Privacy law Archives - Legal Cheek https://www.legalcheek.com/tag/privacy-law/ Legal news, insider insight and careers advice Wed, 10 Jul 2024 08:12:56 +0000 en-US hourly 1 https://wordpress.org/?v=6.5.5 https://www.legalcheek.com/wp-content/uploads/2023/07/cropped-legal-cheek-logo-up-and-down-32x32.jpeg Privacy law Archives - Legal Cheek https://www.legalcheek.com/tag/privacy-law/ 32 32 GDPR vs. Freemium: why social media giants are winning https://www.legalcheek.com/lc-journal-posts/gdpr-vs-freemium-why-social-media-giants-are-winning/ https://www.legalcheek.com/lc-journal-posts/gdpr-vs-freemium-why-social-media-giants-are-winning/#comments Wed, 10 Jul 2024 07:37:11 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=206464 Aberdeen law student Iakov Shuvalov assesses GDPR's effectiveness in 'freemium' models, where 'free' services may compromise privacy

The post GDPR vs. Freemium: why social media giants are winning appeared first on Legal Cheek.

]]>

Aberdeen law student Iakov Shuvalov examines GDPR’s effectiveness in regulating ‘freemium’ business models, where ‘free’ services may compromise privacy


In the digital age, data has been regarded as the currency of the future. As a result, data is an asset that has grown in value and in its need for protection, and that is why the European Union (EU) implemented the General Data Protection Regulation (GDPR) in 2018. Aiming to empower individuals with control over their data and establish stricter privacy standards, the GDPR promised a paradigm shift and has received praise. However, a closer look reveals a critical shortcoming: the GDPR’s struggle to effectively apply, particularly to freemium models, a business model with significant presence in the average person’s life due to social media.

In the age of ubiquitous online services, the concept of “free” often comes at a hidden cost: our personal data. Freemium business models, particularly prevalent in social media platforms, thrive on collecting and monetizing user information. The current application of the GDPR falls short in its ability to regulate businesses that rely on data collection and monetization as their core revenue stream. This is because the application of the GDPR suffers from critical flaws in several areas, these being in the initial drafting and wording of the GDPR, in the GDPR’s application, and in the GDPR’s enforcement.

Issues in application

Widespread non compliance

A central argument for the GDPR’s ineffectiveness lies in the demonstrably high rate of non-compliance among websites. A web-scanning service analysing the 100 most popular websites in each of the 28 EU member states revealed a concerning lack of GDPR adherence. This study, while limited in its ability to definitively identify non-compliance within a website’s entire system, clearly demonstrates that many websites lack even the most basic GDPR implementation measures on their public interfaces. This widespread disregard for the regulation casts doubt on the ability of the GDPR to achieve its goals of data privacy protection.

This disregard is particularly worrying within the freemium landscape, where data collection and monetization are central to the business model.  Unlike other websites, data collection and user profiling are core functionalities for freemium services. Non-compliance with the GDPR in these areas directly undermines the service’s ability to operate its business model. But the most significant concern here is that if the GDPR is not effectively enforced within this sector, users are left unaware of how their data is being collected and used.

Issues in enforcement

Disproportionate impact

The GDPR’s application creates a concerning imbalance between small and medium-sized businesses (SMBs) and large corporations, particularly those operating under freemium models. While achieving GDPR compliance is crucial, the resources required – legal expertise, technical security measures, and ongoing data practice maintenance –  pose a significant burden for SMBs. These businesses often lack the financial and technical muscle of their larger counterparts.

This disparity creates a two-tiered system where resource constraints force many SMBs to fall short of full compliance, leaving them vulnerable to legal repercussions while for freemium social media giants whose business models rely heavily on data collection, potential GDPR fines become a mere cost of doing business. Their vast resources allow them to navigate GDPR complexities with relative ease.

This uneven playing field undermines the very purpose of the GDPR – a level playing field for data protection practices.  Currently, the system favours large corporations, particularly those in the freemium space. This stifles competition and innovation within the digital economy, as smaller businesses become discouraged from adopting data-driven technologies for fear of non-compliance.

Overall enforcement issues

The effectiveness of the GDPR in curbing privacy violations by freemium businesses is further hampered by significant challenges in its enforcement. While the GDPR outlines hefty fines for non-compliance, several factors create a lacuna in which freemium giants are less likely to face serious consequences.

One issue is the resource constraints of DPAs. Data Protection Authorities (DPAs) in each EU member state often lack the resources to adequately monitor and investigate the complex data practices of large, international freemium platforms. Furthermore, freemium services often operate across multiple jurisdictions. This makes it difficult for DPAs to determine which authority has oversight and hinders effective enforcement action. In addition to this, investigating large-scale data breaches or complex privacy violations involving freemium models can be a lengthy and time-consuming process. This delays any potential penalties and weakens the deterrent effect.

These enforcement challenges create a scenario where freemium businesses may be more likely to gamble on non-compliance. The potential for hefty fines may seem less threatening when weighed against the vast resources these companies possess and the complexities involved in pursuing enforcement actions. This ultimately weakens the GDPR’s ability to effectively protect user privacy within the freemium landscape.

Want to write for the Legal Cheek Journal?

Find out more

Issues in drafting

Loopholes and subjectivity

The GDPR’s reliance on the concept of “legitimate interest” as a legal basis for data processing introduces a significant loophole and element of subjectivity. While the GDPR outlines situations where “legitimate interest” might apply, it ultimately leaves companies with a degree of discretion in interpreting this clause. This subjectivity creates a risk of freemium services prioritizing their own interests over user privacy.

For example, the concept of “legitimate interest” can be used to justify the placement of certain cookies without obtaining explicit user consent. This raises concerns, as freemium business models can potentially interpret “legitimate interest” broadly to encompass a wide range of data collection activities. The lack of clear guidelines and the potential for abuse of this clause weaken the GDPR’s ability to ensure user control over their data.

