When Mr Patel complained to Unite about the postings, Unite took the forum offline and released a statement that the allegations against Mr Patel were unfounded; but Unite failed to respond to Mr Patel’s request for the identification of those responsible.

The BASSA website was subject to terms of use, which warned users that their personal data might be disclosed subject to data protection and privacy law.

Mr Patel successfully applied to the High Court for a “Norwich Pharmacal” order, which required Unite to provide the identities, addresses and Internet Protocol addresses of the users responsible. Instead, Unite provided an expert’s report to show that the information requested had in fact been deleted. Mr Patel and his solicitors pushed Unite to make further efforts to recover the information, without success. Mr Patel therefore sought a further Norwich Pharmacal order for an independent expert to be given access to Unite’s database on the grounds that the continued failure to provide the information must be, at best, as a result of incompetence or technical ignorance. Unite objected to a further order on data protection grounds.

The High Court ruled that Unite had not provided sufficient evidence that it had carried out the reasonable search required by the first Norwich Pharmacal order, and Unite had not shown that it had actually followed up the information provided by Mr Patel in order to carry out that search. The High Court noted that the additional order that Mr Patel was asking for was intrusive, but that it was proportionate and necessary to give the order so that Unite would comply with Mr Patel’s information request. The High Court considered the fact that the website terms of use warned users that Unite might disclose a user’s identity, subject to data protection and privacy law, and that, without the order, those responsible would not be identified. Whilst the order was given by the High Court, it was strictly limited to an expert appointed jointly by both parties and only to the disclosure of the information which would identify those responsible, or which explained why identification was not possible.

The guidance advocates a cookie audit to identify the cookies used, distinguishing between session, persistent and third party cookies, look at how privacy-intrusive each cookie is and how clear information is provided to users.

The ICO has also given further guidance on obtaining consent. It says that website operators should have minimal use of cookies until users have consented. Implied consent is not a viable option at the moment, but as users become more aware of cookies, that could be used. It also advocates contractual obligations between third parties and website owners governing the collection of consent for the third party cookies.

The ICO’s report and the guidance can be found here:  http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx.

Viagogo – the website – had objected to the hand over, saying that to do so would be disproportionate and infringe its users’ data protection rights. The Court of Appeal disagreed. The rights had to be balanced and the RFU was entitled to know about who was infringing its contract terms. The Court of Appeal therefore ruled that it was right to grant the RFU a “Norwich Pharmacal Order” against Viagogo to reveal the data. Whether or not the England rugby body used that data to take action against the sellers or the people who had provided the tickets to the sellers was irrelevant to the ruling.

The changes to the guidance largely reflect the revisions made to the Privacy and Electronic Communications Regulations in May 2011, under which electronic communications providers must inform the ICO about all data protection breaches. The main difference is the recommendation to provide a monthly report rather than simply to maintain a record of breaches which can be audited by the ICO for compliance.

Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, says, “It is absolutely crucial to protect patient data. However, privacy groups again appear to be pursuing a single concern agenda – ie privacy. What about improving patient care and improving or saving lives? Instead of criticising the Government’s healthcare data strategy for being pursued too fast, people worried about privacy should instead be working with the Government to make sure the privacy safeguards are in place so that the health benefits can be achieved as soon as possible. The longer any delays take, the fewer number of people who will benefit from any reforms. When people’s lives are at stake, there should be no time to lose.”

The fine follows a similar incident last year where public parts of a document about another child were sent to the same member of the public by the council. The ICO admonished the council, with the council promising to improve its processes.

In addition to the fine, the council has been ordered to retrain all staff in relation to data protection before the end of March 2012, with refresher training to follow every three years.

The “Article 29 Working Party”, which is a committee of national regulators from each EU State (including the UK’s Information Commissioner’s Office), will provide the basis for the new board. The board will offer support to each country’s regulator and, it is hoped, will bring about more harmonisation between the data protection laws in each Member State.

