I. INTRODUCTION TO DATA PROTECTION AND PRIVACY
Table of Contents
The need for a law of privacy 1–001
Developments in information technology 1–012
Legislative history 1–020
The Younger Report 1–026
The Lindop Report 1–027
European Convention on Data Protection 1–031
Data Protection Act 1984 1–034
EU Data Protection Directive 95/46/EC and the Data Protection Act 1998 1–036
Defamation and malicious falsehood 1–040
Data protection 1–044
Freedom of information 1–045
Interception of communications 1–046
Human rights 1–048
Reports and Reviews into the development of law as to privacy 1–049
Council of Europe 1–050
Younger Report 1–051
McGregor Report 1–052
Lindop Committee 1–053
Calcutt Report 1–054
The law of confidence and its development 1–056
The impact of Douglas v Hello! Limited 1–057
Distinguishing breach of confidence from privacy 1–058
Expanding breach of confidence 1–059
Douglas II 1–060
Campbell v MGN 1–061
Private life 1–063
Necessary and proportionate 1–064
Real and serious risk 1–065
Freedom of expression 1–066
The ultimate balancing test 1–067
Public interest 1–068
The European perspective 1–070
The horizontal effect 1–071
Court discretion 1–072
Human Rights Act not limited to vertical cases 1–073
Ústerreichischer Rundfunk 1–074
Passenger Name Records (“PNR”) 1–080
I. INTRODUCTION TO DATA PROTECTION AND PRIVACY
(Privacy sections contributed by John Cooper)
The need for a law of privacy
“I have no hesitation in saying that in my judgment the defendants in publishing the advertisement in question,
without first obtaining Mr Tolley’s consent, acted in a manner inconsistent with the decencies of life and in so doing
they were guilty of an act for which there ought to be a legal remedy.” This quotation from the judgment of Green
L.J. in the Court of Appeal in Tolley v Fry 1 illustrates the intuitive sense of injustice which an invasion of privacy
provokes. Fry, the chocolate manufacturer, had published a lighthearted advertisement incorporating a likeness of
Tolley, an amateur golfer, without Tolley’s consent. Tolley sued but was successful only on the ground of defamation
because the publication carried an innuendo that he had received a fee for the use of his name and likeness, thus
impugning his status as an amateur golfer. Tolley’s complaint had been that use of his likeness without his consent was
actionable, as an invasion of his privacy or personalty. French law, and the law of some states within the United States
based on the wrongful appropriation of personalty for the purposes of trade, 2 provide remedies in such circumstances,
but until 1998 English law did not recognise a general right of privacy as such. 3
On October 2, 2000 the Human Rights Act 1998 came into force, so giving statutory recognition in the United
Kingdom to the European Convention on Human Rights, Art.8 of which provides a right to respect for private and
family life. In Douglas and Others v Hello! Ltd 4 the Court of Appeal (per Sedley L.J.) said that the law recognises and
will appropriately protect a right of privacy. However, in B & C v A 5 the Court of Appeal, after considering the
conflicting rights to privacy under Art.8 of the European Convention on Human Rights and the right to freedom of
expression under Art.10 of the Convention, with s.12 of the Human Rights Act 1998, referred to and affirmed the
principle stated in Kaye v Robertson that no free-standing right to privacy subsists under English law. This principle
has been confirmed by the House of Lords in Wainwright v Home Office, 6 where Lord Hoffman described privacy as a
value of a kind which underlies the existence of a rule of law, and which may point the direction in which the law itself
should develop, rather than a principle of law in itself.
Between 1961 and 1984, the absence from English law of a right of privacy, described by Judge Cooley in the
United States in 1888 as “the right to be let alone”, provoked a series of no less than seven parliamentary bills, two
parliamentary reports and two White Papers on the subject of privacy and its derivative, data protection, as well as a
Law Commission working paper and draft bill on the law of confidence. This activity culminated in the enactment of
the Data Protection Act 1984, a limited but innovative essay in
the development of that branch of the law of privacy which is concerned with the rights of individuals over information
which relates to them and which is processed automatically by third parties. The 1984 Act was followed by the Access
to Personal Files Act 1987, which gave the Secretary of State power to make regulations for access to, and rectification
of, certain personal information, including manual records, held by local housing and social services authorities, and by
the Access to Medical Reports Act 1988 and the Access to Health Records Act 1990. See Part 2 (paras 2–172 to 2–234
1  A.C. 333.
2 A common law “right of publicity” has been recognised in the United States, protecting well-known performers and others
from unauthorised use of their names and likenesses, see Midler v Ford 849 F. 2d 410 (9th. Circuit, 1988).
3 Kaye v Robertson  F.S.R. 62, CA. But see Lord Scarman’s judgment in Morris v Beardmore  A.C. 446 and
The Times, March 7, 1995, p.35.
4  All E.R. 289.
5  EWCA Civ 337.
6  UKHL 53, and see para.1–046, below.
below) for copies of these statutes and Part 3 (para.3–001) for copies of secondary legislation under the Data Protection
Act 1984 and these statutes.
The Data Protection Act 1984 was repealed in its entirety when the Data Protection Act 1998 was brought into force.
The 1998 Act also repealed the Access to Personal Files Act 1987 in its entirety and made partial repeals of a number of
other statutes, including the Access to Health Records Act 1990, referred to above. 7 The 1998 Act received the Royal
Assent on July 16, 1998, and a commencement order became effective on March 1, 2000. A copy of the 1998 Act is
provided in Part 2 (at paras 2–263 to 2–463) below. Although neither the 1984 Act nor the 1998 Act make any
reference to the term “privacy”, the Council of Europe Convention for the Protection of Human Rights and
Fundamental Freedoms of 1953 (Treaty No. 71), to which the United Kingdom is a signatory, provides (Art.8) that
“everyone has the right to respect for his private and family life, his home and his correspondence”, and that “there shall
be no interference by a public authority with the exercise of this right except such as is in accordance with the law and
is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the
country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights
and freedoms of others” (see para.7–001 below). The Human Rights Act 1998, which was enacted on November 9,
1998 and came into force on October 2, 2000, gave effect in the United Kingdom to the rights and freedoms guaranteed
under the Convention, including the Art.8 rights referred to above, and require a court or tribunal determining a
question which has arisen with any such Convention right to take into account judgments, decisions, declarations and
advisory opinions of the European Court of Human Rights. A copy of the Human Rights Act 1998 is provided at
para.2–464 below, and see para.1–060 below.
The concept of privacy as a basic human right is well recognised, but difficult to define. Privacy means different
things to different people and has facets which can impact on other basic rights. Most significantly, the concept of
privacy in relation to information conflicts with the concepts of freedom of speech and freedom of information. As
copyright is a negative right to prevent copying and certain other restricted acts, privacy is seen as a negative right not
to be intruded upon. But a right not to be intruded upon by the press and television conflicts with the freedom of the
press and the right of the public to be informed. The conflict between the right to privacy and the right to freedom of
expression was considered, in the context of publication in the press of photographs taken secretly at a wedding, by the
Court of Appeal in Douglas and Others v Hello! Ltd (see above) and in B & C v A. This latter decision confirmed the
Court of Appeal’s earlier judgment in Kaye v Robertson 8 that English law does not recognise a free-standing right to
privacy. In[NEXT TEXT PAGE IS 1025]
7 See Data Protection Act 1998, Sch.16.
8  F.S.R. 62, CA.
Wainwright v Home Office 9 in the House of Lords Kaye v Robertson has been further endorsed by Lord Hoffman who
described privacy as a value which underlies the existence of a rule of law rather than a principle of the law itself.
In 1972 the Younger Report on Privacy (Cmnd 5012 at p.10) described the right of privacy as having two main
(a)freedom from intrusion upon oneself, one’s home, family and relationships;
(b)privacy of information, that is the right to determine for oneself how and to what extent information about oneself
should be communicated to others. Having categorised privacy into its physical or quasi-physical forms and its
information-related forms, Younger concluded that a general right of privacy could only be stated by statute in wide
terms, leaving it to the courts to develop a general policy through particular decisions. It was recognised that this slow
process would be at risk of failing to reflect the current views of contemporary society in an area in which rapid change
In 1990, the Report of a Committee on Privacy and Related Matters, chaired by David (now Sir David) Calcutt Q.C.,
was laid before Parliament and concluded that an overwhelming case for introducing a statutory tort of infringement of
privacy had not so far been made out 10 : but the Report also concluded that it would be possible to define such a
statutory tort. 11 In his subsequent Review of Press Regulation, published in January 1993, Sir David Calcutt
recommended that the Government should now give further consideration to the introduction of a new tort of
infringement of privacy. 12 In response to this recommendation the Lord Chancellor’s Department and the Scottish
Office issued a Consultation Paper on Infringement of Privacy inviting comment on the suggestion that a new civil
wrong be introduced, and setting out issues for consideration. 13 Although both Younger and initially Calcutt felt
unable to recommend the recognition by statute of a general right of privacy, the informational aspects of privacy and in
particular the problems of breach of confidence, eavesdropping, technical surveillance and the use of computers to
handle personal information were identified by Younger as areas where existing law should be extended and new laws
should be introduced. 14 Calcutt made recommendations directed primarily at the press, including restrictions on press
reporting, the introduction of a right of reply, the strengthening of self-regulation of the press and establishment of a
Press Complaints Commission. Notwithstanding Calcutt’s recommendation, there was no further attempt to introduce a
general right of privacy into English law until enactment of the Human Rights Act 1998.
EU Directive 95/46 EC concerning the protection of individuals in relation to the processing of personal data was
adopted on October 24, 1995 and provided for the extension of Community data protection regulation, including a
subject access right, to any set of personal data which were structured and accessible in an organised collection
according to specific criteria. This Directive required the United Kingdom to extend data protection to manual files and
records, and was transposed into UK law by the Data Protection Act 1998. The original proposal for a Directive was
welcomed, with reservations, by the Select Committee appointed by the House of Lords to consider European
Community proposals. The Committee’s report acknowledged that the right of privacy is a matter of concern to the
twentieth century. 15
The importance of informational privacy has grown with the widening use of computers. Younger noted that,
according to a computer survey for March/April 1981, the total number of computers in use or on order in the United
Kingdom for all purposes in April 1971 was 6,075. Of these, it was estimated that only about 4,800 had any
implications for privacy. By contrast, the Data Protection Commissioner (“the Commissioner”) estimated in June 1995
that at least 500,000 data users were obliged to register under the Data Protection Act 1984. In June 1999 the
9  UKHL 53.
10 Cm. 1102 (1990), para.12.5.
11 Cm. 1102 (1990), para.12.17.
12 Cm. 2135 (1990). Recommendation 3 and para.7.420.
13 Lord Chancellor’s Department, July 1993.
14 See para.7–937, below.
15 Protection of Personal Data: Report of the Select Committee on the European Communities. HL. Paper 75–1, March 1993.
See para.4A–099, below.
Commissioner reported 16 229,693 entries on the Register, relating to 188,584 data users. This scale of increase in
computer usage would have been difficult to predict when the Younger Report was published in 1972. Since then, the
older and narrower concept of electronic data processing which was largely related to the management of accounting
and other numerically-based records has been extended into the wider field of information processing. In consequence,
informatics and information technology have become significantly more important as disciplines, as industries in their
own right and as services to commerce and industry. Just as escalation of the use of office copiers, computer programs
and databases have highlighted shortcomings in the law of copyright, so the widespread use of computers and data
communications has increased public awareness of their implications for privacy.
