Leducate Explains: Privacy and the Law

 


This LedEx article aims to help you understand how to protect your privacy, how private information may be misused, and the Right to be Forgotten.

Introduction

Privacy is a difficult concept in the law and there is no specific ‘right to privacy’. One of the reasons that privacy is so difficult to define in law is that privacy is ‘relational’. Relational means that one person’s privacy relates to another person. For example, a person may have chosen to disclose something to one person, but not to another person. It is therefore private in relation to some people but not necessarily to others.

Certain events may also affect the nature of the information. Information that was once private may no longer be private if it becomes well known, or publicly available to everyone. The context of where the information is found, or how it is disclosed, will also affect whether it is private or not. 

How can we protect our privacy?

There are two laws that are usually relied on by individuals to protect privacy in the courts: 

  1. Article 8 of the European Convention on Human Rights (“the Convention”)

  2. The law of misuse of private information (a common law tort, explained later!)

What the Convention says:

Article 8 of the Convention essentially says:

1. That everyone has the right to respect (i.e. privacy) for his private and family life, 

2. There should be no interference by a public authority (examples being a government organisation or a charity) in the right to respect for private life except in cases of:

- National security,

- Public safety, 

- A country’s economic well-being,

- Prevention of crime,

- Protection of health or morals,

- Protection of others’ rights and freedoms.

Breaking down Article 8’s impact on UK law:

  • The Human Rights Act

In the UK, the Convention is incorporated into law by way of the Human Rights Act 1998. Public authorities and bodies carrying out public functions must act in a way that is compatible with the Convention rights, and Courts are required to make sure that laws are interpreted in a way that makes them work with the Convention. 

  • What is a qualified right?

Article 8 is a ‘qualified right’. This means that an interference, or restriction, with the right to respect for private life is possible in certain situations, which are provided in the Convention, such as in the interest of public safety. 

  • Bringing a claim

A claim based on breach of the right to private and family life (Article 8) can only be brought against a public authority or body (like your local council). Where individuals want to bring a privacy-related claim against a private individual (like you or me) or a company, usually their options are to either:

  1. Bring a misuse of private information claim 

    and/or

  2. Bring a data protection claim.

Misuse of Private Information

The common law is law that is made by judges through decisions made in cases. The common law, together with legislation made by Parliament, makes up the primary source of law in the UK. Misuse of private information is what is known as a ‘tort’. A tort is where a civil wrong has occurred that has caused a claimant loss or harm and for which legal liability is imposed. Not all situations that cause harm give a person (or sometimes a company) a legal right to sue, but particular torts have been developed over time through the courts.

What is the tort of misuse of private information? 

Misuse of private information is a recent development in the common law formulated by judges in a case in 2004 because they recognised that there was a gap in the law. Before the tort was created it was only possible to bring claims against companies or private individuals under the law of confidence for the unlawful use of confidential or secret information. However, this required there to be a contract between the parties, or a relationship where confidence is assumed (e.g. a lawyer-client or doctor-patient relationship). In many situations this would not apply and so the misuse of private information tort was created to enable individuals to protect private information in the absence of such a relationship.

How is the tort applied? 

The tort of misuse of private information applies where there is a reasonable expectation that specific information will not be made public or disclosed to others. The person who revealed the information can defend a claim on the basis that there is a lawful basis which they can rely on and that it is justified in the circumstances. Courts must balance the competing rights of the person who wants the information to remain private, against the person or company that wants to disclose the information. This sort of claim often arises against the media, but it can be brought against persons who want to, or are, publishing information on the Internet and/or social media.

There can be difficulties in bringing a claim in misuse of private information. First, the information must engage the right to private and family life (Article 8) of the Convention. This means that it must meet a minimum threshold of seriousness and must also be found by the court to be of a type where there is a reasonable expectation of privacy. For example, health information will engage Article 8, but simply a person’s name may not. The test for reasonable expectation of privacy is highly fact specific. Sometimes the information that does not meet the threshold for a misuse of private information claim may still be classified as ‘personal data’ and its use or disclosure could constitute a breach of data protection law.

Second, a misuse of private information claim can only be brought in the High Court. This makes these claims very expensive, and they are often complex.