The EU has proposed several changes to the current data protection regime, including granting individuals a “right to be forgotten” by allowing them to force organisations to delete personal data they hold and making non-EU based organisations subject to EU data protection law if they store personal data of EU citizens in the “cloud” (i.e. storing the data on an Internet-based network rather than on local servers).

The Culture Minister responded that:

-          A “right to be forgotten” would give the public false expectations. His argument was based on the ease and speed with which data can be copied and circulated on the Internet, to the extent that the Government would be unlikely to pass a law into force that it was impossible to enforce.  After all, how could one organisation promise that someone’s photos had been permanently deleted when someone else may have copied them from that original site?

-          It was questionable how feasible it would be to enforce EU law against non-EU organisations and there was the possibility that the law would stifle innovation and economic growth in the sector.

The full text of the speech can be found here.

ENISA also expressed concern in relation to security and privacy risks from such practices. The report suggests that users are becoming increasingly dependent on websites storing their personal information to make their future visits quicker and easier; whilst this is a benefit to a user, it makes fraud and unauthorised access easier, with the potential for not only financial loss but also possible reputational harm, discrimination and even exclusion from websites altogether.

The report suggests that the other effect of the practice is that website operators are being put under increasing pressure to store and protect personal information in a legally compliant way, which they may not have the knowledge or financial means to undertake.

ENISA suggested that privacy-friendly mechanisms should be incorporated into new websites and software, with clear instructions for users explaining the risks involved in a personalised service.

The World Wide Web Consortium (W3C) has published two draft standards to allow users to express privacy preferences in relation to cookies.  W3C released details of:

1. the “Tracking Preference Expression”, which defines mechanisms for users to express cross-site tracking preferences, and for websites to indicate whether these preferences are complied with; and
2. the “Tracking Compliance and Scope Specification”, which defines the meaning of a “Do Not Track” mechanism for notifying websites of a preference and set out best practice for website compliance.

It is hoped that the documents will culminate in the development of software that can be used and developed further by browser operators to protect users from cookies and tracking mechanisms. It is intended that the new standards will allow a user to express a preference for how their data is collected for tracking purposes and alert users as to whether a website honours their preferences or not.

The documents have been developed by a working group within W3C which includes representatives of Apple, Facebook, Google, IBM, Microsoft and Yahoo.

W3C is hopeful that the standards will be in operation in 2012.

The Information Commissioner’s Office (ICO) have been informed of the breach and the business secretary, or his office, could be liable for a fine of up to £500,000 if the ICO finds that data protection law has been seriously breached.

The ECJ ruled that those individuals that were the subject of stories published online not only had the choice of suing the publisher either in the country where the publisher is based or in the country where the individual had their “centre of interests”, but they also had the choice of bringing the claim in a country where the story or content was accessible (although only for the damage suffered in that country). In such an instance, the ECJ ruled that the relevant national courts could not apply a stricter law to the case than that applied by the courts in the country where the publisher was actually based.

In an age where content spreads so easily on the Internet, the waters have suddenly become more muddied for a publisher – it is now much easier than previously thought for a person who is the subject of a story to take action.

The 65 requests received in that period covered more than 300 individual items, and came from the UK government and courts. Six of the requests related to videos that raised national security concerns on YouTube, and several other were court orders relating to defamation and privacy.

Details of the requests can be found here.

The first report considered how 14 social networking websites had implemented the 2009 agreement. This second report considered nine social networking websites, which included a range of blogging, gaming, file-sharing and personal social-networking functionality, and found that only two of the websites had default settings which made a child’s information visible only to approved contacts; the other websites shared a large amount of that information beyond a child’s approved contacts.

The EC has said that it will take into account the two reports when it undertakes a comprehensive initiative to empower and protect children when using new technologies, which is set to take place later this year.

