Reed Smith In-depth


2023 was a tumultuous year in politics, global affairs and regulatory developments and we also saw various key new case law developments in data and privacy in the UK. This included one of the first cases to consider the “legal proceedings” exemption under the Data Protection Act 2018 and cases clarifying positions on representative actions and the calculation of damages in privacy and data proceedings.

As with our previous annual roundups from 2021 and 2022, we summarise some of the key cases related to data protection and privacy to have taken place over 2023, along with key takeaways.

作者: Elle Todd Jonathan J. Andrews Alicja Lysik


Riley v. Student Housing Co (Ops) Ltd [2023] 2 WLUK 278

In this case, a former employee of the defendant, Mr Courtney Timoney Riley, launched proceedings alleging breach of Article 5 of the UK GDPR (GDPR) arising from the mishandling of his personal data as part of the defence of an employment tribunal claim raised by another former employee, and seeking £75,000 in damages. The defendant argued that its disclosures of Mr Riley’s personal data were permissible, as they were executed in the context of legal proceedings for the purpose of defending their position.

Mr Riley argued that the defendant should have provided him with the copies of documents related to the tribunal proceedings and invited him to submit a witness statement. He argued that the defendant’s failure to do so constituted a failure to handle his personal data in a fair and transparent manner, and that the processing of his personal data was incompatible with the purpose for which it was collected.

The case was dismissed, citing Paragraph 5(3) of Schedule 2 of the Data Protection Act 2018 (DPA), which asserts that GDPR provisions do not apply when their application would impede the controller from making necessary disclosures. The court also ruled that the claimant failed to provide details regarding which personal data was processed, or to establish that any material or non-material damage suffered had resulted from the defendant’s acts.

Key takeaways

  • In its judgment, the court reiterated the importance of maintaining a balance between data subjects’ rights under the GDPR and controllers’ rights to conduct litigation and to a fair trial.
  • This decision is believed to be one of the first, if not the first, to consider the “legal proceedings” exception under the DPA and, whilst it is a Scottish case, this exception of course applies across the UK.
  • This case is a reminder to those pursuing data protection claims that they must make sure to provide enough detail to allow the court to carry out a thorough assessment of any alleged breach of rights.


Stoute v. News Group Newspapers [2023] EWCA Civ 523

In this appeal from the High Court, the claimants, Richard and Sarah Stoute, applied for an interim injunction to restrain further publication of certain photographs pending a trial for misuse of private information. The High Court judge refused the injunction on the basis that the claimants were unlikely to be able to successfully argue their case at trial.

The underlying claim concerned whether the claimants had a reasonable expectation of privacy in respect of photographs taken of them by paparazzi on a public beach and published by the defendant, News Group Newspapers Limited (NGN) in The Sun on Sunday. The claimants were owners of Full Support Health Care Ltd, a company selling personal protective equipment. The company was established in 2002; however, it made substantial profits during the COVID-19 pandemic when it secured government contracts worth around £2 billion, simultaneously generating increased press interest in the claimants.

The claimants argued that, although they were in a public place, they were celebrating a private family occasion (their child’s birthday), and did not anticipate photos of their vacation appearing in the national press.

The Court of Appeal upheld the judgment, reaffirming the refusal of the interim injunction.

Key takeaways

  • Although the judge recognised that the fact that the appellants were in a public place did not preclude them from having a reasonable expectation of privacy, he did stress that such scenarios are highly fact sensitive. Individuals pursuing claims for misuse of private information should remember that the expectation of privacy is less likely to be established in cases where the event occurred in a public place, particularly if there are no other additional elements that would be inherently private.
  • For those defending (or pursuing) cases for misuse of private information involving photographs, the court has helpfully set out the long-standing case law on the topic. In doing so, the court emphasised that photographs require special consideration when it comes to privacy cases, as it is a more intrusive medium for conveying information. However, it was also noted that claimants are more likely to succeed where photographs (i) are taken in a private place; and/or (ii) involve the depiction of something sensitive.
  • Parties seeking interim injunctions will find a cautionary tale in this case, emphasising the importance of carefully considering, and even scrutinising, prospects of success at trial as well as the situations in which their privacy may be protected.

Prismall v. Google UK Limited and Deepmind Technologies Limited [2023] EWHC 1169 (KB)

This case concerned the alleged mishandling of medical records belonging to 1.6 million patients. The records were transferred to DeepMind, a subsidiary of Google specialising in artificial intelligence research and development. The primary objective behind this data transfer was to aid in the development of an application designed to assist health care professionals in identifying and treating individuals with acute kidney injury.

Andrew Prismall, who brought the representative action, was one of the affected patients. Mr Prismall argued that the transfer of the data without seeking prior specific consent from the patients constituted misuse of private information, and sought damages for loss of control over his data and the data of those represented. Mr Prismall also brought an action for breach of data protection legislation; however, it was discontinued following the decision in Lloyd v. Google LLC [2021] UKSC 50, included in our 2021 roundup.

Whilst the court acknowledged the claimant’s concerns, it dismissed the claim, determining that there was no realistic prospect of establishing a reasonable expectation of privacy among the members of the claimant’s class, and that the diverse nature of the class members’ circumstances precluded the feasibility of pursuing a representative action.

The case is currently pending appeal.

Key takeaways

  • This judgment further clarifies the position on representative actions in relation to data disputes, and highlights the importance of the representative claimant having the “same interest” as the members of the claim.
  • This and other cases demonstrate that courts will diligently scrutinise whether all the necessary thresholds are met.
  • The case is yet another reminder for defendants that it may be worth applying for summary judgment at the earlier stages of the proceedings. Opting for summary judgment not only expedites the case but also mitigates the risk of accumulating substantial legal fees in the later stages of litigation.


Bekoe v. Islington LBC [2023] EWHC 1668 (KB)

This claim concerned the misuse of private information and breaches of the GDPR by a local authority, Islington LBC (Islington), which mishandled private and confidential details pertaining to Mr Bekoe’s finances by accessing and sharing them during legal proceedings. Mr Bekoe claimed that this information was obtained without legal basis. He also alleged that Islington had breached the GDPR by mishandling a data subject access request (DSAR) which he submitted, with Islington providing incomplete disclosure and responding with a four-year delay, and that Islington was liable for the loss or destruction of the legal file and failures to provide adequate security over personal data.

The court determined that Islington had demonstrated shortcomings in safeguarding data and privacy rights and had failed to demonstrate that the expectation of privacy was outweighed by other interests. Consequently, Islington had violated Mr Bekoe’s GDPR rights, and he was awarded £6,000 in damages.

Key takeaways

  • Given the frequency of claims for breaches of data protection legislation and for misuse of private information being brought as part of the same action (as was the case here), this case serves as a useful reminder that the courts have discretion to consolidate damages for both claims into a single figure. The court also determined that a thorough compilation of the claimant’s financial data met the requisite seriousness threshold for awarding damages, and factored in Islington’s conduct, which led to aggravated damages due to the recurrent failures to disclose information.
  • The court held that an award of compensation for misuse of private information requires fewer hurdles to be successful than under the GDPR, stating that “claimants can receive damages for the loss or diminution of the right to control their private information, independently of any distress caused” – which those finding themselves defending (or, indeed, bringing) such claims should bear in mind.
  • The case also emphasises the importance of timely and accurate disclosure in response to DSARs, which are often submitted during or just before legal proceedings.