Younger reported that less than 1 per cent of those interviewed in the Committee’s survey of public attitudes to
privacy had said that their privacy had been invaded by means of a computer or databank and that, whatever fears there
may have been at that time that informational privacy would be compromised by the use of computers, there was no
evidence to suggest any then current risk. Nevertheless, 87 per cent of those interviewed during the Younger survey
said that they would regard details of their private lives being recorded on a big central computer, with any of the
information being available to anyone who asked for it, as an invasion of privacy and 85 per cent thought that such a
possibility should be prohibited by law. If public concerns of this kind were to have caused a boycotting of computers
or the imposition of rules of law which might compromise their use or impose unreasonable restraints on their users,
both those dependent on computer usage and the information technology industry itself could have been adversely
affected and the economic advantages available from widening the use of computers throughout the economy
compromised. The result of failure to react sensitively to public concern, or in the alternative of an inappropriate or
excessive reaction, could have been serious and widespread. In view of the public attitudes disclosed by Younger’s
survey, the existing pressures for change in the law could not have been safely ignored. In the event, these pressures
continued, and in addition to pressures at home, the United Kingdom became a signatory to the Council of Europe’s
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (see para.1–011
below). The enactment of the Data Protection Act 1984 was thus the combined result of domestic pressures for change
and the United Kingdom’s treaty obligations flowing from its ratification of the Council of Europe Convention (see
paras 1–013 and 7–161, below).
The adoption in 1995 of EU Directive 95/46 EC on the protection of individuals with regard to the processing of
personal data and on the free movement of such data 17 required the UK to transpose the Directive into UK law not later
than October 24, 1998. A paper setting out the Government’s proposals was published in July 1997. 18 In addition, the
Government stated its intention of incorporating the European Convention on Human Rights into UK law. 19 This was
achieved by enactment of the Human Rights Act 1998, which came into force on October 2, 2000. 20 This Act
‘‘brought home’’ to the UK the Convention rights established by the European Convention on Human Rights (the
‘‘ECHR’’), which are set out in Sch.1 to the Act. These rights include:
a right to respect for private and family life; and
a right to freedom of expression.
In each case, these rights are subject to qualifications which include requiring the protection of the rights and freedoms
of others, so that both rights are potentially in conflict with one another. Broadly, the right to freedom of expression
will prevail where it is in the public interest that it should do so. Section 2 of the Act requires a court or tribunal
determining a question which has arisen in connection with a Convention right to take into account judgments,
decisions, declarations and advisory opinions of the European Commission of Human Rights, and certain other
decisions taken under provisions of the Convention. Section 3 of the Act requires that, so far as it is possible to do so,
UK primary and subordinate legislation shall be read and given effect in a way which is compatible with the
Convention rights. Section 12, relating to freedom of expression, applies if a court is considering whether to grant any
relief which, if granted, might affect the exercise of the Convention right to freedom of expression. Any such court
must have particular regard to the importance of the right to freedom of expression, and there are provisions set out in
the section where the proceedings relate to material which the respondent claims, or which appears to the court, to be
journalistic, literary or artistic material to the extent to which the material has, or is about to, become available to the
public or the extent to which it is, or would be, in the public interest for the material to be published.
Developments in information technology
16 Fifteenth Report of the Data Protection Commissioner (June 1999) (see para.4–2605, below).
17 See para.7–937, below.
18 See Data Protection: the Government’s Proposals at para.4A–438, below.
19 See para.7–001, below.
20 See para.2–464, below.
Since the publication of the Younger Report in July, 1972 there have been dramatic changes in information and
communications technology. These changes have created new capabilities and markets for information processing and
for access to information. It has become possible for large volumes of information to be transferred internationally and
to be interrogated selectively by public authorities, private businesses and individuals at costs which are continuing to
fall. The necessary equipment continues to fall in price at an annual rate of about 30 per cent, computing skills have
become more widely spread, and database services are aggressively marketed. The boom in home micro-computers in
1980s has developed into an equivalent boom in small business systems. The older concept of stand-alone computer
installations is giving way to clusters and networks of machines which can be used as readily as the telephone to access
each other and to access remote databases through the public telephone network. Digital telephone networks and
exchanges, now replacing older analogue telephone systems, are able to handle high volume flows of digitised
information as easily as telephone conversations. Computer-generated messages represented by a flow of digitised
electrical charges are as transportable as human conversation but can carry meaning and intelligence in greatly
increased volumes and with greater accuracy. The Internet, and intranets based on its infrastructure, provide cheap, fast,
high volume global transmission of digitised data, much of which is regulated under a variety of national laws but is in
practice at present incapable of effective control by governments or regulations. The individual commercial manager’s
workstation, and the private subscriber’s home computer both link with databases all over the world, so that personal
information held on such databases is at risk of transfer to and access from countries and people who, in earlier years,
would have found access impracticable even if they had been aware of the information’s existence. The market in
databases for selling goods and services, and for credit referencing, continues to grow in size, value and importance. In
1989 the European Commission estimated the worldwide turnover for on-line databases and real-time information
services at 8.5 billion ECU, with a share of 2 billion ECU for Europe. 21
Less acceptable uses of information technology have also emerged. Briefcases containing hidden tape recorders,
miniaturised self-activating radio transmitters and directional microphones have made technological eavesdropping
easier. Devices hidden in cases in the highway can pick up, record and interpret the electronic impulses generated from
adjoining buildings by office word processors. Hackers access networks and can intercept and corrupt electronic
messages. Once intercepted, confidential information in the wrong hands can be used and passed as readily as any other
information. Encryption devices have made the wrongful use of transmitted information less likely, but not impossible.
Electronic forgery of a message is more difficult to detect than manual forgery. Technology has not yet made generally
available a cheap and certain way of identifying an individual accessing a network, and even if an individual user is
correctly identified, the misuse of a computer keyboard to send an unauthorised message is not as obviously a form of
forgery as a signature on a written document. However, in R. v Bow Street Metropolitan Stipendiary Magistrate Ex p.
Government of the United States of America, the Court of Appeal held, reversing a decision of the Divisional Court and
the decision in Director of Public Prosecutions v Bignall, 22 that to secure unauthorised access of the American Express
computer system by causing a computer to enable such access was an offence under s.1 of the Computer Misuse Act
1990 even though the person operating the computer had authority to use it for other purposes. While automated teller
machines in banks and electronic funds transfer at point of sale (EFT-POS) terminals in retail shops are convenient for
banks, traders and their customers, such devices present opportunities for fraudulent abuse. 23
Packet switching, a method of transmitting non-voice messages by telephone, has increased the speed and reduced
the cost of data transmission. Widening use of the internet, fibre optics and satellites is having a similar effect.
Increasing use of data communications provides new opportunities for “electronic burglary” by hacking and the
unauthorised extraction of confidential information. Once a database is connected to a network, the risk of wrongful
access is heightened and the need for security increases. 24 In recognition of this risk new criminal offences of
unauthorised access to, and unauthorised modification of, computer material were created by the Computer Misuse Act
21 Proposal for a Council Directive on the legal protection of databases:  O.J. C156/4.
22 See para.6–643, below.
23 See Banking Services: Law and Practice. Report by the Review Committee under the chairmanship of Professor R. B.
Jack, February, 1989. Cmnd. 622.
24 See Law Commission Report, No. 186 on Computer Misuse, Cmnd. 819 (1989).
In his Ninth report in June 1993 the Commissioner expressed concern about the existence of a market in personal
data, and in particular third parties gaining unauthorised access to individuals’ bank accounts. In March 1994, Earl
Ferrers, Minister of State at the Home Office, stated in the House of Lords the Government’s intention to seek
legislation to make it an offence to obtain unauthorised access to personal data by deception. The Criminal Justice and
Public Order Act 1994 25 created new offences by a person who procures disclosure to him of personal information
knowing or having reason to believe that the disclosure will be in contravention of subss.(2) or (3) of s.5 of the Data
Protection Act 1984, or who sells or offers to sell information the disclosure of which has been so procured. 26 These
offences have been re-cast and repeated in the Data Protection Act 1998. 27
The Commissioner’s Twelfth Report 28 recognised the effects of further technological change in relation to Electronic
Data Interchange (EDI), cryptography, electronic government involving the transfer of personal data between
government departments, and the development of information superhighways including the internet. The Report
included a paper on the protection of personal data in an electronic data interchange environment, and a hopeful
reference to privacy enhancing technologies (PETs) which can be used to protect rather than to erode privacy. The
Thirteenth Report 29 included an appendix on the use of PETs and suppression markers on internet addresses, and a
response by the Commissioner to the Government’s public consultation paper on detailed proposals for legislation on
the licensing of trusted third parties for the provision of encryption services. 30 The Fifteenth Report contained as an
Appendix 31 a Memorandum of the Data Protection Commissioner submitted to the Select Committee on Trade and
Industry on Electronic Commerce, which drew attention to the surreptitious collection of personal information as a
result of electronic transactions, the increased security risks from electronic trading, and issues relating to lawful access
by law enforcement agencies to encrypted and unencrypted information provided or created as a result of electronic
In her Fourteenth Report 32 in June 1998, the Commissioner highlighted the use of automated dialling systems to
generate unsolicited marketing faxes. This raised a particular concern for the Commissioner as the sender of the fax had
no information from which it could identify the recipient, and therefore personal data were not processed. The
Telecommunications Data Protection Directive, 33 transposed into UK law by the Telecommunications (Data Protection
and Privacy) Regulations 1999 34 has now been replaced by Directive 2002/58 on Privacy and Electronic
Communication. 35 This latter Directive has been transposed into UK law by the Privacy and Electronic
Communications (EC Directive) Regulations 2003 which came into force on December 11, 2003. 36
The Fourteenth Report also highlighted the increasing prominence of CCTV surveillance. The Commissioner
produced a Guidance Note to help ensure the operation of CCTV schemes is within the terms of the Data Protection Act
1984, 37 and the First Report, published in July 2000, included a Commissioner’s Code of Practice on CCTV. 38 In the
Fourteenth Report the Commissioner warned against the introduction of “look-up” services in the United Kingdom. The
Commissioner noted that these services were already well established in the United States. The services bring together
extensive collections of personal data about individuals and make them available to any person on payment of a fee.
The concern is that the collection is only partial and is not as accurate as an official record. The Commissioner also
26 See para.1–279, below and Eleventh Report (at para.4–972) and Appendix 5 (para.4–1001, below).
27 1998 Act, s.55.
28 See para.A4–1489, below.
29 See para.4–1863, below and the Commissioner’s Guidance on registration for internet users (April 1997): see para.A4–
30 URN97/669 DTI.
31 Fifteenth Report, Appendix 7 at p.104. See paras 4–2572 et seq., below.
32 See para.A4–2022, below.
33 Dir.97/66  O.J. L24/1.
34 SI 1999/2093.
35  O.J. L201/37. See para.7–2285 below.
36 See para.3–535 below.
37 See para.A4–414/247, below.
38 See para.5–600, below.
gave further examples of new databases which might pose a threat to privacy, including a proposal by insurance
companies to set up a database of insured drivers, to be made available to the police at the roadside.
The Fifteenth Report 39 referred to other surveillance concerns, including proposals for the development of a Road
User Charging System. This system is at an early stage of development and, says the Commissioner, raises data
protection and privacy issues leading to fears of encroaching surveillance. Against this background of accelerating
growth in the technology and its use and abuse, Younger’s distinction between physical privacy and informational
privacy takes on a new significance. The opportunities for physical intrusion have, in general, remained constant.
Conversely, the opportunities for, and categories of, abuse of informational privacy have magnified and are continuing
to grow at a rate which Younger would have found difficult to predict.
