InfoRM Privacy Law Update – August 2016

Home Insights InfoRM Privacy Law Update – August 2016

In this edition of InfoRM:

The cutting edge of privacy

Recently, decisions in the United States and the United Kingdom demonstrate how important privacy arguments have become to fundamental issues of personal autonomy, the state exercise of state powers, and even, despite the media blizzard of salacious gossip in the age of click-bait and reality TV, the role of the media.

In the United Kingdom, the Supreme Court issued a resounding victory for celebrities in the ongoing battle for control over gossip in holding that “there is not, without more, any public interest in the legal sense” in stories about private sexual encounters and “any such disclosure or publication will on the face of it constitute the tort of invasion of privacy”, as will repetition of such disclosure (see story below). Meanwhile, a jury in the United States awarded Terry Bollea (aka Hulk Hogan) US$140 million in damages against Gawker Media and associated individuals for the violation of his privacy over the publication of a sex tape involving him.

In another apparent victory for privacy advocates, and a clear win for technology companies, Microsoft has won its high-profile appeal of an order requiring it to provide to the US Government emails stored on Microsoft's servers in Ireland, with the Second Circuit Court of Appeals’ unanimous ruling that US warrants cannot apply to information held overseas (see our previous coverage in InfoRM). The case is perhaps most significant for its demonstration that technology companies are increasingly willing to resist the demands of law enforcement. Numerous supporting briefs were filed from companies such as Apple (who had its own high-profile dispute with the FBI recently) and Amazon. At heart the case is one of statutory interpretation, and its significance should not be exaggerated. Lynch J, in a concurring judgment, described the privacy arguments as a “red herring” and concluded that he had no “illusion that the result should even be regarded as a rational policy outcome, let alone celebrated as a milestone in protecting privacy”.

On the other side of the ledger, the UK Supreme Court has upheld the state’s right to collect biometric data from convicted criminals and store it indefinitely (see story below). In that case, the benefits to law enforcement were held to outweigh the accepted interference with private life.

What these cases show is the constant calibration by the Courts between individual and community or state interests.

UK Supreme Court says that ‘kiss and tell stories’ are not (legally) interesting

The conflict between privacy and the right to know has played out very publicly, again, with the UK Supreme Court reinstating the year’s most (in)famous injunction. The case is significant, beyond its gossip-factor, for reassessing the force of an injunction in the interconnected world, and, as noted above, for some strong statements about the primacy of privacy.

An individual known as AB claims to have been involved in an extramarital affair with a celebrity, PJS. PJS is a married man with several children, living in England and Wales.

AB approached a UK newspaper with the story, who was prevented from publishing it by an injunction. AB sold the story to US newspapers and, although it was ‘geo-blocked’, the story soon spread across social media. One source cited by the Court states that 20 per cent of the population of England and Wales knows the identity of PJS.

UK newspapers were predictably unhappy at the continuing order, particularly in light of the fact that it does not apply to competitors in other countries including Scotland and Ireland. There were two substantive objections to continuation of the injunction:

  • there is a public interest in publication because it would “correct the image” of PJS as a monogamous individual; and
  • the information was so widespread that a permanent injunction would be pointless and so would not be upheld at trial.

Few courts apply much weight to the public interest argument in celebrity gossip, and this case is no exception. Lord Mance, issuing the decision for the majority, called them “kiss and tell stories of no public interest in a legal sense”. The media are entitled to criticise the conduct of individuals but this cannot be a pretext for invasion of privacy if there is no legally recognisable public interest. He further commented that although freedom of expression is capable of protecting any form of expression, this type of expression must be at the bottom end of the spectrum of importance and is incapable by itself of outweighing PJS’ right to privacy. His Lordship determined that an injunction would prevent enough harm by preventing print copies of the story to circulate that the interim injunction should continue.

Lady Hale opined in a separate judgment that more weight ought to be given to the interests of the children.

As to the second question, the majority held that upholding the injunction would serve a purpose: the exposure through publication in English papers would be qualitatively different to that available to date.