The High Court has ruled that the information contained in the article published was, in principle, protected by article 8. However, the High Court also ruled that there was a public interest in the publication of the article, based on:

1. an objective consideration of the public interest and what was significant to modern society, in particular that Ferdinand had occupied a high-profile position and the article published called into question his suitability for that position;
2. previous case law which suggested that the position of captain of the England football team was a role from which a higher standard of behaviour from the occupant was needed. This was particularly true at a time when the previous captain of the England football team, John Terry, had lost the position to Ferdinand for an extra-marital affair with the partner of a teammate; and
3. the fact that Ferdinand had, for some years, professed to be faithful to his wife – the article published had additional public interest if it proved that public claim to be false.

The High Court ruled that the article had not excessively infringed Ferdinand’s private life, and that the publisher’s right to freedom of expression outweighed Ferdinand’s right to privacy, with the justification based on public interest. The High Court has previously ruled in favour of people who have had their private lives exposed in many previous cases, so it is interesting to see a successful use of the public interest argument in practice.

It seems that Ferdinand’s own goal in seeking to project a particular public image may have cost him victory this time.

The paper states that the principles of cloud computing, where file and programs are stored effectively on the Internet, must comply with the strictest principles of data protection and privacy. It goes on to argue that a watchdog body should be formed to regulate cloud computing services, with an emphasis on transparency of cloud computing operations.

More to the point, though – how can WikiLeaks cry foul over breach of confidentiality, when leaks have been the whole basis of its publications?

Amanda Smith issued proceedings against Headline Publishing alleging fraud, breach of contract, misrepresentation and negligence on the grounds that Headline Publishing had deliberately attempted to get a negative report from a barrister that would allow it to refuse to publish the book. She alleged that there had been a breach of contract because the book had not been published.

The High Court ruled that Headline Publishing had not committed any fraud, misrepresentation, breach of contract or negligence by failing to publish the book. Due to the privacy and libel issues the book contained, Headline Publishing was entitled not to publish the book.

So all’s well that ends well – as far as the publisher is concerned anyway.

The ICO has now completed the audit and has said that Google has taken ‘reasonable steps’ to improve its privacy policies and that it has taken action in all the areas in which it had agreed to do so. The ICO has now asked Google to continue its improvements and to better inform its users of its privacy policies.

The Court of Appeal has dismissed the ex-employee’s appeal. Although Article 8 could be engaged, it did not follow that he had a reasonable expectation of privacy, particularly after his public quarrel. However, even if he had a right to privacy (which was borderline), it had to be balanced against NGN’s competing right to publication in the public interest and NGN’s Article 10 strong rights outweighed any privacy rights in this case. Of course, any allegations had to be proved and stand up to the law of defamation. In relation to any privacy rights, the Court emphasised that anyone conducting their arguments in public might find it harder to later distinguish between what was public and what was legitimately private, and this applied regardless of whether they were public figures or not.

The Regulations mean that, in basic terms, consent must be obtained from a website user before a website operator can place a cookie on the user – if a user refuses to give their consent, the cookie cannot be placed. Various means of obtaining consent have been suggested, but the ICO went for the straightforward route on its own website – a tick-box when you arrive on the website homepage telling you that, unless you give your consent, certain parts of the website will not work properly.

Under the Freedom of Information Act, a member of the public can request that certain information be disclosed by a public body. In this instance, a member of the public asked the ICO to disclose figures of who was giving their consent to the placement of the cookie. The information disclosed showed that 90% of users refused to give their consent. The cookie was a Google Analytics cookie and, as a result, 90% of users disappeared from the ICO’s analytics.

It’s easy to ignore this information – what would the ICO want this information for anyway? The importance, however, is in the fact that other websites who use cookies and have to ask for consent are likely to see a similar pattern, and those websites might use the information collected for advertising purposes – analytics for advertising may see the information they have to use drastically reduced, and many Internet businesses that rely on advertising for revenue may be operating at a handicap.

