Copyright © Media Law International 2020. All Rights Reserved.
Specialist Guide to the
Global Leaders in Media Law Practice
In the past, the English courts have shown reluctance to allow litigants to bypass the law of defamation by seeking remedies for reputational harm via other causes of action. In a 2009 judgment in Quinton v Peirce, Eady J stated that he was “by no means persuaded that it is necessary or proportionate to interpret the scope of [the DPA 1998, the then applicable statute] so as to afford a set of parallel remedies when damaging information has been published about someone, but which is neither defamatory nor malicious”.
However, this reluctance was not uniformly followed. In the 2011 judgment in Law Society v Kordowski, Tugendhat J concluded that a data protection claim could be brought alongside a defamation claim where processing is clearly unlawful. The case of HH Prince Moulay Hicham Ben Abdallah Al Alaoui of Morocco v Elaph Publishing Limited saw these issues being considered by the Court of Appeal. In that case the Court found that there is a right to claim damages for reputational harm outside the law of libel in this jurisdiction. Elaph argued that this was a “profound and far-reaching shift” in English law.
When an individual’s reputation is threatened, defamation law is their natural first port of call. However, certain key elements of the law of defamation, including the enhanced protection for publishers and higher threshold for bringing claims brought in by Parliament in the form of the Defamation Act 2013 (and case law since then), can now potentially be sidestepped by Claimants as a result of the potential availability of redress for reputational harm under the Data Protection Act 2018 (DPA). These are as follows.
The Defamation Act 2013 introduced a 'serious harm' threshold which significantly “raise[d] the bar for bringing a claim so that only cases involving serious harm to the claimant’s reputation can be brought” (Explanatory Notes to Section 1). This requirement was endorsed by the Supreme Court, which has clarified that proof of serious harm to reputation is required as a matter of fact (as opposed to having a tendency to cause serious harm). The threshold for serious harm is intended to serve as a safeguard to prevent claims being brought in circumstances where damage to reputation is trivial. The DPA has no equivalent qualitative threshold in terms of the extent of the harm suffered.
Claims for defamation must be brought within one year of the date of publication of the defamatory statement. A cause of action for defamation arises when a defamatory statement is first published, and subsequent publications of substantially similar statements do not generally give rise to further causes of action. Under the DPA, however, the limitation period is six years.
Under the law of defamation there are also a number of statutory and common law defences available to publishers. These serve to safeguard the strong public interest in protecting the publication of true information and in affording proper protection to freedom of expression. Although the DPA contains exemptions for certain types of data processing, these often do not go as far as the defences under the law of defamation. For example, qualified privilege provides a defence to the publisher of a statement in circumstances where she/he has a legal, social or moral duty or interest to make the publication and where the reader has a corresponding interest in receiving it. Unless malice can be shown, the fact that the statement proved to be untrue is not relevant, whereas in data protection the focus is on the accuracy of the statement as opposed to motive.
In an action for defamation, the court ascribes a meaning to the statement complained of at an early stage in the proceedings, by determining what it considers the statement would convey to ordinary reasonable people. The claimant must establish that the statement has a defamatory meaning and that it has caused (or is likely to cause) serious harm to his/her reputation. Sometimes the literal meaning will be tempered. In a data protection claim, the court takes a literal approach determining the meaning which the words complained of would convey, before deciding whether that meaning is accurate.
Misuse of private information
To establish an actionable claim in the tort of misuse of private information, a claimant must firstly show that she/he has a reasonable expectation of privacy in the information concerned. Sometimes it will be obvious that the information is private. Where it is not, this is a question of whether a reasonable person of ordinary sensibilities would find the disclosure objectionable if placed in the same position as the claimant. If a reasonable expectation of privacy is established, a balancing exercise is to be undertaken of all of the competing rights engaged, including the right of the publisher to impart information and the right of the public to receive the information versus the claimant’s right to privacy.
In contrast, the definition of 'personal data' under the General Data Protection Regulation (GDPR) is broad, and includes “any information relating to an identified or identifiable natural person”. As such, when defending a claim for breach of data protection laws it will commonly be necessary to establish some specific lawful basis for processing or to show that an exemption applies.
There is as yet insufficient case law to draw conclusions as to how the court will approach damages for breach of data protection rights where there may be a parallel action in defamation or misuse of private information. In a couple of reported misuse of private information cases where a data protection claim was also advanced, the courts have concentrated on the misuse claim and avoided assessing the data protection claim separately. Damages awards for misuse of private information have risen in recent years, following the phone hacking litigation and the case of .
