Celebrities, the Media and the Personal Data Privacy Wars

27 January 2016

Celebrities, the Media and the
Personal Data Privacy Wars

Dr Robin Callender Smith

The Data Protection Act 1998 (DPA) is, currently, the only piece of English legislation which is specifically directed at protecting personal information and an individual's privacy in respect of it. [1] Celebrities were "early adopters", testing its effectiveness with cases like Campbell (Naomi)[2], Douglas (Michael and Catherine Zeta-Jones)[3] and Murray (17-month-old David, son of Dr Neil and Mrs Joanne, aka JK Rowling).[4] In each of these early cases, while the data protection claim was pleaded in the action, it was relegated to being little more than a footnote in the final result. In both Campbell and Douglas the DPA damages were assessed at £50. Supermodels are not the only celebrity litigants to need the prospect of more than that kind of award to get out of bed to litigate.

Then, in the last six months of 2015, the English privacy and data protection landscape changed fundamentally with three key cases and the dawn of a new EU Data Protection Regulation. Two of the cases – Weller (Paul, of Style Council)[5] and Gulati (Shobna, ex-Coronation Street + 7 others)[6] - involved celebrities and the third, Vidal-Hall[7], awaits final resolution at the Supreme Court. The regime created by the shortly-to-be finalised EU Data Protection Regulation will come into force in 2018. The data privacy principles remain constant but transgressions may lead to fines of between 2 – 4 per cent of world-wide turnover or €100m.

Breach of confidence and misuse of private information were the litigation issues which received the lion's share of the judicial and academic attention leaving the data protection breaches relegated to a "technical" area of the process which did nothing to bring to data protection the celebrity status it has recently achieved as a result of the Vidal-Hall, Hegglin[8], Mosley (Max)[9] and Google Spain[10] decisions. That begs the question about how and why the Act had remained so moribund for so long as an active privacy remedy. The answer may be, partly, because of the DPA created a Regulator - the Commissioner - who has both Regulatory and Enforcement powers through a variety of civil and criminal procedures at his disposal. But the key factor was the in-built limitation on damages.

The DPA is not an elegant or easily accessible piece of Parliamentary drafting. It has been considered almost as an ugly relation in the law of privacy and its occasional appearances in law reports "tell of maverick claims and paltry damages". [11] One lawyer with experience of the Act having worked at the Commissioner's Office characterised it thus:

An individual who wishes to use the Act to take action against the press will need deep pockets, a robust constitution and preferably a favourable life expectancy. [12]

Whatever the practical limitations or failures that exist within the drafting, enforcement and operation of the Act, developments both now and in the future are likely to encourage the operation of a regime of personally-enforceable data protection rights rather than what has appeared until recently to be a well-intentioned but inert set of data protection principles.

The Protected Rights in the Act

The Core Rights

The core rights in relation to personal data protected within the Act are set out in the Schedule containing the Data Protection Principles. [13] "Personal data"[14] means data (including sensitive personal data) relating to a living individual who can be identified from those data on its own or from those data when combined with other information in the possession of – or likely to come into the possession of – the data controller. "Data" itself covers information which may be held in five different ways[15] and "data controller"[16] means someone who either alone, jointly or in common with other persons, determines the purpose for which and the manner in which any personal data are – or are to be – processed. While data is defined in this way as "information" it follows that "personal data" includes expressions of opinion recorded about an individual and any indication about the intentions of the data controller or any other person in respect of that individual. The regime established by the Act creates rights belonging to individuals in respect of information being held about them. This gives the individual data subjects rights of access to, control over and compensation for misuse of information held and used by others about them. These key rights are access to what is held on them (s.7)[17], a requirement – on notice - not to process personal data where it could cause damage to the data subject (s.10), the right to compensation for damage or distress (s.13) and for rectification, blocking, erasure and destruction (s.14).

