SMO v TikTok judgment

Some interesting remarks/statements – additional info/comments enclosed in brackets () and italics- are extracted from the Judgment:

‘This is a pre-action application for anonymity on behalf of a child claimant in an intended claim for breach of privacy‘.

‘The papers explained that the urgency stemmed from the fact that the end of the Brexit transition period on 31 December 2020 will bring about changes in the law which are, or are at least said to be, relevant to the intended claim. One change relates to the GDPR. It is said that under the law as it stands before the end of the period this Court has jurisdiction over that aspect of the claim and over the Second Intended Defendant, which is a company registered in England and Wales. The position from 1 January 20201 is “less clear”; jurisdiction will be decided on the basis of the common law rules “which may prejudice the ability of the claimant to bring the claim and/or defend any jurisdictional challenge brought by the Intended Defendants (i.e. defendants outside UK. What about the UK GDPR?)’.

‘Some of the claimant’s paperwork devotes attention to the importance of keeping the claimant’s address a secret. I do not regard that as an issue of particular significance in the context of this case. It is said that its disclosure might give rise to a risk of harm, regardless of the facts of the case, as it would increase the risk of attention from people who intend the claimant serious harm. That appears to me to be unsupported by the evidence. In any event, the claimant’s address is not a weighty aspect of open justice, save in so far as it may lead to the identification of the claimant. The real issue is whether the claimant should be identified. If not, an order for non-disclosure of the address would seem to follow.

‘The common law exceptions did not include the rights or interests of children, other than in the context of wardship. But by virtue of the Human Rights Act 1998 there is now, effectively, a statutory exception. The Court must act compatibly with the Convention Rights, including the right to respect for private life protected by Article 8. And Article 6 provides that the general rule of open justice may be departed from
“where the interests of juveniles or the protection of the private life of the parties so require.” This does not provide any automatic protection for children, regardless of the circumstances: see ZH (Tanzania) v Secretary of State for the Home Department [2011] UKSC 4 [46] (Lord Kerr), ETK v News Group Newspapers Ltd [2011] EWCA Civ 439 [19] (Ward LJ). A balance must always be struck, and attention must be paid to the specifics of the individual case, not just generalities. But, as Mr Ciumei QC has pointed out in presenting his client’s case, Article 3(1) of the United Nations Convention on the Rights of the Child and other international and domestic instruments require the Court to accord “a primacy of importance” to the best interests of a child: ZH (Tanzania) ibid. (NB: UNCRC Art 3(1) provides the balancing or tipping act when it comes to a child’s privacy rights).

‘It is reasonable to suppose that some of that attention would be focussed on the claimant, if their identity was known. But that is not enough of itself to justify anonymity. Nor is the mere fact that the claimant is 12 years old. It is necessary to consider the nature of the likely attention, and the harm that it could cause. (NB: the likely attention is a trigger for harm).

‘The Commissioner’s witness statement identifies a risk of direct online bullying by other children or users of the TikTok app; and a risk of negative or hostile reactions from social media influencers who might feel their status or earnings were under threat. Both appear to me to be realistic assessments. That is not to say that such behaviour is inevitable, but it is reasonably foreseeable. (NB: risk associated with social media influencers).

‘…the intended claim involves serious criticisms of what may be key aspects of the platform’s (TikTok) mode of operation’

‘I accept the Commissioner’s evidence that children are particularly sensitive to the sort of attention and scrutiny to which she has referred, and that such attention can have a marked and detrimental impact on a child’s mental health, and emotional and educational development. I would characterise the risk of harm as significant‘

‘The assessment of the parents deserves respectful attention.’

‘The main characteristics of importance appear to be age and use of TikTok, and those are shared with all the represented parties. The evidence is that the damages claim will not be peculiar to the circumstances of the claimant, as for instance with a claim to compensate for distress. As in Lloyd v Google, the claim will be for a standard “tariff” figure to compensate the claimant and each of the represented parties for the abstract “loss of control” over personal data. In all likelihood, the main focus of attention for those who wish to understand and scrutinise the workings of the justice system in the intended litigation will be the activities or alleged conduct of TikTok and the role of the defendant companies in its operation’.

‘…if the Court required the claimant to be named that could have a chilling effect on the bringing of claims by children to vindicate their data protection rights. On that footing, the grant of anonymity supports the legitimate and important aim of affording access to justice, and the order is necessary in order to secure the administration of justice.’

My written prepared talk is shared below.

Privacy and the Individual – What difference will GDPR Make?

Thanks John for the introduction. A warm welcome to all.

Any talk on privacy and the GDPR invariably uses terms or phrases that may be blurry or obscure. So just to set the scene, when I say the ICO I’m referring to the UK’s data protection watchdog – The Information Commissioner’s Office. When I say ‘data’ I’m referring to personal data as described in the GDPR.

Although the GDPR did not reference privacy – itself a complex term, privacy is embedded as information or data privacy and expressed in phrases such as:
‘respect for human rights and fundamental freedoms (Art. 12 – exercise of the rights of the data subject); ‘High risk to the rights and freedoms of natural persons’ (Art. 35 -Data protection impact assessment), and ‘Risks to the rights and freedoms of natural persons (individuals)’ (Recital 75).

It is no longer just about protecting personal data or processing of personal data but data privacy.

With this comes obscure or unclear terms.

What is ‘high risk’? How do you express ‘rights and freedoms’ of natural persons (individuals) especially in the context of privacy impact assessment (PIA) or data protection impact assessment (DPIA)?

We know that the GDPR describes DPIA (Art. 35) and also breach notification (Art. 33 – notify the ICO, and Art. 34 – communicate to the data subjects).

I know fresh in our minds is the recent Facebook-Cambridge Analytica scandal. Flashback to October 2015, anyone here still remembers the TalkTalk data breach incident?

Would you all agree that both Facebook & TalkTalk responded or handled the data breach announcement or notification to affected individuals rather badly or failed to do so in the eyes of the public and the affected individuals?

Certainly, under the GDPR both would be required to notify the ICO within 72 hours and to affected UK individuals without undue delay or ‘as soon as possible’ (Guidelines on Personal data breach notification under Regulation 2016/679)

As we know the GDPR requires organisations to notify the ICO where there is a risk to the rights and freedoms of individuals, and only notify the individuals where there is high risk.

My research examines data incidents response, in particular, the privacy harm to individuals as a consequence of the data incident. I have designed a prototype dashboard and have conducted user evaluation study with industry practitioners. The dashboard is for assessing privacy data harm by addressing the initial breach notification question to notify or not affected individuals and to the ICO during initial data incident response.

There is still fear in organisations when it comes to disclosure of data incidents. However, the GDPR will held organisations accountable e.g. with the fines and penalties, and to be transparent to report data incidents. Affected individuals have the right to know.

The outcome of my study also revealed that it is possible to do an initial data breach assessment even with the unclear terms: ‘high risk’ and the ‘rights and freedoms’ of individuals. The prototype dashboard also shows notification alerts with the countdown to 72 hrs from the point of being aware of the incident. One participant remarked: ‘It (the dashboard) provides a calm objectivity in time of panic & stress. Because you’re going to be stressed, you immediately think your personal reputation and your organisation’s reputation. Would we be fined? And all these things come in rather than actual thinking of the consequences to individuals’.

When the data incident happened, the genie was out of the bottle, out in the wild – the harm was already done.

The GDPR would not bring the genie back into the bottle or stop the harm. So as a matter of good business practice and in the spirit of the law, organisations should notify their customers.

Thank you.
Cher
p.s.
May post a photo taken by John Stevenson (City’s Senior Communications Officer)