Cookie notices

The GDPR’s reliance on cookie notices to inform users and gain consent for data collection presents a particular challenge. While intended to empower users, cookie notices often achieve the opposite effect in the freemium context.

As highlighted in a study by Advance Metrics, a staggering 76% of website visitors either ignore cookie banners altogether or simply click through them without engaging with the content. This behaviour stems from several factors such as many cookie notices being intrusive and disrupting the user experience, leading to frustration and a desire to dismiss them as quickly as possible. Another point to note is that the complex nature of cookie categories and the sheer volume of information presented overwhelm users, making it difficult to understand and manage their consent preferences. Finally, when faced with the choice between a seamless browsing experience and delving into complex cookie settings, users often prioritize convenience and sacrifice some control over their data privacy. It is for this reason that as of now there does not exist a lucrative market for businesses to sell enhanced privacy to their customers.

For freemium services, cookie notices become a flawed system that fails to achieve the GDPR’s goals of informed consent and user control over data. The pressure to access the “free” service and the complexity of cookie notices create a situation where users are unlikely to engage meaningfully with them. This ultimately undermines the effectiveness of the GDPR in protecting user privacy within the freemium landscape

Conclusion

The GDPR’s noble aim of protecting user data privacy faces a challenge of growing significance and importance in the freemium landscape created by social media. While the regulation outlines a framework for user control and data protection, its current application struggles to effectively address the practices of freemium business models. The widespread non-compliance, subjectivity of the “legitimate interest” clause, and ineffectiveness of cookie notices all create loopholes that freemium giants can potentially exploit.  Furthermore, the challenges of enforcement leave these companies with a lower risk of facing serious consequences for privacy violations.

It is clear that the current application of the GDPR falls short of its intended purpose. Moving forward, a re-evaluation of the regulation and its enforcement mechanisms is necessary. This may involve strengthening enforcement measures, clarifying subjective elements within the regulation, and exploring alternative approaches that incentivize user privacy alongside innovation. Only through such changes can the GDPR truly empower individuals and create a more secure and transparent digital environment for all.

The ongoing evolution of the digital landscape demands a robust and adaptable data protection framework. By addressing the shortcomings of the GDPR’s application within the freemium space, we can move towards a more balanced approach that protects user privacy without stifling innovation. Only then can the GDPR truly fulfil its promise of empowering individuals and fostering a more secure and transparent online environment, especially for users who rely on valuable “free” services offered by freemium businesses.

Iakov Shuvalov is a final year law student at the University of Aberdeen and has interests in Cybersecurity and Data Privacy Law.

The post GDPR vs. Freemium: why social media giants are winning appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/gdpr-vs-freemium-why-social-media-giants-are-winning/feed/ 1
Deceptive (dating) by design? https://www.legalcheek.com/lc-journal-posts/deceptive-dating-by-design/ https://www.legalcheek.com/lc-journal-posts/deceptive-dating-by-design/#comments Wed, 24 Aug 2022 08:12:17 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=178609 Dating apps may seem like a piece of fun but more sinister goings-on may be at play, such as privacy and human rights breaches, writes third year law student Tanzeel ur Rehman

The post Deceptive (dating) by design? appeared first on Legal Cheek.

]]>
Dating apps may seem like a piece of fun but more sinister goings-on may be at play, such as privacy and human rights breaches, writes third year law student Tanzeel ur Rehman

“I s’pose the other boy’s fillin’ all my dates?”

Early 20th century US columnist George Ade’s fictional character, the heartbroken office clerk named Artie, confronted his ladylove after finding out she had dumped him for someone else. Interestingly, the origins of the word “date” in its romantic sense can be traced to the 1896 pages of the Chicago Record/Herald. With booming industrialisation, the lexicons of love changed, and ‘courtship’ became ‘dating’. Those were days before the two world wars, and human rights issues couldn’t, in the slightest degree, be associated with an amorous subject like “dating”.

Our times are different, and with booming digitisation, the modern concept of dating is being identified by the swipe culture. Dating apps have reorientated how an entire generation meets new people. If one is looking for love, dating apps are the best way to go about it.

Rights at stake

As a student of law, one must wonder, whether these apps are being mindful of the users’ human rights. A damning report published by the Norwegian Consumer Council provides evidence to the contrary. A recent Netflix documentary also provides an insight into the dark and sinister side of the dating app world. Whereas a BBC Three documentary reveals, based on data from the National Crime Agency, that sexual offences linked to dating apps doubled between 2017 and 2020 and that half of the victims who had reported someone, were dissatisfied with the dating platforms’ response.

Business corporations have essential human rights’ commitments. Under the UN’s ‘Protect, Respect and Remedy’ framework, corporations have to adhere to a human rights due diligence. It is the responsibility of business enterprises to identify, prevent, mitigate and remedy any adverse human rights impacts that are directly linked to their operations, products or services. So then, are these corporations behind the popular dating apps really fulfilling their human rights’ commitments?

Sexual and gender-based violence is now being closely linked to the digital realm. The umbrella concept of technology-facilitated sexual violence (TFSV) encompasses all that negative use of technology which enables violence, harassment and abuse. Dating apps are proving to be a suitable avenue for TFSV. This can take many forms. On the platform itself, unwelcome sexual conduct and sexualised comments, including unsolicited sexual images/messages are commonplace. Abuse and violence may also become part of the physical encounters facilitated by these apps. The geolocation features associated with these apps enable crimes such as stalking.