Breach of data protection law
Claims can be brought for alleged distress and reputational harm caused by the publication of inaccurate personal information by way of a claim for breach of the DPA or GDPR. Article 5(1)(d) of the GDPR requires that “personal data shall be … accurate”. Where data is not processed in accordance with this requirement, a claimant will have an actionable claim. Damage in a data protection claim can be to reputation.
Article 82(1) GDPR provides for the right to compensation: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”, and Recital 85 confirms that damage includes reputational damage. Where the information is not inaccurate, a claim may be brought where the data controller has no lawful basis for processing. The strict liability approach is, however, subject to a balancing exercise and to exemptions which may apply.
In that context, the trend towards the use of data protection claims is throwing more light on the journalistic purposes exemption available under the DPA (Schedule 2, Part 5, paragraph 26).
A data controller is exempt from complying with the rights and obligations under GDPR if the following criteria are met: (1) the data in question must be being processed with a view to the publication of journalistic material, (2) the data controller must reasonably believe that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and (3) the data controller must reasonably believe that the application of the listed GDPR provision would be incompatible with its journalistic purpose. Generally, there is unlikely to be a real debate over the first two criteria for media defendants. The third may be the more contentious area; the exemption will apply only insofar as the GDPR provisions are reasonably believed to be “incompatible” with journalism.
Notwithstanding the journalistic exemption, the potential to bring a data protection claim opens up the possibility for publishers to be inundated with DPA claims in circumstances where a defamation claim would be manifestly untenable. Even if the exemption will be found to apply at trial, the potential volume of claims could exert a significant chilling effect over freedom of expression and important public interest journalism.
The mere threat of proceedings under the DPA may lead to the removal of a significant volume of non-libellous material, particularly by smaller publishers and media organisations that cannot afford to incur the costs of defending legal claims even where they would ultimately have a strong defence under the DPA. The important protection afforded by the ‘serious harm’ threshold under the Defamation Act 2013 may therefore be stripped of much practical effect, entirely contrary to the public policy considerations which caused Parliament to introduce that threshold.
DPA claims continue to be brought together with publication actions, with the inter-relationship between these regimes becoming ever more entwined. We may see a trend towards the data protection element of such claims becoming more prominent as a consequence of the lower thresholds highlighted above, with the traditional torts turned to for guidance on how to approach the relevant issues. GDPR’s prominence in the headlines only reinforces the likelihood of data protection remaining at the forefront of claimants’ minds as an effective overlapping cause of action for reputational damage and privacy claims.
UK - ENGLAND
The Convergence of Data Protection Claims with Traditional
Alongside traditional causes of action in reputational and privacy disputes, media defendants in the UK are increasingly finding themselves faced with an additional cause of action: breach of data protection legislation. This trend can be attributed to claimants having awoken to the possibility of circumventing the higher bars for more established media torts such as defamation and misuse of private information. It remains to be seen whether the statutory exemption for processing for journalistic purposes will offer a sufficiently robust shield to claims of this type.
Beth Durkin is a solicitor at Pinsent Masons, based in London. She works within the firm's TMT Disputes team, having joined the firm in 2016. Beth specialises in advising clients in relation to disputes in the fields of technology, media, privacy and data protection. Beth has advised on media and data protection disputes in respect of online content, including defending claims in relation to the “Right to Be Forgotten”, defamation and misuse of private information. Beth completed a secondment to a large technology company where she assisted with handling media law issues, amongst other legal issues. Beth also advises clients on contractual technology disputes and cyber incidents, including managing regulatory investigations and advising in relation to data subject claims arising out of data breaches (including group actions).
David Barker is a partner at Pinsent Masons, based in London. David is a litigator with more than 20 years' experience dealing with complex technology and media disputes. He leads Pinsent Masons' TMT Disputes Team in London. He has acted for Google in relation to a number of high-profile “Right to Be Forgotten” cases and represented the BBC in the Paradise Papers litigation. Currently he is acting for a party in Supreme Court proceedings in relation to a novel attempt to bring what is effectively an opt-out class action in relation to alleged data privacy breaches. David was named in The Lawyer's "Hot 100" for 2019 for his ground-breaking work in data privacy litigation. Legal 500 says that David’s team has 'rapidly established itself at the very top of the media law field, with a burgeoning portfolio of major clients and a central involvement in some of the most important media and information law cases currently proceeding before the English courts’.