Legal News

Blake and Seymour v Fox [2024] EWHC 146 ( KB) What are the practical implications of the case? The judgment provides a thorough examination of the elements needed to prove serious harm and the supporting evidence, especially where a prominent defendant, already associated with controversy and criticism, seeks to show that the particular allegations complained of caused reputational damage. It further highlights that ‘indiscriminately lobbed’ claims can land on ‘highly combustible material’; the consequences in the real world matter even if allegations are promptly removed, and it is often the ‘insidious creation of a “bad odour”, together with the difficulty of establishing a negative, that does the most reputational harm’. Practitioners should also advise clients pursuing vindication through specific findings of fact that the court will not stray beyond what is strictly necessary. In this instance, because the defendant failed to prove serious harm on his...

Gov Data Ltd v Indeed UK Operations Ltd [2024] EWHC 39 ( Comm) What are the practical implications of this case? This decision arose from Gov Data Ltd’s request for a Norwich Pharmacal order compelling Indeed UK Operations Ltd to reveal identifying information about four anonymous reviewers who had posted comments on Indeed’s platform, so that Gov Data could consider claims for defamation and malicious falsehood. It confirms that any Norwich Pharmacal application must be properly particularised. Moreover, even if the gateway criteria are satisfied—there is an arguable wrong, the order is required, and the respondent both facilitated the alleged misconduct and can supply the data—the court will only grant relief where, considering relevant factors, it is strictly necessary and proportionate. It also highlights the rigorous scrutiny such applications attract. The court was troubled by how Gov Data and two...

In this issue: Data protection e Privacy Cybersecurity Reputation management Lex Talk®Information Law: a Lexis®Nexis community Daily and weekly news alerts New and updated content Latest Q& A Data protection Those seeking EU GDPR compensation must prove damage, a second EU court ruling confirms Mlex: The EU’s highest court stated on 25 January 2024 that people pursuing compensation under the bloc’s privacy regime must show they suffered harm from a data breach. The Court of Justice of the European Union ruled that Article 82 of the General Data Protection Regulation, Regulation ( EU) 2016/679, requires evidence of damage before a data controller can be ordered to compensate, reflecting a comparable conclusion in a different case from December 2023. See News Analysis: Those seeking EU GDPR compensation must prove damage, a second EU court ruling...

Mir v Hussain and others [2024] EWHC 56 ( KB) What are the practical implications of this case? The ruling underscores the stringent threshold defendants must meet when pursuing summary judgment on the basis that they are not publishers of defamatory material. Save in the most clear-cut scenarios, summary judgment will be out of reach. Whether a defendant bears responsibility for publication is intensely fact-dependent. The setting and context of dissemination will usually be known to the defendant (and not the claimant), leaving the claimant to seek an inference of participatory publication from circumstantial proof. Where the claimant can adduce enough material to justify such an inference, shutting the case out without a full trial will seldom be proper. The ruling further confirms that a claimant may plead liability by participation in publication, while in the alternative relying upon agency...

‘ A claimant under that provision must prove not just an infringement of that regulation, but also that the breach caused him tangible or non-pecuniary harm,’ the court stated. This conclusion arises from a reference to the EU judiciary by the district court in Hagen, Germany. It raised multiple queries and issues concerning the entitlement and scope to compensation for non-material harm—such as pain, distress or anxiety. Those questions centre primarily on whether an individual pursuing compensation for an EU GDPR breach must adduce proof of such harm in addition to evidence of the breach itself. The court further queried whether handing over a paper record to an unauthorised person is, by itself, sufficient to constitute an infringement of the EU GDPR. The German proceedings currently concern a disagreement about whether a Saturn electronics shop in Hagen contravened the EU GDPR when a member of...

On 12 January 2024, the United Kingdom formally put its name to the 2019 Hague Convention on the recognition and enforcement of foreign judgments in civil and commercial matters (the Hague Judgments Convention). This News Analysis examines what the Hague Judgments Convention sets out, and why the UK’s decision to join it is especially significant for Banking & Finance practitioners in particular. What is the Hague Judgments Convention? The Hague Judgments Convention establishes a shared framework of rules for recognising and enforcing civil and commercial court decisions originating from States that become parties to it (the Contracting States). The EU and Ukraine are, at present, Contracting States to the Hague Judgments Convention; however, a range of other states have signed, among them the US and, now, the UK. The Tracker— Hague Judgments Convention offers details on whether a jurisdiction has signed the...