The United Kingdom is a party to the Universal Declaration of Human Rights and the European Convention for the
Protection of Human Rights and Fundamental Freedoms. Article 12 of the Universal Declaration provides that “No one
shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his
honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Other
general references to privacy are contained in the European Convention, but as is usual in international treaties of this
kind, the definition and implementation of a right to privacy is left to individual legislatures. 40
The United Kingdom is also a party to the Council of Europe Convention for the Protection of Human Rights and
Fundamental Freedoms, signed in Rome on November 4, 1950. 41 Art.8 of the Convention provides that “everyone has
the right to respect for his private and family life, his home and his correspondence”. The United Kingdom ratified this
Convention on March 8, 1951, and its terms have been transposed directly into United Kingdom law by the Human
Rights Act 1998. 42 In June 1997, the European Court of Human Rights, established under the Convention, held that
Alison Halford, a former Assistant Chief Constable of Merseyside, had had her telephone calls at work intercepted in
breach of her rights under the Convention. She had had a reasonable expectation of privacy in making and receiving
telephone calls at work, and there was no evidence she had been warned that her calls might be intercepted. No warrant
for tapping calls had been required under existing United Kingdom law because the calls concerned involved an internal
telephone system outside the scope of the Interception of Communications Act 1985. The monitoring had not been
occasional to prevent abuse, or for other justifiable cause. The European Court held that, since Miss Halford had not
been warned about the tapping of her telephone, there had been a breach of Art.8 of the Convention.
Mr Alexander Lyon’s Bill published in February 1967 was intended to protect a person from any unreasonable and
serious interference with his seclusion of himself, his family and his property from the public. The Bill proposed a
general right to preserve seclusion, which was not defined but the infringement of which was to be extended to include
written, spoken and visual publications in a speech, newspaper, periodical, book or broadcast. Any of these
infringements was to give rise to a cause of action but it was to be a defence to show that the infringement was
reasonably necessary to comment fairly upon a subject of reasonable public interest in which the plaintiff, his family or
property were directly involved.
Mr Brian Walden’s Bill to “establish a right of privacy, to make consequential amendments to the law of evidence
and for connected purposes” and published in November 1969 proposed that any substantial or unreasonable
infringement of a right of privacy should be actionable. “Right of privacy” was to be defined as the right of any person
to be protected from intrusion upon himself, his name, his family, his relationships and communications with others, his
property and his business affairs. “Intrusion” was to include the unauthorised use or disclosure of facts (including the
39 See para.4–2430, below.
40 In his 1989 Review (Part B of his Fifth Report, para.251) the Commissioner has identified a conflict between the Universal
Declaration’s requirement for privacy in relation to correspondence and the subject access right under s.21 of the Data Protection Act
1984. He suggests that more consideration be given to the problem.
41 See para.7–0001 et seq., below.
42 See para.1–060, below. The text of the Human Rights Act 1998, which came fully into force on October 2, 2000, is set out
at para.2–464, below.
plaintiff’s name, identity or likeness) calculated to cause him distress, annoyance or embarrassment, or to place him in a
In 1969, Mr Kenneth Baker proposed a Data Surveillance Bill, in 1971 Mr Leslie Huckfield proposed a Control of
Personal Information Bill, and Lord Mancroft’s Bill, published in February 1971, was an attempt to introduce a general
law of informational privacy. This latter Bill’s objective, as stated in its explanatory memorandum, was to give every
individual such further protection against invasion of his privacy as may be desirable for the maintenance of human
dignity while protecting the right of the public to be kept informed in all matters in which the public may be reasonably
concerned. The Bill was information-related, and proposed to give a right of action to any person about whom words
were published in a newspaper, film or broadcast relating to his personal affairs or conduct if the publication was
calculated to cause him distress or embarrassment. The publisher was to have a good defence if, amongst other
circumstances, he could show that the matter published was the subject of reasonable public interest. The concept of
justifiable public interest, as opposed to unjustifiable public curiosity, has some appeal but Younger pointed out that the
importance of privacy was not a constant value, any more than was the importance of publishing news in the public
interest: and that at the lower end of the scale an invasion of privacy may be justified for entertainment or to satisfy
curiosity. It would be difficult to determine at what point the importance of the news obtained and published would
exceed the importance of the privacy abused.
The National Council for Civil Liberties prepared a draft Right of Privacy Bill which included in the meaning of
“right of privacy” rights to solitude, intimacy, anonymity and reserve but which expressly excused infringement
consisting of any written, spoken or visual publication in a newspaper, periodical, book or broadcast and not being by
way of advertisement. “Justice” also prepared a draft Right of Privacy Bill which followed a broadly similar pattern.
The Younger Report
All these proposals were considered in 1972 by Younger, who concluded that on balance there was no need at that
time for a general law of privacy. Younger made recommendations relating to the press largely concerned with the
constitution and practice of the Press Council, and relating to the BBC’s Programmes Complaints Commission, the
activities of credit rating agencies, banks, staff records and interviews, students’ records, medical records, private
detectives, technical surveillance devices and computers. Under this latter head, Younger listed 10 principles which
were recommended to be observed in handling personal information by computer, and components of these
recommendations are reflected in the data protection principles set out in Sch.1 to the Data Protection Act 1984. Some
of the provisions of Mr Kenneth Baker’s 1969 Data Surveillance Bill and of Mr Leslie Huckfield’s 1971 Control of
Personal Information Bill are also reflected in the 1984 Act: Mr Baker’s Bill referred to a Commissioner as a registering
agency, and Mr Huckfield’s to a tribunal. Control of databanks was to be exercised through entries on a register, and
databanks were to operate only in accordance with their particulars as registered. The Commissioner was to have power
to remove a databank from the register, or to refuse its original registration. It is in these two Bills, and in Younger’s
chapter on computers, that the roots of the 1984 Act are to be found.
The Lindop Report
Younger was followed in 1975 by a White Paper entitled Computers and Privacy (Cmnd. 6353) and its supplement
Computers: Safeguards for Privacy (Cmnd. 6354). In July 1976 the then Home Secretary announced the establishment
of a Data Protection Committee under the chairmanship of Sir Norman Lindop “to advise the Government on the
permanent control machinery needed to secure that all existing and future computer systems holding personal
information, both in the private and public sectors, are operated with appropriate safeguards for privacy; and to consider
and refine the objectives to be incorporated in legislation establishing permanent safeguards” (Home Office Press
Release: July 22, 1976). Lindop’s report, presented to Parliament in December 1978, is the watershed between the
attempt to develop a general English law of privacy with a sub-set of informational privacy rules, and the creation of a
data protection law directed exclusively to data relating to individuals proposed to be processed automatically and as a
framework for balancing the interests of the individual, the data user and the community at large. Lindop developed
some of the ideas suggested by Younger, rejected others and formulated a structure which to a large extent has been
retained. Lindop’s report may fairly be called a blueprint for the legislation, backed by impressive research into the
diverse contributing fields of law and technology of which a co-ordinated understanding was necessary before a
coherent policy could emerge.
It is to Lindop’s credit that so many of the proposals in his report were ultimately accepted. Lindop’s
recommendation for the establishment of a Data Protection Authority with powers to establish statutory codes of
practice, breach of which were to be criminal offences, was seen as a proposal for a major extension of the criminal law.
The Data Protection Authority would have held primary responsibility for drafting the new codes of practice, and so
new offences could have been created by an independent body appointed directly by the Crown and not accountable to
ministers. Parliament’s control over the new codes, and so over the creation of new offences, would have been reduced
to a power of veto. A change of administration did not help: Lindop had been appointed under a Labour government,
and the report, though presented to a Labour Home Secretary, fell to be considered by a Conservative administration.
To create a new arm of the State with quasi-legislative power to extend the criminal law in relation to the handling of
information had Orwellian overtones which were inconsistent with a political philosophy concerned to roll back the
frontiers of the State and to increase individual freedom.
Meanwhile, the international tide of data protection legislation was in flood. By 1978 Canada, Sweden, the United
States and West Germany had already enacted either privacy or data protection statutes and bills were in progress in
Austria, Belgium and Luxembourg. The United Kingdom could not ignore either the tide or the new forms of protection
which other states were giving to their own data subjects: transborder dataflows were growing, and the data protection
lobby was aware of differences in the levels of protection available elsewhere. Lindop (Appendix 10, p.411) had
analysed the then available foreign acts and bills in several specific areas, and in particular:
(a) whether regulation extended to the public sector, the private sector, or both; (b) whether regulation applied to
automatic data processing only, or to both automatic and manual systems; (c) whether regulation applied to data
relating to individuals only, or to individuals, bodies and associations; (d) whether each national data protection
agency established was regulatory or advisory, and their respective powers; and (e) the existence or otherwise of
criminal sanctions and/or civil remedies.
The wide spread of variations, in a field without established international protocols or accepted practices, fuelled the
public debate. Positions were taken by bodies and individuals with divergent interests. Even basic principles, as for
example whether the new law should extend to manual records or not, were disputed. No solution was likely to please
everyone, and there was some prospect that any solution would contain so many compromises as to please nobody.
There remained, and remains today, a body of opinion that advocates the introduction of a general statutory right to
privacy, of which informational privacy and data protection would be sub-sets. Although the Calcutt Committee,
reporting to Parliament in June 1990, recommended against a statutory tort of infringement of privacy, it did so on the
conclusion that an overwhelming case for introducing such a tort had not so far been made out, so implying that the
recommendation was temporary only. 43 Public concern prompted an inquiry by the Culture, Media and Sport
Committee of the House of Commons into privacy and media intrusion. Reporting in May 2003, the Committee
recommended that the Government bring forward legislative proposals to clarify the protection that individuals can
expect from unwarranted intrusion by anyone, not only the press, into their private lives in order to satisfy the
obligations on the UK under the European Convention on Human Rights. In June 2003, Tessa Jowell, the Minister
responsible, reiterated her support for the current system of self-regulation of the press and said that the Government
had no intention of legislating on privacy. Since the Human Rights Act 1998 has “brought home” the right to respect
for private and family life set out in Art.8 of the ECHR, the Courts’ repeated rulings that English law does not recognise
any free-standing right to privacy are less significant: more significant is uncertainty as to the extent to which, and the
circumstances in which, the ECHR, Art.10 right to freedom of expression should override the Art.8 right to respect for
private and family life, and whether and in what circumstances the overriding public interest in freedom of expression
can be equated with interest of the public in press reporting information about individuals who are in the public eye.
This reflects concerns about press intrusion of the kind which provoked Warren and Brandeis to write their 1890s
seminal article on the US common law right to privacy.
European Convention on Data Protection
In 1980, the Council of Europe completed work on a Convention for the protection of individuals with regard to
automatic processing of personal data. 44 The Convention was opened for signature in January 1981 and was signed by
the United Kingdom that May. In September that year the United Kingdom also endorsed the OECD’s Guidelines for
the Protection of Privacy and Transborder Flows of Personal Data. 45 The purpose of the Convention, as recited in its
Art.1, was to secure in the territory of each party State for every individual, whatever his nationality or residence,
43 Report of the Committee on Privacy and Related Matters Cm. 1102 (1990), para.12.5.
44 Also known as “Treaty 108”: see para.7–161, below.
45 See para.7–223, below.
respect for his rights and fundamental freedoms, and in particular his right to privacy with regard to automatic
processing of personal data relating to him. This particular right to privacy was called “data protection”, and related
only to data processed automatically: it did not extend to manual records. The Convention’s scope (Art.3) permitted a
party State to extend the Convention’s provisions to personal files which were not processed automatically, but such
extension was not obligatory.
