33 judgments interpreting, applying, or limiting the provisions of this Act. Sorted by court tier then reverse-chronologically.
If a company unlawfully handles your personal data you cannot claim compensation just because it happened. You have to show real harm — money lost or genuine distress — before the courts will give you anything.
Decided under the DPA 1998 but anchored by the Court to the broader concept of "personal data" and "damage" that the DPA 2018 carries forward in section 3: mere loss of control over personal data, divorced from any provable distress or material loss, is not itself "damage" within the data-protection compensation regime, and Lord Leggatt's reasoning supplies the controlling gloss on the s.3 definitions for DPA 2018 purposes.
Holding. For statutory data-protection compensation the data subject must prove material loss or distress; the bare fact that a controller has processed their personal data unlawfully does not, of itself, constitute damage.
An employer is not automatically on the hook when a rogue employee leaks colleagues' data out of spite. There must be a real connection between the leak and the job — not just personal vendetta on a frolic.
Vicarious liability is in principle available for breaches of the data-protection regime and is not excluded by the statutory scheme — a holding which carries directly into section 168 / Article 82 — but the close-connection test bars liability where the employee's wrong (here, a malicious leak motivated by a grudge against the employer) is on a frolic of his own and not in the field of activities entrusted to him.
Holding. An employer can in principle be vicariously liable for a data-protection breach by its employee, but is not so liable where the employee's wrongful disclosure is motivated by personal vendetta and falls outside the field of activities entrusted to them.
Data that looks anonymous on its own can still be personal if it can be linked back to people by combining it with other records. Companies must guard against that aggregation risk, not just obvious identifiers.
Extends the section 155 / Article 32 security duty: appropriate technical and organisational measures must be calibrated to the risk that information held by a controller can be linked to identifiable individuals through aggregation, even where the records compromised do not on their face contain obvious personal identifiers.
Holding. For the purposes of the security duty under the DPA 1998 / DPA 2018, "personal data" includes data which can be linked to identifiable individuals on aggregation; the controller's measures must address that linkage risk.
When you appeal an ICO enforcement notice, the burden lies on the Commissioner to prove the breach. The tribunal makes its own findings and does not start from a presumption that the notice was correct.
Tribunal-procedure ruling read through section 197: on a section 162 appeal, the Commissioner bears the burden of proving the contravention underlying her enforcement notice, and the FTT must reach its own findings of fact rather than treating the notice as creating any presumption — a procedural rule about appeals that, by virtue of section 197, shapes the practical operation of every enforcement / penalty review.
Holding. Tribunal procedure on a section 162 appeal (governed by section 197) places the burden of proof on the Commissioner; the FTT must make its own factual findings and is not bound to defer to those recorded in the notice.
You cannot run a single representative action on behalf of every NHS patient whose records were shared with a tech firm. Some had no real privacy expectation and damages would differ — so each case must be brought individually.
Follows Lloyd v Google to dismiss an opt-out representative action under CPR 19.8 founded on the tort of misuse of private information arising from NHS data-sharing with DeepMind: a uniform per-capita claim is impossible because some represented patients had no reasonable expectation of privacy and any damage would have to be individually assessed — the same obstacle that defeats representative section 168 claims.
Holding. A representative action under CPR 19.8 cannot succeed in a data / privacy claim where the same-interest requirement is defeated by the need for individualised assessment of expectation of privacy and damage — confirming Lloyd v Google in the misuse-of-private-information context.
If the ICO investigates your complaint and decides to take no further action, you cannot ask the tribunal to second-guess that decision. The tribunal can only step in when she ignores you or drags her feet.
Section 166 affords only a procedural remedy: once the Commissioner has given the complainant a section 165 outcome, the FTT has no jurisdiction to require her to reach a different conclusion or to investigate further — the substantive merits of the complaint are matters for the Commissioner's discretion alone.
Holding. Section 166 is a procedural backstop directed at delay or failure to inform; it does not entitle the Tribunal to review whether the Commissioner properly assessed or resolved the underlying data-protection complaint.
Ministers cannot strip migrants of data-protection rights through a vague exemption that leaves the safeguards to civil-servant practice. The protections have to be written into law, not left to internal policy.
