The legal grounds for protecting privacy and confidentiality in England and Wales are the Human Rights Act 1998 and the European Convention on Human Rights.

European Convention of Human Rights

The key provisions of the European Convention on Human Rights regarding privacy are Articles 8 and 10, as follows.

• Article 8(1) sets out that everyone has the right to respect for their private and family life, their home and their correspondence. Article 8(2) provides that there shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society:
1. in the interests of national security, public safety, or the economic well-being of the country;
2. for the prevention of disorder or crime;
3. for the protection of health or morals; or
4. for the protection of the rights and freedoms of others.
• Article 10 states that everyone has the right to freedom of expression (albeit that the exercise of this right may be subject to restrictions, including the protection of the reputation or rights of others and preventing the disclosure of information received in confidence).

Human Rights Act 1988

The Human Rights Act 1998 incorporated the European Convention on Human Rights into domestic law. Therefore, under Section 6(1) of the Human Rights Act, UK courts and tribunals are obliged to act in a way that is compatible with Articles 8 and 10 of the European Convention on Human Rights when carrying out their functions.

For a claimant to establish a case for misuse of private information, they would need to satisfy a two-stage test, as follows.

Stage 1 ‒ reasonable expectation of privacy

Here the claimant must prove that they objectively have/had a reasonable expectation of privacy in relation to the relevant information. The factors that the court is likely to consider when assessing whether a person has a reasonable expectation of privacy are:

• what a reasonable person of ordinary sensibilities would feel if they were placed in the same position as the claimant and faced with the same publicity; and
• whether there is a reasonable expectation of privacy ‒ this is a broad question, which takes into account all the circumstances of the case, including:
1. the qualities/attributes of the claimant;
2. the nature of the activity in which the claimant was engaged;
3. the place where it was happening;
4. the nature and purpose of the intrusion;
5. the absence of consent and whether it was known or could be inferred; and
6. the impact on the claimant and the circumstances under which/the purposes for which the information has come into the possession of the publisher.

Stage 2 – balancing exercise

If the claimant is able to establish a reasonable expectation of privacy, the court will then assess whether that expectation is outweighed by the defendant’s right to freedom of expression under Article 10 of the European Convention of Human Rights by conducting a balancing exercise of the competing interests. For further details of the criteria that is to be applied during the balancing exercise, please refer to 1.3 Privacy Deadlines and Defences.

Confidential Information

In respect of confidential information, there is an equitable doctrine in England and Wales that a person who receives information in confidence cannot take unfair advantage of it. For a claimant to establish a case for breach of confidence, they must demonstrate that:

• the information has the necessary quality of confidence;
• the information has been imparted in circumstances importing an obligation of confidence; and
• there has been an unauthorised use of that information to the detriment of the rights of the claimant.

It is worth noting that there are some limitations to this protection – for example, where information has been (or is deemed to have been) read in open court, or where the public interest in disclosure outweighs confidentiality.

The main remedies available in the English courts for misuse of private information or breach of confidence are as follows.

Interim Injunctions

These are temporary injunctions that are intended to last for a defined period of time – commonly until the trial of the action. An interim injunction can be obtained before the publication of the private information. However, it will not be granted by the court on mere suspicion or apprehension of disclosure of private information; the court must be satisfied that there is clear evidence for such a fear. The claimant must also prove that they are “more likely than not” to be successful at trial (Cream Holdings v Banerjee) in order to justify the intrusion of the defendant’s rights under Article 10 of the European Convention of Human Rights to freedom of expression pre-publication, which can be a difficult hurdle to surpass.

Final Injunctions

A final injunction may be granted to a successful claimant in an action for misuse of private information (or breach of confidence), either to prevent the continuation of the wrongful publication or to prevent a threatened publication. The court has discretion as to the terms and length of the injunction.

Damages

This is an available remedy for successful claimants in order to compensate for the invasion of privacy and for the distress, injury to feelings and loss of dignity that may have arisen as a result of the breach of privacy or confidence – as well as for financial loss or, in specific cases, for the loss of control over the commercial exploitation of the claimant’s image.

