Personal data is a concept we all know but we all seem to have different interpretations of. What exactly does it mean? And how does the law interpret it? The UK court, for the first time, was asked to determine the interpretation of the meaning of “personal data” as a preliminary issue in a data protection case, without related defamation claims.
Background
This High Court case involves two former senior executives of the XIO Group who were suing the Wall Street Journal for data protection violations related to them seeking the removal of two articles published in 2017 and 2018.
The first article detailed a civil claim by Chinese billionaire Xie Zhikun, who accused the executives of conspiring to defraud him of nearly $1 billion. The second article questioned the transparency of XIO’s acquisition of JD Power. The claimants argue that the articles contain misleading personal data that harms their reputations and affects their ability to secure funding for their investment business.
They also assert that the continued publication of the articles breaches UK GDPR and the Data Protection Act 2018, and are seeking damages. The court has rejected the defendant’s argument that the claim is a disguised defamation case and will hold a hearing to address two preliminary issues: the nature of the personal data in the articles and whether it constitutes criminal offence data under EU regulations.
Legal Framework and Court’s Decision
The court applied the approach in the case NT1 v Google LLC [2018] EWHC 799 (QB), utilised the ‘single meaning rule’ to determine the meaning of the data, and the ‘repetition rule’, which is an established principle in defamation law, to assess the inference meaning.
The Court stressed that it should be applied in the consideration of data protection claims to interpret law consistently and fairly. In the judgement, the court clarified the interpretation of personal data, concluding that the news articles implied that Xie Zhikun had initiated a civil lawsuit against XIO executives for conspiracy to defraud him, and that one of the claimants was receiving undisclosed profits from the alleged fraud.
The court then considered ‘criminal offence data’ under the UK GDPR and in accordance with Article 10 of Assimilated Regulation (EU) 2016/679, It found that the articles reported allegations from civil proceedings, indicating that the true situation was unclear. As a result, the court ruled that the personal data of the claimants did not qualify as ‘criminal offence data’ under Article 10, meaning the stricter protections for processing such data under the UK GDPR were not applicable. This decision clarifies the limits of what constitutes ‘relating to’ criminal convictions or offenses.
Conclusion
The implication of this judgement is profound: it establishes a way for claimants to pursue data protection claims to address reputational harm without needing to demonstrate ‘serious harm’ as required by the Defamation Act 2013. However, this also poses risks as it may allow personal data claims to bypass the stricter defamation law requirements, potentially undermining freedom of expression. Publication of public interest with unproven criminal allegations or settled civil cases will need to be justified, as failure to do so may lead to personal data claims even after defamation claim limitations have expired.
Have questions? Get in touch today!
Call us on 020 7928 0276, we will be taking calls from 9:30am to 6:00pm.
Email us on info@lisaslaw.co.uk.
Use the Ask Lisa function on our website. Simply enter your details and leave a message, we will get right back to you: https://lisaslaw.co.uk/ask-question/
For more updates, follow us on our social media platforms! You can find them all on our Linktree right here.
