can recover substantial damages for loss of control over your information, even if the act complained of causes you no material loss or distress. That is one of the lessons of the phone hacking litigation. The Court of Appeal’s decision in Gulati v MGN Ltd [2015] EWCA Civ 1291, [2017] QB 149 was not challenged in the Supreme Court on the Lloyd v Google appeal. As Lord Leggatt put it at [104]:-

“English common law now recognises as a fundamental aspect of personal autonomy a person’s freedom to choose and right to control whether and when others have access to his or her private affairs.”

Why then was the claim in Lloyd v Google not brought as a claim for misuse of private information? We do not know, but at [106-107] Lord Leggatt identified one possible reason. He noted that such a claim would require proof of a reasonable expectation of privacy and suggested that “the view might have been taken” that this would require evidence of facts particular to each individual claimant. And that was incompatible with the form of class action pursued.

That is or may be a disadvantage of the misuse tort for the purposes of a class action of that kind, but it is now clear that a common law claim for misuse has one advantage over a data protection claim: the common law tort protects a wider range of interests. There is another advantage. Old-style CFAs, with a costs uplift of up to 100%, are long gone from most kinds of litigation. Until April 2019 they remained permissible in “publication and privacy proceedings”, a term that included misuse of private information but not data protection. CFAs of that kind are no longer possible, but recovery of after-the-event insurance premiums remains available.

My second case is Warren v DSG Retail Ltd [2021] EWHC 2158 (QB), decided at the end of July this year. As you know, data protection law imposes obligations to maintain data security. The facts of Warren were these. In 2017 and 2018 Dixons, the retailer, was the victim of a sophisticated cyber-attack in the course of which the attackers gained access to the personal data of many of Dixons’ customers. Mr Warren, a Dixons customer, claimed compensation limited to £5,000 for distress suffered as a result of his personal data being compromised and lost. He sued for breach of confidence, misuse of private information, breach of the 7th data protection principle, and negligence. All the claims, except the data protection claim, were struck out. Mr Justice Saini said this:

22. … In my judgment, neither BoC nor MPI impose a data security duty on the holders of information (even if private or confidential). Both are concerned with prohibiting actions by the holder of information which are inconsistent with the obligation of confidence/privacy …

27. … a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action.

If that is right – and I am not aware of any attempt to appeal - then we now have a second point of clarification: data security is the exclusive preserve of data protection law.

Before leaving Warren v DSG I would add one observation. The residual data protection claim was transferred to the County Court. In 2019, the Civil Procedure Rules were amended to create the Media and Communications List and to amend Part 53. Data protection claims were mentioned for the first time in the rules. It seems there may have been some misunderstanding about the role of data protection claims under this new regime. The majority of these are low value claims that raise no important points of law or principle, and are therefore suitable for the County Court. The only cases that merit the attention of the High Court are those which qualify as High Court cases under the usual criteria. I understand from the current Judge in Charge that the Judges and Masters dealing with cases in the MAC List are alive to this point, and that seems to be borne out by a recent decision of Master Thornett in the case of Johnson v Eastlight Community Homes Ltd [2021] EWHC 3069 (QB).

My third case is ZXC v Bloomberg. This is a case that was heard in the Supreme Court last week, so we are still awaiting judgment. I mention it now because it seems to raise some other interesting points about the relationship between data protection and publication torts.

ZXC is one of a class of modern cases about reports that the claimant was under official suspicion of some form of criminality. The other two are Sir Cliff Richard’s case against the BBC, and Sicri v Associated Newspapers Ltd. In each case, the claim might have been brought in libel. One of the most famous libel cases of all – Lewis v Daily Telegraph - was brought in respect of a newspaper report about a “fraud probe”. But each of these cases was brought in misuse of private information. And each resulted in an award of damages. In ZXC, an appeal was dismissed by the Court of Appeal. It is an appeal from that decision that is currently before the Supreme Court.

A range of issues arises. Two in particular are worth mentioning:-

  • Is it right to protect this kind of information as private at all? Or should this be left to the tort of defamation?
  • If this kind of information does fall within the scope of the misuse of private information tort, should damages be available for reputational harm caused by a wrongful disclosure?