The normal range of financial awards for misuse of private information varies greatly and is largely fact-specific. In early cases, such as Campbell (2002), awards were low. Model Naomi Campbell was awarded GBP2,500 in general damages and GBP1,000 in aggravated damages. However, in 2018, Sir Cliff Richard was awarded general damages totalling GBP210,000 in relation to the British Broadcasting Company (BBC)’s reports that he was being investigated about historic allegations of child sexual assault (Richard v BBC (2018)).

The limitation period for bringing a claim for the misuse of private information and breach of confidence is generally six years from the relevant private or confidential information being published. However, the right to the remedy of an injunction can be lost if a claimant does not pursue the claim promptly.

The right to freedom of expression (Article 10 of the European Convention of Human Rights) is most commonly relied upon by media defendants in claims brought against them for misuse of private information. The balancing exercise between Article 8 and Article 10 is conducted by the court.

In Von Hannover v Germany (no 2) and Axel Springer GmbH v Germany, Application No 39954/08, the ECHR set out the criteria that is to be applied during the balancing exercise. These include:

• public interest – the extent to which the publication would contribute to a debate of public interest;
• the extent to which the person concerned is in the public eye;
• the subject matter of the publication;
• prior conduct in relation to the information publicised;
• the content, form and consequences of the publication; and
• the method used by the defendant to obtain the information.

Defendants may also seek to rely on the defence that the “private” information was already in the public domain.

For breach of confidence claims, the iniquity defence may apply where the public interest overrides express or implied duties of confidentiality. This may include where confidentiality is used in order to hide criminal activity, mislead the public or cover up financial irregularities.

In England and Wales, the general rule is that hearings are to be held in public, in accordance with the principle of open justice. However, under Rule 39.2 of the Civil Procedure Rules 1998 (CPR), parties may apply for a private hearing – although a hearing will only be held in private if the court is satisfied that a private hearing is necessary to secure the proper administration of justice and that one of the following criteria apply:

• publicity would defeat the object of the hearing;
• the hearing will involve matters relating to national security;
• the hearing will involve confidential information;
• a private hearing is necessary to protect the interests of any child or protected party;
• the hearing is of an application made without notice and it would be unjust to any respondent for there to be a public hearing;
• it involves uncontentious matters arising in the administration of trusts or of a deceased person’s estate; and
• the court considers a private hearing to be necessary, in the interests of justice.

A party can also apply for an anonymity order. However, the court will only order for the identity of a person not to be disclosed where the court considers non-disclosure necessary to secure the proper administration of justice and in order to protect the interests of that person (39.2(4) of the CPR).

In terms of bringing proceedings for misuse of private information in this jurisdiction, the courts of England and Wales generally have jurisdiction where the misuse of private information or/and the resulting damage has taken place within the jurisdiction. Other factors, including where the defendant is based, are also relevant.

The general rule is that the successful party pays the losing parties’ costs. However, the court can depart from the general rule and – even when the losing party is ordered to pay the successful party’s costs ‒ recovery is usually between 60–70% of total costs.

The availability of the pre-publication injunction makes the UK an attractive jurisdiction for claimants. When pursuing a privacy injunction against a media publisher, there will often be dialogue concerning the possibility of undertakings and/or agreements as to what – if anything – may be publishable or restrained.

There are two types of defamation, which are:

• libel –  relates to the publication of a statement in permanent form, such as in writing, but also includes broadcasts or stage productions.
• slander ‒ relates to the temporary publication of a statement, such as by way of speech, but also includes gestures or conduct.

Libel

The law of defamation is based on common law, but is accompanied and modified by acts of Parliament – most recently and significantly, the Defamation Act 2013 (but also the Defamation Act 1996).

In order to bring a claim in defamation, the claimant needs to demonstrate the following.

• Publication – the words complained of must have been published to a third party.
• Defamatory – the claimant needs to demonstrate that the single “natural and ordinary” meaning of words complained of are defamatory, which requires the satisfaction of two elements:
1. that the meaning of the complained of statement “tends to lower the claimant in the estimation of right-thinking people generally”; and
2. the “threshold of seriousness” ‒ the statement complained of must be one that would tend to have a “substantially adverse effect” on the way that people would treat the claimant.
• Serious harm ‒ the statement complained of must cause (or be likely to cause) serious harm to the reputation of the claimant, as specified within Section 1(1) of the Defamation Act 2013. This is expanded upon in Section 1(2), where it is outlined that harm to the reputation of a body that trades for profit is not “serious harm” unless it has caused or is likely to cause serious financial loss.