An individual who suffers distress because of any contravention by the data controller of any of the requirements of the Act is entitled to compensation from the data controller for that distress if (a) individual also suffers damage because of the contravention or (b) the contravention relates to the processing of personal data for the "special purposes". [18] The data controller has a defence if he can show that he took such care as, in all the circumstances, was reasonably required to comply with the requirement concerned.[19] Section 14 applies where the data subject satisfies the court that personal data of which he is the subject are inaccurate. The data controller can be ordered to rectify, block, erase, or destroy those data and any other personal data in respect of which he is the data controller and which contain an expression of opinion which appears to the court to be based on inaccurate data.[20]

So, in an English Google Spain scenario, repetitive linking by a UK-based search engine of a data subject who was not a celebrity of any category or any kind of public figure to a report of a long-satisfied County Court judgement or to criminal proceedings that actually led to an acquittal could be breaches under the Act. This is not a right to be forgotten, as the Google Spain judgement has been characterised. It is a right to have information that was correct at the time - but which has been satisfied and superseded through the passage of the years – treated correctly and proportionately according to the law.[21]

A worked example of some of the elements described above is a High Court claim by Mr Benny Steinmetz, an international entrepreneur and billionaire. Steinmetz and others v Global Witness Limited[22] involved a claim under the Act brought by Mr Steinmetz[23] the Chairman of a mining conglomerate.[24] The claim was against the Nobel-prize winning NGO, Global Witness (GW).[25] Subject access requests were made under s.7 of the Act in respect of personal data held by GW about four claimants. Complaints were then made to the Commissioner about GW's non-compliance with the requests.[26] The claim used the Act to mirror a libel claim[27] by inviting the High Court to make findings on the truth of the corruption allegations reported by GW.[28]

For its part, GW maintained that the claim has been brought for collateral and illegitimate purposes [29] – that it was an abuse of process - and was an unwarranted attack on its Article 10 freedom of expression right.[30] It relied on the s.32 media exemption in relation to processing for the purposes of journalism, emphasising that the High Court had its s.3 HRA 1998 duty to interpret s. 32 DPA in a manner which is compatible with Article 10.

This claim – and the defence to it - confronted the issue of where the balance should be struck under the Act between the privacy rights of a billionaire entrepreneur, with the resources to litigate the matter fully, and the Article 10 rights of GW as an NGO to inform and bring matters to the attention of the public. The Information

Commissioner decided that GW was entitled to rely on this 'journalism' exemption of the Act. This – subject to any appeal – is a decision that has major implications for journalists inside and outside the mainstream media. Online campaigning journalists now have a greater chance of being able to argue that the s.32 exemption applies to them.

Section 13 Damages

On the issue of damages and operation of s.13, and the results of claims under the Act, the situation had, until recently, been clouded with doubt. This may all have changed with Vidal-Hall. The Claimants had used Apple devices to access the internet and various Google services. Undisclosed software had allowed Google to monitor their personal data and to target "tailored" advertising at them. Tugendhat J decided that "damage" in s.13 included non-pecuniary damage. He adopted Hugh Tomlinson QC's submission that "moral damage" was a recognised EU concept indicating the right to compensation for breach of individual rights where the rights were non-pecuniary or non-property based. The Court of Appeal confirmed that approach:

Additionally, Article 8 of the Charter of Fundamental Rights of the European Union ("the Charter") makes specific provision for the protection of the fundamental right to the protection of personal data: "everyone has the right to the protection of personal data concerning him or her". It would be strange if that fundamental right could be breached with relative impunity by a data controller, save in those rare cases where the data subject had suffered pecuniary loss as a result of the breach. It is most unlikely that the Member States intended such a result. [31]

Importantly, the Court of Appeal also took the unusual – but not unprecedented -course of using its editing pencil to dis-apply s.13 (2). [32] This power to dis-apply statutory provisions which conflict with EU provisions comes from the European Communities Act 1972 (ECA).[33]

Article 8 EU Charter of Fundamental Rights and Google Spain

Introduction

Article 8 of the EU's Charter of Fundamental Freedoms (the Charter) is embodied in the Treaty of Lisbon and has been effective in the EU (and the UK) for the last six years. [34] It contains a clear, independent and free-standing right in relation to the protection of personal data in its Article 8.[35] Rights and freedoms in the Charter can be limited but only subject to the principle of proportionality.[36]

Directive 95/46/EC – by Article 1 - requires Member States to protect the fundamental rights and freedoms of natural persons and, in particular, their right to privacy with respect to the processing of personal data. Article 13 (1) (g) of the Directive permits exemptions to restrict the scope of the data protection provisions when they constituted a necessary measure to safeguard the protection of the rights and freedoms of others. [37]

