You would have to be a monk or, at any rate, in an entirely internet-free zone, not to have had your recent days troubled by endless GDPR traffic. The tiniest charity holding your name and email address up to the data behemoths have asked, in different ways, for your consent for them to hold your personal data. You may have observed the frankness and simplicity of the former’s requests and the weaseliness of the latter’s, who try to make it rather difficult for you to say no, indeed to understand what precisely they are asking you to do.
Just in case you have not looked at it, here is the Regulation. It is actually a good deal easier to understand than a lot of the summaries of it.
This lack of transparency in these consent forms/privacy statements had not gone unnoticed by one of Europe’s more indefatigable privacy sleuths. Max Schrems, an Austrian lawyer, who, at 30 years of age, has already been to the EU top court twice (see here and here), moved fast. By the end of GDPR day last Friday, 25 May, he sued global platforms with multibillion-euro complaints. 3 complaints said to be valued at €3.9 billion were filed in the early hours against Facebook and two subsidiaries, WhatsApp, and Instagram, via data regulators in Austria, Belgium and Germany. Another complaint valued at €3.7 billion was lodged with France’s CNIL in the case of Google’s Android operating system.
This blog has covered a number of claims for damages arising out of the misuse of private information. The Mirror Group phone hacking case is one example (see my post here and the appeal decision here), and the fall-out from the hapless Home Office official who put private information about asylum-seekers on the Internet, being another – (Gideon Barth’s post on TLT here). See also below for related posts.
But this post is to give a bit of context, via the wider and scarier cyber crime which is going on all around us. It threatens the livelihoods of individuals and businesses the globe over – and has given and will undoubtedly give rise to complex spin-off litigation.
So let’s just start with the other week. On 21 October 2016, it seems nearly half the Internet was hit by a massive DDoS attack affecting a company, Dyn, which provides internet services infrastructure for a host of websites. Twitter, Reddit, Netflix, WIRED, Spotify and the New York Times were affected. DDoS, for cyber virgins, is Distributed Denial of Service, i.e. an overloading of servers via a flood of malicious requests, in this case from tens of millions of IP addresses. No firm culprits so far, but a botnet called Mirai seems to be in the frame. It is thought that non-secure items like cars, fridges and cameras connected to the Internet (the Internet of Things) may be the conscripted foot soldiers in such attacks.
And now to the sorts of cases which have hit the headlines in this country to date.
In December 2015, the European Court of Human Rights, by 6 votes to 1, dismissed a Romanian national’s appeal against his employer’s decision to terminate his contract for using a professional Yahoo Messenger account to send personal messages to his fiancé and brother.
Mr Barbulescu contended that his employer had breached his Article 8 right to respect for his private life and correspondence, and that the domestic courts had failed to protect his right. The Court found that there had been no such violation because the monitoring of the account by his employer had been limited and proportionate.
Mr Barbulescu’s employers asked him to create a Yahoo Messenger account for responding to client enquiries and informed him that these communications had been monitored. The records showed that he had used the Internet for personal purposes, contrary to internal regulations. The employer’s regulations explicitly prohibited all personal use of company facilities, including computers and Internet access. The employer had accessed the Yahoo Messenger account in the belief that it had contained professional messages. Continue reading →
Richardson v Facebook  EWHC 3154 (2 November 2015) – read judgment
An action in defamation and under the right to privacy against Facebook has been dismissed in the High Court. The Facebook entity named as defendant did not “control” the publication so as to allow liability; and even if it did, no claim under the Human Rights Act could lie against FB as it could not be described as any sort of a public authority for the purposes of Section 6 of the Act.
The claimant, acting as a litigant in person, sought damages in respect of the publication in 2013 and 2014 of a Facebook profile and a posting on the Google Blogger service. The Profile and the Blogpost each purported to have been created by the claimant, but she complained that each was a fake, created by an impostor. She claimed that each was defamatory of her, and infringed her right to respect for her private life under Article 8 of the European Convention on Human Rights (ECHR). Continue reading →
Brett Wilson LLP v Person(s) Unknown, Responsible for the Operation of the Website solicitorsfromhell.co.uk, 7 September (Warby J)  EWHC 2628 (QB) – read judgment
This was a claim in libel by a firm of solicitors who acted for another firm which also claimed against the operators of SFHUK, causing the original site to be shut down (Law Society v Rick Kordowski ). In this case the words complained of appeared on a new site, but despite efforts by the present claimants, it was not possible to find out who was operating it. The site alleged various aspects of mismanagement, including incompetence and fraud. It also quoted a client of the claimant firm who alleged overcharging and who refused to pay their fees. (It is worth noting that the site appears to have been taken down since default judgement was given in this case)
Google Inc v Vidal-Hall and others  EWCA Civ 311 (27 March 2015) – read judgment
This case concerned the misuse of private information by an internet provider based in the United States. Google had secretly tracked private information about users’ internet browsing without their knowledge or consent, and then handed the information on to third parties (a practice known as supplying Browser-Generated Information, or ‘BGI’).
The issue before the Court of Appeal was twofold:
Was the cause of action for misuse of private information a tort, specifically for the purposes of the rules providing for service of proceedings out of the jurisdiction?
The Bussey Law Firm PC & Anor v Page  EWHC 563 (QB) – read judgment
The facts of this case are simple. A defamatory comment was posted on the claimant’s Google maps directional page, implying that he was a “loser” as a lawyer and that his firm lost “80%” of cases brought to them. The defendant claimed that someone must have hacked in to his own Google account to put up the post.