The common law (see, in particular, Jameel v Dow Jones & Co Inc (2005)) requires that a defamation claim must involve the commission of a “real and substantial tort”. If the claimant does not satisfy this element, the claim will be struck out by the court on the basis that allowing it to proceed would cause an abuse of the court’s process.

Moreover, case law has found that the publisher of a defamatory statement is not limited to the original author. By way of example, secondary publishers – who did not take an active editorial role but facilitate the availability of the defamatory content to third parties – potentially may also be responsible for publication. Secondary publishers could include social media platforms, bookshops, libraries and newsstands. Nonetheless, the Defamation Act 2013 has provided more protection to intermediaries (such as social media platforms).

Slander

In order to bring a successful claim for slander there is an additional element. The claimant needs to establish “special damage” arising as the direct, natural and reasonable result of the publication of the words.

However, in some cases, it is not necessary to demonstrate special damage – namely, where:

• the words impute a crime for which the claimant can be made to suffer physically by way of punishment; or
• the words are calculated to disparage the claimant in any office, profession, calling, trade or business held or carried out by the claimant at the time of publication.

These two categories are set out in Section 14 of the Defamation Act 2013.

Damages

The current ceiling for awards is approximately GBP350,000. However, awards tend to be far lower than this. To be at the top end of awards, the libel needs to be extremely serious (eg, imputations of murder or terrorism).

Compensatory damages

A successful claimant is likely to be awarded compensatory damages, which aim to remedy the claimant’s distress, vindicate their reputation, and reinstate any loss that occurred as a result of the libel. Factors that the court will take into account when determining the level of compensatory damages include the gravity of the libel, the injury caused to the claimant’s feelings, the extent and nature of the publication, and whether there are any mitigating factors.

Aggravated damages

This category of damages is intended to compensate a claimant for additional injury to their feelings resulting from poor conduct on the part of the defendant. In assessing aggravated damages, the court can consider all of the defendant’s conduct – from the time the libel is published up to and including the trial. Owing to the “injury to feelings” element of these damages, they are not available to companies.

Exemplary damages

Exemplary damages are punitive in nature and therefore are only awarded in exceptional circumstances, where appropriate to punish a defendant for deliberate conduct. The defendant’s state of mind is a key element when the court is considering exemplary damages.

Injunctions

In defamation cases, pre-publication interim injunctions that restrain a defendant from publication pending the trial of an action are generally unavailable, as the defendant only has to put forward an arguable defence for publication if challenged. Also known as the rule against “prior restraint” of defamatory statements, it is centred on the principle that it is in the public interest to protect freedom of speech. Moreover, if a publisher does get it wrong, substantial damages are seen to be an adequate remedy.

Nevertheless, final injunctions may be granted after trial to restrain further or future publication of the words complained of. The court must be satisfied that the words complained of are injurious to the claimant and there is reason to believe that the defendant may publish them further.

The limitation period for issuing a claim for defamation in the courts of England and Wales is generally one year.

Four main defences are available, as follows.

• Truth – this is a complete defence (see Section 2 of the Defamation Act 2013). The defendant needs to demonstrate that the statements made and published have been proven truthful (this does not mean that the proof of every single word as truthful is required, but the defamatory “sting” needs to be proven to be true). The burden of proof within this context is on the publisher, rather than on the claimant, to prove that the statements are false.
• Honest opinion ‒ this is a statutory defence found in Section 3 of the Defamation Act 2013. The defendant must prove that:
1. the statement complained of was a statement of opinion;
2. the statement indicated, whether in general or specific terms, the basis of the opinion; and
3. an honest person could have held the opinion on the basis of any fact that existed at the time the statement was published.

However, Section 3(5) states that the defence is can be defeated by the claimant if they prove that the opinion was in fact not held by the defendant. This defence does not apply where the statement is one of fact, rather than of opinion.