On the first point, the Court of Appeal’s answer in ZXC was a firm yes. The defendants in ZXC have argued (and they were arguing before the Supreme Court last week) that it is unprincipled to say that a person has a reasonable expectation that information about their arrest or the fact they have come under suspicion should be kept private. The argument runs that the tort of defamation is capable of dealing with the matter, and it is a distortion to treat such information as private information that in any real sense “belongs” to the individual. We shall see where that goes.

On the second point – what damages would be recoverable - there is a range of answers in the first instance authorities. In Richard [2018] EWHC 1837 (Ch) [2019] Ch 169, the Judge (Mann J) awarded substantial damages for reputational injury. In ZXC the Judge declined to do so. In Sicri it was argued – again – that an award for reputational harm was wrong in principle for several reasons. One point was that allowing this would circumvent a range of protections built into the law of defamation, including (for instance) the uniquely short limitation period. In a judgment handed down just under a year ago ([2020] EWHC 2541 (QB)), I declined to award damages for reputational harm. That was for procedural reasons, but I expressed the view, obiter, that compensation for reputational harm belongs exclusively in the realm of defamation law. Again, this is an area where the law is in a state of flux, or development. I am not sure the Supreme Court decision in ZXC will resolve the issue. Courts have a tendency, sometimes regretted by practitioners, to decide only the issues that are necessary to the decision they have to make.

But this is a talk about data protection, so it is relevant to reflect on how claims of this kind might fare if they were framed in data protection. I am not going to try to answer that question. But I would make a few observations.

The first is that whatever may be the position in the tort of misuse, it is not easy to see why such a claim would fall outside the scope of data protection law. As everybody knows, information does not have to be private in order to fall within the GDPR.

Secondly, there is the question of what kind of data this would be. Under the old law it was sensitive personal data. It is not special category data under the GDPR, but it may be “personal data relating to criminal … offences” within the scope of Article 10 of the UKGDPR and sections 10 and 11(2) of the DPA 2018. If that is right, then in order to be lawful, the disclosure of data in that category requires special justification.

The relevant provisions for journalists seem to be those of Schedule 1 paragraph 132. Without going into any of the detail, it seems that one key condition in that paragraph is (e): that the controller "reasonably believes that publication of the personal data would be in the public interest”. It is not obvious that this is an easier test to satisfy than the one that applies in the misuse tort.

My third point is to note that, following Lloyd v Google, compensation in a data protection claim would only be available for material damage or distress. Harm to reputation does not appear to be material harm. What of distress? In defamation, damages for distress are available, but only as damage consequential on established reputational harm. I can see room for argument here.

This brings me to my fourth case: Aven v Orbis Business Intelligence Ltd [2020] EWHC 1812 (QB). This was a data protection claim, which I described as follows (in paragraph 1 of the judgment):

“This is a claim for the correction of the record and other remedies in relation to one component of the so-called “Steele Dossier”. That is the name that has been given to a set of memoranda produced by the defendant (“Orbis”) in 2016, on the instructions of a Washington DC consultancy. Orbis’ instructions were to provide intelligence memoranda concerning any links which might exist between Russia, its President, Vladimir Putin, and Donald Trump.”

The decision was handed down in July of 2020 but given the pandemic that seems quite recent. The trial was heard over four days on 16-19 March 2020, just before lockdown and I remember it very well. There were some interesting case management issues, prompted by the pandemic.

In the judgment I upheld the claimants’ case that aspects of the Dossier were inaccurate, in breach of the Fourth Data Protection Principle, and I awarded them compensation under s 13 of the DPA 1998. The point of interest for present purposes is that the compensation encompassed reputational injury. At paragraph [196] I said this:

“What of reputational harm? If, as the authorities make clear, damage is not limited to material loss, it seems hard to exclude this as a matter of principle. And Mr Millar concedes that in principle, the Court can award compensation under s 13 for reputational harm. In a case such as this, where the inaccurate information is seriously defamatory, that seems right. The issue might deserve closer attention in different circumstances.”

Those, then, were the particular circumstances of that case, decided after the Court of Appeal’s 2019 decision in Lloyd v Google. A court deciding this issue today would have the Supreme Court decision in that case and – for what they are worth – my observations in Sicri. It seems very doubtful that the concession would be made.