The Right to be Forgotten

The ‘Right to be Forgotten’ (“RTBF”) was established in a landmark case for privacy in the Court of Justice of the European Union (“CJEU”) in 2014. The judgment was handed down before Brexit and still applies in the United Kingdom through the UK GDPR. The right enables individuals to make a request to a search engine, website, or company to remove information about themselves. It is most often used to request that a search engine de-list a particular website that appears against a search of a person’s name.

There are two types of requests: 

  1. to a search engine or website that is indexing the URL, and

  2. to a company, website or organisation that is publishing (or ‘processing’ in data protection terminology) the information on a webpage.

It is important to note that the Right to be Forgotten is not an automatic right, unless it was information that was posted by a person when they were still a child (under 13 years old, for data protection purposes) on an Internet platform. Otherwise, if the information was published by someone else, anywhere on the Internet, or if the person who wants the information removed is an adult, there are certain factors that must be present. These factors are based in data protection law. 

Who can make a RTBF request?

Only a natural person – a living human being – is able to bring a RTBF request about their own personal data. This person is referred to as a ‘data subject’. 

What can you ask to be removed?

The information must be classified as personal data. Personal data is given a broad definition in the UK GDPR and includes any information that relates to a person, or from which a person can be identified. In data protection, even information such as an Internet Protocol address (‘IP address’) is considered to be personal data. 

What is happening to the information?

The information must be ‘processed’ by automated means. Anything done to data, such as collecting, recording, organising, storing, adapting, publishing electronically and erasing, comes within this definition.

Who does it apply to?

The RTBF can be requested from search engines, online indexing sites, and any organisation or company that is processing your personal data. Where personal data is being processed, the company or organisation processing the data is referred to as a ‘controller’. Individuals who are using personal data in a personal capacity are exempt, although in certain circumstances it can apply to them too.

On what basis can a RTBF request be made?

There are six grounds under which a RTBF request can be made. Most often a data subject will request removal of information on the basis that it is out of date, or where there are no legitimate grounds for the controller to continue to process it. For example, in relation to a webpage on the Internet, a person may ask for it to no longer appear on the basis that it contains information about them that is old and no longer relevant.

Can a RTBF be refused?

There are a number of possible exemptions that a controller can rely on to refuse a RTBF request. Most common is for exercising the right of freedom of expression and information under Article 10 of the Convention. The controller may be required to process the personal data because of a legal obligation, to defend itself against legal claims or for historical research purposes. It could also argue there are legitimate reasons for it to continue to process the personal data that outweigh the data subject’s rights under data protection law. Public authorities may also be exempt under provisions in the Data Protection Act 2018, for example in the areas of crime, immigration, and social services.

Is it possible to challenge a decision not to accept a RTBF request?

If a data controller does not agree to a RTBF request, it is possible to make a request to the Information Commissioner’s Office to review the decision. A civil claim could also be brought against the controller. Unlike for misuse of private information claims, data protection claims may be brought in a county court, although complex cases will be transferred to the High Court.

A second part to this series, about Data Protection, is coming soon!


 

Glossary box

Brexit: When the United Kingdom left the European Union.

Common Law: The part of English law that is formulated, developed and handed down by judicial precedent rather than through statutes laid down in Acts of Parliament.

Controller: The individual, company, organisation or public body that processes personal data by automated means.

Disclose: To make information available to another person(s) or to the public.

GDPR: Regulation (EU) 2016/679 (the General Data Protection Regulation).

Indexing: A method of storing webpages and their contents in a structured, accessible form on the Internet.

Information Commissioner’s Office: Often referred to as the ‘ICO’, which is the UK’s data protection authority that is responsible for overseeing the data protection regime.

Internet Protocol (“IP”) address: A unique address that identifies a device on the Internet or local network.

Legal Liability: You are legally liable for something if you should be held responsible, by law, for it.

Personal Data: Any data that relates to, or identifies, a living person.

Processing: An action done to personal data by automated means. For example, emailing, storing on a computer, editing, deleting, adapting data.

Tort: A civil wrong that causes loss or harm for which another is legally liable.

URL: A Uniform Resource Locator is the address of a particular webpage that enables a person to access it.