In honour of the International Association of Privacy Professionals (IAPP) London 2025 conference, we hosted a webinar on European privacy litigation. This post summarises some of the key UK privacy cases we covered in that webinar. Over the past six months, the UK High Court has handed down a number of decisions with important implications for businesses, data controllers and individuals.

Duke v. Moores & Ors [2024] EWHC 2746 (KB)

Key issues: The claimant, a teacher, alleged misuse of private information and breaches of data protection laws after a disciplinary investigation. This was in relation to four categories of information: Facebook messages, WhatsApp messages, references from past employers, and alleged unlawful monitoring and surveillance. The court was asked to decide on an application for summary judgment made by the defendants in respect of a claim for misuse of private information and UK General Data Protection Regulation (GDPR) infringements.  

Key decision: The court granted the application for summary judgment, on the basis that the claimant’s case had no real prospect of success. The court found that any reasonable expectation of privacy was significantly outweighed by the need for investigation in the disciplinary process.

Key takeaways: The case serves as a reminder of the courts’ willingness to strike out privacy and data cases which they feel do not have a prospect of success. Viable claims need to pass a ‘threshold of seriousness’ test, which was introduced into GDPR cases by the UK Supreme Court in a seminal privacy case in 2021, and since then has been used as an important filter in damages claims in respect of alleged GDPR breaches. One question relating to the threshold which remains open – to be determined this year by the Court of Appeal in the case of Farley v. Paymaster – is whether or not fear of adverse consequences, without the occurrence of actual adverse consequences, can constitute harm serious enough to warrant the payment of compensation.

Pacini v. Dow Jones & Co Inc [2024] EWHC 2714 (KB)

Key issues: The claimants, two former investigation bankers, brought a data protection claim against Dow Jones, the publisher of The Wall Street Journal. Their claim was that Dow Jones had published two articles, which they alleged contained inaccurate and misleading information which caused them reputational damage. The decision concerned preliminary determinations regarding whether personal information being processed by the defendant was incorrect, as alleged by the claimant. There were two central issues: the meaning of any personal data within the articles and whether any such data is criminal offence data within the meaning of Article 10 of UK GDPR.

Key decision: In determining the first issue regarding the definition of personal data, the court implemented principles from defamation law. The court first applied the ‘single meaning rule’, considering each published article as a whole and interpreting each element in its full context. The court then used this to determine whether the meaning constituted ‘personal data’ under the GDPR. The court then also applied the repetition rule, which treats a party who repeats a defamatory statement as if they made the original statement, to assist with determining whether the publishers were responsible for a breach of the GDPR. With regard to the second issue, the court held that the personal data was not ‘criminal offence’ data within the meaning of Article 10 UK GDPR.

Key takeaways: This is not the first time that a judge deciding a GDPR case which crosses over with media publication has borrowed concepts from defamation law. The judge in this case went to great lengths to make clear that the approach required to interpret meaning might differ significantly in defamation law and data protection law, although it is interesting that a common approach to this was taken here.

RTM v. Bonne Terre Ltd & Hestview Ltd [2025] EWHC 111 (KB)

Key issues: RTM, an online gambler, sued Bonne Terre, a gambling operator, for sending direct marketing materials to him encouraging him to gamble more. RTM claimed he had not consented to the processing of his personal data for this purpose, and that the unlawful processing for marketing purposes had caused him to suffer harm (namely, financial losses and distress).

Key decision: The court concluded that the defendant had not obtained valid consent from the claimant. Despite no argument having been presented by the claimant on this specific point, it held that the claimant’s consent to the processing of his personal data for marketing purposes could not be valid, because it was clear from the evidence that he had a gambling problem. This meant that the claimant’s ability to give valid consent was impaired. The defendant argued that it used the personal data it collected from its customers to assess gambling addiction, in compliance with its safer gambling obligations, and that it had not concluded that RTM was a problem gambler and so had not excluded him from marketing lists. The court dismissed the relevance of this.

Key takeaways: This case is a good reminder of the need for ‘informed’ and ‘freely given’ consent to data processing, although arguably it sets the bar extremely high for data controllers to meet. The net effect of this decision appears to be that, if a data controller seeks consent from customers to process their data, including for marketing purposes, and vulnerable individuals are within the customer group, then there is a risk that their consent will be invalidated by their vulnerability. This in turn would result in unlawful data processing. That risk apparently lies entirely with the data controller, even if they are completely unaware of the vulnerability in question. This has potentially wide ramifications for the entire online marketing ecosystem.

Ashley v. HMRC [2025] EWHC 134 (KB)

Key issues: The claimant, businessman Mike Ashley, was involved in a tax dispute with HM Revenue & Customs (HMRC) and issued a data subject access request (DSAR) to find out which of his personal data they processed. This case explored the meaning of personal data under Article 4(1) of GDPR, the extent to which a controller needs to conduct a search for it to be considered proportionate, and the rules on what context needs to be given around the personal data of a data subject.  

Key decision: The court found in favour of the claimant regarding HMRC’s data processing failings, but rejected the wider argument that personal data included all data relating to HMRC’s tax enquiry assessment. The lengthy judgment provided a number of insights as to the meaning of personal data in the context of a DSAR:

  • The court held that information that is ‘linked’ to an individual should be construed in a broad way, although there should be a ‘continuum of relevance’ (accordingly, a link which is indirect or tenuous ‘at several removes’ is unlikely to make the grade). It also confirmed that data can concern an object rather than an individual, and that subjective opinions, reasoning and assessments concerning an individual can be personal data where interlinked with or connected to information that more specifically relates to the individual. 
  • For a ‘reasonable and proportionate’ search, the court made clear that it is up to a data controller to demonstrate a search would not be proportionate, and that, where a controller processes large amounts of data, it is their obligation under GDPR to design systems which can cope with DSARs in such circumstances.
  • On the provision of data itself, the court emphasised the need to do so in a transparent and intelligible manner, noting that decontextualised snippets (e.g. in a schedule of extracts, which is becoming standard practice) are unlikely to be adequate. It concluded that a data controller does not have to provide whole documents, but does have to provide enough additional information to enable the data subject to understand the context of the processing. However, it underlined that what is provided should be no more than what is necessary to achieve this.

Key takeaways: Businesses need to be mindful of the approaches they are taking in answering DSARs and should ensure their teams are trained on the most up-to-date guidance as to what constitutes personal data.

For a deeper dive into these cases, please check out our recent Privacy Litigation webinar and, as always, reach out if you have any questions about how these developments might affect your business.

Authors

Bryony Hurst, Partner, London

Enrique Capdevila, Special Counsel, London

Posted by Georgia Grisaffe