Information is key to the ongoing development of the advertising-run Internet, but also to the business that rely on the Internet for revenues, whether advertising based or not. A commercially viable option for obtaining consent to place cookies is an essential tool going forward for any Internet-dependent business.

The new law has been attacked for providing little privacy benefits to users, whilst adversely affecting their online experience and adding red tape and cost to website operators as well as potentially operating their viability with advertising revenue affected. This development will surely only add to those concerns.

The ICO has recently given website operators a one year window to comply with the new law, but has warned of action against anyone not taking appropriate steps to prepare. Meanwhile, the European Commission has now thrown down the gauntlet to industry to create industry standards by June 2012 that will create standard ways of gaining user consent to cookies. Neelie Kroes, a European Commissioner, has threatened to use all available means to protect citizens’ privacy if this does not happen. So far, only six countries (including the UK) across the European Union have implemented the new cookies opt-in law.

If you would like to discuss what options you have in order for your business to comply with the Regulations, please contact us on mark.weston@mablaw.com, paul.gershlick@mablaw.com or simon.weinberg@mablaw.com.

CCTV images can be considered as personal data, and the ICO’s action came after CCTV footage of a shopper from the website was posted on YouTube. The ICO has made it clear that such disclosure of personal data should take place only where ‘necessary’ i.e. for the purposes of crime detection, rather than just for entertainment, as it was here.

The ICO criticised Internet Eyes for not encrypting CCTV images it shared with its members, and it was also not tracking member activity meaning that it could not trace who had posted the video on YouTube. The ICO has made sure that the website has signed an undertaking to ensure encryption and sufficient tracking, and has also requested that the website not allow a member to access CCTV footage taken within a 30 mile radius of the member’s registered location, in an attempt to decrease the likelihood that those people visible in the footage are identifiable to a particular member.

His comments come as Twitter users posting the name of a footballer at the centre of anonymity orders over his private life led to the footballer being named by a Member of Parliament and then further widespread reporting of that. Battle lines have been drawn recently between celebrities and courts on one side and newspapers and social media users on the other, with Parliamentarians joining in on each side.

This case shows that some people in the personal injury industry are taking “ambulance chasing” to another level. It is one thing to take part in activity that may leave a bad taste in the mouth.  It is another to break the law when doing so.

• the necessity for data retention as provided in the Directive has not been sufficiently demonstrated;
• data retention could have been regulated in a less privacy-intrusive way;
• the Directive leaves too much scope for member states to decide on the purposes for which the data might be used, and also for establishing who can access the data and under which conditions.

The Directive provides that communications service providers must retain various communications data for a period of between six and 24 months for the purposes of investigation, detection and prosecution of serious crime. In April 2011, the European Commission reviewed the Directive, and criticised its effectiveness in a report due to the fact that it had been interpreted in different ways in different Member States, leading to inconsistency and confusion for telecoms operators.

The EDPS has called on the European Commission to consider repealing the Directive in order to harmonise data retention laws across Europe, which was the primary intention of the Directive. Data retention periods currently differ across Europe, benefitting some communications service providers but not being a disadvantage to others. Privacy lobbyists are also likely to respond well to the EDPS’s opinion as they have long argued that the blanket data retention requirement infringes a data subject’s right to privacy.

The claim for contempt was brought by the woman with whom Goodwin was alleged to have had an affair. ANL had published a pixellated photograph of the woman in The Daily Mail, and she claimed that, together with the information contained in the accompanying article, she could be identified, which was in breach of the anonymity order previously made by the High Court. The article also contained a number of statements relating to the applicant that were alleged to be false. The applicant claimed that the article and picture clearly broke the terms of the anonymity order granted to protect her.

The High Court ruled that the effect of the false information was that it might lead the public to believe that disclosing the identity of the applicant would be in the public interest. However, the High Court stated that it did not believe that a referral to the Attorney General would actually assist the Attorney General. The High Court did not refer the case to the Attorney General, but added that the applicant was free to make the referral herself.