A 2018 survey in Australia concluded that 70% females and 67% gender-diverse persons were at a higher risk of being victims of TFSV. In 2020, A Pew Research Center study reported that 57% of female online dating app users have experienced some sort of harassment on these platforms. In Opuz v Turkey, the European Court of Human Rights highlighted the fact that violence of a gendered type which affects women disproportionately, is also violative of the non-discrimination principle enshrined in Art 14 of the European Convention on Human Rights.

Want to write for the Legal Cheek Journal?

Find out more

Is it really private?

TFSV is just one aspect of the pernicious upshots of the dating app world. The users’ right to privacy is also an inviolable human right. Unfortunately, examples from Egypt, Lebanon and Iran bear witness to the treacherous use of these technologies. State authorities have reportedly used data gathered from these apps to persecute LGBTQ+ individuals for ‘indecency’. According to Human Rights Watch, such snoopy practices, employed to curb dissent, are violative of the users’ multiple fundamental rights. More importantly, there is little being done by the developers to protect their users from such interferences. According to an older report by the UN High Commissioner for Human Rights (OHCHR), as part of the human rights due diligence framework, business enterprises “are expected to communicate transparently with users about risks and compliance with government demands”.

Jurisdictions around the world have had mixed responses when holding platform developers liable. Being intermediaries, platforms have limited or no liability for illegal acts committed by third parties in the US. In a lawsuit against a dating app, it was held that platforms are protected from liability under the infamous section 230 of the Communications Decency Act. Contrastingly, Israeli courts have held these platforms liable for failing to remove fake profiles. In the UK, the government has promised “ambitious plans for a new system of accountability and oversight for tech companies” and wants the country “to be the safest place in the world to go online”.

A 2017 study analyses the new ‘anti-rape’ features which have emerged to address TFSV. In analysing 807 features across 215 different apps, the study notes that these features, being farcical stopgaps, only serve the purpose of improving perceptions. Eighty percent of these features are made ‘to be used during a specific incident’. These features are reassuring, but would most likely be ineffective in a real attack because they do not address the various forms of coercion a perpetrator would probably use, nor are they relevant to the multiple circumstances a victim may face. A more recent study of mainly teenage respondents concluded that such features are only designed to address the common perceptions of sexual abuse, ie gender exclusiveness and generalised safety dilemmas.

The origins of the word “date”, as it appeared in print, had a light-hearted flavour. But the human rights concerns of modern-day app dates, do not. It is highly likely that these dating platforms, in the foreseeable future, will use and augment other emerging technologies (for example augmented or virtual reality) and data from other mediums (for example clothing data, lifestyle preferences, users’ medical conditions, physical proximity and interactions) which could create new rights’ issues.

It is important for all stakeholders to consider a research agenda which assesses the impacts and risks beforehand, in order to develop legislation, regulation, best practices and a more robust due diligence framework. For now, all these emerging (human rights) concerns have been receiving, at best, sporadic attention.

Tanzeel ur Rehman is a third year law student at the University of Sindh, Pakistan.

The post Deceptive (dating) by design? appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/deceptive-dating-by-design/feed/ 2
The need for an international right to obscurity https://www.legalcheek.com/lc-journal-posts/the-need-for-an-international-right-to-obscurity/ https://www.legalcheek.com/lc-journal-posts/the-need-for-an-international-right-to-obscurity/#respond Wed, 26 May 2021 09:17:25 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=163359 With the internet more accessible than ever, Edinburgh Napier law student Lewis Hay calls for a more uniform and transparent approach

The post The need for an international right to obscurity appeared first on Legal Cheek.

]]>
With the internet more accessible than ever, Edinburgh Napier law student Lewis Hay calls for a more uniform and transparent approach

A person’s reputation is without a doubt of immense value. The internet and social media are at the forefront of a person’s repute. Online information and allegations are near enough impossible to get rid of once posted. It used to be if a story about you were printed in a newspaper, it would be novel and important the day it was printed, but the next day it would be forgotten about and thrown away. That no longer rings true. The internet and social media are the first places that anyone looks when it comes to finding out information about an individual and their reputation.

With cases where the right to obscurity is the issue on the rise, the story of Tiziana Cantone has stayed with me. This is a case where a woman committed suicide after a video of her was widely shared on the internet. Cantone won a right to be forgotten case. However, after a long time fighting through the court to have the videos removed, she could not escape the notoriety as the video had been copied and republished thousands of times. With stories like this, the need for international regulation on the right to obscurity has never been more poignant.

The 2014 Google v Spain decision certainly brought the issue into the spotlight. This case involved a man named Mario Costeja González who lodged a complaint against Google Spain, a subsidiary of Google, after an old newspaper article about him was republished on the internet. Gonzalez felt that since the story in the newspaper had been resolved for years, there was no need for that article to be there. The fact the paper was still readily available and was in the search results if you googled his name, was affecting his reputation, infringing upon his privacy, and so requested for the article be taken down. The court held that the operator of a search engine is obliged to remove information found based on a search of a person’s name. Even if this information has been published by a third party. Also, in a case where that name or data is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

However, an issue I see with the decision is that it doesn’t offer any solution to dealing with the problem in the future. Although, in light of the decision, search engines have responded to the lack of obscurity rights by implementing their own policies to delist or erase people’s private information. It seems from Google’s current policies that they at least acknowledge that people have some right to obscurity. However, the way in which Google makes these policy decisions is not transparent to the users of Google and regulators. It is also incredibly inappropriate for private companies such as Google to be allowed to decide under what circumstances someone may be forgotten, and have their right to obscurity fulfilled. This is because these decisions under normal circumstances are made by governing bodies elected and held accountable by the people. Still, the complex and global need for the right to obscurity presents a multitude of issues regarding jurisdiction, powers and procedures of a singular government body that would make these judgments. We have seen this in the 2016 case of Weltimmo s. r. o. v NNemzeti Adatvédelmi és Információszabadság Hatóság.