Google Spain

Particularly when matters involved celebrities – and linkage in internet searches - the actual result in Google Spain (rather than the reasoning) should have come as no great surprise. Google in France had repeatedly claimed it was difficult to remove egregious material from its systems yet it been ordered to block links to images from the former News of the World video of the "orgy" involving Max Mosley.[38] It contended that the search engine was merely a platform delivering links to independent content. The court decided Google must find a way to remove links to the nine images of Mr Mosley with the prostitutes. Google said it would require building a new software filter to catch new versions of the posted images continuously and remove them. Mr Mosley pointed out that Google could remove them automatically as it did for content such as child pornography. Pre-Google Spain this confirmed that the persistence of individual celebrities with substantial financial and legal resources – with the stamina for the litigation required in different jurisdictions – could successfully test and challenge the law in relation to the misuse of their personal information in the context not just of the domestic press and media but also on the internet. It is, after all, on the internet where the damaging linkage occurs.

Google Spain created global attributed celebrity status for Mario Costeja González, providing this most up-to-date data protection example of the Streisand effect. As a result of the decision celebrities of all categories may seek shelter in the incorrectly categorised "right to be forgotten" elements of the decision.[39] But – as has already been pointed out – the role an individual has played in public life will be one of the factors in determining whether:

the interference with his fundamental rights is justified by the preponderant interest of the general public in having [via a search link] access to the information in question. [40]

Curiously the concept of "playing some part in public life" was not further articulated in the decision. Neither were any Charter Article 11 freedom of speech considerations. This leaves a degree of uncertainty together with the danger that what equates to the "public interest" bar remains vague and has been set too low. The court found Google Spain was established in Spain as a controller (not processor) and that the activities of Google Search (also a controller) were "inextricably linked" to those of Google Spain.[41]

Specifically:

….it cannot be accepted that the processing of personal data carried out for the purpose of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the Directive's effectiveness and complete protection of the fundamental rights and freedoms of natural persons which the Directive seeks to ensure…. [42]

Google Spain in English litigation

The first case to come before the English courts, following Google Spain, dealt with linkage and jurisdiction to entertain the claim. Hegglin[43] related to the internet "trolling" of a Hong Kong-based businessman with UK connections. The claimant wanted Google to ensure that abusive material posted about him did not appear in search results on or Google-controlled websites.[44] He relied on sections 10 and 14 of the DPA in respect of his right to prevent data processing likely to cause damage and distress, and rectification, blocking, erasure and destruction, to require Google to remove material about him placed on the internet by an anonymous individual. After initial litigation the matter settled in November 2014.[45]

Then came Mosley v Google Inc.[46] Mitting J declined to strike out Mr Mosley's claim, based on linkage to the video footage, concluding, at [55]:

....it seems to me to be a viable claim which raises questions of general public interest, which ought to proceed to trial.

That did not happen because the matter settled in May 2015. [47] This settlement leaves a number of questions unanswered about the application of data protection rights in the online world. For instance, can the RTBF operate so as to force internet search engines not only to de-index individual URLs on request but also to block access to the offending data globally?[48]

The Regulator

Originally named the Data Protection Registrar he became the Data Protection Commissioner [49] before finally arriving at his present title of Information Commissioner[50] to reflect his role under the Freedom of Information Act 2000 (FOIA). He has duties to educate and inform the public about data protection as well as specific regulatory powers.[51] In his regulatory role he can serve enforcement, information, and monetary penalty notices, and bring prosecutions. He has an important role in European cooperation and the associated obligations under related conventions and is also responsible for encouraging good practice and codes of practice. He is required to lay an annual report before Parliament dealing with the exercise of his functions under the Act.[52]

Here – in the context of the celebrity privacy issues – only the issues arising from Operation Motorman 1 and 2 (Motorman) are examined.

Motorman

The history of Motorman [53] is set out over 12 pages in the Leveson Report.[54] It involved the Commissioner's officials, from 2002 onwards, investigating the activities of a private detective called Steve Whittamore. They uncovered a mass of documentation detailing an extensive trade in personal information. When analysed it showed a clear audit trail between the requests, supply and payment for personal information about celebrities of all categories and others. Mr Whittamore's customers included a significant number of journalists employed by a range of newspaper and magazine titles.

The implications of this material were so significant that the Commissioner presented two reports to Parliament summarising the investigations' findings: What Price Privacy? and What Price Privacy Now? The reports also called for stricter penalties for those engaged in unlawful activities, in particular for breach of s.55 of the Act. Such changes are still awaited.