The technology automatically recognises users in photographs where a person in the photograph has been ‘tagged’ and then applies the technology to other photographs to automatically suggest a name to tag the person in the photograph, but without the subject’s consent. The technology has been switched on but as far as the user’s privacy settings are concerned, this has been done on an ‘opt-out’ rather than ‘opt-in’ basis.

The concern stems from the fact that Facebook has not told users how the information collected by the technology will be used nor obtained prior consent, and the fact that privacy settings are not as clear as they might be. The use has been criticised by the European Union’s Article 29 Working Party, which represents the ICO and its counterparts across the EU. The ICO has suggested that users should be given more information about the technology and the ability to refuse consent to its use in relation to their profile.

In this case, C and GC had been arrested on suspicion of offences and either no charges were pressed or they were acquitted without charge. They sought judicial review against the indefinite retention of their DNA, fingerprints and photographs.

The Supreme Court has made a declaration that the retention was unlawful and contrary to the Human Rights Act. The Court did not consider it was necessary to go further and order their destruction at this stage as Parliament was already looking into amending the law. The Court added that if Parliament did not produce revised guidelines in a reasonable time, the applicants could ask for judicial review again for destruction of the data, and their claims would be likely to succeed.

Having fought the battle to the highest court in the country, the decision would hardly give the applicants what they would have wanted now, but at least it should give them some comfort that the current data retention position will not last forever.

This case can be contrasted with the injunction involving the celebrity who had maintained the order preserving his anonymity, despite a name being given under Parliamentary privilege. In this case, the person at the centre of the order actually voluntarily accepted the variation of the order.

Geo-location services involve any services related to the actual location of a particular device, and the people linked to that device. The services may be used in any number of growing ways, such as for tagging where a photograph was taken, providing useful information for users as to where a local service such as a restaurant is located, recovering lost or stolen items, identifying where children are or whether friends are nearby. Geo-location data can be gathered in a number of ways, such as through GSM base stations, GPS, WiFi and RFID readers.

The Working Party’s findings are particularly strict and may affect a range of different types of organisation, from network operators to controllers of geo-location infrastructure (such as WiFi access points), to application providers, through to social networking sites that provide location-based functionality for mobile devices. The Article 29 Working Party’s opinion is not legally binding, but it is best practice to do so as it is the body of the European Union’s data protection regulators and so it strongly indicates how the regulators will interpret compliance with data protection legislation.

Viviane Reding was speaking in response to several recent high profile data breaches, such as that by Sony in relation to its PlayStation Network, which affected 100 millions users. She criticised the delay of seven days before users were told of the Sony breach and she said notification of data loss should be immediate.

She added that all companies, even those outside the European Union, should comply with EU data protection laws if they target users based in the EU.

Details of the ruling can be found here: http://www.pcc.org.uk/news/index.html?article=NzEyMA.

The Act has been controversial ever since it was passed in early 2010, when it was rushed through Parliament so that it would become law before the General Election. BT and TalkTalk initially took action as they believed the Act did not comply with European Union Directives on e-commerce and privacy, and that it lacked proportionality. They have argued that the law would require them to restrict or suspend a customer’s Internet access even if someone else from outside that customer’s household, for whom the customer was not responsible, was using that customer’s Internet connection for file-sharing.

In the Max Mosley case against News Group Newspapers in 2008, Mr Justice Eady refused to grant an injunction to protect Mosley’s privacy as the video involving his sexual exploits had already been viewed about one million times on the Internet. He warned at the time that the court should “guard against slipping into playing the role of King Canute” and there could come a point at which privacy orders would not serve a useful purpose. In this latest case, it seems that the same judge is now playing King Canute out of his own defiance towards the civil defiance. He has justified the distinction on the basis that the Mosley video had already been viewed by so many people at the time of the application for the order. The differentiation seems tenuous, as he has now described the benefits of providing some protection from intrusion even if the information had been discussed openly by many.