Narrowing of the field to data processed automatically, at least in terms of the United Kingdom’s international
commitments, helped to stop the national debate from slipping back into a discussion of a general right of privacy for
personal data, whether processed automatically or held on manual records, and the Convention carried the formulation
of Lindop’s proposals further by substantially repeating some of the safeguards for personal data suggested by Lindop.
The Lindop Committee had kept in touch with the Council of Europe during the period prior to publication of the
Lindop report, and it is not surprising to find Lindop’s ideas reflected in the Convention. But in one respect the
Convention went further than Lindop: Lindop had not recommended a general right of data access for data subjects, and
had proposed that data subjects should only be able to know what data relating to them were handled and to verify
compliance with the data protection rules (Lindop, p.250). The Convention expressly provided (Art.8) that any person
should be enabled, not only to establish the existence of an automated personal data file and its main purposes as well as
the identity and habitual residence or principal place of business of the controller of the file, but should also have the
right to obtain at reasonable intervals, and without excessive delay or expense, confirmation of whether personal data
relating to him were stored in the automated data file and communication to him of such data in an intelligible form.
This provision has been duly reflected in the Data Protection Act as the seventh data protection principle.
As at May 1992 the Convention had been signed and ratified by 12 states, namely Austria, Denmark, Finland,
France, Germany, Iceland, Ireland, Luxembourg, Norway, Spain, Sweden, and the United Kingdom. A further seven
states have signed but not yet ratified the Convention: Belgium, Cyprus, Greece, Italy, Netherlands, Portugal and
Turkey. The Convention first came into force on October 1, 1985, following the fifth ratification by the Federal
Republic of Germany, but did not enter into force in respect of the United Kingdom until December 1, 1987 (following
ratification on August 26, 1987). On October 24, 1995 the European Union adopted a General Directive on Data
Protection which broadly follows, but goes beyond, the terms of the European Convention (see para.7–937, below).
Data Protection Act 1984
Signature of the Convention by the United Kingdom Government had substantially committed the United Kingdom
to prepare and enact a Data Protection Bill, and in April 1982 a White Paper entitled “Data Protection: the
Government’s Proposals for Legislation” (Command Paper 8539) was published. The White Paper said that legislation
was needed partly because of the threat to privacy posed by the rapid growth in the use of computers, and partly
because the Convention, when it came into force, would enable countries with data protection legislation to refuse to
allow personal information to be sent to other countries which did not have comparable safeguards. For this latter
reason, data protection legislation was needed to protect the United Kingdom’s substantial international trade in
information which would otherwise be at risk. There was also a risk, which was not canvassed by the White Paper, that
without data protection legislation the United Kingdom would attract the processing of personal data by methods
forbidden under other national laws, and so become a country of convenience for internationally outlawed data-
The publication of the White Paper was followed by the introduction of the first Data Protection Bill in the House of
Lords in December 1982 but after passing through the Commons this Bill failed to achieve enactment before the 1983
General Election. A new Bill was introduced, again into the House of Lords, and after a difficult passage and with
substantial amendments the Bill finally received the Royal Assent on July 12, 1984. Areas which attracted amendments
in the Bill included the provisions relating to compensation for inaccuracy and the exemptions. The Bill’s passage
highlighted the difficulties inherent in the creation of an entirely new body of law based on a concern for fundamental
rights which are recognised but undefined, and new difficulties of this kind are continuing to emerge as experience of
the practical operation of statutory data protection regimes grows. Examples are the debates concerning the concepts of
“fair obtaining” and “fair processing”, as required by the first data protection principle, in relation to the use of personal
data for marketing purposes, the use of third party information for credit referencing purposes, the use of customers’
personal data by utility companies for non-supply purposes and the use of personal data in the context of employment. 46
46 See the Commissioner’s Thirteenth Report (June 1997), Ch. 4 (para.4–1815, below).
EU Data Protection Directive 95/46/EC and the Data Protection Act 1998
This Directive, 47 adopted in October 1995, was required to be transposed into UK law not later than October 24,
1998. The Data Protection Act 1998 received the Royal Assent on July 16, 1998, and was brought into force on March
1, 2000, when it entirely repealed and replaced the Data Protection Act 1984. 48
Privacy by John Cooper QC, 25 Bedford Row
Historically, different branches of law have afforded some protection to a person’s privacy. Such protection has been
provided by both common law and equity. At the turn of the last century, the Court of Appeal were providing for a right
of action for invasion of privacy in the case of Trespass and Wrongful Interference with Goods, but only if the victim
was a legal occupier and the property was physically interfered with.
In Hickman v Maisey, 49 the owner of land allowed a racehorse trainer to work with his animals on his property. The
land owner brought an action in trespass against the publisher who wrote about “the doings of race horses in training”,
seeking to prohibit him from entering upon the land. As Romer L.J. observed 50 :
“No doubt, if what the defendant did had been done by him on soil which was not vested in the plaintiff, the latter
would have had no legal right to complain”. 51
A mere licensee has no right to sue. 52
Observation from a reasonable height is not actionable in trespass. In Bernstein v Sky Views, 53 the Court observed
that “there is no law against taking a photograph”. However, they went on to observe 54 that constant surveillance might
be a nuisance.
Persistent watching may be a nuisance, as may persistent telephoning. 55
J Lyons & Sons Ltd v Wilkins revolves around an industrial dispute at the plaintiff’s factory whereupon pickets
“watched and beset” the factory, trying to turn away workers and, similarly, turned their attentions to the plaintiff’s
house. Lord Lindley M.R. distinguished “watching and besetting” from attending “in order merely to obtain or
communicate information”. 56
Defamation and malicious falsehood
In 1930, the Court of Appeal recognised that the law of defamation could provide a remedy for invasion of privacy. In
Tolley v J S Fry & Sons Limited, 57 the defendants, a firm of chocolate manufacturers, issued as an advertisement of
their product a caricature of the plaintiff, a prominent amateur golfer, showing him as playing golf, with a packet of
their chocolate protruding from his pocket. The plaintiff brought an action in libel, asserting that no amateur golfer of
47 See para.7–937, below.
48 See paras 1–020 and 2–263, below.
49  1 Q.B. 752. Distinguished in Randall v Tarrant  1 All E.R. 600.
50  1 Q.B. 752 at 759.
51 See also the Younger Committee on Privacy at para.85.
52 See Hunter v Canary Wharf  A.C. 655. But note Pemberton v Southwark LBC  W.L.R. 1672, distinguishing
and holding that a tolerated trespasser could sue in nuisance.
53  Q.B. 479 at 483.
54  Q.B. 479 at 484.
55 See Lyons & Sons v Wilkins  1 Ch. 255 and Telecommunications Act, s.43.
56  1 Ch. 255 at 269.
57  A.C. 333, HL.
integrity would demean himself by advertising for gain such a product. Importantly, the plaintiff had never been asked
for his permission to use his name.
Lord Tomlin 58 stated:
“It is for the judge to determine whether the writing or picture complained of is capable of a defamatory meaning,
and in this connection, it is to be observed that that which is prima facie innocent may become capable of a
defamatory meaning by reason of the circumstances surrounding its publication”.
There was a similar partial remedy articulated in Kaye v Robertson. 59 Here, malicious falsehood was argued, that is
the malicious publishing of words calculated to cause pecuniary damage. In this case, Gorden Kaye was a well-known
actor who suffered a serious injury to his head and brain as a result of a motorcar accident. Whilst Kaye was in hospital,
there was a limit put on those who could visit him and the notice of permitted visitors was pinned on the outside of his
The defendant, an editor of a Sunday newspaper, instructed a journalist and a photographer to attend at the hospital
whereupon the plaintiff was interviewed and photographed. It was later stated in evidence that Kaye had been in no fit
condition to give permission for either the interview or the photographs to be taken. The essentials of malicious
falsehood are that a defendant has published about the plaintiff words which are false, that they are published
maliciously, and that special damages followed as a natural result of their publication. As to special damage, the effect
of the Defamation Act 1952, s.3(1), is that it is sufficient if the words published are calculated to cause pecuniary
damage to the plaintiff. Malice will be inferred if it be proved that the words were calculated to produce damage and
that the defendant knew when he published the words that they were false or was reckless as to whether they were false
Lord Justice Bingham, 60 stated that:
“The defendant’s conduct towards the plaintiff here was ‘a monstrous invasion of his privacy’ (to adopt the
language of Griffiths J. in Bernstein v Sky Views Limited (1978) Q.B. 479 at 489G). If ever a person has a right to
be let alone by strangers with no public interest to pursue, it must surely be when he lies in hospital recovering
from brain surgery and in no more than partial command of his faculties. It is this invasion of his privacy which
underlines the plaintiff’s complaint. Yet it alone, however gross, does not entitle him to relief in English law”.
Lord Justice Bingham goes on to state that an action in malicious falsehood does exist but then continues:
“But even that obliges us to limit the relief we can grant in a way which would not bind us if the plaintiff’s cause
of action arose from the invasion of privacy of which, fundamentally, he complains. We cannot give the plaintiff
the breadth of protection which I would for my part, wish. The problems of defining and limiting a tort of privacy
are formidable, but the present case strengthens my case that the review now in progress may prove fruitful”.
Lord Justice Bingham’s observations are enforced by his brother judge in this case, Lord Justice Leggatt, who states:
“We do not need a First Amendment to preserve the freedom of the press, but the abuse of that freedom can be
ensured only by the enforcement of a right to privacy. This right has so long been disregarded here that it can be
recognised now only by the legislature”.
There is no overall pattern in this area, and indeed some aspects of legislation overlap. However, several Acts have
afforded some protection of privacy to varying degrees.
The Broadcasting Act 1996 set up the Broadcasting Standards Commission, following the Broadcasting Act 1980
which enacted the Broadcasting Complaints Commission (modified in the Broadcasting Acts of 1981 and 1990). This
plethora of legislation is now superseded by the Communications Act 2003 which set up OFCOM and which was
enacted on March 19, 2002.
The Broadcasting Standards Commission was established by the Broadcasting Act 1996. 61 In 2003, its functions
were transferred to OFCOM whose duty it is to purvey a code of guidance as to principles to be observed and practices
to be followed where allegations are made of unwarranted infringement of privacy in, or in connection with, the
obtaining of material included in programmes. 62 A complaint may be made by an individual or by a body of persons,
58  A.C. 333 at 349.
59 (1991) F.S.R. 62.
60 (1991) F.S.R. 62 at 70.
61 S.106(1) (repealed subject to the transitional provisions specified in the Communications Act 2003, Sch.18, para.13 and
subsequent transitional provisions in that Act at Sch.19, para.1 specified in SI 2003/3142).
62 Broadcasting Act 1996, s.107(1) (amended by Communications Act 2003, s.360(3), Sch.15, para.132(1) and (2)).
whether incorporated or not, but will not be entertained more than five years after the death of the complainants unless
it appears in the particular circumstances appropriate to do so. 63
The Copyright, Designs and Patents Act 1988 (CDPA) applies itself to the law of privacy of photographs and films
commissioned for private and domestic purposes. 64 This protection lasts as long as the copyright vested in the material
lasts. Infringement is actionable as a breach of statutory duty owed to the person entitled to the right. 65 The right to
privacy of certain photographs and films which is conferred by the CDPA does not apply to photographs taken or films
made before August 1, 1989. 66 This right of privacy in joint commissions confers a right on each person who is
commissioned for the making of the work. Therefore waiver by one does not affect the right of the other. 67
The Data Protection Act 1998 has of course general application to those who “process” “personal data”. The material
needs to be on a computer or a “relevant filing system”. Media dealings with information are unaffected under this
The processing of certain personal data is exempt from the provisions of the Data Protection Act 1998: if the material
is of journalistic, literary or artistic substance and the data controller reasonably believes it is in the public interest for
freedom of expression that there be publication, then in certain restricted circumstances such publication will not
transgress the Act.