No journalists were ever interviewed by the Commissioner in relation to Motorman.[55] The Commissioner intended to prosecute Mr Whittamore and five others under s.55 of the Act. However the CPS first prosecuted them – and others – with corruption offences.[56] Given the conditional discharges received by the accused the Commissioner discontinued his prosecutions on public interest grounds. Leveson LJ commented, because the maximum sentence for a breach of s.55 was a financial penalty, that it was not an unrealistic decision.

Motorman, however, was the tip of an iceberg of data protection breaches affecting celebrities and others. The practical effects of these failures, and the industrial-scale of newspapers' hacking and blagging, were played out in Gulati and the damages awarded to eight representative claimants in the recent action against MGN.[57]

Damages claimed and awarded against MGN

Claimant

Claimant's Proposed Damages

Damages Awarded

Alan Yentob

£250,000

£85,000

Lauren Alcorn

£366,000

£72,500

Robert Ashworth

£654,000

£201,250

Lucy Taggart

£652,000

£157,250

Shobna Gulati

£520,000

£117,500

Shane Roche

£520,000

£155,000

Paul Gascoigne

£866,000

£188,250

Sadie Frost

£1,059,000

£260,250

Permitted Interference

Six chapters [58] of Volume III of the Leveson Report deal with the media and the Act. As a general comment, however, while the Press itself may temporise over regulatory structures and paradigms there is arguably a much greater challenge to the way in which it may be permitted to operate in terms of the collection, retention and publication of personal data about celebrities and others in the future. This results from evidence received, comments made and recommendations formulated by Leveson about altering the perceived inequalities in the proportionality of the Article 8 and Article 10 balancing exercise which results from the application of s.32 of the Act. As was pointed out, the development of this aspect of the Act's case law had been to "push personal privacy law in media cases out of the data protection regime and into the more open seas of the Human Rights Act."[59] That had happened because of the "slowness of the legal profession to assimilate data protection law" and, tellingly in the case of the judiciary, judges' greater familiarity with and preference for the "latitude afforded by the human rights regime over the specificity of data protection".[60] That development was undesirable, Leveson suggested, because the data protection regime was "much more predictable, detailed and sophisticated in the way it protects and balances rights"[61] and "significantly reduced the risks, uncertainties and expense of litigation concomitant on more open-textured law dependent on a court's discretion".[62]

Where the law has provided specific answers, the fine-nibbed pen should be grasped and not the broad brush. The balancing of competing rights in a free democracy is a highly sophisticated exercise; appropriate tools have been provided for the job and should be used. [63]

Section 32: "Journalistic, literary or artistic material"

By s.32 (1) DPA personal data which are processed only for the "special purposes" are exempt if (a) the processing is undertaken with a view to the publication of any journalistic, literary or artistic material, (b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and (c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes. [64] Section 32 (3) states that, in considering whether the belief of a data controller was or is a reasonable one, "regard may be had to his compliance with any code of practice".[65] Where, at the relevant time[66] the data controller claims, or it appears to the court, that any personal data to which the proceedings relate are being processed only for the special purposes, and with a view to the publication[67] of any journalistic, literary or artistic material which, at the time twenty-four hours immediately before the relevant time, had not previously been published by the data controller, then the court "shall stay the proceedings until either of the conditions in subsection (5) is met".[68] This exemption currently recognises the importance of Article 10 ECHR - freedom of speech – in the Act, reflecting Article 9 of 95/46/EC. It acknowledges that journalists and the media must be allowed to process data about individuals without having their activities, including newsgathering, investigations and publication, stifled by the Act's requirements. However the Act does not define what the public interest means. What it does say is that, in considering whether a data controller's belief was "reasonable", then there may be reference to any relevant code that falls within the Statutory Instrument.

Two of the leading cases that explored how the courts have interpreted section 32 have already been identified: Campbell and Douglas. Section 32 of the Act will always be fact-sensitive. Surreptitiously-taken photographs of celebrities are always going to attract particular scrutiny.[69] Any personal information that is obtained through a subterfuge or by deception may not have been processed "fairly"[70] in terms of the first data protection principle.[71] This was a point pressed by Robert Jay QC in questions to Richard Thomas and Christopher Graham (past and current Commissioners) in respect of illegally obtained ex-directory celebrity telephone numbers.[72] He wanted to know why, in the light of information about this kind of activity from Operation Motorman, the Commissioners had not served s.43 Information Notices on newspaper titles under the Act and in pursuance of their duty under s.51 to promote good practice. The answers were, from Mr Thomas: "I can't think of any occasions I was personally involved in where this power was used" and from Mr Graham:

…if the point is …that Section 32 covers the writing of this piece, but it doesn't cover the obtaining of the evidence, I find that, well, a challenging distinction about which I would need to think further.