We have come a long way since the courts filled an essential hole by developing the law of privacy out of the birth of the Human Rights Act to protect genuine cases of innocent people whose privacy was clearly violated – for example, when Gorden Kaye, the ‘Allo ‘Allo star, was subjected to gross invasions of his privacy by the press invading his hospital ward as he was recovering from a nasty accident during the Great Storm of 1987.  Genuine privacy needs to be protected, but politicians now feel things have gone too far as judges are routinely using the law to stop the press from being able to report about so much.  Where does it end?

Well Parliament could take a stand by changing the law if they are not happy with the balance currently being struck.  The Human Rights Act derives from the European Convention on Human Rights, but that legislation is not a condition of our membership of the European Union.  So if Parliament feels that the judges’ development of the Human Rights Act has gone in the wrong direction, they could pass a law clarifying how they expect the Act to be interpreted.  Or alternatively, they could repeal and replace the Act with another Act.  But very few people believe that the role of politicians should be to use Parliamentary privilege – which is a rule that allows Parliamentarians freedom to say what they want within Parliament without fear of being hauled before the courts – in total disregard for the court order as the way to name the Premier League footballer worshipped by many who has been at the centre of one of the super-injunctions.

Nevertheless, the position has become ridiculous when the newspapers are unable to report a story that is being repeated and discussed openly by many on Internet message boards and on social networking sites such as Twitter. The position took an interesting turn when the footballer obtained a High Court order against Twitter to reveal the name of the person tweeting his details.  The trouble with that was enforcement – Twitter is based in California and it is questionable whether the order would be enforced.

So when the Internet seems to be a bit of a lawless wild west over what is said there, it all seems a bit pointless stopping the traditional press from reporting on things that other people are freely talking about.  And the row over the super-injunctions and interest over who may be at the centre of them has led to far more publicity than the stars had been intending to suppress.

It is clear that the rules of the game need changing before this particular law looks any more out of touch.

The change reflects EU legislative changes, but after considering the issue over the last couple of years, the Government has suddenly given website operators the news that they had been dreading just before the 26 May deadline: it will not be enough to obtain consent automatically on a general basis through their users’ browsers; other steps will be needed.

This has led to concerns as to how it will affect the user-friendliness of sites. But the law is clear – consent is needed. How to show consent is not clearly set out in the new law. The Information Commissioner’s Office has provided some guidance with suggestions. The type of consent the user must give will vary according to what the cookie contains, at what point in the process it is placed and also according to what the user may already have agreed to.  See here. However, the guidance does not give totally definitive answers.

We have already been advising clients on how to comply with this new law and have come up with some practical suggestions of our own. If you would like to obtain our advice, please contact us on mark.weston@mablaw.com or paul.gershlick@mablaw.com.

UPDATED 26 May: The Information Commissioner stated on 25 May, the day before the law comes into force, that although the law will still come into force on 26 May, his office will not take enforcement action for the first year following implementation against a site not obtaining consent to its use of cookies, provided that the site still provides clear information on the cookies used and it uses a brower-led solution by 25 May 2012.  In the meantime, the Commissioner will be working with Internet browser providers to find a technical solution so that browser-led consent can be provided within that timeframe. 

If websites can obtain consent through other means in the meantime, that would still be preferable, particularly as some people may not access a website through a browser and they would still need to give consent to cookies.

The ECHR ruled that, under the European Convention on Human Rights, the media was not obligated to give any such prior notice. The ECHR went on to say that someone’s right to privacy was protected by access to the courts to claim damages and the ability to obtain an interim injunction. In any event, if pre-notification was to be imposed on the media, the media would have to be allowed a ‘public interest’ exception which would give the media the opportunity to publish whatever they wanted provided they could support their claim that it was in the public interest. Pre-notification would have to be enforced with a fining system, in which case the media could always decide to publish a story in the belief that the benefits of publishing outweighed the impact of a fine. Therefore, the ECHR stated that even if a failure to obtain pre-clearance was an infringement of someone’s human rights (which they did not consider to be the case), any notification system would have serious pitfalls anyway which may render it practically useless.