Section 15 and Schedule 2 paragraph 4 (the immigration exemption) were, as originally enacted, unlawful: a restriction on data-subject rights under Article 23 UK GDPR must itself contain the specific safeguards listed in Article 23(2), and the paragraph 4 exemption left those safeguards to administrative practice rather than legislative measure.
Holding. An exemption from data-subject rights made under section 15 / Schedule 2 must itself prescribe the Article 23(2) UK GDPR safeguards; the immigration exemption as drafted in 2018 failed that requirement and was unlawful.
When police share information about you with private crime-reduction schemes, the whole arrangement — common-law powers plus the published protocol — must together be clear, predictable and limited enough to be lawful. Courts look at the package, not isolated rules.
On a Part 3 challenge, the section 34 over-arching principles (lawfulness and fairness) and the Article 8 "in accordance with the law" test are co-extensive: a police information-sharing arrangement with a business crime-reduction partnership satisfies section 34 only where the legal framework, read with the operating protocol and underlying common-law and statutory powers, is together sufficiently accessible, foreseeable and constrained.
Holding. Police data-sharing with a private crime-reduction partnership engages section 34 lawfulness; the combination of common-law police powers and the partnership's published protocol can supply the necessary legal basis, but the regime must be examined holistically rather than provision by provision.
A foreign news website that simply writes about a UK resident is not automatically caught by UK data-protection law. You can only sue under the Act if the publisher actively targets UK users or monitors their behaviour.
On permission-to-serve-out, the Court of Appeal held that the UK GDPR (read with the DPA 2018) applies to a US news organisation only where the processing is related to the offering of goods or services to data subjects in the UK or to the monitoring of their behaviour; the publication of journalism about a UK resident does not, of itself, satisfy Article 3(2), narrowing the territorial reach of section 168 compensation claims against overseas defendants.
Holding. Article 3(2) UK GDPR territorial application requires processing related to the offering of goods or services in the UK or behavioural monitoring; the bare publication of journalism about a UK resident by a non-UK publisher is not enough to engage the DPA 2018 jurisdictionally.
Police cannot rely on a vague public-interest justification to scan faces in public. They need a written policy that actually limits who goes on the watchlist and where the cameras are deployed — generic words are not enough.
Reliance on a Schedule 1 condition for sensitive biometric processing (here, the substantial-public-interest condition for crime prevention) requires an appropriate policy document under section 42 that meaningfully constrains who can be put on a watchlist and where the technology can be deployed; generic public-interest language without those specifics will not satisfy Schedule 1.
Holding. A Schedule 1 condition for sensitive processing is engaged only when paired with an appropriate policy document that, on its terms, constrains the discretionary choices the controller is actually making; a generic public-interest assertion is insufficient.
The journalism exemption protects a newspaper that genuinely believes its processing is for journalism — judges cannot tighten the test by rewriting the statute, even to bring it closer to human-rights standards.
Construing the journalism exemption as it then stood in section 32(4) DPA 1998 (re-enacted, for journalistic, academic, artistic and literary processing, through section 15 read with Schedule 2 Part 5 DPA 2018), the majority held that the stay mechanism could not be read down to cure its Charter-incompatibility; the case remains the leading domestic authority on the scope of the journalism exemption.
Holding. The pre-publication stay for processing for the special purposes is engaged on the controller's reasonable belief, not on objective necessity; a court cannot conjure a more restrictive condition by reading down the provision to achieve Charter-compatibility.
Not every document that mentions you is personal data — it has to actually be about you. And if a subject-access request is over-the-top or being used to harass, a court can refuse to enforce it.
Confirms the Durant/Edem approach to the meaning of "personal data" in section 1 DPA 1998 (carried into section 3(2) DPA 2018) — information is personal data only if it is biographically significant of, or focused on, the data subject — and lays down the framework for proportionality and abuse-of-rights resistance to subject-access requests now reflected in the section 7 / Article 15 regime.
Holding. Personal data must relate to and be biographically significant of the data subject; the court retains a residual discretion to refuse to enforce a subject-access request that is disproportionate or an abuse of the right.
Even if a website never learns your name, the data it collects about your device and browsing still counts as personal information about you. That brings tracking and advertising firmly inside the data-protection rulebook.
Browser-generated information collected through tracking cookies is "personal data" within section 1 DPA 1998, and the same purposive reading is preserved by section 3(2) DPA 2018: data which permit a data subject to be singled out, even via a device identifier, are personal data even if the controller does not know the subject's name.