When the additional hurdle of lawful processing is factored in then the apparent burden on the media appears onerous. Practically this is not the case because of the structure of the way this section operates.

The Dynamics of s.32

If the tests in s.32 (1) are met, and the newspaper – as data controller - reasonably believes that compliance with the relevant data protection provision means that either publication of the material which it would be in the public interest to publish would not be possible or that he would be unable to do so effectively or fully, then he is not bound by the particular data protection provision (except principle 7, the security principle). This allows the editor to disregard the prohibition on processing sensitive personal data, the requirement for legitimacy of processing and the prohibition on overseas transfer if there is a reasonable belief that the s.32 (1) tests are made out. The balancing test – assessing whether the publication is in the public interest and whether the relevant data protection provision would be incompatible with publication – is likely to be difficult where the editor seeks to avoid compliance with these fundamental provisions but the effect of s. 32 (4) puts off the examination of all of this until after publication of material.

This inbuilt restriction on prior restraint continues to apply to any processing which is undertaken "with a view to publication" and lasts for as long as there is an intention to publish. This allows the media to resist proceedings brought by an individual to enforce rights under sections 7, 10, 12 or 14 (1) – (3). The media can insist that the individual's proceedings are halted until the Commissioner has made a determination that the processing is no longer carried out for the special purposes or is not carried out only for the special purposes. The practical effect of this is to allow the media to have proceedings stayed until after publication of the relevant material.

This introduces a novel situation, which does not appear to be reflected in any other area of English law, where specific factual issues are transferred from the jurisdiction of the court to a regulatory official – the Commissioner – for an external determination on whether the exemption was correctly applied. The Commissioner's determination [73] is limited to whether the personal data were or were not being processed only for the special purposes. If he decides that the special purposes test is not met then he can lift the stay on the court proceedings. At that stage the media can appeal to the Information Rights Tribunal against that determination. As one commentator has noted:

It is not apparent why Parliament decided that the determination has to be made by the Commissioner. It would be far simpler for the courts to make appropriate determinations as to whether the processing was being carried out for the special purposes. The court seized of the matter would be able to hear witnesses on the claim and cross-examination on the issue. The Commissioner is not in a position to do this. [74]

Even if, on complaint by a celebrity data subject, the Commissioner considered issuing a s.44 notice [75] on the media to enable him to make an advance determination under s.45 he would need to have reasonable grounds for suspecting the media of malpractice in respect of that specific individual. In effect, the Commissioner faces a difficult evidential burden before he can even seek information from the media. The media, however, can assert the exemption in court proceedings as of right without exposing their processes and procedures to the scrutiny of the court before claiming the statutory stay. The proportionality of the effect of this is particularly strained – even in defence of the media's Article 10 rights - because the right of the media to appeal the Commissioner's s.45 determination to the Information Rights Tribunal (with further appeals possible against the Tribunal's decision) adds in additional time that could be measured in years rather than weeks or months.

Summary

The data protection regime in the UK is now in a state of active practical development. It is a slowly maturing set of principles and civil remedies which increasingly will aid celebrities and private individuals to protect their privacy and reputations as well as the integrity and security of personal data and sensitive personal data held and being processed about them. Until recently the practical realities did not match this potential.

While much of the press focus now concentrates on its self-created regulator IPSO there had been less media coverage about what that Report stated about the lack of vigour and vigilance in terms of the protection of personal data by the Commissioner at the time.

At a domestic level the recently-clarified litigation and jurisdictional issues should help provide additional clarity to untested areas involving proportionality generally and specifically to celebrity data protection rights. Google Spain – and its transforming effect of English case law - is as significant for its jurisdictional aspects as the practical effects of the result itself.