Max Mosley has the right to appeal but it is, as yet, unclear whether he will do so. He may just have to accept that he has lost this particular race.

The survey can be found here: http://www2.lse.ac.uk/media@lse/research/EUKidsOnline/ShortSNS.pdf.

As part of the reforms, the ICO will also be given greater investigatory powers, under which the ICO will be able to demand information from Internet service provides (ISPs) and telecommunications companies to assist with investigations into possible breaches of the Regulations. The ICO will also be able to audit ISPs and telecommunications companies to ensure that they assist the ICO in these investigations.

The IABE guidelines can be found here: http://www.iabeurope.eu/media/51094/iab%20europe%20self%20regulation%20for%20online%20behavioural%20advertising%20140411%20f.pdf.

The main change implemented by the EU Directives will be in relation to the use of cookies – small text files placed in users’ browsers by websites to track their movements on the Internet. Websites will need to obtain a user’s permission before a cookie can be used. It had been hoped that it would be possible to use browser settings to meet the EU requirements, but the Government has suggested that consent through current browser settings would not be explicit enough. The Government is in discussions with browser manufacturers to see how browser settings can be enhanced to comply with the EU laws and give the explicit consent that is required.

However, the enhancements are unlikely to be active by 25 May. In the meantime, the Government has said that websites must self-regulate to ensure compliance with EU laws through easily available and recognisable icons on the website, privacy notices and clear explanations of adverts, their origins and an option to reject the cookie. The Government has not yet given prescriptive guidance as to how websites should self-regulate to comply with the new law, but that it intends to release the guidance before 25 May that will help. However, this may leave website owners with little time to understand and comply with the guidance by 25 May. Website owners should watch this space carefully, and be prepared to take urgent compliance steps to avoid enforcement action, so that they obtain users’ consent in accordance with the new laws.

Once the guidance has been released, we will be more than happy to help website owners with this compliance – please contact us for specific advice.

Whilst the Court of Appeal did not disagree with the High Court’s conclusions on that, it said that the male celebrity’s teenage children’s privacy rights tipped the balance in favour of privacy rather than publication. Children’s rights would be a primary consideration, although would not always act as a trump card if there was sufficient public interest justifying publication. However, this was not such a case. The public interest in reading about the story would not be so great as to warrant the children’s embarrassment and playground bullying that would inevitably follow.

The RFU applied to the High Court for a “Norwich Pharmacal order” to be made against Viagogo – a court order that requires the disclosure of certain documents by the respondent to the applicant, including details of third parties against whom the applicant may have a legal claim. In this case, RFU wanted Viagogo to disclose personal data of those who advertised or sold tickets on its website in order to seek redress against wrongdoing.

The High Court granted the order, ruling that the RFU was genuinely seeking redress for the alleged wrongdoing. Viagogo had argued that the RFU was actually trying to damage Viagogo’s business, but this was rejected by the High Court. The High Court justified the grant of the order on the grounds that there was no straightforward or alternative means for the RFU to obtain the information in order to take action. Whilst the High Court took into account the provisions of Viagogo’s privacy policy, the High Court ruled that it was not breached by the order.

The High Court refused to grant the order. The judge dismissed the comments as no more than ‘pub talk’ and it was fanciful to suggest that a reasonable reader would take them in any other way. It was also worth noting that the short uninformed comments should be seen in context at the end of an article that she had described as excellent, and there was nothing to suggest that the comments were part of a concerted campaign against her. In addition, they had only been discovered about a year after the original article. The newspaper’s published privacy policy would also need to be considered. Taking everything into account, the judge noted that the posters’ rights to privacy were engaged under the Human Rights Act 1998 and in the particular circumstances it would have been disproportionate to have granted the application.