Freedom of information
The Freedom of Information Act 2000 respects the privacy of journalists’ material. 69
Interception of communications
The Regulation of Investigatory Powers Act 2000 deals with the legal framework controlling the interception of
electronic communications which includes activities such as recording, monitoring or diverting communications in the
course of their transmission over a public or private telecommunications system. Those who seek to interfere with
communications in this way, and in particular the police and law enforcement authorities, are presented with a strict
code of conduct involving the provision of authority from senior officers before such activity can be commenced in the
interests of law enforcement.
The Act clearly communicated a right enabling senders and recipients of electronic communications to sue for
damages or an injunction if someone acting with the express or implied consent of the controller of the private
telecommunications network, such as an employer, accessing communications in its network without lawful authority.
It is still right that interference with communications by post or by means of a public telecommunications system is a
criminal offence under the Interception of Communications Act 1985 subject to the provisions of the 2000 Act. There
are also a number of provisions under the Wireless Telegraphy Acts 1967 and 1969 and the Post Office Acts 1963 and
1969 relating to the use of communication which may indirectly protect or affect privacy of communications.
Section 2 of the Post Office (Data Processing Service) Act 1967 makes it an offence for an officer of the Post Office
to disclose information which he obtains from the Post Office’s data processing services and s.45 of the
Telecommunications Act 1984 (as amended by the Interception of Communications Act 1985) makes it an offence
improperly to disclose information about the use made of telecommunication services. The Telecommunications Act
1984, s.43(1)(b) makes it an offence to send a message via a public telecommunications system for the purpose of
causing annoyance, inconvenience or needless anxiety to another.
63 See Broadcasting Act 1996, s.111(4) (amended by Communications Act 2003, Sch.15(2), para.133).
64 See s. 85.
65 See s.103(1).
66 See s.170, Sch.1, para.24.
67 See s.88(6).
68 S.38 creates an exemption for the media. See also Campbell v MGN Limited (2002) E.M.L.R. 30 where sanctions under the
Act include compensation for distress regardless of actual damage.
69 See Sch.1, Pt VI: see also s.58 which prevents breach of confidence.
On the same subject of harassment, harassment of a tenant by acts calculated to interfere with the peace or comfort of
the occupier of rented residential property or a member of his household is an offence under s.1 of the Protection from
Eviction Act 1977As amended by the Housing Act 1988, s.29(1) and (2). and harassment of debtors is an offence under
the Administration of Justice Act 1970, s.40. Similarly, molestation within the family may be prohibited under the
Domestic Violence and Matrimonial Proceedings Act 1976 and, in Scotland, by the Matrimonial Homes (Family
Protection) (Scotland) Act 1981.
It is possible that privacy claims may be brought before the English courts under the Human Rights Act 1998 based on
Art.8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, the Physical
Integrity Article. This enshrines the right to respect for a person’s private and family life, his home and correspondence.
It will be interesting to see the application of Art.10 of the Convention, which enshrines the right of freedom of
expression, and this may conflict with an application of Art.8. The Human Rights Act 1998 provides that it is unlawful
for a public authority to act in a way that is incompatible with the rights guaranteed under the European Convention on
The term “public authority” includes a court or tribunal and “any person certain of whose functions are functions of a
public nature”. Accordingly, the courts will be required generally to enforce the Convention rights though it appears
that both the Press Complaints Commission and the Broadcasting Standards Commission may be held to be “public
authorities” under the Act. The Act also includes under s.12 a special provision protecting the right of freedom of
expression. Where proceedings relate to material which the respondent claims, or which appears to the court, to be
journalistic, literary or artistic material, or to conduct connected with such material, the court must have particular
regard to: (1) the extent to which the material has become, or is about to become, available to the public; or (2) the
extent to which it is, or would be, in the public interest for the material to be published; and (3) to any relevant privacy
Reports and reviews into the development of law as to privacy
Over the years there have been numerous reports and reviews commissioned by various bodies as to the potential
growth of this fast-developing area of law.
Council of Europe
In 1970, the Consultative Assembly of the Council of Europe adopted a resolution 70 which contained a declaration on
mass communication, media and human rights, and at Article C included provisions designed to protect the individual
against interference with his right of privacy. It stated:
“There is an area in which the exercise of the right of freedom of information and freedom of expression may
conflict with the right to privacy protected by Article 8 of the Convention on Human Rights. The exercise of the
former right must not be allowed to destroy the existence of the latter”.
The resolution acknowledged that a particular problem arises with regards to the privacy of persons in public life but
“The private lives of public figures are entitled to protection, save where they may have an impact upon public
events. The fact that an individual figures in the news does not deprive him of a right to a private life”.
In 1974 the Committee of Ministers of the Council of Europe recommended 71 that the minimum protection to the
individual in relation to the media should include an effective remedy against interference with privacy and attacks on
dignity, and honour, and reputation, subject to overriding public interest.
Following the death of Diana, Princess of Wales in 1997, the Parliamentary Assembly of the Council of Europe
called for all governments to adopt laws specifically protecting the right to privacy. 72
70 Resolution 428 (1970).
71 See Resolution (74) 26 on the Right of Reply.
72 See Resolution (1165) (1998).
The Younger Report 1972 73 considered the need for legislation to protect the individual citizen, commercial and
industrial interests against intrusion into their privacy, the impetus being public concern about the impact of
technological developments, including surveillance devices. In their Report the Committee recommended that there be
legislation to create a new offence in order to deal with the new threats to privacy from such technical devices. It was
further recommended that administrative controls be established over particular kinds of activity such as credit rating
agencies. Nevertheless, the Committee concluded that there was no need for a general law of privacy and that in
particular the existing law of breach of confidence provided an effective relief for intrusion of one’s privacy. They went
on to say that the task of defining privacy under public interest was one which had “defied the best efforts of scholars
and of successive draftsmen of parliamentary bills”. 74
Nevertheless, the McGregor Report of 1977 75 differed with the conclusions in the Younger Report, in particular as to
the conduct of the press where it recommended that if there were a legal remedy which it considered effective and
understandable and practical, it would recommend it.
The Lindop Committee which reported in December 1978 considered that there should be legislation extending to all
automatic handling of data in the United Kingdom and many of these recommendations have been adopted in the Data
Protection Act 1984.
As complaints of press intrusion into privacy mounted, the Calcutt Report of 1990 considered press intrusions into
privacy. In its report on Privacy and Related Matters, the Committee stated that they could find not reliable evidence to
show whether unwanted intrusion into individual privacy had or had not risen over the last 20 years. Nevertheless, they
accepted that there was a problem. The Committee recommended the introduction of the offences covering acts
involving, inter alia, placing a surveillance device on private property without the consent of the lawful occupant with
intent to obtain personal information with a view to its publication and taking a photograph or recording the voice of an
individual who is on private property without his consent with a view to its publication and with intent that the
individual shall be identified. The Committee also recommended that it should be a defence to any of these proposed
offences that the act was done for the purpose of preventing, detecting or exposing the commission of any crime, or
other seriously antisocial conduct or for the protection of public health or safety or under any lawful authority. The
Report acknowledged again that it would be impracticable to create a general wrong of infringement of privacy but felt
that it would be possible to define a tort directed towards the publication of personal data to the world at large.
Nevertheless, the Committee were uneasy about the effect of any new law on press freedom but rejected the
argument that Art.10 (freedom of expression) could not be reconciled to any articulated tort of privacy. They finally
concluded that improved self-regulation would be the way forward and a new code was drawn up under which the Press
Complaints Commission began to operate. When Sir David Calcutt reviewed the Press Complaints Commission’s work
in January 1993, he concluded that self-regulation had failed and that the Press Complaints Commission should be
replaced by a statutory body.
In 1993, the Lord Chancellor’s Department 76 and the National Heritage Select Committee 77 both recommended the
creation of a new tort of infringement of privacy.
73 Report of the Committee on Privacy (Cmnd 5012, 1972) chaired by Kenneth Younger.
74 Younger Report, para.660.
75 Royal Commission on the Press (Cmnd 6810, 1977).
76 See the Joint Consultation Paper with the Scottish Office, Infringement of Privacy (HC291–1, 1993).
77 See Fourth Report, Privacy and Media Intrusion (HMSO, 1993).
The law of confidence and its development
The case of Prince Albert v Strange, 78 is often cited as an illustration of the protection of privacy by the law of
confidence. In this case, privacy was abused and the effect of the relief given was to protect that privacy but the effect
was incidental to relief given for breach of confidence. Had the element of breach of confidence been absent, relief
would probably not have been available.
In this case, Strange had printed and circulated a catalogue which contained particulars of private etchings made by
Queen Victoria and Prince Albert. The catalogue was based on unauthorised impressions from the etched plates, which
impressions come into the possession of Strange’s co-defendant. An injunction was granted to restrain the circulation of
the catalogue. Prince Albert had had a right of property in the unpublished, and confidential, etchings and was entitled
to prevent details of them being published in the catalogue because the etchings come into the possession of the
defendants as a result of a breach of trust, confidence or contract.
During argument, the Solicitor General, on behalf of Prince Albert, argued that as a matter of general principle the
court will protect every person in the free and innocent use of his own property and will prevent anyone from
interfering with that use, to the injury of the owner. Nevertheless, the Lord Chancellor, in his judgment, was at pains to
point out that:
“the importance which has been attached to this case arises entirely from the exalted station of the plaintiff and
cannot be referred to any difficulty in the case itself”.
Clearly, the Lord Chancellor was not mindful of making new law in that case.
In Hellewell v Chief Constable of Derbyshire, 79 the duty of confidence was held to have arisen when a police
photograph was taken of a suspect at a police station. Consent of the suspect was not needed for the taking of the
photograph, but the duty of confidence nevertheless arose. The photograph could then only be used for the purpose of
prevention or detection of crime.
In R. v Department of Health Ex p. Source Informatics Limited, 80 the Court of Appeal held that medical prescription
data relating to an identifiable patient were confidential to the patient when held by the dispensing pharmacist, but that
the pharmacist was not in breach of confidence in disclosing details of the prescription provided that he did not also
disclose the identity of the patient.
Information relating to details of a sexual relationship between individuals could be treated as confidential. In
Michael Barrymore v Newsgroup Newspapers Limited, 81 the defendant publishers of the Sun newspaper published an
article about the alleged homosexual relationship between Barrymore and another. The article included portions of a
letter or letters written by Mr Barrymore. The court held that there was a strongly arguable case that the details of the
relationship between these individuals should be treated as confidential.
It is clear that the course of action for breach of confidence has developed since this early case law as an equitable
doctrine based on conscience which gives rise when breached to equitable remedies. It was not considered to be a tort.
In addition to confidentiality as to facts concerning sexual relations, other cases have established that there will be
given protection to: a person’s address 82 ; photographs of the interior of a home 83 ; details of domestic household
arrangements 84 ; photographs of the nude 85 and semi-clothed 86 body; and of a child’s face used without permission in a
local authority brochure. 87
The impact of Douglas v Hello! Limited
For an action to be established under breach of confidence, the claimant must effectively argue that the information is
prima facie capable of protection and that it must have been imparted in circumstances importing an obligation of
confidence. 88 Circumstances importing such an obligation could arise, for instance, through an established relationship
78  41 E.R. 1171, CA.