A person’s reputation falls within Article 8 (the right to private life) of the European Convention of Human Rights (ECHR). Recent authority from the European Court of Human Rights has shown this. In the 2005 case of Radio France v France, the court noted that the right to reputation is safeguarded by Article 8 of the Convention as an element of the right to respect for private life.

Want to write for the Legal Cheek Journal?

Find out more

Naturally, one of the things that is forefront in someone’s mind when there is sensitive information available about them on the internet is their reputation. So, when someone wants that information taken down, they do so to protect their reputation. If someone was convicted of a drink driving offence years ago, and now has been sober since the offence and is an exemplary driver, that person in question should be able to have that information taken down as to protect their reputation and be forgotten. Otherwise, that person’s right to privacy is being infringed upon as their reputation is being affected, despite the person being fully reformed. This suggests that the Right to Obscurity might already exist under Article 8 of ECHR. This is because the concept of someone’s reputation being protected under Article 8 coincides with someone wanting to protect their reputation by being forgotten about and acting on their Right to Obscurity.

Since European courts already know how to deal with these issues, a blueprint that shows how to approach this issue at an international level has been provided. This blueprint would help adapt and devise an international treaty to help incorporate the right to obscurity as an international human right.

However, some issues arise when dealing with the right to obscurity. Earlier was mentioned a hypothetical example of a drunk driver. Today that is news, legal, and justifiable, especially if his actions were to have caused harm to someone or property was damaged. This is when it is in the public interest to know something about someone. Also, who is able to define what level of criminality can be forgotten? Should this be shoplifting? Theft? Murder? Who can decide any applicable period in which the right to obscurity becomes law? Domestic governance on the issue is sure-fire not going to work. Companies like Google are almost definitely going to lobby against legislation that incorporates the right. Economically, companies like Google and Facebook thrive off of personal data. So, legislation enabling people to be able to hide information, and be forgotten is going to have a significant impact on these company’s revenue. Further, with more and more people surfing the web through the use of VPNs and bypassing local jurisdiction, there is no feasible way to enforce the right in other countries. This is why international legislation is required.

An international treaty would be advantageous in this case since this matter should not be solely governed at a domestic level. David Hume, in his 1793 book A Treatise of Human Nature, divides the law of nations into two types. First are laws that deal with international matters, such as declarations of war and human rights issues, with the second being general natural law. The Right to Obscurity belongs in the first category. Private companies should not be able to determine under what circumstances a person’s right to obscurity should or should not be granted; it is highly inappropriate. An international treaty on the right to obscurity would extend the notion of justice among countries.

With increasing globalisation, technological innovation and the internet more accessible than ever, an international treaty on the right to obscurity is necessary in order to deal with the increase in global interaction and interdependence.

Lewis Hay is a first year law student at Edinburgh Napier University. He is an aspiring lawyer and his interests lie in constitutional and contract law. In his free time he enjoys playing the guitar and bagpipes.

The post The need for an international right to obscurity appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/the-need-for-an-international-right-to-obscurity/feed/ 0
What’s next in Meghan Markle’s privacy claim against Associated Newspapers https://www.legalcheek.com/lc-journal-posts/whats-next-in-meghan-markles-privacy-claim-against-associated-newspapers/ https://www.legalcheek.com/lc-journal-posts/whats-next-in-meghan-markles-privacy-claim-against-associated-newspapers/#respond Tue, 17 Nov 2020 10:05:36 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=155804 Northumbria law grad and aspiring barrister Benjamin Ramsey considers the former Suits actress' causes of action and chances of success if her case goes to trial

The post What’s next in Meghan Markle’s privacy claim against Associated Newspapers appeared first on Legal Cheek.

]]>
Northumbria law grad and aspiring barrister Benjamin Ramsey considers the former Suits actress’ causes of action and chances of success if her case goes to trial

Meghan Markle

“The modern law of privacy is not concerned solely with information or ‘secrets’: it is also concerned importantly with intrusion.”

— Mr Justice Eady, CTB v News Group Newpapers Ltd & Anor [2011]

Following the news that Meghan Markle’s privacy claim against Associated Newspapers Limited (ANL) has been adjourned to autumn 2021, now is the perfect time to consider her causes of action and chances of success. Any defences ANL may have are also discussed here. Finally, while the trial originally listed for January 2021 has been vacated, Mr Justice Warby did grant permission for Markle to make a summary judgment application in its place. The test for summary judgment will be considered below along with the chances of the application being successful.

The facts

Markle’s claim against ANL concerns the publication of five articles, three in the MailOnline and two in the Mail on Sunday in February 2019; ANL being their parent company. The articles disclosed excerpts of what Markle calls a “private and confidential” letter sent to her estranged father in August 2018.

While there are various rights which can be utilised, there are three underlying causes of action in this case:

1. Misuse of private information;
2. Breach of duty under the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA 2018); and
3. Copyright infringement.

Markle had previously made allegations of dishonesty and other misconduct on the part of ANL; however, these allegations were struck out in May 2020 as they were found not to be adequately particularised and irrelevant to the pleaded causes of action. Markle was also ordered to pay ANL’s legal costs of £67,888 for that hearing along with her own costs.

Misuse of private information

Privacy law, unlike many other areas of media and information law, is not governed by statute. Instead, the law in this area has developed over the last 15 years through case law.

The leading case in this area is Campbell v Mirror Group Newspapers Ltd [2004]. Campbell established that a claim could be brought under Article 8 ECHR (Right to Privacy) and led to the establishment of ‘misuse of private information’. Misuse of private information has now been confirmed as a tort in its own right and can now be regarded as having two core components:

1. Unwanted access to private information (confidentiality component); and
2. Unwanted intrusion into one’s personal life (intrusion component).