Netsafe named HDCA Approved Agency

At the end of May, Justice Minister Amy Adams announced that NetSafe had been appointed as the ‘Approved Agency’ under the Harmful Digital Communications Act 2015. Appointed under section 7, the Approved Agency is designated as an advisor on the steps people can take to resolve a problem and is also given a dispute resolution role. NetSafe’s new responsibilities are expected to commence in November 2016.

The appointment of an Approved Agency also heralds the beginning of the civil enforcement regime under the Harmful Digital Communications Act. If someone has failed to achieve a satisfactory outcome through liaising with the Approved Agency, they can then apply to the court for a remedy where a digital communication threatens a person’s safety or causes harm. The range of remedies available is broad but includes orders to take down the material; to cease and desist; to publish a correction, apology or a right of reply; to release the identity of a source; and name suppression.

While a court will not have the power to impose financial sanctions at the first stage, failure to comply with an order under the Act is an offence punishable by up to six months in prison or a $5,000 fine for individuals, and fines of up to $20,000 for companies.

Rick Shera, chairperson of NetSafe’s Board, welcomed the new responsibility, saying that NetSafe looks forward to working with the Ministry of Justice, the District Court, the Ministry of Education, industry and enforcement partners “to further develop our processes and implement the [role of the Approved] Agency”.

While a small number of cases under the Harmful Digital Communications Act’s criminal provisions have made their way to the District Court, we are yet to see any substantive argument over the merits of the cases themselves, with most proceeding by way of a guilty plea.

Around the World of Privacy:

A right to be forgotten, everywhere?

A person’s online ‘right to be forgotten’ is a highly contested issue both from a principled and practical perspective.

Two years ago, the European Court of Justice ruled that anyone with connections to Europe can ask Google and other search engines to remove links about themselves from online searches. The links can be removed if they appear to be inaccurate, irrelevant or no longer relevant. Those in the public spotlight, such as politicians, cannot apply.

Fast forward two years, and the French privacy regulator has fined Google €100,000 for failing to remove links in its online search engine to people who have legitimately asked for them to be removed. However, Google had removed the links in their European domains, such as, but the links still appear in search results from other domains (eg

Google argues global removal would infringe people’s freedom of expression and could set a precedent for more repressive governments to demand technology companies to further limit what content is available in their countries. The French privacy regulator argues its citizens’ rights to privacy can only be upheld if the removal of the links is global.

The appeal will be heard by France’s highest administrative court in the coming months.

Northern Ireland (Gaughran v Chief Constable of the Police Service of Northern Ireland [2015] UKSC 2

The UK Supreme Court has held that the public benefits of retaining biometric data collected from convicts outweighs the interference with individual rights.

The appellant was convicted of driving with excess alcohol, a recordable offence, and his biometric data lawfully collected. He challenged the indefinite retention of the DNA profile, fingerprints and photograph on the basis it was a breach of his right to respect for private life protected by article 8 of the European Convention on Human Rights.

The majority of the Supreme Court agreed that indefinite retention interfered with article 8 rights but concluded that the interference was proportionate. The public benefits of retaining the DNA profiles of those convicted of offences was “potentially very considerable” and could also benefit the individual by excluding them from suspected offending.

Lord Kerr, in his dissent, held that there was no rational connection between the legislative objective and the retention policy and no objective evidence that retention of the data would make a significant contribution to the identification of future offenders. He held that a “far more nuanced, more sensibly targeted policy” could be devised to create a system of review and differing retention periods to reflect the seriousness of the offence.

America (LinkedIn thought a man was a white supremacist)

The ‘Connections in the News’ feature of networking site LinkedIn may do more harm than good to users’ reputations. The feature sends users email updates about their connections’ recent appearances in the media based on an algorithm that determines whether the person named in a publication is the same person the user receiving the update is connected to.

However, LinkedIn acknowledges that its algorithm for generating these emails is “not perfect” and updates include a disclaimer that LinkedIn does not guarantee that new articles are accurate or even about the correct person.

The hazards of this feature were highlighted recently when the connections of a school teacher in New York City were sent an update that included the teacher's face above an article about the political activities of a white supremacist of the same name.

Users can opt out of the feature so that their connections will no longer receive updates about them through the privacy settings of their LinkedIn account. However, this case serves as a warning over the use of automatic algorithms.

This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.

Related Expertise