79  4 All E.R. 473.
80 CA, December 21, 1999;  1 All E.R. 786.
81  F.S.R. 600.
82 Mills v News Group Newspapers  E.M.L.R. 41.
83 Beckham v MGN, June 28, 2001, Eady J. (unreported).
84 Blair v Associated Newspapers HQ0001236.
85 Theakston v MGN Limited  E.M.L.R. 398.
86 Holden v Express Newspapers, (unreported) June 7, 2001.
87 Jacqueline v Newham LBC (2001) WL 1612596.
88 See Coco v AN Clarke (Engineers) Limited  R.P.C. 41 at 47. See also Lady Archer v Williams  EWHC 1670;
Deloitte Touche LLP v Dracson  EWHC 721.
of trust between the two parties 89 or, for instance, through an express agreement of confidentiality or a promise to that
effect by the recipient. Nevertheless, it is right to say that people will rarely form a relationship of trust and confidence
with the paparazzi and it seems important that an obligation of confidentiality can be imposed simply on the basis of the
private nature of the material itself.
In Douglas v Hello! Limited, 90 Lord Justice Sedley said:
“What a concept of privacy does, however, is accord recognition to the fact that the law has to protect not only
those people whose trust has been abused (as in confidence cases) but those who simply find themselves subjected
to an unwarranted intrusion into their personal lives”.
The facts of Douglas v Hello! Limited centre around the selling of photographic rights to OK! magazine of the
marriage between Michael Douglas and Catherine Zeta-Jones which was of its nature a significant celebrity event.
Hello! gatecrashed the event and took photographs of the nuptial celebrations. Interestingly, the Court of Appeal
acknowledged that the complainants’ argument was more in terms of privacy than in breach of confidence. 91
In fact, Lord Justice Keene’s concession was born of pragmatism. The identity of the photographer was uncertain. If
it had been a guest or employee of the company working at the reception, an action in breach of confidence would have
been maintained, without any difficulty whatsoever, against the guest, because the invitation to the wedding informed
guests that no photographs were to be taken and against the contractor’s employees in that they also had knowledge of
the extensive security arrangements. The defendants were aware of this aspect of the case and argued that Hello! had
also notice of the arrangements, in essence avoiding the need to argue before the Court of Appeal the imposition of a
new privacy regime. The Court of Appeal acknowledged that the photographs could have been the work of an intruder
with no relationship of trust or confidence. Lord Justice Sedley recognised the increasing social need to allow people
“some private space”. But again, the perennial question was asked whether this recognition of a social need finds
protection in a refined law relating to breach of confidence or a new law of privacy.
Some argue that the title is unimportant, what is vital is the protection of the right as it was expressed, for instance, in
Hellewell v Chief Constable of Derbyshire. 92
Distinguishing breach of confidence from privacy
The court in Douglas v Hello! Limited did make an attempt to distinguish a law relating to breach of confidence to a
right of privacy, but this analysis does not rule out a developed breach of confidence law providing adequate protection.
Lord Justice Sedley observed:
“The law no longer needs to construct an artificial relationship of confidentiality between intruder and victim: it
can recognise privacy itself as a legal principle drawn from the fundamental value of personal autonomy”. 93
Indeed, in an apparent attempt to shore up breach of confidence jurisprudence so that it is robust enough to face
modern arguments, Lord Justice Keene observed that there existed persuasive dicta to the effect that a pre-existing
confidential relationship between the parties is not required for a breach of confidence action. 94 For instance, the nature
of the subject-matter or the circumstances of the breach and the defendant’s activities may be sufficient in some
instances to give rise to liability for a breach of confidence.
In Douglas v Hello! Limited, confidence can clearly be seen to have been broken by the taking of the photographs
and the case did not take that crucial step to grant relief outside the limits imposed by a requirement are a relationship of
confidence, artificial or otherwise. As in Kaye v Robertson, 95 the Court was invited to take such a step and declined to
Expanding breach of confidence
It is therefore apparent that the courts are content to expand the concept of confidentiality of information so as to allow
the law to develop in accordance with modern demands.
In Blair v Associated Newspapers, 96 the fact that one print run of The Mail on Sunday carrying the offending article
had already been distributed was held not to have deprived the information of its confidential quality.
89 See W v Edgell  Ch. 59 (doctor/patient relationship).
90  Q.B. 967.
91 See Keene L.J. at para.164.
92  2 W.L.R. 804 at 807H.
93 At para.126.
94 See para.166.
95  F.S.R. 62.
Nevertheless, in Theakston v MGN Limited, 97 Ouseley J. doubted that information relating to encounters with
prostitutes in a brothel was capable of being confidential because “it is likely that other customers and a number of
prostitutes will see who comes and goes”. 98 This seems to fly in the face of the well-established principle hitherto cited
to the effect that knowledge by a small number of people of information does not prevent it from being confidential. 99
In essence, the Court held that it was unlikely that the nature of details of sexual activities engaged in within the brothel
were confidential, and the case for saying that they were private was not strong. Ouseley J. went on to lay down the
parameters as to confidentiality for sexual relationships. He stated 100 :
“Sexual relations within marriage at home would be at one end of the range or matrix of circumstances to be
protected from most forms of disclosure; a one night stand with a recent acquaintance in a hotel bedroom might
very well be protected from press publicity. A transitory engagement in a brothel is yet further away”.
The case of Mills v Newsgroup Newspapers Limited, 101 also articulated the principle that although information may
be known to a limited number of members of the public, that did not of itself prevent it having and retaining the
character of confidentiality. 102
Indeed, in Mills the court found that the threatened publication of the applicant’s address in the Sun newspaper raised
a serious issue of invasion of privacy and breach of confidence although on the facts relief was withheld.
In Douglas II, 103 Hello! was found liable in damages for breach of confidence. In that case, Lindsay J. was faced with
the argument that the wedding of Michael Douglas and Catherine Zeta-Jones could not be considered a confidential
occasion because of the fact that the couple did not choose to have a private wedding attended discreetly by a few
family members, but instead close to have a guest list in the hundreds. Lindsay J. stated 104 :
“To the extent that privacy consists of the inclusion only of the invited and the exclusion of all others, the wedding
was as private as was possible consistent with its being a socially pleasant event. The important principle being
enunciated here is that the Court must take into account the level to which the subjects of the occasion seek to exert
control and choice over who can observe that occasion. If there is such control, then it is argued that the occasion
may be deemed private and of a confidential nature. If to the contrary the subjects allow uncontrolled observation
of the event then in that case it will not be in such a confidential category”.
See also Peck v UK 105 which does not focus upon the issue of control over the original participants or witnesses of
the event in question but rather treats as decisive the issue of control over the use made of the information by any
observer. This matter was further elucidated in R. v BSC Ex p. BBC 106 which was a case examining the clandestine
filming of a transaction in a shop. Hale L.J., considering whether there was a breach of the BSC privacy code stated “I
also attach particular weight to the context, which is not only the secret filming without consent but also the potential
use in the mass media without consent”.
Campbell v MGN
The claimant in this case 107 was an internationally known fashion model and celebrity. The defendant, publishers of
the Mirror newspaper, published two articles revealing that contrary to her previous assertions, the claimant was a drug
addict and that she was attending meetings of Narcotics Anonymous in order to overcome her addiction.
The articles were accompanied by photographs of the claimant leaving a meeting of that association. The claimant
claimed that as a result she suffered distress, embarrassment and anxiety which were aggravated by later publications in
the Mirror. She brought proceedings seeking damages for breach of confidence and for compensation under s.13 of the
Data Protection Act 1998 in respect of the original two articles. The case reiterated that to establish a claim for breach
of confidence the claimant had to show three things. First, that the details given in the articles of her attendance at
97  E.M.L.R. 398.
98 See para.62.
99 See also Peck v UK (2003) 44647/98 which indicates that Theakston is out of line with Art. 8.
100 See para.60.
101  E.M.L.R. 957.
102 See para.25.
103  EWHC 786, Ch D, April 11, 2003. Reversed in part by Douglas v Hello! No.6  EWCA Civ 595.
104 At para.66.
105 (2003) 44647/98, above.
106  Q.B. 885 at 899. Also applied in R. (on the application of Ford) v PCC  EWHC 683.
107  E.M.L.R. 30.
Narcotics Anonymous meetings had the necessary quality of confidence about them. Secondly, that those details were
imparted in circumstances importing an obligation of confidence and, thirdly, that the publication of the details was to
the claimant’s detriment. The Court held that the details of the claimant’s attendance at Narcotics Anonymous meetings
did have the necessary quality of confidence about them.
They had been obtained surreptitiously assisted by covert photography when the claimant was attempting to be
discreet. Moreland J. stated 108 :
“Although many aspects of the private lives of celebrities and public figures will inevitably enter the public
domain, in my judgment it does not follow that even with self-publicists every aspect and detail of their private
lives are legitimate quarry for the journalist. They are entitled to some space of privacy”.
The case eventually went to the House of Lords. 109 Here, the majority observed that the claimant’s claim was framed
as a traditional confidence claim and the Court in its majority expressed the view that there was no need to create a new
course of action. It was unanimously concluded in the House of Lords that there was no longer any need for a
confidential relationship and what was important was the nature and quality of the information at issue and the
reasonable expectations of the person to whom it related. Lord Hoffmann observed 110 that this change represented a
“shift in the centre of gravity”.
In essence, this articulation of the law bears no resemblance whatsoever to a traditional definition of “confidence”. 111
What has developed from Campbell is a definition if not a title of a new cause of action with marked differences from
the old breach of confidence. Indeed, Lord Hope and Lord Carswell concluded 112 that the Mirror publication
constituted “an infringement of [the claimant’s] right to privacy”. Lord Nicholls stated 113 that “the essence of the tort is
better encapsulated now as misuse of private information”.
In Von Hannover v Germany 114 the applicant, Princess Caroline of Monaco, a member of the ruling family of Monaco,
sought to prevent the publication of photographs taken without her consent. Paparazzi photographs showed the claimant
as she went about her everyday activities, for instance, collecting her children from school, shopping, or eating in
restaurants. Although the German courts restricted publication of a small number of the photographs, the domestic
jurisdiction offered no remedy for photographs taken in public places. Under German law, the claimant was only
entitled to privacy if she could show that she had gone to a “secluded place” so that she would be left alone by the press.
The European Court of Human Rights did not support this interpretation and in an action alleging infringement of her
right to respect for her private and family life guaranteed by Art.8 of the Convention, the court held that her privacy had
been infringed. The court emphasised 115 that the case involved photographs of the applicant in scenes of her daily life,
“thus engaged in activities of a purely private nature”. The court was also anxious to point out 116 that the applicant as a
member of Monaco’s ruling family did not exercise any function within or on behalf of the State of Monaco or one of
The court considered that a fundamental distinction needed to be made between reporting facts, even controversial
ones, capable of contributing to a debate in a democratic society relating to politicians and the exercise of their
functions, for example, and reporting details of the private life of an individual who, moreover, did not exercise official
functions. They stated 117 :
“While in the former case the press exercises its vital role of ‘watchdog’, in a democracy by contributing to
imparting information and ideas on matters of public interest, it does not do so in the latter case”.