Markle would only have to successfully argue that one of these two components has arisen to be successful in her claim. The effect of the intrusion component is significant as, if ANL can establish that the content of the letter was already in the public domain, thereby dealing with confidentiality, her claim can still be successful if she did have a reasonable expectation to privacy in the circumstances.

In addition to showing that the letter was in the public domain, ANL would also seek to establish Markle as a ‘public figure’, being a member of the Royal Family. Therefore, it was in the public interest that the letter was published. However, RocknRoll v News Group Newspapers Ltd [2013] confirmed that a reasonable expectation of privacy is not necessarily diminished because the individual is a public figure.

Ultimately, all these factors will be incorporated into a balancing exercise between the competing rights to privacy and freedom of expression under Articles 8 and 10 of ECHR.

Breaches of GDPR

Protection of personal information received a dramatic overhaul in 2018 with the introduction of GDPR and the DPA 2018. GDPR and the DPA 2018 must be read together and impose broad obligations on those who collect personal data, as well as protects individuals whose data is collected.

As the new law is still in its infancy, it remains untested by the courts in connection with privacy law. However, the now-repealed Data Protection Act 1998 was often used as an alternative cause of action in privacy claims (See Vidal-Hall v Google Inc [2015]).

Markle claims that the information contained within the letter constitutes ‘personal data’ within the meaning of the Regulations. Failure by ANL to acquire Markle’s consent has led to that data being unlawfully and unfairly processed, which is in breach of Article 5(1)(a) of the Regulations.

Want to write for the Legal Cheek Journal?

Find out more

ANL will likely seek to rely on the journalism exception. In the interest of preserving freedom of expression, the journalism exception is provided for by paragraph 26 of Part 5 to Schedule 2 of the DPA 2018 and applies to the GDPR. Once again, it would be necessary for ANL to show that the publication was in the public interest.

Copyright infringement

Copyright laws in the UK are governed by the Copyright, Designs and Patents Act 1988 (The 1988 Act). The 1998 Act protects a wide range of works, from artistic works to databases. Importantly, the 1998 Act also protects “literary works” which includes protection of private letters.

The 1998 Act confirms that copyright arises from the creation of the work and subsists in its author (i.e. Markle) not in the recipient of the letter, her father. As such, Markle controls the reproduction of the letter; with any publishing of the letter requiring her consent.

Copyright infringement occurs when certain prohibited acts (outlined at sections 16-21 of the 1988 Act) are carried out without the permission of the author. ANL appears to have carried out the following prohibited acts:

• Copying the work;
• Issuing copies to the public;
• Communicating the work to the public; and
• Making adaptations of the work.

It is clear that these acts, subject to any defence from ANL, would amount to copyright infringement.

There are certain circumstances where a third party can use copyrighted works without the permission of the author. The most pertinent in this case is for the purposes of criticism, quotation or review (section 30 of the 1998 Act). However, ANL will likely seek to rely on the fair dealing exception. When considering fair dealing, the court’s main issue would be to determine whether the publication of the extracts was “fair”. The courts will look at a variety of factors including whether the contents of the letter were already in the public domain at the time of publication. ANL will seek to rely on interviews given by friends of Markle’s to an American magazine in which they allegedly talk about the letter and its contents. Markle states that this is incorrect and even if they did, they did not have her permission to do so. Ultimately, we return to the need for ANL to show that there is a legitimate public interest in the letter. If ANL can prove this, the claim will likely be dismissed. However, it must be noted that just because something can be deemed to be of interest to the public, does not mean it is in the “public interest” and they, therefore, need to know it.

Summary judgment

As mentioned above, permission has been granted for Markle to make a summary judgment application in January 2021.

The test for summary judgment is outlined in Part 24.2 of the Civil Procedure Rules (CPR) and states the following:

The court may give summary judgment against a claimant or defendant on the whole of a claim or on a particular issue if:

(a) it considers that–

(i) that claimant has no real prospect of succeeding on the claim or issue; or

(ii) that defendant has no real prospect of successfully defending the claim or issue; and

(b) there is no other compelling reason why the case or issue should be disposed of at a trial.

As Markle would be making the application, the burden would be on her legal team, now headed by Justin Rushbrook QC of 5RB, to show that the defendant has no real prospect of defending the claim and that there is no other reason for a trial. In doing this, the court will not conduct a mini-trial (Swain v Hillman & Anor [2001]) but instead, look at the strength of each party’s case. Should ANL show that their case is “realistic” as opposed to merely arguable, then the application would be dismissed, and the case would proceed to trial. It is also entirely plausible that any summary judgment application could be dismissed, only for ANL to then lose at trial.

It would not be the first time a member of the Royal Family had been successful in obtaining summary judgment against ANL. In 2006, Prince Charles was granted summary judgment following the publication of contents of a journal describing the handover of Hong Kong in 1997. On appeal, Lord Phillips found that there had been clear breaches of copyright and confidence.

It would appear ANL has not learned their lesson following their defeat in 2006. Despite this, there is a clear difference between the Duchess of Sussex’s case and the Prince of Wales’ case which suggests that Markle’s copyright claim is stronger. Prince Charles’ journal was connected with his official duties as a “public figure”, whereas Markle’s letter was likely a private and personal piece of information.

Conclusion

A successful summary judgment application would almost certainly bring these proceedings to a close, pending any appeal by ANL. There is every chance that an application could be successful, with Markle relying on Prince Charles’ case in support. Although this outcome would likely derive the public of what would be the most significant privacy claim to date.

It appears that Markle has a strong chance of success across all causes of action. However, the issues in the case will likely revolve around ANL’s defence and the classic balancing act of Articles 8 and 10 ECHR. Should Markle be successful, it is unlikely ANL, and the media as a whole will stop skirting the edge of what are acceptable practices. It appears a case of not if, but when will another high-profile privacy case emerge. Only time will tell.