In this issue: Data protection Cybersecurity Daily and weekly news alerts New and updated content Data protection ICO updates its Opinion on age assurance for the Children's code The Information Commissioner’s Office ( ICO) has released a refreshed Opinion on age assurance under the Children’s code, capturing changes over the last two years. It offers direction on the steps online services should take when their platforms are likely to be used by children, draws attention to technological advances in this space, and sets out legislative progress together with how organisations can satisfy data protection duties whilst also aligning with the Online Safety Act 2023 ( OSA 2023). The Opinion explains how age assurance can form part of a necessary and proportionate strategy to reduce or eliminate risks and comply with the code. In addition, it outlines how the Information Commissioner expects online services to implement age assurance measures that are...

The Department for Science, Innovation and Technology ( DSIT) and the National Cyber Security Centre ( NCSC) have opened a consultation on a new draft Cyber Governance Code of Practice intended to strengthen businesses’ cyber resilience. The proposed guidance aims to put cyber security at the forefront for businesses and sets out recommendations......

In this issue: Data protection e Privacy Cybersecurity Reputation management Databases Daily and weekly news alerts New and updated content Data protection Consultation on lawful basis for web scraping to train generative AI models opens The Information Commissioner’s Office ( ICO) has started a consultation series on generative artificial intelligence and is asking stakeholders to help shape ICO policy on how the purpose limitation principle applies to the development and deployment of generative AI, and on expectations for complying with the accuracy principle and data subject rights. The first chapter focuses on the lawful basis for training generative AI models with web-scraped data and is accepting responses until 1 March 2024. See: LNB News 15/01/2024 62. European Commission finds 11 existing adequacy decisions may remain in place The European Commission, following its review of the 11 adequacy decisions adopted under Article 25(6) of...

The UK government has revealed it has entered into a new Memorandum of Co-operation with Japan to bolster public–private collaboration in cyber across the UK and Japan. This......

Baroness Lawrence of Clarendon and others v Associated Newspapers Ltd [2023] EWHC 2789 ( KB) What are the practical implications of this case? Although centred on misuse of private information, this ruling carries wider weight for would‑be claimants and defendants invoking, or resisting, a limitation defence under LA 1980, s 32. Limitation exists to promote finality in civil litigation; yet, as Nicklin J explained, section 32 (together with other statutory carve‑outs) tempers the harshness that a strict rule might otherwise produce (at [85]). Under s 32, where wrongdoing has been concealed, the clock starts only on discovery, or when discovery ought reasonably to have been made. The claimants contend they remained in the dark about the unlawful conduct for many years, learning only later-via information from private investigators-that they might have a viable claim. By contrast, ANL placed substantial emphasis on what was already...

In this issue: Data protection Cybersecurity Reputation management Public sector information Daily and weekly news alerts New and updated content Data protection EU Data Act published in Official Journal Regulation ( EU) 2023/2854 of the European Parliament and of the Council, dated 13 December 2023, setting harmonised rules on fair access to and use of data, and amending Regulation ( EU) 2017/2394 and Directive ( EU) 2020/1828 (the EU Data Act), has now appeared in the Official Journal. See: LNB News 22/12/2023 31. CJEU clarifies case on right to compensation for damage under EU GDPR The Court of Justice of the European Union ( Third Chamber) ( CJEU) has confirmed, in case C-667/21, ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts, that Article 82 of the EU General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), serves a...

Dyson v MGN Ltd [2023] EWHC 3092 ( KB) What are the practical implications of this case? A claimant must factor in material that sits outside the impugned publication when judging the strength of a defendant’s honest opinion defence. We are also reminded of the serious harm threshold set by the Supreme Court in Lachaux v Independent Print Media Ltd [2019] UKSC 27. The court adhered to earlier authority that, although a claimant may advance an inferential case on serious harm, this cannot stand in for an evidential process; the building blocks of any inferential case must themselves be supported by sufficient evidence—which, in this instance, they were not. What was the background? On 28 January 2022, MGN ran an article titled ‘ Our government is making young people believe that cheats do prosper’, and the following day it appeared under the headline, ‘ Message to young folks today is...

