Data Protection Litigation: Pre-action Protocol for Media and Communications Claims

Jane Lambert

 

There has recently been a surge in claims by individuals seeking to enforce their rights under data protection legislation through litigation.  I have appeared in two such claims this week, one in London and another in the Thames Valley.  I have also advised in writing and in conference on several more. A surprising aspect of the surge is that the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 are much more complicated than the Data Protection Act 1998 and the Data Protection Act 1984, which preceded them. Those Acts also provided rights of action, but they were used much less frequently than the present legislation.  Another surprise is the infrequency with which parties refer to the Pre-action Protocol for Media and Communications Claims, even though that protocol applies to all data protection claims.  In both of the cases in which I appeared this week, observance of the protocol would have made a significant difference to the outcome of the litigation.  

Effective Judicial Remedy

Art 79 (1) of the UK GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) as modified by The Data Protecion, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) entitles data subjects to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in non-compliance with the regulation.  That includes a right under art 82 (1) to compensation from a controller or processor for any material or non-material damage that may arise as a result of such non-compliance.

Pre-action Protocols

Para 1 of Practice Direction - Pre-action Conduct and Protocols states that pre-action protocols explain the conduct and set out the steps the court would normally expect parties to take before commencing proceedings for particular types of civil claims. Para 2 warns that a person who knowingly makes a false statement in a pre-action protocol letter or other document prepared in anticipation of legal proceedings may be subject to proceedings for contempt of court.  Para 3 states that the objectives of pre-action conduct and protocols are to enable parties to disputes to:

"(a) understand each other’s position;
(b) make decisions about how to proceed;

(c) try to settle the issues without proceedings;
(d) consider a form of Alternative Dispute Resolution (ADR) to assist with settlement;
(e) support the efficient management of those proceedings; and
(f) reduce the costs of resolving the dispute."

Para 4 stresses that a pre-action protocol must not be used by a party as a tactical device to secure an unfair advantage over another party. Only reasonable and proportionate steps should be taken by the parties to identify, narrow and resolve the legal, factual or expert issues.  Para 5 adds that disproportionate costs in complying with any pre-action protocol are likely to be irrecoverable.  Para 6 states that where there is a relevant pre-action protocol, the parties should comply with it before commencing proceedings.  Para 8 reminds parties that litigation should be a last resort. As part of a relevant pre-action protocol, the parties should consider whether negotiation or some other form of ADR might enable them to settle their dispute without commencing proceedings.

Non-compliance with a protocol can be penalized in several ways.  For example, para 16 states that a party at fault may be ordered to pay costs on an indemnity basis or a successful party may be deprived of some or all of his or her costs.

Pre-action Protocol for Media and Communications Claims

Although it is not listed among the "Protocols in Force" in para 18 of PD-Pre-action Conduct and Protocols, para 1.1 of the Pre-action Protocol for Media and Communications Claims states that it applies to data protection claims, including those brought by litigants in person. If a party to a claim becomes aware that another party is a litigant in person, he or she should send a copy of the protocol to the litigant in person at the earliest opportunity.

The aims of the protocol listed in para 2.1 are similar to those of the practice direction, namely enabling parties to prospective claims to:

"(a) understand and properly identify the issues in dispute and to share information and relevant documents;
(b) make informed decisions as to whether and how to proceed;
(c) try to settle the dispute without proceedings or reduce the issues in dispute;
(d) avoid unnecessary expense and control the costs of resolving the dispute; and
(e) support the efficient management of proceedings where court proceedings cannot be avoided."

Para 3.1 requires intending claimants to notify intended defendants of their claims in writing at the earliest reasonable opportunity.   They are also reminded of the need for proportionality in formulating both the letter of claim and response in para 2.2:

"In formulating both the Letter of Claim and Response and in taking any subsequent steps, the parties should act reasonably to keep costs proportionate to the nature and gravity of the case and the stage the complaint has reached."

The following information should be included in the letter of claim: 

• the name of the claimant;
• the nature of and basis for the entitlement to the remedies sought by the claimant;
• any facts or matters relevant to England and Wales being the most appropriate forum for the dispute; and
• details of any funding arrangement in place.