The UK's data protection regime is struggling to become mature and effective. As it tries to do this there is, on the horizon, the prospect of substantial changes as a result of the EU's proposed Data Protection Regulation. That lack of stability – in anticipating its final content and the eventual regime it may create – adds additional uncertainty and lack focus within the current regime. As a regime to protect celebrity privacy by litigation, coupled with effective enforcement by the Regulator, it has all the elements to become an effective remedy for the future. At least Naomi Campbell created the spark that others since have been able to kindle into a potent fire in terms of DPA litigation.

© Professor Dr Robin Callender Smith, 2016

[1] The Act came into force on 1 March 2000, pre-dating by six months the statutory recognition in the HRA 1998 of Article 8 privacy and Article 10 freedom of speech rights which became effective on 2 October 2000. The DPA's genesis was in the European Data Protection Directive 95/46/EC.

[2] Campbell v MGN [2004] 2 AC 457.

[3] Douglas v Hello! [2003] EWHC 786 Ch.

[4] Murray v Big Pictures [2008] EWCA 446.

[5] Weller & Ors v Associated Newspapers Ltd [2015] EWCA Civ 1176 and see R Callender Smith Freedom of UK media to publish pictures of children curtailed after landmark ruling 13 November 2015 https://theconversation.com/freedom-of-uk-media-to-publish-pictures-of-children-curtailed-after-landmark-ruling-51062

[6] MGN v Gulati & Ors [2015] EWCA Civ 1291.

[7] Google Inc v Vidal-Hall & Ors [2015] EWCA Civ 311.

[8] Hegglin v Persons Unknown and Google [2014] EWHC 2808 (QB).

[9] Mosley v Google Inc & Anor [2015] EWHC 59 (QB).

[10] Case C‑131/12 Google Spain and Google Inc v AEPD and González.

[11] Philip Coppel QC: address to Statute Law Society 19 March 2012:
http://www.statutelawsociety.org/__data/assets/pdf_file/0019/103870/19.03.12_P.Coppel_paper.pdf

[12] Rosemary Jay Data Protection Law and Practice 4th Edn Sweet & Maxwell 2012, 556

[13] The key Data Protection Principle in Schedule 1 is the 1st Principle: "Personal Data shall be processed fairly and lawfully and, in particular, shall not be processed unless: (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."

[14] Data Protection Act 1998 s.1 (1).

[15] Ibid s.1 (1) (a) – (e): (1) information which is being processed by means of "equipment operating automatically in response to instructions given for that purpose"; (2) information which is recorded with the intention that it should be processed by such equipment; (3) information which is recorded as part of the relevant filing system or with the intention that it should form part of such a system; (4) information which forms part of an accessible record (such as an individual's health or educational public record) and (5) information which is recorded information held by a public authority and which does not fall within any of the four preceding categories.

[16] Ibid s.1 (1).

[17] Austen v University of Wolverhampton [2005] EWHC 1635 (QB).

[18] In the Act, by virtue of s.3 and discussed later, "special purposes" means any one or more of the following: the purposes of journalism, artistic purposes and literary purposes.

[19] Section 13 (3).

[20] Section 14 (1).

[21] Case C‑131/12 Google Spain and Google Inc v AEPD and González [81].

[22] The details of the High Court claim are available on http://www.bsgresources.com/bsgr-guinea/bsgr-guinea-analysis-reports/claim-filed-against-global-witness/

[23] Worth £1.7 billion in 2010: http://israel21c.org/culture/israels-10-richest-men-and-women/

[24] BSGR's interests include 50% of the Simandou iron ore reserve in Guinea.

[25] Global Witness – with offices in the UK and US - investigates and reports internationally on natural-resource related conflict and corruption. Since November 2012, it has alleged that BSGR's share in the Simandou reserve, one of the largest and most valuable in the world, was obtained by corruption. Those allegations are currently being investigated by the Government of Guinea and by a US Federal Grand Jury.

[26] In the proceedings the claimants were seeking a disclosure order under s.7 (9) in relation to personal data, an order under s.10 that GW ceased to process any of the Claimants' personal data on the basis that it was obtained without authorisation as well as seeking identification of GW's sources, a s.14 Order against GW requiring it to rectify, block, erase or destroy inaccurate data and s.13 damages for distress.

[27] See, in particular, The Economist's characterisation of the case in the sub-heading Libel laws have become laxer. Try invoking data protection instead http://www.economist.com/news/britain/21599791-libel-laws-have-become-laxer-try-invoking-data-protection-instead-data-lock

[28] For a detailed exposition of the Act's potential as a reputational shield see Dr. David Erdos Filling Defamation's "Gaps": Data Protection and the Right to Reputation Oxford Legal Studies Research Paper 69/2013.

