You don’t expect to see Prince Harry and the GDPR in the same sentence, but it was reported this week that the Duke of Sussex has settled High Court claims against the paparazzi agency Splash News (Splash), in a case which was based partly on breaches of the GDPR.
The Duke of Sussex brought claims against Splash in relation to photographs taken of a house that he was renting. Whilst details of the relevant legal arguments have not been released, Splash’s apology statement noted that “[t]his matter concerns a claim for misuse of private information, breaches of The Duke’s right to privacy under Article 8 ECHR and breaches of the General Data Protection Regulation and Data Protection Act 2018.”
With photographs potentially constituting personal data (in this matter it was suggested that the photo contained data such as the Duke’s home address), these images could then attract the full protection of the GDPR and Data Protection Act 2018 (DPA). Whilst the case was not heard in court, we can assume that there would at least have been analysis of the relevant lawful bases (if any) for taking and releasing the photographs, along with consideration of the Article 5 requirement that data be processed “fairly in a transparent manner”. This use of the GDPR may serve as an indication that people are starting to think more creatively about the potential uses of data protection legislation, and we may expect an increasing overlap between data protection, human rights, privacy and even defamation.
This overlap is particularly pertinent as the first major legal challenge to the use of automated facial recognition by the police commences in Cardiff today. Ed Bridges is claiming against South Wales Police over use of the technology when he was out Christmas shopping in December 2017. The crowdfunded privacy claim will include arguments that South Wales Police breached data protection legislation when collecting these facial images. In the same vein, we are also awaiting results of the ICO investigation into police use of facial recognition commenced in December 2018.
The current focus on the interplay between privacy and data protection serves as a reminder that data controllers should ensure in particular that they are comfortable with the lawful bases upon which they process personal data, and the fairness and transparency of such processing. We also wait to see whether these matters lead to any further guidance on how tests such as the legitimate interests balancing test apply where privacy rights are engaged.
HSF will provide further updates once the facial recognition case and ICO investigation are resolved.