Holding. Information which enables identification of an individual indirectly (here, through device-level tracking) is "personal data"; and section 13 DPA 1998 (read compatibly with the Charter) permits recovery for distress alone.
HMRC cannot blanket-refuse your request for your own tax data by waving the tax-collection exemption. They must look document by document and only withhold the bits that would genuinely harm tax collection if released.
Section 13 (and the Schedule 2 Part 1 exemption it underpins) does not give HMRC a blanket exemption from subject-access obligations: HMRC must identify the specific tax-collection function whose discharge would be prejudiced and may withhold only the data the disclosure of which would in fact prejudice that function; blanket reliance on the exemption is impermissible.
Holding. The section 13 / Schedule 2 paragraph 2 tax-collection exemption must be applied document by document on a prejudice test; only those personal data whose disclosure would be likely to prejudice tax-collection functions are excluded from the right of access.
If a pension provider misaddresses your envelope, you cannot claim compensation just because a stranger might have opened it. You have to plead facts showing someone actually saw or used your information.
In a section 168 / Article 82 mass distress claim, each claimant must plead and prove that the misdirected correspondence was in fact received or opened by a third party; the bare risk that the leaked envelope might have been opened is insufficient and the claim will be struck out where the pleadings cannot make good that allegation.
Holding. A section 168 distress claim cannot survive strike-out unless the individual claimant pleads facts capable of showing actual third-party receipt or use of their personal data; the mere possibility of disclosure is not enough.
When the Government tried to fix the unlawful immigration exemption, it still left the key safeguards in guidance rather than legislation. The court declared it incompatible again and gave Parliament more time to put it right.
Applies Open Rights Group to hold that the Government's revised immigration exemption (the SI 2022/76 redraft of Schedule 2 paragraph 4) still does not contain the specific legislative measures required by Article 23(2) UK GDPR; section 15 cannot save a Schedule 2 exemption whose safeguards remain at policy rather than statutory level.
Holding. The amended paragraph 4 of Schedule 2 remained incompatible with Article 23(2) UK GDPR; a declaration of incompatibility was made and suspended to allow Parliament a further opportunity to legislate compliantly.
If the police log an old unproven allegation against you as if it were fact, that breaches data-protection rules on accuracy and storage. You can get the record corrected and claim compensation for the distress caused.
Police retention of records recording an unproven historic allegation as fact breaches the accuracy and storage-limitation principles in section 34 / Schedule 1 read with the section 168 compensation regime, where the privacy intrusion outweighs any subsisting policing rationale; the proper remedy is rectification and award of distress damages.
Holding. Recording an unproven historic complaint in police data systems as if it were factual contravenes the data-protection accuracy and storage-limitation principles and grounds a section 168 / Article 82 distress claim against the chief officer.
When the CPS publicly says your charging file is still open, that counts as police processing of your personal data — so your right to see it is governed by the police chapter of the Act, not the general rules.
A CPS confirmation that a charging file remains under review constitutes processing personal data for a section 31 law-enforcement purpose, so the rights and safeguards of Part 3 — including the section 45 right of access — govern the disclosure rather than Part 2 of the DPA 2018; on the facts the disclosure was justified by the policing exemptions, but section 45 supplied the controlling framework.
Holding. Public statements made by the CPS describing the live state of a charging file are processing for law-enforcement purposes within Part 3; access to and disclosure of such personal data is governed by section 45 and the Part 3 exemptions, not by the UK GDPR.
After Lloyd, you cannot rescue a mass cyber-attack lawsuit by re-labelling it as misuse of private information. The statutory data-protection claim is the only realistic route, and case management will keep things tight.
Applies Warren and Lloyd to refuse permission to amend a mass section 168 claim arising from the 2015 TalkTalk cyber-attack so as to add misuse-of-private-information claims; the case is the leading case-management illustration of the post-Lloyd narrowing of the DPA 2018 mass-claim landscape.
Holding. Post-Lloyd, mass section 168 cyber-attack claims cannot be re-engineered through misuse-of-private-information claims; the statutory cause of action remains the controlling route, and case-management discipline must be applied accordingly.
Small-money data-breach cases belong in the small-claims court, even if the lawyers add fancy extra claims about misuse of private information. You cannot inflate a modest dispute into a High Court action.