[29] GW sought to stay the proceedings by using s.32 (4) of the Act, requiring the Commissioner to decide on the application of s.32 to the disputed data.

[30] http://www.globalwitness.org/library/global-witness-fights-misuse-data-laws-threatens-journalistic-freedom

[31] Google Inc v Vidal-Hall & Ors [2015] EWCA Civ 311 [78].

[32] Ibid [93 – 94 and 105].

[33] Section 2(4) and 3(1) ECA give effect to the doctrine of the supremacy of EU law, as interpreted by the Court of Justice, over national law; and where EU law is in doubt, requires UK courts to refer the question to the Court of Justice. As a consequence of the rule of construction in section 2(4) all primary legislation enacted by Parliament after the entry into force of the ECA on 1 January 1973 is to be construed by the courts and take effect subject to the requirements of EU law. This obliges the courts to disapply legislation which is inconsistent with EU law. It first happened in Factortame (No 1) [1990] 2 AC 85; Factortame (No 2) [1991] 1 AC 603 when Part II of the Merchant Shipping Act 1988 was held by the House of Lords to be inconsistent with EU law and therefore disapplied. The same principle was followed by the House of Lords in dis-applying discriminatory provisions in the Employment Protection (Consolidated) Act 1978. In neither Act was there any provision expressly providing for the later enactment to apply notwithstanding the ECA.

[34] In force from 1 December 2009.

[35] (1) Everyone has the right to the protection of personal data concerning him or her. (2) Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. (3) Compliance with these rules shall be subject to control by an independent authority.

[36] Article 52 (1).

[37] In the Act the Government chose to use this to exempt the data protection provisions in circumstances required by law or made in connection with legal proceedings (s.35).

[38] Google had a decision from Paris's Tribunal de Grande Instance, arguing that it was being required to set up a "censorship machine" that could damage internet freedom.

[39] Google's Chief Legal Officer, David Drummond, announced the creation of an advisory "council of experts" to make recommendations about how it should deal with requests for the removal of links from search results and explained its post-judgement approach on 10 July 2014 in The Guardian. The criteria included whether information related to a politician, celebrity or other public figure; if it was from a reputable news source, and how recent it was; whether it involved political speech; questions of professional conduct which might be relevant to consumers; the involvement of criminal convictions which were not yet spent; and if the information was being published by a government. http://www.theguardian.com/commentisfree/2014/jul/10/right-to-be-forgotten-european-ruling-google-debate

[40] C – 131/12 Google Spain [97].

[41] Ibid [45 – 60]: arguably it overstated or misrepresented the law.

[42] Ibid [58].

[43] See Hegglin v Person(s) Unknown & Anor [2014] EWHC 2808 (QB) (31 July 2014), Hegglin v Person(s) Unknown & Google Inc [2014] EWHC 3793 (QB) (14 November 2014), Hegglin v Person(s) Unknown & Google Inc [2014] EWHC 3798 (QB) and http://www.medialawyer.press.net/article.jsp?id=10217173

[44] Hegglin v Person(s) Unknown & Anor [2014] EWHC 2808 (QB) (31 July 2014) per Bean J: [1].The claimant is a businessman and investor who previously lived in London and worked at Morgan Stanley in London but is currently resident in Hong Kong. He continues to have very close connections with the United Kingdom where he has a house and carries out substantial business. He is a director of a company which is in the process of preparing to list on the London Stock Exchange. [2]. An anonymous individual, or possibly group of individuals, has been posting on a large number of internet websites abusive and defamatory allegations about the claimant. It is alleged by way of example that he is a murderer, a Nazi, a Ku Klux Klan sympathiser, a paedophile, a corrupt businessman who has accepted bribes from state officials, an insider trader, and that he has laundered money on behalf of the Italian Mafia. There is no evidence to suggest that any of this is true.

[45] http://www.bbc.co.uk/news/uk-30172110

[46] Mosley v Google Inc [2015] EWHC 59 (QB).

[47] http://next.ft.com/7aab1264-faff-11e4-9aed-00144fe...