The court held that photographs of the claimant going about her daily activities in public places fell within her private
108 At para.71.
109  E.M.L.R. 15.
110 At para.51.
111 See paras 13 and 14.
112 See paras 125 and 171.
113 At para.14.
114  E.M.L.R. 21.
115 See para.61.
116 See para.62.
117 See para.63.
This interpretation is far more restrictive than that established in the Campbell cases. 118 In the Campbell line of
authorities, publication of photographs taken in public places is actionable only in exceptional circumstances.
Von Hannover v Germany seems to indicate that the European Court of Human Rights applies greater weight to Art.8
than does English domestic case law. It follows from this that there will be a significant burden upon the press and
media to justify the publication of private information obtained without consent. The case emphasises that even famous
individuals have a right to their privacy even when they are in public places and that if, for instance, indiscriminate
photographs are taken of them the media must ask themselves what legitimate purpose publication will serve.
Necessary and proportionate
Photographs of a different kind were the subject of litigation in R. (on the application of Stanley, Marshall and Kelly)
v Metropolitan Police Commissioner. 119
The three claimants in this case sought judicial review of a decision allowing the London Borough of Brent and the
Metropolitan Police to distribute leaflets and publicise other material carrying the claimant’s images, names and ages
and detailed antisocial behaviour orders (ASBO) issues against them. The publicity material also identified four other
men who are not party to the proceedings. In his conclusions, Lord Justice Kennedy accepted that when the question of
publicity arises, it should have been recognised that publicity of the nature experienced in that case might
infringe the rights of the claimants under Art.8.
If there had been such a recognition, the police and the local authority, it was held, should have gone on to consider
whether the publicity which they envisaged was necessary and proportionate to their legitimate aims. The High Court
accepted that the publicity in this case was intended to inform and to assist in the enforcement of the ASBOs. The
applications for judicial review by the claimants were therefore dismissed.
In Peck v UK 120 the applicant was recorded on CCTV walking in a town centre in obvious distress and then
attempting suicide by cutting his wrists. Some part of this footage was supplied to a programme entitled “Crime Beat”.
The European Court of Human Rights held that Peck’s right to respect for private life had been infringed but part of the
reason was the fact that the distribution far exceeded the degree of exposure that would be foreseeable to a person
walking in the area (the programme had 9.2 million viewers). 121
The monitoring of the actions of an individual in a public place by the use of photographic equipment which does not
record the visual data does not give rise to an interference with the individual’s private life. 122 On the other hand, the
recording of the data and the systematic or permanent nature of the record may give rise to considerations of privacy.
The compilation of data by security services on particular individuals, even without the use of covert surveillance
methods constitutes an interference with the applicants’ private lives. 123
In the cases of Lupker v The Netherlands 124 and Friedl v Austria, 125 which were decided by the Commission, and
which concerned the unforeseen use by the authorities of photographs which had been previously voluntarily submitted
to them and the use of photographs taken by the authorities during a public demonstration, the court decided that
relevance should be attached to whether the photographs amounted to an intrusion into the applicants’ privacy (as, for
instance, by entering and taking photographs in a person’s home), whether the photographs related to private or public
matters and whether the material thus obtained was envisaged for a limited use or was likely to be made available to the
general public. The Commission attaches weight to the fact that photographs may maintain the anonymity of the subject
or that personal data recorded and photographs taken were not entered into a data processing system.
Real and serious risk
118 See above at para.1–025.
119  EWHC 2229 (Admin.).
120  E.M.L.R. 15. Considered in Wainwright v Home Office  UKHL 53.
121 This case may have relevance in relation to the internet where, for instance, a digital record can be on a website instantly
and kept forever, therefore, foreseeability is especially important.
122 See Herbecq v Belgium, December 14.1.98 DR 92—A, page 92.
123 See Rotaru v Romania, paras 43 and 44, application no. 28341/95 and Amann v Switzerland (2000) 30 E.H.R.R. 843, paras
65–67. See also PG and JH v United Kingdom, application no. 44787/98 at paras 59 and 60 which establishes that the permanent
recording of the voices of defendants which were made while they answered questions in a police cell as police officers listened to
them and the recording of their voices for further analysis meant that the processing of personal data about them amounted to an
interference with their right to respect for their private lives.
124 Application no.18395/91, December 7, 1992.
125 (1996) 21 E.H.R.R. 83, paras 49–52.
If there is a real and serious risk faced by any claimant of their right to life being infringed (Art.2) and/or degrading
and inhuman treatment (Art.3),
then the court will be most likely to prevent publication of information which would permit the identification of
individuals subject to this risk. In Venables v Newsgroup Newspapers 126 the two juveniles convicted of killing Jamie
Bulger were granted injunctions against the whole world to prevent publication of what the court regarded as
confidential information. The case was, on the face of it, decided on the basis of privacy but the significant risk of
attacks on the claimants weighed heavily in the court’s decision to grant the injunction.
The court indicated that if the only threat had been to “respect for private life”, then the injunction might not have
been granted. The test applied by the judge was that of a “real possibility of significant harm”.
In an application brought by Heather Mills, Paul McCartney’s then-fiancée, against Newsgroup Newspapers, 127 the
court indicated that if there was a genuine physical threat to the claimant, then an injunction would have been granted.
In Home Office v Mary Jane Wainwright and Alan Joseph Wainwright, 128 the claimants, a mother and her son, were
strip-searched by prison officers causing them distress and humiliation. Lord Woolf C.J. 129 observed:
“English law however recognises a tort of breach of privacy, independent of any change introduced by the Human
Rights Act 1998 ... that tort, described as an aspect of trespass to the person, had been committed in relation to Mrs
Nevertheless, the court were of the opinion that it was not open to them to grant relief to the claimants on the basis of
an invasion of their privacy. 130 Lord Woolf stated 131 :
“The right not to have another stare at one’s naked body, save by consent or in clearly defined situations of
necessity, would be unambiguously regarded as a matter of privacy. But what of the obtaining of information that
(on the assumptions made to justify the extension of the law of tort into new situations of privacy) is not covered
by the law of confidence? What of the making of true statements about others, hitherto rigorously excluded from
the law of defamation? What of the whistleblower?
And, indeed, what of a preference to have photographs of your wedding in one publication rather than another?
... as is well accepted, in none of these cases can a right of privacy be absolute? But that is only the start.
What needs to be worked out is the delicate balance, particularly in the area of the publication of information,
between the interests on the one hand of the subject and on the other of someone entering his private space, or of
the publisher and the latter’s audience”.
Freedom of expression
If information is private in nature the next consideration of the courts is to ask whether its disclosure is legitimate in
the particular circumstances. The existence of a reasonable expectation of privacy is not the end of the matter. In short,
a balancing exercise has to be constructed between the guidance in Art.8 (privacy) and that in Art.10 (freedom of
The ultimate balancing test
In Re S (A Child) 132 this end is achieved by a process known as “parallel analysis” or an application of the “ultimate
balancing test”. 133
This will involve an analysis of the following questions:
(a)whether the publication would pursue a legitimate aim and be a proportionate interference with the privacy interest;
(b)whether publication of, or any other sanction in respect of publication, would serve a legitimate aim and be
proportionate interference with freedom of expression.
126  E.M.L.R. 10. Distinguished by X (formerly known as Mary Bell)  EWHC 1101. Applied by Mills v News
Group Newspapers Ltd  E.M.L.R. 41.
127 Chancery Division, June 4, 2001.
128  EWCA Civ 2081. Affirmed by Wainwright v Home Office  UKHL 53. Applied by Taylor v Ashwood
Residential Developments Ltd  C.L.Y. 279.
129 At para.74.
130 See para.106.
131 At para.107.
132  EWCA Civ 963. Affirmed in Re S (A Child) (Identification Restriction on Publication)  UKHL 47.
133 See para.17.
In Von Hannover v Germany, 134 the court emphasised that the protection of private life has to be balanced against the
freedom of expression guaranteed by Art.10 of the Convention. The court stressed the importance of freedom of
expression in this context. 135
The European Court of Human Rights again reiterated that the press play an essential role in a democratic society and
although it must not overstep certain bounds, in particular in respect of the reputation and rights of others, it has a duty
to impart in a manner consistent with its obligations and responsibilities information and ideas on all matters of public
interest. 136 Freedom of information also extends to the publication of photographs and the court, again, has to balance
the protection of private life against the freedom of expression contained in photographs that may contribute to a debate
of general interest. In Von Hannover v Germany, the court held that the photographs did not make any contribution to a
debate of general public interest since the applicant exercised no official function and the photographs and articles
related exclusively to details of her private life.
In R. (on the application of Stanley, Marshall and Kelly) v Metropolitan Police Commissioner, 137 the court observed
that there was a competing interest between Art.8 privacy and the freedom of expression articulated in Art.10 which
required the publication of photographs of individuals the subject of ASBOs.
In A v B Plc, 138 the court considered the public interest in receiving information about the claimant professional
footballers’ affairs with two women. The court referred to Venables 139 as a case where there was arguably a
strong public interest in knowing the new identities of the two applicant juvenile killers but that had to be balanced
against the risk to their persons and lives if they were identified. The court also added that there was a public interest in
their being rehabilitated. 140
The court were of the view that where the public interest and public benefit in the publication of the matter is great,
any justification for suppressing that publication must be very strong in order to prevail. Conversely, where the public
interest in publication is very slight, or non-existent, a lesser justification may be sufficient. Nevertheless, the court will
always be cautious in restricting freedom of expression.
Where there is the possibility of a genuine public interest in publication of a child’s details and there is a
countervailing risk to the welfare of the children, a balancing exercise is necessary. In Re S (A Child), 141 the court
acknowledged that the public interest which the media seek to further can often and perhaps largely be satisfied without
identifying a child. The law of breach of confidence was evoked in the case of Mary Bell, the child murderer who was
herself a child at the time of the killing, in order to protect her rights under Art.8.
The European perspective
The Human Rights Act 1998 is regularly relied on by the courts in privacy type cases.
Article 8 appears to be concerned only with interference with privacy by the State and not by private individuals or
organisations (see the use of the words “public authority” in the Article). Much academic debate has centred around
whether the Human Rights Act 1998 has a so-called horizontal effect, making it possible to be enforced against
The horizontal effect
134 See above at para.1–062. Applied in Re KT  EWHC 3428.
135 See para.58.
136 See Observer and Guardian v United Kingdom, judgment of November 26, 1991, Series A, number 216, pages 29 and 30,
137 See above at para.1–064.
138  E.M.L.R. 21, CA. Distinguished by Lady Archer v Williams  EWHC 1670.
139 See above at para.1–065.
140 See also Bladet Tromso v Norway (1999) 29 E.H.R.R. 125 which lays down some useful guidance as to the role of the
141 See above at para.1–067. Affirmed in Re S (A Child) (Identification Restriction on Publication)  UKHL 47.
Even before the present round of cases in this area, the European Court of Human Rights has made its position clear
on whether such horizontal violations can occur.
They consider that they can. In the 1988 case of Plattform “Arzte fur das Leben”, 142 which concerned a private group
that intimidated pro-life doctors in Austria to the point where they could not speak freely, the European Court held that
the Austrian Government was guilty of a violation of the right of free speech because of its failure to protect the
doctors’ freedom of speech.
There could be two readings of a decision of this nature, the first being that the court accepts the conceptual
possibility that actions of private parties may comprise a violation of rights and thus open the way to a horizontal
interpretation of the Act, or a second narrower interpretation that the individuals did not themselves violate the rights,
but the Government did in failing to prevent or punish their actions.