Benjamin Ramsey is a first class law graduate from Northumbria University. He completed the BPTC as part of his degree and was called to the bar in 2018. He currently works as a county court advocate for LPC Law, and is actively seeking pupillage.

The post What’s next in Meghan Markle’s privacy claim against Associated Newspapers appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/whats-next-in-meghan-markles-privacy-claim-against-associated-newspapers/feed/ 0
Who is responsible for our data and how do we get it back? https://www.legalcheek.com/lc-journal-posts/who-is-responsible-for-our-data-and-how-do-we-get-it-back/ https://www.legalcheek.com/lc-journal-posts/who-is-responsible-for-our-data-and-how-do-we-get-it-back/#respond Wed, 29 Apr 2020 11:04:20 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=145638 Data controllers have weaponised consent by using privacy policies written in legalese and dark patterns to hide privacy-protecting options, argues St Andrews PhD student Janis Wong

The post Who is responsible for our data and how do we get it back? appeared first on Legal Cheek.

]]>
This article is the best-in-category winner entry to the Justis International Law and Technology Writing Competition 2020, from the category of ‘social media, data and privacy’

In our data-driven society, every piece of technology that connects us to the internet collects our personal data (any information relating to an identified or identifiable natural person), building elaborate profiles on what we are doing, where we are, and even who we are.

As data subjects (those about whom personal data are collected), we can no longer hide from data controllers (those who collect and determine what these data are used for). With every data breach and data sharing revelation from Cambridge Analytica to Google’s Project Nightingale, our personal data is becoming less personal, where data attached to our identity are no longer in our control and becomes harder for us to identify who is responsible.

The data subject’s struggle

Recognising the need to protect privacy as an individual’s right, data protection attempts to rebalance power between data subjects and data controllers. The European General Data Protection Regulation (GDPR) [1] grants data subject rights such as the right of access [2], right to be forgotten [3], and right not to be subject to a decision based solely on automated processing [4]. Data controllers must also follow the principles of data protection by design and by default [5]. However, even with the GDPR, data subjects still lack the extra hours and cognitive capacity to exercise these rights. Only 15% of EU citizens feel completely in control of their personal data [6]. Additionally, while there are multiple means for lawful processing of personal data [7], data controllers have weaponised consent by using privacy policies written in legalese and dark patterns to hide privacy-protecting options, obfuscating how data subjects’ data are reused, aggregated, and anonymised to make decisions about them.

Everyone is a data controller

Responsibility over personal data is further complicated where judgements have expansive interpretations of who could be considered a data controller. A user who administers a Facebook Group or Page [8], a website operator who has a Facebook ‘like’ button or other social plug-ins [9], and a religious community whose congregation conducted preaching activities and collected personal data [10] are ‘joint controllers’ who are all liable if one controller breaches requirements on those data. This significantly increases the number of data controllers and people responsible for personal data, where not all joint controllers need to have access to the data for joint controllership to occur. While these judgements introduce more responsibility, they also disperse where data responsibility lies, increasing the ambiguity over who can share, reuse, and repurpose data.

From my data to our data to your data

Beyond the individual, initiatives such as Decode encourage public institutions to be more responsible with its citizens’ data. However, governments continue to watch over its people through social credit scoring, criminal sentencing, and partnerships with privately-owned, pervasive technologies. In the age of surveillance capitalism, where personal experiences are translated into free raw material for behavioural data, our personal and derived data are collectively used against us. Although data protection and information rights enable some forms of transparency and accountability, our data are still often used without our knowledge and without legal recourse as decisions are made using unexplainable black-box algorithms [11].

Want to write for the Legal Cheek Journal?

Find out more

Reclaiming our personal data

In order to better understand how our personal data is being used and abused, we need to look beyond data protection on an individual level. Instead, privacy should represent an ecosystem that requires legal and socio-technical collaboration between lawyers, technologists, policymakers, and most importantly, us as data subjects.

Firstly, stronger regulation beyond data protection is required to fully realise the responsibility data controllers have over our personal data. While the European Data Protection Board established guidelines to clarify the GDPR, further regulatory guidance has only been provided by academics and has yet to be codified. Regulators should do more to prevent ‘ethics washing’, whereby data companies use ethics boards and policies to limit regulation. Competition law in particular may help us escape the grasp of digital behemoths. Looking beyond fines, Margrethe Vestager, the EU’s competition commissioner, plans to regulate industries such as artificial intelligence and gig economy companies to return the ethos of ‘consumer is king’ back to data subjects. Other mechanisms include using legal data Trusts to empower data subjects by facilitating access to pre-authorised, aggregated data and remove key obstacles to the realisation of the potential underlying large datasets.

Secondly, although many of the challenges described are driven by the business models of data controllers, technology should be considered part of, and not excluded from, solutions that help data subjects better understand how our data are processed and managed. Tools such as Databox, Jumbo Privacy, and DoNotPay are already beginning to challenge the data protection practices of Big Tech companies, providing alternatives to existing services and mechanisms for control.

Finally, in considering how personal data should be best protected, data protection must be considered beyond the individual. Data protection should look beyond privacy as control and be expanded to include the ability to participate and engage with other individuals and groups, crowdsourcing information and solutions to personal data challenges. Philosophical discussions surrounding group privacy can be put into practice. Developing a data protection public sphere and commons, regulators, lawyers, and technologists can support data subjects in minimising the risks involved in the public use of anonymised personal data [12] and establish the necessity for collective rights [13] before and after data are collected. The protection of data subjects with regard to the processing of personal data can only be achieved where legal frameworks and technological mechanisms include input from data subjects to respect their data protection requirements.