My fifth and final case is Soriano v Forensic News [2021] EWHC 56 (QB). The claimant, a British citizen domiciled in London, sued six media defendants all based in the USA, in respect of a series of publications which, in the judgment of Mr Justice Jay, appeared to make extremely serious allegations against the claimant including (among others) multiple homicide. And there were multiple causes of action. The claim was brought in … libel, malicious falsehood, misuse of private information, harassment, and data protection. The issue was whether permission should be granted to serve these claims on the defendants in the USA. I say immediately that we heard an appeal and cross-appeal against the Judge’s decision in early October, and judgment is reserved. Nothing I say should be taken as any indication of our view on the outcome of the appeals. Indeed, I do not mention the case because of what it decided, but because it has served to bring to light two points of interest for forum shoppers and shopkeepers.

  • First, in the Defamation Act 2013 Parliament enacted a series of measures to buttress freedom of expression. One of these was in s 9 of the Act, which contains what I have called “the Casablanca test”. I shall leave you to look up the precise wording of s 9 but glossing it – at the expense of accuracy - a claimant who wants to sue a foreign-domiciled defendant for libel has to show that of all the courts in all the places in all the world they have to sue in this one. That is a different and more demanding threshold compared to the normal forum conveniens test. But there is no such test for any cause of action other than defamation. And there are recognised overlaps between defamation, privacy, and data protection.

  • Secondly, data protection has its very own jurisdictional regime. The territorial scope of the GDPR is defined in Article 3. This has two relevant parts. Article 3(1) provides that the Regulation applies to the processing of personal data

“In the context of activities of an establishment of a controller or a processor in the United Kingdom, regardless of whether the processing takes place in the United Kingdom or not.”

(I quote the terms of the UKGDPR, as amended).

So a key point here is not domicile, but whether the controller or processor has an “establishment” here. Article 3(2) deals with controllers or processors that are not established here. It provides that the Regulation applies to processing by them of personal data of data subjects who are in the United Kingdom,

“where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.”

I am not making any suggestion as to how these provisions should be interpreted or applied. My point is simply this. One does not need to spend too much time pondering these provisions to see that they set up a very different test from the one established by s 9 of the Defamation Act, and that a court might arrive at different conclusions as to jurisdiction over the differing causes of action.


Finally, I turn briefly to the second topic I mentioned earlier: that of lists. I do so simply to draw attention to the fact that the Information Commissioner is currently consulting on a draft code for journalism3, and to remind you of s 12(4) of the Human Rights Act.

The code on which the ICO is consulting is not the first of its kind. There has been an ICO Code on the topic since 2014. But this is a new and rather more elaborate affair. I am not aware that the existing code has featured in any litigation. The new one might. That is because a couple of recent cases have taken account of existing privacy codes. In Sicri I took account of the Editor’s Code of Conduct of IPSO. I did that, and the ICO Code may become relevant, because of s 12. That covers any case in which the court is considering whether to grant a remedy that might affect the right to freedom of expression. Where the proceedings relate to journalistic, literary or artistic material s 12(4)(b) requires the court to “have regard” to “any relevant privacy code”. That term is not defined, but I think everyone agrees that it covers the Editors’ Code, and it could certainly be argued that it also covers the code the ICO has drawn up.

Final words

With those thoughts I wish you the compliments of the season, and hope you enjoy the holiday period, including any Christmas cookies you may choose to accept.


1Article 23 of the Directive required Members States to provide that “any person who has suffered damage as a result of an unlawful processing operation…” should have a right to compensation.  Article 82 confers the right to compensation on “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation …” 

2Providing for exemptions or derogations for processing carried out for journalistic purposes, pursuant to Article 85 of the GDPR.

3The consultation closes on 10 January 2022.

Key Contacts

Patrick Hill

Patrick Hill

London - Walbrook

+44 (0)20 7894 6930

Hans Allnutt

Hans Allnutt

London - Walbrook

+44 (0) 20 7894 6925

Eleanor Ludlam

Eleanor Ludlam

London - Walbrook

+44 (0)20 7894 6098

< Back to articles