This too, will give effect to a horizontal interpretation of the Act. This is
also in harmony in respect of the positive obligations of the State to remedy domestic law, for instance, regarding
corporal punishment of children. 143
In Venables and Thompson, 144 Dame Elizabeth Butler-Sloss held that the court was obliged as a public authority to
apply Art.10 to the case before her but was at pains to point out that the Convention did not create a
freestanding cause of action between private individuals and that the court simply had a duty “to act compatibly with
Convention rights in adjudicating upon existing common law causes of action, and that includes a positive as well as a
negative obligation”. 145 One of the problems with an unencumbered horizontal approach is that of quality control. There
is a big difference between an uncontrolled paparazzo hounding a celebrity without just cause and a child suing her
parents for invading her privacy. It would be for the court, in its discretion, to control a petty and litigious society from
taking the law into areas where it has no place.
In Von Hannover v Germany, 146 it was held that although the object of Art.8 was essentially that of protecting the
individual against arbitrary interference by public authorities. It did not merely compel the State to abstain from such
interference: in addition to this primary negative undertaking, there might be positive obligations inherent in an
effective respect for private or family life.
These obligations might involve the adoption of measures designed to ensure respect for private life even in the
sphere of the relations of individuals between themselves. There needed to be a fair balance between the competing
interests of the individual and of the community as a whole. In this context, the State enjoys a margin of appreciation. 147
Human Rights Act not limited to vertical cases
The parties in Douglas v Hello! Limited, 148 represented a horizontal litigation between private parties, rather than an
attempt to make a privacy-based claim vertically against a public authority. In all three cases, the judges expressed a
willingness to consider the application of Art.8 of the Convention and it seems that the impact of the Human Rights Act
1998 will not be limited to vertical cases.
As Brooke L.J. noted in the Douglas case, although the Convention rights appear to presuppose enforceability only
against the State, the European Court has held in a number of cases that national law-making bodies are required, by
Art.1, to take positive steps to permit individuals to enjoy their Convention rights in horizontal, as well as vertical,
situations. It can be argued that Art.1 requires English courts to develop a concept of privacy, and to provide for its
enforcement not only against private parties but public authorities as well. 149
The broader European perspective has emerged in a number of cases before the European Court. In the cases of
Ústerreichischer RundfunkJoined Cases C-465/00 Rechnugshof and Osterreichischer Rundfunk and others and C-
142 (1991) 13 E.H.R.R. 204.
143 See A v UK (1998) 27 E.H.R.R. 61 at para.21.
144 See above at para.1–065.
145 At para.4.
146 See above at para.1–062.
147 See para.H11.
148 See above at para.1–057.
149 See also s.6 of the Human Rights Act 1998 which requires that all public authorities, including courts of law, act
compatibly with Convention rights. Although this was doubted by Sedley J. and Keene L.J. in Douglas v Hello! Limited.
138/01 Christa Neukomn and Osterreichischer Rundfunk and C-139/01 Joseph Lauermann and Osterreichischer
Rundfunk (May 20, 2003). and LindqvistBodil Lindqvist v Kammaraklagaren (Case C-101/01). the cases have been
referred for rulings under Art.234 where the national provisions adopted to comply with a Directive are argued to be
impossible to reconcile with the fundamental principles of Community law. The ECJ may also be asked to rule upon
the legality of acts adopted by the Council or other institution under Art.230 in relation to the agreement with the United
States over the transfer of Passenger Name Records (‘‘PNR’’). ECJ cases are of prime importance in interpreting the
national law arising from a directive. Lindqvist has been covered earlier in the commentary.
In Ústerreichischer Rundfunk the Court was asked to consider the boundary between the rights of informational
privacy for those employed by the State and the disclosure of information about their emoluments as a matter of public
interest. The Court refused to make a substantive decision on the actual, proposed, disclosure but confirmed that the
relevant information should be regarded as personal data, albeit generated in the course of employment and related to
the employment of the individuals rather than their private life. The Court held that the question of mandatory
disclosure was for the State to decide and that the State had to be satisfied that the disclosure would serve a proper
public interest and apply proper principles of proportionality. It seems to have been little regarded in the UK. In the
PNR case the European Court of Justice was asked to rule on whether actions of the Council and the Commission were
compatible with Community powers. The Court found that in making a finding of adequacy and entering into an
Agreement with the US (to allow the transfer of PNR to the US for security purposes), the actions of the Commission
were not compatible with Community powers and in doing so distinguished the actions of a non-State body from
activities of the State.See Chapter 1 [para.xxx] for a full analysis of this aspect of the case.
Austrian legislation required public bodies subject to the oversight of the Austrian State audit body (the
Rechnungshof) to provide it with the names and payment details of those who received salaries or pensions in excess of
a specified value. This information was included in an annual report (the ‘‘Report’’) which was published. The
legislation itself did not specify that the names of the persons concerned and the amount of annual remuneration
received must be included in the Report. Several public bodies supplied the information in anonymised form and
refused to co-operate in providing access to the original documentation on the payments. Proceedings were brought
before the Austrian constitutional court seeking a ruling on the interpretation of the provision. The Austrian court in
turn referred the point to the ECJ.
The questions referred to the ECJ were:
‘‘1. Are the provisions of Community law, in particular those on data protection, to be interpreted as precluding
national legislation which requires a State body to collect and transmit data on income for the purpose of
publishing the names and income of employees of:
(a)a regional or local authority,
(b)a broadcasting organisation governed by public law,
(c) a national central bank,
(d)a statutory representative body,
(e)a partially State-controller undertaking which is operated for profit?
2. If the answer to at least part of the above question is in the affirmative
Are the provisions precluding such national legislation directly applicable, in the sense that the persons obliged to
make disclosure may rely on them to prevent the application of contrary national provisions?’’para.23—this is the
question as phrased on Case C-465/00; the questions as phrased by the other cases were essentially the same
The question clearly has significance for any jurisdiction that is subject to a statutory access regime.
The Court dealt with the applicability of the Directive as a preliminary issue. It pointed out that Art.3(1) defines
scope in very broad terms. It would follow that any processing of personal data other than that which is outside the
scope—because it falls under the exceptions in 3(2)—will be covered by the Directive. It went on to hold that the
provisions were not necessarily in breach but the question depended on the justification for them: if the disclosures were
not proportionate then the national legislation would be incompatible with both the Convention rights and the Directive.
The Court held that the information about the payments to named individuals relates to identified or identifiable natural
persons and is therefore personal data. There is no reason to justify excluding activities of a professional nature from the
scope of personal data. The Court observed that, while the retention of such data by the employer is not an
infringement of Art.8 rights, the communication of such data to third parties amounts to an interference, irrespective of
whether the information would amount to sensitive personal data. On this basis, the provisions of the Directive must be
interpreted in the light of Convention rights. Thus, where the Directive permits derogations from rights it provides,
and actions carried out in reliance on those derogations would amount to an interference with the Art.8 right, the actions
must have a legal basis and the interference must be justified and proportionate. This includes the requirement that the
law must be sufficiently precise and foreseeable. It was for the national court to determine whether the provisions met
the test of foreseeability.
The objective of exerting pressure on public bodies to keep salaries within reasonable limits was, the Court observed,
a legitimate aim which could be capable of justifying interference with Art.8. National authorities enjoy a margin of
appreciation in determining the balance between the social needs and the interference with private life in issue. The
Court concluded that it is for the national courts to ascertain whether this interference is proportional
and it could only be satisfied on this point if the wide disclosure of names and income is necessary for and appropriate
to the aim of keeping salaries within reasonable limits. On the second question asked by the Austrian court, the Court
also affirmed that where the provisions of a directive are unconditional and sufficiently precise they are ‘‘directly
applicable’’, that is they may be relied upon directly by individuals and applied by national courts. The provisions of
Art.6(1)(c) and Art.7(c) and (e) fall into that category and can, therefore, be used by national courts to oust the
application of national rules which are contrary to those provisions.
Passenger Name Records (“PNR”)Joined Cases C-317/04 and C-318/04 (May 2006).
Soon after the terrorist attacks on September 11, 2001, the Unites States passed legislation providing that air carriers
operating flights to, from or through United States territory, must provide the United States customs authorities with
electronic access to that data contained in their automatic reservation and departure control systems, known as
Passenger Name Records (‘‘PNR’’). The Commission entered an agreement with the US Administration in relation to
the transfer of PNR and the treatment of such data by the Bureau of Customs and Border Protection (‘‘CBP’’) of the
Department of Homeland Security. The mechanism to reach the agreement was for the Commission to make a finding
under Art.26(6) that the transfer of the PNR to the CBP on the terms agreed between the Council and the US would
provide an adequate level of protection for the personal data (which it did on May 14, 2004) followed swiftly, on May
17, by a Decision of the Council using its powers under Art.95. This decision had the effect of implementing the terms
of the agreement.
The Data Protection Directive is an internal market measure. The finding of adequacy was predicated on the basis
that the PNR agreement was related to the functioning of the internal market and the transfer of the PNR data to the US
was within the scope of the Directive. The European Parliament challenged the basis of the arrangement before the
European Court of Justice. The Court ruled that the Agreement was outside the scope of Art.95, thus the Council’s
purported Decision was a nullity. The transfer of personal data for the purposes of security was not covered by
Directive 95/46/EC and thus the Commission had no power to make a finding of adequacy in respect if it. The
Agreement related to the transfer of data for the purposes of preventing and combating terrorism and other serious
crimes. As such the processing operations were excluded from the scope of the Directive and the Decision could not
have been validly adopted on the basis of Art.95. While the Court accepted that PNR data are initially collected by
airlines in the course of an activity which falls within the scope of Community law, namely sale of an aeroplane ticket
which provides entitlement to a supply of services, it took the view that the data processing taken into account in the
decision on adequacy was quite different in nature. The data processing in question was not necessary for a supply of
services, but data processing regarded as necessary for safeguarding public security and for law enforcement purposes.
The Court did not immediately nullify the adequacy finding but preserved
it for a period of 90 days, until September 30, 2006. It pointed out that the Community could not use its breach of its
own laws as a reason for terminating the Agreement but would have to take action under the relevant provision of the
Agreement. This provision allowed either party to terminate the Agreement at any time, with the termination taking
effect 90 days from the date of notification to the other party.
The Opinion of the Advocate General also covered the question of whether the Agreement with the US Government
for the transfer of PNR to the CBP was in breach of Art.8. The Advocate took the view that the entire Agreement and
linked provisions should be examined together. While he agreed that there was an interference with private life by
reason of the transfer he considered that the legal basis was made out and was sufficiently accessible to those affected.
He was clear that the transfer pursued a legitimate aim and went on to deal with the question of the margin of
‘‘the scope of which will depend not only on the nature of the legitimate aim pursued but also on the particular
nature of the interference involved’’ibid. para.26, citing Leander v Sweden, ECtHR. He further observed that:
‘‘The review of proportionality by the European Court of Human Rights varies according to parameters such as the
nature of the right and activities at issue, the aim of the interference and the possible presence of a common
denominator in the States’ legal systems.
As regards the nature and activities of the rights at issue, where the right is one which intimately affects the
individual’s private sphere, such as the right to confidentiality of health-related personal data, the European Court
of Human Rights seems to take the view that the State’s margin of appreciation is more limited and its own judicial
review must be stricter.
However where the aim of the interference is to maintain national security or to combat terrorism the European
Court of Human Rights tends to allow States a wider margin of appreciation.’’ibid. paras 228–230, citing cases Z v
Finland, Leander and Murray v UK.He went on to suggest that the margin of appreciation should be limited to
determining whether there was any manifest error of assessment in making the decision. On the facts of the case he
did not regard the number of data items required or the retention time as manifestly unreasonable. [NEXT TEXT
PAGE IS 1051]