Para 3.4 adds that letters of claim in data protection cases should also include:

•  "any further information necessary to identify the data subject;
• the data controller to which the claim is addressed;
• the information or categories of information which is claimed to constitute personal data including, where necessary, the information which is said to constitute sensitive personal data or to fall within a special category of personal data;
• sufficient details to identify the relevant processing;
• the identification of the duty or duties which are said to have been breached and details of the manner in which they are said to have been breached, including any positive case on behalf of the Claimant;
• why the personal data ought not to be processed/further processed, if applicable;
• the nature and any available details as to any particular damage caused or likely to be caused by the processing/breach of duty complained of; and
• Where a representative data protection claim is intended to be brought on behalf of data subjects, the letter of claim should also: set out the nature of the entity which intends to bring the claim and explain how it fulfils the relevant suitability criteria – see Article 80 of the General Data Protection regulation (GDPR); include details of the data subjects on whose behalf the claim would be brought; and, confirmation that they have mandated the representative body to represent them and receive compensation, where applicable."

Defendants are required by para 3.6 to provide a full response to the letter of claim, as soon as reasonably possible. If a defendant believes that he or she will be unable to respond within 14 days (or such shorter time limit as specified in the letter of claim), then he or she should specify the date by which he/she intends to respond.

Para 3.7 requires letters of response to include:

• "whether or to what extent the Claimant’s claim is accepted, whether more information is required or whether it is rejected;
• if the claim is accepted in whole or in part, the Defendant should indicate which remedies it is willing to offer;
• if more information is required, then the Defendant should specify precisely what information is needed to enable the claim to be dealt with and why;
• if the claim is rejected, then the Defendant should explain the reasons why it is rejected, including a sufficient indication of any statutory exemptions or facts on which the Defendant is likely to rely in support of any substantive defence;
• in a defamation or malicious falsehood claim, the defamatory or false imputation(s) the Defendant contends was conveyed by the statement complained of, if any; and
• where the Claimant to a proposed action has indicated his/her intention to make an application to bring the claim anonymously, the Defendant should indicate whether the Defendant accepts such an order would be appropriate and give an indication of the basis for the Defendant’s position."

Para 3.8 reminds parties that litigation should be a last resort, while para 3.9 suggests the following options for parties to data protection disputes:

"(a) without prejudice discussions and negotiations between the parties;
(b) mediation – a form of facilitated negotiation assisted by an independent neutral third party; [and]
(c) early neutral evaluation (ENE) – a third party giving an informed opinion on the dispute (for example, a lawyer experienced in the field of [data protection] or an individual experienced in the subject matter of the claim)......."

Para 3.10 mentions the need to consider offers under CPR Part 36.  If a dispute is not settled, para 3.11 encourages parties to undertake a further review of their respective positions, to consider the state of the papers and the evidence in order to see if proceedings can be avoided and, at least, narrow the issues between them which can assist efficient case management.  

Finally, parties are referred to other provisions which they might find useful, such as CPR Part 25: Interim Remedies and Security for Costs and CPR PD48 paragraphs 3.1 and 3.2: Part 2 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012 Relating to Civil Litigation Funding and Costs.

Further Information
Anyone wishing to discuss this article further may call me on 020 7404 5252 during UK office hours or send me a message through my contact form at any time.

Privacy and Electronic Communications - Leave.EU Group Ltd v The Information Commissioner

Author Mrmw Public Domain CCO 1.0

Jane Lambert

Court of Appeal (Sir Geoffrey Vos, Master of the Rolls, Lord Justice Lewison and Lady Justice Asplin) Leave.EU Group Ltd & Anor v The Information Commissioner [2022] EWCA Civ 109 (8 Feb 2022)

On 1 Feb 2020, the Information Commissioner issued a monetary penalty notice for £45,000 against Leave.EU Group Ltd. under s.55A of the Data Protection Act 1998 and an assessment notice under s.146 of the Data Protection Act 2018.  She issued those notices because Leave.EU Group Ltd. had sent email newsletters to some of its supporters that contained unsolicited marketing material relating to Eldon Insurance Services Ltd.   It appears that Eldon Insurance Services Ltd is now known as Somerset Bridge Insurance Services Ltd.

Leave.EU and Eldon appealed unsuccessfully to the First-Tier Tribunal (General Regulatory Chamber) (see Leave.EU Group Limited Eldon Insurance Services Limited v The Information Commissioner 2020 WL 01140646). They appealed to the Upper Tribunal which upheld the First-Tier Tribunal (see Leave.EU Group Limited and another v The Information Commissioner [2021] UKUT 26 (AAC)).  With the Upper Tribunal's permission, they appealed to the Court of Appeal.  On 1 Feb 2022, when the appeal was due to be heard, the Information Commissioner's legal representatives turned up at court but there was nobody from Leave.EU.