The responsibility over our personal data should not burden data subjects. As data protection matures, this responsibility should be shared with all stakeholders that benefit from the personal data, not only with those about whom personal data are collected. It is only with legal and technical collaboration that data subjects can be collectively protected, governing the data protection landscape for the benefit of our current and our future selves.

Janis Wong is a PhD student in computer science at the Centre for Research into Information, Surveillance and Privacy (CRISP), University of St Andrews. She holds a LLB from the London School of Economics and a MSc in computing from the University of St Andrews.


The Justis International Law and Technology Writing Competition is in its third year. This year, the competition attracted entries from students at 98 universities in 30 countries. Judging was conducted by a panel of industry experts and notable names, including The Secret Barrister and Judge Rinder.


Sources:

[1]: Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.
[2]: ibid art 15.
[3]: ibid art 17.
[4]: ibid art 22.
[5]: ibid rec 108.
[6]: Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, and Simone van der Hof, ‘Conclusions’ in Bart Custers, Alan M. Sears, Francien Dechesne, Ilina Georgieva, Tommaso Tani, and Simone van der Hof (eds), EU Personal Data Protection in Policy and Practice (T.M.C. Asser Press 2019).
[7]: General Data Protection Regulation, art 6.
[8]: Case C‑210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH ECLI:EU:C:2018:388.
[9]: Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629.
[10]: Case C-25/17 Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta ECLI:EU:C:2018:551.
[11]: Frank Pasquale, The Black Box Society: The Secret Algorithms That Control Money and Information (Harvard University Press 2015).
[12]: Luciano Floridi, ‘Group Privacy: A Defence and an Interpretation’ in Linnet Taylor, Luciano Floridi, and Bart van der Sloot (eds), Group Privacy: New Challenges of Data Technologies (Springer International Publishing 2016).
[13]: Joseph Raz, The Morality of Freedom (Oxford University Press 1986).

The post Who is responsible for our data and how do we get it back? appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/who-is-responsible-for-our-data-and-how-do-we-get-it-back/feed/ 0
Privacy, celebrities and the media https://www.legalcheek.com/lc-journal-posts/privacy-celebrities-and-the-media/ https://www.legalcheek.com/lc-journal-posts/privacy-celebrities-and-the-media/#respond Tue, 12 Nov 2019 10:10:02 +0000 https://www.legalcheek.com/?post_type=lc-journal-posts&p=137605 It's a fine balance between the freedom of the press and the privacy of individuals, says newly qualified solicitor Aisha Hussain

The post Privacy, celebrities and the media appeared first on Legal Cheek.

]]>
It’s a fine balance between the freedom of the press and the privacy of individuals, says newly qualified solicitor Aisha Hussain

The Duke and Duchess of Sussex have announced they’re bringing legal action against British tabloids for the “painful” impact of intrusive press coverage, as Prince Harry makes comparisons between the treatment of his wife to that of his late mother, Princess Diana, and his “deepest fear… that history is repeating itself”.

Meghan Markle is suing the Mail on Sunday and its parent company, Associated Newspapers, for publishing the contents of a private letter sent to her estranged father, claiming her right to privacy and family life were breached. Prince Harry is also suing The Sun and the Daily Mirror over alleged phone hacking, thought to be historic.

Historically, the judiciary has developed the law in this area in an incremental fashion, which has gained momentum in recent years, as a result of a number of highly publicised cases. There are various rights which can be utilised including breach of confidence, misuse of private information, breach of General Data Protection Regulation (GDPR) and claims under the Human Rights Act 1998.

Breach of confidence

The expansion of privacy laws came by the doctrine of breach of confidence. In order to successfully claim under this cause of action, it must be established that; the information has the necessary quality of confidence, imparted in a manner which imposed an obligation of confidence and the unauthorised use of the information was to the detriment of the owner.

Breach of confidence gained traction, with the decision in Douglas v Hello! Ltd (No.3) [2005] EWCA Civ 595. This case involved a celebrity couple (Michael Douglas and Catherine Zeta Jones) who entered into an exclusivity agreement with OK Magazine to print photos of their wedding. A rival magazine, Hello magazine, obtained and printed photos of their wedding, without the couple’s permission. An interim injunction was granted and damages awarded for breach of confidence and data protection. This was one of the first cases of its kind, setting a precedent and a slew of other ‘celebrity’ cases.

The infamous phone hacking scandal, where it was found that journalists and newspapers had hacked into the phones of high profile people, called into question the ethics and standards of the media. The scandal led to the courts granting hundreds of claims under misuse of private information, breach of confidence and breach of Article 8 rights of the European Convention on Human Rights (ECHR). The high profile investigation ultimately led to the closure of the News of the World in 2011 and millions of pounds in payouts.

Media and the freedom of expression

Article 10 of the ECHR encompasses the right to freedom of expression and is often the main argument posed in defence of any claim brought against the media. The right to express yourself freely and hold your own opinions, even if they are unpopular is fundamental to our democracy.

It is noted within case law (Axel Springer AG v Germany No.39954/08) that journalists’ right to freedom of expression was subject to the journalist acting in good faith and on an accurate factual basis, providing “reliable and precise” information in accordance with the ethics of journalism.

Importantly, it was also noted in Rock n Roll v News Group Newspapers Ltd [2013] EWHC 24 (Ch) that a reasonable expectation of privacy is not necessarily diminished because the individual is a public figure.

The case law

Ali v Channel 5 Broadcast [2018] EWHC 298 (Ch) — This case involved the Channel 5 show Can’t Pay, We’ll Take It Away, which filmed the claimants being evicted from their home in a state of distress. It was held that the focus of the programme was on the conflict between the parties to make “good television” and not on matters of public interest and that the infringement of privacy went beyond what was justified.