Baines contended that Mail Online—ranked the UK’s third most visited news site and fifth globally by trade outlet Press Gazette—was breaching privacy laws. Rather than offering a ‘reject all’ option, its banner presents a ‘got it’ button that signifies consent to cookies, alongside a ‘cookie settings’ control to amend cookie preferences. The complaint referenced multiple remarks from ICO officials about cookie banners, among them a June interview deputy commissioner Stephen Bonner granted to MLex. Following a freedom of information request, the ICO released that interview. According to MLex, the ICO has now refused to open an investigation into the matter. In a letter to Baines dated 14 November 2023, the ICO stated that it had passed on the information concerned......

Agile enforcement When the UK Information Commissioner’s Office ( ICO) served Snap with a preliminary enforcement notice on 6 October 2023, potentially forcing its AI chatbot off the UK market, it illustrated the regulator’s renewed focus on ‘agile’ enforcement (see: LNB News 06/10/2023 31). Edwards said it is a capability they must become more comfortable exercising. He noted the Snap action mattered because issues were spotted in March, when the product first went live. The ICO asked questions, formed a team and accelerated the process. In the past, reaching that stage might have taken three to four years. This time, the authority arrived there in around six months, reflecting what Edwards called a ‘culture change’ that will let the ICO apply a wider spectrum of responses to data protection concerns. In some scenarios, such as Snap’s ‘ My AI’ chatbot, it enables faster...

France’s Data Protection Authority ( CNIL) imposed €600,000 penalty on Groupe Canal+, publisher of channels and distributor of pay-television services, for infringing Articles 12, 13, 14, 15, 21, 28, 32 and 33 of the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU......

Meta Platforms Inc (formerly Facebook Inc) and other companies v Bundeskartellamt ECLI- EU- C-2023-537 What are the practical implications of this case? This Court of Justice ruling signals a shift in competition enforcement, centring on data-gathering practices that may weaken competition. It recognises that control over personal data is now a key competitive parameter in the digital economy, and that compliance with data protection rules helps to prevent abuse of dominance. Consequently, dominant online platforms that accumulate extensive data for personalised advertising, both on and off their services, can expect their processing to be examined by multiple regulators. The Court’s narrow reading of contractual ‘necessity’, and of Meta’s claimed legitimate interests in processing Facebook users’ data, mirrors the enforcement taken against Meta by the Irish Data Protection Authority in December 2022 (see LNB News 04/01/2023 27). It likewise aligns with obligations for firms in strong market...

The EU Data Act The EU Data Act seeks to hand people using Internet‑connected products, from fridges to smartphones, greater control over the information they generate. EU lawmakers approved it in June 2023 after fraught negotiations centred on safeguarding trade secrets, and it is slated for formal adoption before the close of 2023. Negotiators aimed to balance wider data access with protection of trade secrets. A study financed by the Computer and Communications Industry Association, a technology lobby, argues the package will significantly, even dramatically, reshape the landscape for digital commerce in Europe and further afield. It foresees substantial consequences for leading US digital service providers that the European Union has designated as “gatekeepers”—large platforms expected to comply with regulatory duties—as well as for these firms’ hundreds of millions of trans‑ Atlantic European business and individual customers. From the EU’s General Data Protection...

Tanya O’ Carroll, a human rights advocate and senior fellow at Foxglove, a non-profit dedicated to fairness in the use of technology, launched a High Court action against Meta in November 2022. She asked the court to uphold the General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), invoking the ‘right to object’ to data being collected for targeted advertising. The EU GDPR grants individuals the right to object to the processing of their data, although in many areas this is subject to exemptions. Direct marketing, however, carries no exemptions, making it an ‘unqualified’ right. In its June 2023 defence, Meta argued that O’ Carroll’s portrayal of targeted advertising as direct marketing is mistaken, and therefore it does not have to......

Stoute and another v News Group Newspapers Ltd [2023] EWCA Civ 523 What are the practical implications of this case? Applications for interim injunctions in claims like misuse of private information are a familiar feature of the media and communications list. This decision sets out the statutory framework and the leading European and domestic authorities on privacy, addressing the balancing act between rights under Articles 8 and 10 of the European Convention of Human Rights when determining whether a reasonable expectation of privacy exists, with a particular emphasis on situations where photographs are taken in public following paparazzi targeting. It also explores the different thresholds for obtaining interim relief before and after publication, indicating that pre-publication orders are more readily achieved, as earlier publications may properly be treated as a relevant, albeit not conclusive, factor when evaluating the likelihood that further...