The Court asked the Information Commissioner's counsel what they should do. He replied that the Court could either dismiss the appeal for non-prosecution or decide the appeal on the Commissioner's oral and written submissions and Leave.EU's skeleton argument. The Commissioner was neutral as to the course that the Court should adopt but her counsel emphasized the importance of the issues under appeal. The Court decided (i) that it would not be just or appropriate to hear the substantive appeal in the absence of Leave.EU, (ii) that the Court was satisfied that Leave.EU was aware of the appeal hearing and had decided not to attend, and (iii) the appeal should be dismissed and that it would give its reasons in writing later.

The Information Commissioner and the tribunals below had found that Leave.EU and Eldon had contravened art 13 (1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, p. 37–47. Leave.EU has appealed on the following grounds:

"First it contended that paragraph 22 did not prohibit the inclusion of any direct marketing information in an email which was otherwise solicited and not sent for direct marketing purposes, such as the political newsletters in this case. Secondly, Leave.EU contended that the FTT was wrong to hold that the subscribers had not freely consented to receive marketing information from Eldon, since they had consented to receive such material as Leave.EU felt might interest its subscribers. Thirdly, Leave.EU contended that the Information Commissioner ought to be regarded as having been required to give reasons for her decision, despite the absence of a statutory requirement to do so."

In its reasoned judgment which was delivered on 8 Feb 2022, The Master of the Rolls described those issues as "important and in some respects novel" at para [19]. He was satisfied that the Court had power to hear the appeal in the absence of the appellant under CPR 52.20 and rule 38 of the Tribunal Procedure (Upper Tribunal) Rules 2008 as well as its inherent jurisdiction but thought it undesirable in the circumstances of this case to try to decide such important questions at the level of the Court of Appeal without full oral argument.

Lord Justice Lewison and Lady Justice Asplin agreed.

According to the Commissioner's counsel, Eldon had been sold to a third party on 31 Jan 2022 who had consented to judgment and reached an agreement with the Commissioner (see her Statement on an agreement reached between Somerset Bridge Insurance Services Limited and the ICO of 1 Feb 2022). The solicitors who had acted for both appellants had applied to come off the record a few days earlier. The Court had tried to communicate with Leave.EU's sole director but he did not respond to its approaches.

The failure of Leave.EU to take any steps in the appeal in the days leading up to the hearing is regrettable.  As Sir Geoffrey Vos noted at [19] an appropriately qualified panel of the Court of Appeal had been ready to hear this case for many months.  The issues upon which the Court had been asked to decide are likely to concern other parties and cases of this kind do not come before the Court of Appeal often. 

Anyone wishing to discuss this article or the procedural or standard issues may call me on 020 7404 5252 during normal business hours or send me a message through my contact form.

Introduction to the GDPR

Standard YouTube Licence

Jane Lambert

This is the first of a series of articles that I am writing on the GDPR. So much has been written about the topic by lawyers, computer consultancies, government agencies and others that you might think that we need some more articles on GDPR like we need a hole in the head. But we probably do as I found out while looking for materials on the subject for a presentation that I am giving to a local authority on Monday because much of what has appeared to date has been alarming, confusing or even downright misleading.

The initials GDPR stand for the words “General Data Protection Regulation”. That is the short title for a law officially known as Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. That is a bit of a mouthful but the title states exactly and precisely what the law is and what it does.

First, it is a regulation of the European Parliament and the European Council. The European Parliament and Council are the legislature of the European Union. The European Parliament consists of 751 members directly elected by the citizens of the European Union 73 of whom represent constituencies in the United Kingdom while the Council consists of representatives of national governments including our own. The European Parliament and Council make three kinds of laws known respectively as regulations, directives and decisions.

 Regulations are laws that come into being upon adoption by the European Parliament and Council with equal effect throughout the European Union without any intervention from the governments of the member states. Directives are instructions from the Parliament and Council to national governments to make or amend their national laws so that they comply with an agreed text. 

 A good example of a directive is Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Data Protection Directive”) which required the EU member states to enact data protection regulation by 24 Oct 1998. The United Kingdom implemented the Data Protection Directive by enacting the Data Protection Act 1998 which regulates the processing of personal data in this country in accordance with that directive. 

 Decisions are laws of less importance. One that has been in the news lately is Decision No 445/2014/EU of the European Parliament and of the Council of 16 April 2014 establishing a Union action for the European Capitals of Culture for the years 2020 to 2033 and repealing Decision No 1622/2006/EC which set out the procedure for selecting the European Capital of Culture between 2020 and 2023 which I discussed in Jane Lambert European Capital of Culture 28 Nov 2017 NIPC Brexit. The GDPR is a law that will come into effect on 25 May 2018 throughout the European Union including the United Kingdom as we shall still be in the European Union on that day without any further intervention from the British or any other national government.