Low-value section 168 compensation claims (here, the resale of an unwiped television) belong on the small-claims track; pleading misuse of private information and breach of confidence does not justify allocation to a higher track when the substance of the dispute is a modest data-protection breach.
Holding. Section 168 / Article 82 claims of modest value should be transferred to the County Court small-claims track, even if framed alongside misuse of private information and breach of confidence pleadings.
A marketing rep who briefly glanced at your maternity-ward form without copying anything down has not done enough to count as processing your data. Without recording or using it, there is no claim to bring.
Even the lower DPA threshold of "processing" is not crossed by a marketing representative's brief glance at part of a maternity-ward form; without an act of recording, retrieval or use of personal data, there is no DPA contravention and no section 168 / Article 82 compensation claim.
Holding. Inadvertent sight of personal data, without any consequent recording, retrieval or onward use, does not constitute "processing" under the data-protection legislation; the section 168 / Article 82 claim therefore fails at the threshold.
Low-value data-breach claims belong in small claims, and asking the court for a formal declaration on top of damages will not win you bigger costs. The track allocation reflects the real worth of the dispute.
Confirms the Stadler/Johnson line: a small-value section 168 claim should be allocated to the small-claims track, and declaratory relief adds nothing where the substantive compensation claim is resolved — a costs-management corrective to inflated DPA pleadings.
Holding. Small-value section 168 claims belong in the small-claims track; declaratory relief is not a vehicle for circumventing that allocation or for securing inter-partes costs that the substantive claim could not.
A single mis-sent email about your tenancy is not a High Court case. The courts will move it to small claims and refuse to let extra causes of action be tacked on just to keep it in a bigger forum.
Applies the Jameel-abuse and case-management jurisdiction to a section 168 claim arising from a single mis-sent email: such low-value data-protection claims belong in the County Court small-claims track and the addition of common-law causes of action does not preserve High Court allocation.
Holding. A modest section 168 claim arising from a single inadvertent disclosure is to be transferred to the County Court small-claims track; pleading misuse of private information and negligence to inflate the apparent value of the claim is an abuse and will not be permitted.
A single misaddressed email that the recipient quickly deletes is not worth suing over. The courts will throw out trivial data-breach claims as an abuse of the system, no matter how dressed up they are.
Applies a de minimis filter to section 168 / Article 82 compensation claims: a single misaddressed email containing limited personal data, promptly retrieved and confirmed deleted by the recipient, falls below the seriousness threshold and is liable to be struck out as a Jameel abuse where pursued for low-value distress.
Holding. Trivial data-protection breaches that cause no more than minimal distress are subject to a de minimis bar; the High Court will strike out such claims as an abuse of process.
If suing over a data leak would itself expose the very information you want kept private, the court will let you bring your claim anonymously. Otherwise the legal process would defeat the privacy interest you came to protect.
Anonymity orders are properly granted in mass section 168 / Article 82 distress claims against a public body where the personal data the claimants seek to vindicate would themselves be re-disclosed by being named in proceedings — a procedural application of the section 168 right to substantive protection.
Holding. Where the very fact of bringing a data-protection claim would expose the personal data alleged to have been compromised, anonymity should be granted; without it the section 168 remedy would itself defeat the privacy interest.
If your data is stolen by hackers, you cannot also sue the company for misuse of private information or breach of confidence. Your only route is the statutory data-protection claim — the company did not itself disclose anything.
Where personal data are stolen by a third-party cyber-attack, there is no parallel common-law cause of action: misuse of private information, breach of confidence and the tort of negligence cannot be pleaded alongside the section 168 / Article 82 claim because the controller has not used or disclosed the data — the only viable cause of action is the statutory data-protection breach.
Holding. A controller whose systems are penetrated by an external attacker commits no actionable misuse of private information or breach of confidence by the fact of the breach itself; data-protection claimants are confined to their statutory remedy under the DPA.
An intelligence firm that publishes a dossier full of second-hand claims about you must take reasonable steps to check the facts first. If it does not, you can claim compensation for the distress of being misrepresented.
Decided under the DPA 1998 but expressly read by the Court as the controlling authority on the accuracy principle now in Schedule 1 to the DPA 2018: a controller processing intelligence reports must take reasonable steps to verify the second-hand information it relies on before publishing inaccurate personal data, and a failure to do so grounds a section 13 (now section 168) award of damages for distress.