[48] Internet Search Engines (ISEs) already do this when images of child pornography are identified. See also Anya Proops http://www.panopticonblog.com/2015/05/18/mosley-v-google-rip/ where she raises the issue of data subjects – like Mr Mosley - who garner significant public attention within the online environment. "The difficulty for such individuals is that online stories or comments about them can proliferate on the internet at such a rate that they cannot practicably achieve the online amnesia they crave. No sooner have they requested that the relevant internet search engine remove a number of privacy-invasive links, than the story has sprung up in a raft of other different locations on the net, with the result that the individual is effectively left trying to capture lightening in a bottle."

[49] 1 March 2001.

[50] 30 January 2002.

[51] His powers and role are set out in Part VI of the Act.

[52] In 2006 he used his power to lay other reports before Parliament when he raised the problems about the unlawful trade in personal data in What Price Privacy? and What Price Privacy Now? arising from Operation Motorman 1 and 2: see 6.4.1.

[53] Ironically it was named after the large operation carried out by the British Army in Northern Ireland on 31 July 1972. That aimed to retake the "no-go areas" controlled by Irish republican paramilitaries that had been established in Belfast, Derry and other large towns.

[54] Leveson Vol I Ch 3, 257 – 269.

[55] In his evidence about Motorman to the Leveson Inquiry on 17 November 2011, former DI Alexander Owens – a Senior Investigating Officer from 1999 – 2005 at the ICO – said the serial breaches of the Act came from access to personal data held on the DVLA via the Police National Computer (PNC). He felt Richard Thomas, the Commissioner, was unwilling to take on the press involved and that "was a wrong decision….certainly not based on any advice given by Counsel or on any lack of evidence, as ICO would have everyone believe." See also Leveson Vol III Part E Chapter 3 257 – 268 and Vol III Part H Chapter 2 1003 – 1025, [1.1 – 1.9].

[56] The indictment at Blackfriars Crown Court was amended to include s.55 offences. Mr Whittamore and another investigator pleaded guilty and – for reasons explained in the sentencing remarks by HHJ Samuels - received conditional discharges.

[57] MGN is seeking permission to appeal to the Supreme Court.

[58] The entirety of Part H covering six chapters and 114 pages (997 – 1111).

[59] Leveson Vol III Part H 2.12, 1070.

[60] Ibid. This observation, in polite terms, suggests that the judiciary itself is not sufficiently comfortable with the provisions of the Act.

[61] Ibid.

[62] Ibid.

[63] Ibid, 1071.

[64] By s.32 (2) this relates to (a) the data protection principles except the seventh data protection principle; (b) section 7; (c) section 10; (d) section 12, and (e) section 14(1) to (3).

[65] Such as the IPSO Code, or one designated by the Secretary of State: Data Protection (Designated Codes of Practice) (No. 2) Order 2000/1864.

[66] Under section 7(9), 10(4), 12(8) or 14 or by virtue of section 13 of the Act.

[67] s.32 (6) "publish", in relation to journalistic, literary or artistic material, means make available to the public or any section of the public.

[68] s.32 (5): the conditions are (a) that a determination of the Commissioner under section 45 with respect to the data in question takes effect, or (b) in a case where the proceedings were stayed on the making of a claim, that the claim is withdrawn.

[69] On this point, the arguably unperceivable differences – save the conflicting results - between von Hannover 1 (2005) 40 EHRR 1 and von Hannover 2 40660/08 [2012] ECHR 228 turn on whether the photographs were taken surreptitiously: R Callender Smith From von Hannover (1) to von Hannover (2) and Axel Springer AG: do competing ECHR proportionality factors ever add up to certainty? Queen Mary Journal of Intellectual Property Vol.2 No.4 2013 388–392.

[70] Note the conflict that now exists on this between Von Hannover I and Von Hannover II noted above and the issues raised by phone hacking pre- and post-HRA 1998.

[71] A recent example is the "blagging" call made by two Australian radio's 2DayFM presenters on 5 December 2012 to the King Edward VII hospital in London where the Duchess of Cambridge was a patient.

[72] Respectively Day 14, 9 December 2011, evidence transcript p 18 line 24 and p 19 line 1 and Day 32, 26 January 2012, p 31 lines 3 – 7.

[73] Under s.45 of the Act.

[74] Rosemary Jay Data Protection Law and Practice 4th Edn Sweet & Maxwell 2012, 580.

[75] A special information notice under s.44 can only be served where one of two conditions applies. Either the Information Commissioner has received a request under s.42 or a stay has been claimed under s.32.