Secondly, the title makes clear that the regulation protects the interests of living human beings when data that relates to them are processed by computer or otherwise. The need to control the way such data are collected, collated and used has been recognized ever since the end of the 1960s. In the United Kingdom, the problem was considered by a committee chaired by Sir Kenneth Younger which produced the Younger Committee Report on Privacy (Cmnd 5012) in 1972 and Sir Norman Lindop who wrote a follow-up report on data protection shortly afterwards. Sir Norman wrote:

"The speed of computers, their capacity to store, combine, retrieve and transfer data, their flexibility, and the low unit cost of the work which they can do have the following practical implications for privacy:
(1) they facilitate the maintenance of extensive record systems and the retention of data in these systems,
(2) they can make data easily and quickly available from many distant points;
(3) they can make it possible for data to be transferred quickly from one information system to another;
(4) they make it possible for data to be concealed in ways that might not otherwise be practicable,
(5) because the data are stored, processed and often transmitted in a form which is not directly intelligible, few people may know what is in the records or what is happening to them" (see para 7 of the Report of the Committee on Data Protection (Cmnd 7341)).

Those problems have become even more serious with the growth of the internet.

The third aspect of the law is contained in the words “the free movement of [personal] data. The Younger and Lindop reports might have been left on the shelf to gather dust had the Swedish parliament not enacted a data protection law in 1973. That law, like all subsequent data protection laws, contained a provision restricting the transmission of personal data to countries that did not provide similar protection for such data. When a Swedish local authority wanted to export personal data to a British company that had won an order to make identity cards for the authority, the Swedish data protection authority blocked the transfer because there was no data protection law in the United Kingdom at that time. Even in the 1970s information flows were vital for international business particularly for financial services which have always been important for the UK. The need to protect personal data was quickly perceived as an impediment to business which required a prompt solution.

The OECD proposed a set of guidelines known as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data on 23 Sept 1980 that allowed international data flows to continue on the understanding that data controllers would process personal data in accordance with those guidelines. The US government encouraged businesses in the USA to follow those guidelines voluntarily on the basis that it was in their interests to do so and many did so. Successive US administrations always believed that self-regulation and encouraging best practice is a more effective way of protecting personal data than legislation and for that reason, it has never enacted a federal data protection statute although several states have done so. 

Europe has followed a different approach. On 28 Jan 1981, The Council of Europe proposed a regional convention as a model for national data protection laws known as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and it was this latter model that the UK followed when we enacted our first Data Protection Act 1984. I wrote about the origins of data protection law in Jane Lambert Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sep 2017 NIPC Law. 

 The policy of the OECD Guidelines and the Council of Europe were very similar. Both aimed at protecting personal data while safeguarding data flows. That policy is reflected in art 1 of the GDPR:

“Subject-matter and objectives
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”

The GDPR is thus a law to protect the interests of living individuals throughout the EU with regard to the processing of data by which they may be identified while safeguarding the free flow of information throughout the EU. It will come into being with equal effect in every member state without further intervention of the governments of those states.

The final element of the title is the phrase “repeating Directive 95/46/EC”. The recitals to the GDPR state that the objectives and principles of the Data Protection Directive remain sound, but the directive has not always prevented fragmentation in the implementation of data protection across the EU, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. It was feared that differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the member states could prevent the free flow of personal data throughout the EU. It was also feared that those differences might constitute an obstacle to the pursuit of economic activities at EU level, distort competition and impede authorities in the discharge of their responsibilities under EU law.

Para (10) of the recitals declared that in order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the EU, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. A regulation was necessary to:

• ensure a consistent level of protection for natural persons throughout the EU, 
• prevent divergences hampering the free movement of personal data within the internal market, 
• provide legal certainty and transparency for economic operators, including micro-businesses and SME, 
• provide natural persons in all member states with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, and ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. 

Art 94 (1) of the GDPR repeals the Data Protection Directive from the day when the regulation takes effect. It will not automatically repeal the Data Protection Act 1998 or other national statutes that were enacted to implement the diective (though the primacy of EU law would have that effect as the statute would be disregarded wherever the act and the regulation conflict) but that will be done by the new Data Protection Bill after it receives royal assent.

Should anyone wish to discuss this or any of my other articles on data protection, call me on 020 7404 5252 during office hours or send me a message through my contact form.

Further Reading

Date	Author and Title	Publication
1 Dec 2017	GDPR Index	NIPC Data Protection
11 Aug 2017	Data Protection Glossary	NIPC Data Protection