Skip to main content


Lexis Nexis interview: Using the GDPR in a privacy claim

Information Law analysis: Iain Wilson, managing partner at Brett Wilson LLP, comments on the utility of the GDPR in privacy cases in light of the recent case brought by the Duke of Sussex, which was settled out of court.

How can someone use the GDPR to battle an invasion of privacy?

Where private information is published or even retained, then the General Data Protection Regulation (EU) 2016/679 (GDPR) is likely to be engaged (subject to any applicable exemption). This is because an individual’s private information will normally also constitute their personal data.  Early examples of concurrent privacy and data protection claims include Campbell v Mirror Group Newspapers Ltd [2004] UKHL 22, [2004] All ER (D) 67 (May) (in which supermodel Naomi Campbell successfully sued the Mirror for publishing photographs of her leaving a Narcotics Anonymous meeting) and Douglas v Hello! Ltd [2005] EWCA Civ 595, [2005] All ER (D) 280 (May) (in which Hello Magazine was ordered to pay Michael Douglas and Catherine Zeta-Jones damages for publishing unauthorised photographs of their wedding). A more recent example is Secretary of State for the Home Department and another v TLU and another [2018] EWCA Civ 2217, [2018] All ER (D) 85 (Jun), where various claimants successfully sued the Home Office for leaking a list of individuals earmarked for deportation.  The information included names and addresses, which was held to be both private information (for the purposes of the tort of the misuse of private information) and personal data (under data protection legislation). All above cases were brought under the Data Protection Act 1998 (DPA 1998), which has now been replaced by the GDPR regime.

What do similar cases reveal about when a photograph may be personal data?

Crudely put, personal data is, information which is biographical. In the recent case involving the Duke of Sussex, a helicopter had flown over his home at a low altitude allowing paparazzi on board to take photographs. While at first blush, some may find it surprising that photographs of inanimate objects can amount to personal data, the photographs were taken through windows capturing both the living room and main bedroom—arguably a very private and personal ‘sanctuary’. Nevertheless, it is important to note that the case was settled and so does not set any

Would the outcome have been any different under the preceding DPA 1998?

Not necessarily. DPA 1998 prohibited the unfair, unlawful or excessive processing of personal data and contained provision permitting civil claims for breaches. It should also be remembered that the Duke of Sussex’s claim was not a standalone GDPR claim. A concurrent—and seemingly indefensible—claim was brought under the tort of misuse of private information. Thus far, stand-alone GDPR damages claims have been conspicuous by their absence. I am not aware of any precedent yet dealing with a claim for damages under the GDPR, although with only 12 months since the inception of the GDPR it may be a little early to draw any conclusions.

Is this settlement likely to herald a trend in the GDPR being used in privacy claims and how is this likely to influence development of the law in this area?

Elements of the press have suggested that this case might deter newspapers from publishing pictures of anyone or anything. It should not—more often than not, photographs of inanimate objects are unlikely to amount to personal data.

Similarly, personal data—including photographs of individuals—may be processed lawfully in many instances and the press enjoy broad exemptions (although not as broad as they often assert).

Moreover, the case settled and so it simply demonstrates that practitioners are asserting concurrent data protection claims. This has been happening for some time in both privacy and libel, including under DPA 1998. There are some advantages to a claimant in doing this—for example personal data need not be private for data protection rights to be engaged (similarly, a claim for inaccurate data processing can effectively circumvent the serious harm threshold in defamation claims). The GDPR also contains rights such as the right to erasure and the right for information about how data is being processed. However, as above, it remains to be seen to what extent standalone claims for damages might be brought under the GDPR. In many instances, counsel form the view that a GDPR claim adds nothing to a privacy claim. This is particularly so as there is little case law on damages and what there is tends to be either out of date or suggests damages are lower than for privacy claims.


Iain Wilson was interviewed by Lucy Karsten.

This article was first published on Lexis® PSL on 4 June 2019 and is reproduced with permission and thanks. 


Legal Disclaimer

Articles are intended as an introduction to the topic and do not constitute legal advice.