There were jurisdictional complications in that the firm is situated in Colarado but these need not concern us here as Sir David Eady, sitting as a High Court judge, allowed the trial to go ahead in England. The real question was why any third party would have gone to the trouble of hacking into the defendant’s Google account in order to post the offending review; if the objective were merely to hide the hacker’s identity from the claimants, there would be the simpler option of setting up an anonymous Google account. This would in itself render the would-be publisher untraceable, and especially if it were done from a public computer. Continue reading →
Chief Constable of Greater Manchester v Calder  EWHC B11 – Read judgment
Adam Wagner represented Scott Calder in this case. He is not the writer of this post.
The Greater Manchester Police (‘GMP’) have been unsuccessful in an attempt to obtain an Injunction to Prevent Gang-Related Violence (‘IPGV’ or ‘Gangbo‘) against Scott Calder. The application was based on police intelligence and the lyrics of Mr Calder’s YouTube Grime Rap videos. On 14 January 2015, Mr Justice Blake dismissed the GMP’s appeal to the High Court, and in doing so laid out guidance on the purpose and ambit of the IPGV legislation, which is currently being substantially amended by Parliament.
The below is based on the Judge’s ex tempore judgment (i.e. given at the hearing). We will post the full judgment when it is available.
Keynote speech by Lord Neuberger at 5 RB Conference on the Internet, 30 September 2014
The President of the Supreme Court has delivered a very interesting address on the protections that should be afforded to what might be termed the “new Fourth Estate” – journalism on the internet. The following summary does not do justice to his speech but is meant to act as a taster – download the full text of his talk here.
Lord Neuberger explores the interrelationship of privacy and freedom of expression, particularly in the light of developments in IT, and especially the internet. He recalls a colourful eighteenth century figure who contributed a series of letters to a widely disseminated journal under the pseudonym of “Junius”. He managed to make such effective attacks on public figures he brought about the resignation of the Prime Minister, the Duke of Grafton, in 1770. Because of his anonymity this character was able to make criticisms of the powerful for which others of his time faced prosecution.
Junius offered a voice of firm if sometimes scurrilous criticism, prompting both political and legal change. He is rightly remembered as one of the greatest political writers in an age dominated by great figures, yet his identity [still] remains a mystery.
And it is this lack of traceability that links Junius with today’s bloggers. Print journalists are – with the exception of writers for The Economist – known figures. But forty percent of the world’s population use the internet, and despite initial expectations that bloggers and tweeters could hide behind pseudonyms, it has turned out to be extremely difficult for internet writers to maintain their anonymity. The public and the courts increasingly recognise the press’ interest in publishing the names of individuals in appropriate circumstances. Continue reading →
Welcome back to the UK Human Rights Roundup, your regular lightening rod of human rights news and views. The full list of links can be found here. You can find previous roundups here. Links compiled by Adam Wagner, post by Celia Rooney.
In recent human rights news, the ECJ finds against Internet giant Google, strengthening the so-called ‘right to be forgotten’. In other news, the UK awaits to see if it will be prosecuted before the ICC in relation to allegations of war crimes in Iraq, while the Court of Appeal confronts the issue of legal aid cuts in serious fraud cases as the Operation Cotton scandal continues.
Delfi AS v Estonia (Application no. 64569/09) 10 October 2013 – read judgment
This case concerned the liability of an Internet news portal for offensive comments that were posted by readers below one of its online news articles. The following summary is based on the Strasbourg Court’s press release.
The applicant company owns one of the largest internet news sites in Estonia. In January 2006, Delfi published an article on its webpage about a ferry company. It discussed the company’s decision to change the route its ferries took to certain islands. This had caused ice to break where ice roads could have been made in the near future. As a result, the opening of these roads – a cheaper and faster connection to the islands compared to the ferry services – was postponed for several weeks. Below the article, readers were able to access the comments of other users of the site. Many readers had written highly offensive or threatening posts about the ferry operator and its owner. Continue reading →
Case C-131/12: Google Spain SL & Google Inc. v Agencia Española de Protección de Datos (AEPD) & Mario Costeja González – read Opinion of AG Jääskinen
This reference to the European Court of Justice (CJEU) concerned the application of the 1995 Data Protection Directive to the operation of internet search engines. Apart from demonstrating the many complications thrown up by this convoluted and shortsighted piece of regulation, this case raises the fascinating question of the so-called right to be forgotten, and the issue of whether data subjects can request that some or all search results concerning them are no longer accessible through search engine.
HL (A Minor) v Facebook Incorporated, The Northern Health and Social Care Trust, The Department of Justice for Northern Ireland and others  NIQB 25 (1 March 2013) – read judgment
In this somewhat chaotic action, the Plaintiff sued ten defendants, in anonymised form by her father and next friend.
The Writ stated that the Plaintiff, aged 12, had been engaged in posting and uploading sexually suggestive and inappropriate photographic images of herself onto Facebook, and that she had been doing so vis-à-vis several different accounts with differing profile names. She had been involved with the social services from the age of 11. From July 2012 to January 2013 she was the subject of a Secure Accommodation Order. She currently resides in a specialised unit, is a grade below secure accommodation.
This was clearly a bid by the father to bring his wayward daughter under control by restricting her access to the internet.
The Court of Appeal has ruled that in principle, an internet service provider that allowed defamatory material to remain on a blog hosted on its platform after it had been notified of a complaint might be a “publisher” of this material, although in this case the probable damage to the complainant’s reputation over a short period was so trivial that libel proceedings could not be justified.
This interesting case suggests there may be an opening for liability of Google for defamation, if certain steps have been taken to fix them with knowledge of the offending statement. Mr Tamiz, who claimed to have been defamed by comments posted on the “London Muslim Blog” between 28 and 30 April 2011, appealed a decision in the court below to decline jurisdiction in his claim against the respondent corporation and to set aside an order for service of proceedings on Google out of the jurisdiction. Continue reading →
This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.