Category: Privacy

It’s good to TalkTalk – Part 2: negligence claims for data breaches

| No Comments
| Data Protection, Privacy, Privacy, Tort

It's still good to TalkTalk

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In my previous post, I looked at the limits of claims for misuse of private information for both breaches in Smith. In this post, I want to look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.

2. Negligence claims in Smith

The main problem in Smith is that TalkTalk did not take steps to secure the data involved in the 2014 breach and the 2015 hack. This sounds like a failure to take reasonable care. But a negligence claim in such circumstances was not pleaded, as it was probably precluded by authority.

In Swinney v Chief Constable of Northumbria Police Force [1997] QB 464, [1996] EWCA Civ 1322 (22 March 1996), the plaintiff saw a car which had hit and killed a police officer, and provided that information to the police.…

Read More »

It’s good to TalkTalk – Part 1: misuse of private information claims for data breaches

| 6 Comments
| Data Protection, Privacy, Privacy

It's good to TalkTalk

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In this post, I want to look at the limits of claims for misuse of private information for both breaches in Smith. In the next post, I will look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.


2. Smith and the 2014 TalkTalk breach: no misuse of private information

In Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) (noted on Panopticon), in September 2014, TalkTalk customers began to receive scam calls purporting to be from TalkTalk, which were ultimately traced to data obtained by users of Wipro, a third party providing network services to TalkTalk. However, Wipro put no adequate controls in place to prevent unauthorised access by its users to the data supplied by TalkTalk.…

Read More »

Dystopia and dysaguria on the fourth birthday of the GDPR’s application

| No Comments
| Dysaguria, GDPR

Several years ago, a photo was widely shared on social media showing a CCTV camera outside 22 Portobello Road, George Orwell’s first London home. The image had been created by artist and photographer Steve Ullathorne, as part of his series Restyles of the Dead and Famous, in which he tweaked images of homes of the dead and famous. Here’s the dystopian image as shared:

CCTV outside Orwell's house

Read More »

Seán Quinn, the Streisand Effect, and improving the operation of the right to be forgotten – updated

| 5 Comments
| GDPR, Right to be Forgotten

Google search RtbF notice

I have just conducted a search on a popular search engine for “Seán Quinn”, and the above message – that Some results may have been removed under data protection law in Europe – appears at the bottom of each page of results. Over the past weekend, there was widespread media coverage of attempts by Seán Quinn to rely on the EU’s right to be forgotten to remove newspaper articles from search listings that highlighted significant aspects of his bankruptcy and of his family’s lavish pre-bankruptcy lifestyle. This attempt at reputation management backfired spectacularly on him, and stands as an example of the Streisand effect, which is:

… a phenomenon that occurs when an attempt to hide, remove, or censor information has the unintended consequence of increasing awareness of that information, often via the Internet. It is named after American singer Barbra Streisand, whose attempt to suppress the California Coastal Records Project photograph of her residence in Malibu, California, taken to document California coastal erosion, inadvertently drew greater attention to it in 2003.

On Saturday, in the Irish Independent, Shane Phelan published the following story:

Revealed: Quinn family succeeds in campaign to erase press coverage of lavish lifestyle

Google delists dozens of articles on court battles and even €100,000 wedding cake

Members of ex-billionaire Seán Quinn’s family have mounted a successful campaign to have press coverage about their past ‘forgotten’ by Google.

Read More »

GDPR and remote working, Ross O’Carroll Kelly-style

| 3 Comments
| GDPR

WFH Monitoring RO'CK; via Pixabay (modified)Ross O’Carroll-Kelly is the protagonist and narrator of many novels and a weekly satirical newspaper column in the Irish Times. He is a hugely self-confident South Dublin celtic tiger rugby cub who never grew up; his slightly dippy wife tolerates his legendary foibles and even-more-legendary indiscretions; and his terrible children take daily advantage of his boundless stupidity.

In last week’s column (audio here), he complained that his neighbour was power-washing the patio again, when he’s supposed to be working from home, but he gets away with it, because he gets his wife to move the cursor on his work laptop so it doesn’t go to sleep. Thanks to the pandemic, remote working is here to stay: in January of this year, the Government published its Making Remote Work – National Remote Working Strategy, “to ensure that remote working is a permanent feature in the Irish workplace in a way that maximises economic, social and environmental benefits”. It will create many benefits. For example, in this week’s column, Ross’s two eldest children, Ronan (Ro) (Ross’s illegitimate son, with many criminal connections) and Honor (Ross’s daughter-from-hell), go into the business of monitoring shirking remote-workers, without the need to microchip employees:

“So,” Honor goes, “a lot of you have, like, businesses, right?

Read More »

Happy birthday, GDPR

| 1 Comment
| GDPR

Happy birthday GDPR

Article 99(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) provides:

It shall apply from 25 May 2018.


Bonus (1): From the Discworld & Terry Pratchett Wiki:

Glorious Revolution

Truth, Justice, Freedom, Reasonably Priced Love, and a Hard-Boiled Egg!

Terry Pratchett memorial lilacThe People’s Revolution of the Glorious Twenty-Fifth of May is depicted in Night Watch. … A few streets around Treacle Mine Road were barricaded at first. Soon more people started barricading streets, barricades were moved forward and merged together, covering at least a quarter of the city – including the food industry. The resulting area was called The People’s Republic of Treacle Mine Road. …

Following Terry’s announcement about Alzheimer, calls have been made to wear lilac on the 25th of May as a tribute, and to raise money for Alzheimer research. …

May 25th is also national Geek Pride Day and Towel Day, a day in honour of Douglas Adams. This has led to some fans having to choose between the two, until someone came up with the lilac towel [additional link; possible source].…

Read More »

Compensation for non-material damage pursuant to Article 82 GDPR

| 7 Comments
| GDPR

Compensation Article 82 GDPRThe General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [the GDPR]) provides both for public enforcement by data protection authorities and for private enforcement by any person who has suffered damage as a result of an infringement of the Regulation (on this inter-connection, see Johanna Chamberlain & Jane Reichel “The Relationship Between Damages and Administrative Fines in the EU General Data Protection Regulation” 89 Mississippi Law Journal (forthcoming 2020; SSRN)). As to private enforcement by means of damages claims, Article 82(1) GDPR provides that “[a]ny person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. CMS legal are tracking fines levied by data protection authorities in the EU – they record that, so far, 186 fines have been levied, for a total of almost €460m (the EDPB gives different numbers (pdf, pp33-34), discussed here). However, there is as yet no equivalent tracker for compensation claims, in part because there have been very few. So far as I can find, there have been eight judgments considering substantive claims for damages pursuant to Article 82 (though there have been other cases in which such compensation was claimed but the substantive issue was not reached).…

Read More »

© cearta.ie 2023. Powered by WordPress