Holding. Inaccurate intelligence-report processing of second-hand information about a data subject without reasonable verification breaches the accuracy principle and entitles the data subject to compensation for distress under the data-protection compensation regime.
When a public body accidentally leaks sensitive personal information, courts award compensation for distress on a case-by-case basis — typically a few thousand pounds — weighing the sensitivity of the data and the vulnerability of the people affected.
Sets the leading methodology for quantifying damages for distress under data-protection legislation — awards of £2,500–£12,500 for an inadvertent Home Office disclosure of asylum-seekers' identities — a tariff regularly applied as the starting point under section 168 / Article 82 for negligent disclosures by public authorities.
Holding. Distress damages for an unlawful disclosure of personal data are assessed on an individualised basis taking account of the sensitivity of the information, the vulnerability of the data subject and the foreseeable consequences of the leak; awards in the low-thousands range are appropriate for a serious but contained negligent breach.
Your right to complain to the ICO is a right to an answer, not a right to the answer you wanted. The tribunal can chase procedural failures but cannot rerun the substantive investigation for you.
The FTT's jurisdiction under section 166 is confined to the three narrow procedural failings listed in section 166(1): failure to take appropriate steps, failure to provide a section 165 outcome, or failure to update the complainant. It cannot be used to review the substantive adequacy of the Commissioner's investigation, since the Article 77 GDPR right is a right to obtain a result, not to obtain a particular result.
Holding. Section 166 confers a procedural remedy only; the FTT may not assess whether the Commissioner correctly evaluated the merits of a data-protection complaint.
You cannot rush to the tribunal the moment you complain to the ICO. You have to give the Commissioner a reasonable chance to deal with it first; only then can you challenge her handling of the process.
An application to the FTT under section 166 may only be made after the Commissioner has had a reasonable opportunity to handle the complaint; the section is not a free-standing first-instance remedy and a fresh complaint to the Commissioner is required before a renewed section 166 application can be made.
Holding. A section 166 application must be preceded by a section 165 complaint; the FTT will not entertain an application until the Commissioner has had a reasonable period to respond.
A company that scrapes faces only to help foreign police and spies sits outside what the UK regulator can punish. The ICO can only act on processing that has a real UK connection.
Where the only operative processing in the UK takes the form of matching scraped biometric data on behalf of foreign criminal-law / national-security clients, section 10 DPA 2018 (and Article 9 / Article 2 UK GDPR) does not apply because the activity falls outside the material scope of the UK GDPR; the special-category protections cannot be invoked to assert jurisdiction the regulator would otherwise lack.
Holding. Processing biometric special-category data wholly in support of a foreign state's criminal-law or national-security functions is outside the material scope of the UK GDPR and DPA 2018, so the Article 9 / section 10 conditions never engage.
A big retailer is not automatically liable for a fine just because hackers got in. Security duties are judged against the company's risk profile and what the industry was doing at the time of the attack.
On the section 155 / DPA 1998 monetary penalty appeal arising from the Currys / PC World point-of-sale cyber-attack, the Tribunal worked through what "appropriate technical and organisational measures" require for a large retailer's payment infrastructure under DPP7 (and Article 32) and revisited the Commissioner's £500,000 penalty, providing the leading guidance on the security duty in a complex retail estate.
Holding. Compliance with the security duty in the data-protection principles (DPP7 / Article 32) is judged against the controller's specific risk profile and the contemporaneous state of industry practice; a retailer is not in breach simply because a sophisticated attacker eventually penetrated its systems.
When the ICO fines a business, the tribunal does not just rubber-stamp the figure. It works through the statutory factors itself — including the company's finances — and can substantially cut a penalty that is out of proportion.
On the first appeal against a section 155 monetary penalty under the DPA 2018 / UK GDPR, the Tribunal reduced the Commissioner's £275,000 penalty to £92,000, holding that the Article 83(2) factors — in particular the controller's financial position and the comparator of contemporaneous DPA 1998 penalties — must be expressly worked through before a proportionate figure can be fixed.
Holding. When reviewing a section 155 monetary penalty, the FTT must itself apply the Article 83 / Schedule 16 factors to set a proportionate figure; it is not confined to asking whether the Commissioner's discretion was reasonably exercised.