Fiona Brimblecombe and Helen Fenwick

In England and Wales protection from one threat to privacy – from unconsented-to disclosures/misuse of private information online – is covered by both the established tort of misuse of private information and now by a recently enhanced data protection scheme, arising under the United Kingdom (UK) General Data Protection Regulation 2016 (GDPR) (relied on by the Data Protection Act 2018). The previous scheme ran alongside the tort, in an uneasy relationship which until recently saw its marginalisation in the privacy context under consideration. The result was that the data protection jurisprudence in this context is impoverished, while the tort jurisprudence and scholarship flourished.

This research set out to show that merely noting that the two causes of action are available and may arise in the same claim would provide a limited response to their potential, and discarded the idea of focusing on one while disregarding the other. With the advent of the UK GDPR, and the rise in the dangers to protection of private information posed by the ‘tech’ companies, it presented a new argument in opposition to the two separate silos into which scholarship in this area has fallen. But, more importantly, it set out to argue in favour of the opportunities the two actions provide for addressing the range and variety of privacy claims, especially against online ‘intermediaries’, including from non-celebrities. To that end it probed the differences between the designs of the key (substantive) elements of the two actions which could render one more apt or able to provide privacy protection, depending on the situation, than the other, especially in the online context. It also considered as a warning potentialities within both that could detract from their efficacy.

The research found that the threat to protection of personal information is changing – it is now coming from the tech companies as much as from the traditional media bodies. So the research set out to re-evaluate the opportunities presented by the availability of both these areas of liability in the online context, especially under an expansive approach, and of their ability to protect persons from various forms of online privacy invasion. It focused on one particular aspect of the fundamental right to privacy, reflecting the value often viewed as at the core of informational autonomy, the preserving of control over unconsented-to disclosures/use of personal information, especially online. The research envisaged an increasing court-based reliance on both areas of liability in the digital era and foreshadowed the nature of the jurisprudence that is beginning to arise. The current and future roles of both actions in relation to online privacy invasion now requires reflection, which our article in the Northern Ireland Legal Quarterly sought to provide.

The article considered the legal context under the European Convention on Human Rights (ECHR) and EU Charter of Fundamental Rights, emphasising that a number of the relevant rights align and that Strasbourg jurisprudence is relevant to the interpretation and application of European Union (EU) laws due to inter-court comity between the Court of Justice of the EU (COJ) and the European Court of Human Rights (ECtHR). So, it pointed out that even after ‘Brexit’, the interpretation of the UK GDPR, as a retained provision, will still be influenced by interpretations based on the relevant article 8 and 10 ECHR jurisprudence. But, despite these commonalities in human rights terms, some differences between the two causes of action were emphasised in relation to the scope of their privacy protection, but much less so in relation to the protection they provide for freedom of expression, so in this blog post it is that scope which is focused on.

The article considered which online actors are susceptible to attracting liability under the tort. That issue is clearly less problematic under the GDPR: online blogging, or postings on social media including personal information, clearly amount to data-processing; intermediaries  hosting unconsented-to third-party disclosures of personal information are also viewed as data controllers, and potentially within scope of liability. The article explored the position under the tort as more complex and currently developing: it also clearly covers the online publisher of the information, and it is now apparent, although not yet firmly established, that the platform itself can incur tortious liability if it has notice of the content and therefore could not utilise an intermediary defence under the E-Commerce Directive (which ceased to apply from January 2021). Once a search engine has decided to maintain links despite a request to remove them on privacy grounds, tortious liability could potentially arise (Townsend v Google); it could also arise where the engine has collected browser-generated information without consent with a view to its disclosure for private gain: Google v Judith Vidal-Hall.

In the digital era, therefore, protection for private information under the tort is receiving more expansive interpretations of its scope. But, while the tort is now beginning to adapt itself to the online environment in potentially applying to intermediaries, as well as publishers, the article questioned whether the nature of the jurisprudence affecting the current determinations as to whether information is ‘private’ – linked to an extent to determinations regarding the traditional media – could potentially play a part in inhibiting the creation of tort liability in respect of some disclosures of private information online. The domestic judges, while paying lip-service to recontouring the tort with the Strasbourg jurisprudence in mind, have not absorbed the Von Hannover principle of covering all information related to an adult’s private/daily life into domestic law. In so far as that is the case, the GDPR/DPA would provide the more appropriate cause of action for some privacy claimants, given the very broad concept of ‘personal data’ under article 4(1). But the article pointed out that for the purposes of covering information that would in reality be likely to be the subject of erasure requests (article 17) or compensation, it is the area of convergence between article 4(1)’s account of personal data and the area of private life-linked information covered by article 8(1) that is significant: an area that is currently of greater breadth than the area covered by the tort.

The article found that the tort, together with the UK GDPR/DPA, is entering a new era in terms of privacy protection, providing the judges with an opportunity to affirm the applicability of the actions to misuse of private information online, one they are – in many instances – currently grasping with alacrity. An exception is provided by the very recent decision of the Supreme Court in Google v Lloyd, published after the article was already at proof stage.

It might have been anticipated that the ascendancy of the tort and marginalisation of data protection in the privacy context under discussion that occurred until recently in the pre-digital era would be reversed under the GDPR/DPA. The article sought to demonstrate that that is not the case. It argued that there are differences between the two causes of action, but that the availability of both provide effective opportunities for privacy claimants to vindicate their claims. The differences may mean that such a claimant may turn to one cause of action as opposed to the other: for example, in relation to apparently innocuous private information. Also, court action is not essential to invoke the right to erasure under article 17, and in any event reliance on the GDPR may in some circumstances lead to a more rapid and less costly resolution of an online privacy claim. But our article concluded that there is room for optimism as to the ability of both causes of action to meet the challenges of confronting the privacy-invading potentialities of the tech companies in the coming years, satisfying in many instances the objective of guarding informational autonomy online.