ABC v Telegraph Media Group [2018] EWCA Civ 595 — The Court of Appeal granted an interim injunction to prevent the publication of confidential information disclosed in breach of confidence. It was noted that “confidentiality once breached is lost forever”. The judgment balances the parties competing rights: the right to privacy against the freedom of expression. It was further noted that the Article 10, freedom of expression, is not an unqualified right and Article 10(2) states that in the exercise of freedoms, it carries with it duties and responsibilities which may be subject to restrictions and penalties.

Cliff Richard v. The British Broadcasting Corporation [2018] EWHC 1837 (Ch) — In this case, the home of Sir Cliff Richard was searched in connection with allegations of historic child abuse. The BBC broadcast extensive coverage of the search. It was noted that the BBC was less concerned with the public interest element and more concerned with their chance to “scoop a big story”. The judgment also clarifies that damage to reputation can be litigated as a breach of privacy right under Article 8 as well as defamation.

A change in attitudes

In an extremely rare show of solidarity and an unprecedented move in British politics, 72 female British MPs signed an open letter in support of the Duchess of Sussex reading:

“As women MPs of all political persuasions, we wanted to express our solidarity with you in taking a stand against the often distasteful and misleading nature of the stories printed in our national newspapers concerning you, your character and your family. On occasions, stories and headlines have represented an invasion of your privacy and have sought to cast aspersions about your character, without any good reason as far as we can see. With this in mind, we expect the national media to have the integrity to know when a story is in the national interest, and when it is seeking to tear a woman down for no apparent reason. You have our assurances that we stand in solidarity with you on this. We will use the means at our disposal to ensure that our press accept your right to privacy and show respect, and that their stories reflect the truth”.

Conclusion

The bold approach taken by the Duke and Duchess of Sussex, in bringing joint claims against British news publications, is a direct attempt to send a stark warning to the media, in relation to their “ruthless campaign” against them.

If the matter proceeds to trial, it is likely to be the most significant privacy case heard in the UK courts to date. The trial would likely receive global coverage, cost millions of pounds to fund and could potentially be quiet damaging for the royal pair. The case is likely to take many months to proceed to trial and no doubt set some form of precedent in respect of the publication of sensitive/personal correspondence and provide further guidance on the element of public interest.

From a review of the case law and comments made by MPs, there appears to be a real change in social and cultural attitudes as to what is acceptable, in terms of an infringement of privacy. Judicial comments make a clear distinction that journalists are not simply allowed to wash over a person’s right to dignity and privacy merely because they are a well known or famous individual. The wave of case law suggests that the criteria of public interest should legitimately be met and not met solely for the interests of selling a magazine, to “make good television” or “scoop a big story”.

It will be interesting to see how the courts address the fine balance between the freedom of the press and the privacy of celebrities.

Aisha Hussain is a newly qualified solicitor, with a keen interest in commercial litigation and current affairs.

The post Privacy, celebrities and the media appeared first on Legal Cheek.

]]>
https://www.legalcheek.com/lc-journal-posts/privacy-celebrities-and-the-media/feed/ 0
Law and tech writing competition sees students vie for £2,000 cash prize https://www.legalcheek.com/2019/10/law-and-tech-writing-competition-sees-students-vie-for-2000-cash-prize/ Tue, 01 Oct 2019 10:11:07 +0000 https://www.legalcheek.com/?p=135357 Entries for Justis’ annual comp open today

The post Law and tech writing competition sees students vie for £2,000 cash prize appeared first on Legal Cheek.

]]>
Entries for Justis’ annual comp open today

Justis is back for a third consecutive year with its popular student writing competition.

The legal publishing giant’s annual law and tech writing competition which, in previous years, has received entries from students across the globe, tasks young wordsmiths to write a 1,000 word essay on one of three topics. This year the topics are: technology and the future of legal practice; social media, data and privacy; and access to justice and technology.

Will bitcoin, blockchain or artificial intelligence be the focus of your article? Or perhaps it’s the tension between social media and privacy law, a topic which garnered worldwide attention in the wake of the Cambridge Analytica scandal, that you’d like to explore. Maybe it’s the rise of online courts, fuelled, in part, by cuts to legal aid and court closures.

Whatever your topic of interest, entries open today, on 1 October 2019, which gives students ample time to put on their thinking caps and ponder the newsy subjects. The competition is open to undergraduate and postgraduate students of any discipline at any university.

The winner will receive a £2,000 cash prize as well as publication in the Legal Cheek Journal.

Dr Matthew Terrell, head of marketing at Justis, who is overseeing the competition, said:

“Moving from university to the workplace can be challenging and very competitive, and we hope this competition can help students stand out from the crowd with their ability to produce professional, thought-provoking articles. Last year we received so many fantastic entries and I am hoping we receive even more this year.”

Three further cash prizes of £250 will be awarded to the authors deemed ‘Best in Category’ by a panel of top judges, who include: Judge Rinder; The Secret Barrister; Legal Cheek reporter Aishah Hussain; Dr Liz Dowthwaite, research fellow, specialising in online data, privacy and social media at the University of Nottingham; Tom Bangay, director of content at Juro; Masoud Gerami, managing director of Justis, a vLex company; Emily Allbon, creator of tldr.legal and senior lecturer, at City, University of London; Roger V. Skalbeck, associate dean for library and information services at the University of Richmond; and David Wills, editor of Legal Information Management and Squire Law Librarian at the University of Cambridge.

Alongside the winning submission, the top three best in category articles will be published on the Justis and vLex (a Justis parent company) blogs, and included in its international newsletter.

The deadline for submissions is 8 December 2019. The shortlist and winners will be announced at the start of spring 2020.

Find out more about the competition, including guidance on the topics and entry requirements, and enter now.

The post Law and tech writing competition sees students vie for £2,000 cash prize appeared first on Legal Cheek.

]]>