• Publication on a matter of public interest ‒ Section 4 of the Defamation Act 2013 provides that a defendant will have a defence if they can demonstrate that the statement complained of was, or formed part of, a statement on a matter of public interest (and that the defendant reasonably believed that publishing the statement was in the public interest).
• Privilege – privilege can be “absolute”, such as statements made as part of judicial proceedings, or “qualified” (statutory or common law). Statutory qualified privilege relates to various forms of report, such as reports of proceedings at a general meeting of a listed company or reports from a government-appointed public inquiry. Common-law qualified privilege captures situations where there is a reciprocal relationship of duty and interest between publisher and publishee. It is worth noting that a defence of common-law qualified privilege may be defeated if the claimant can prove that the statement was published with malicious intent.

See 1.4 Privacy Proceedings Forum Choice.

In terms of jurisdiction, the place of publication is an important factor. Where a defendant is domiciled elsewhere, the courts of England and Wales do not have usually have jurisdiction unless the court is satisfied that – of all the jurisdictions where publication has taken place – England and Wales is the appropriate place to bring the action. Various factors are taken into account when determining this, including the extent of publication in each jurisdiction and the amount of damage in this jurisdiction.

See 1.5 Privacy Costs.

Defamation proceedings are becoming increasingly rare, given the “serious harm” test introduced by the Defamation Act 2013 and given the cost and complexity of the claims. It has become usual for the determination of meaning to follow immediately after a claim is issued, which can result in a delay of at least six months passes before a defence is filed.

Also, as mentioned in 4.5 SLAPPs, the UK has recently seen the introduction of the concept of SLAPPs (strategic litigation against public participation), which originated in the USA. Lawyers who deploy the law of defamation in order to restrain publication of information that may be in the public interest must ensure that they do so carefully and not in way that may include illegitimate or heavy-handed threats. In addition to facing censure in the courts, UK solicitors can see regulatory investigation and sanctions arising from reports of SLAPPs.

The Protection from Harassment Act 1997 provides a legal basis in England and Wales to bring a civil claim for harassment, where a person pursues a course of conduct that amounts to harassment of another and which said person knows or ought to know amounts to harassment ( Section 1(1)). Section 1(2) of the Protection from Harassment Act 1997 states that the person whose course of conduct is in question ought to know that it amounts to or involves harassment of another if a reasonable person in possession of the same information would think the course of conduct amounted to or involved harassment of the other.

The Protection from Harassment Act 1997 creates both a criminal offence (Section 2) and civil offence (Section 3) of harassment and stalking. Although the Protection from Harassment Act 1997 fails to explicitly define harassment, common law has defined harassment to be a persistent and deliberate course of unacceptable and oppressive conduct – targeted at another person – that is calculated to and does cause that person alarm, fear or distress.

If a claimant is successful, the court may award damages for anxiety caused by harassment and for any financial loss arising from the harassment.

Under Section 3 of the Protection from Harassment Act 1997, the court may grant an injunction for the purpose of restraining the defendant from pursuing any conduct that amounts to harassment. The order made by the court may prohibit specific conduct and/or harassment in general. An exclusion zone can also be ordered by the court, forbidding the defendant to go within a specified area around the claimant’s home or place of work where it is necessary to make the injunction effective. In particularly urgent cases, an interim injunction may be obtained.

The limitation period for bringing an action under the Protection from Harassment Act 1997 is usually six years from the harassing conduct.

There is a statutory defence (Section 1(3) of the Protection from Harassment Act 1997) if it is shown that the course of conduct complained of was:

• pursued for the purpose of preventing or detecting crime;
• pursued under any enactment or rule of law to comply with any condition or requirement imposed by any person under any enactment; or
• in the particular circumstances, held to be reasonable.

Moreover, a course of conduct is required to bring a successful action in harassment. Thus, if there is only a sole event, the action will most likely fail.

Harassment is actionable under civil and criminal law in England and Wales, as set out in the Protection from Harassment Act 1997. Both the civil and criminal route can be pursued in parallel.

In criminal proceedings, if the defendant is found guilty, they may face criminal penalties such as up to six months’ imprisonment (for non-violent harassment) or a fine or both. The criminal route may be preferable for those who wish to focus on the punishment of the offender – rather than compensation for the victim – and on deterrence of future harassment.

As stated in 1.4 Privacy Proceedings Forum Choice, parties can apply for private hearings and anonymity orders. However, these are only ordered in exceptional circumstances.

In civil harassment proceedings, the successful party will usually be ordered to pay the losing parties’ costs by the court.

In criminal harassment proceedings, the court will order that the successful parties’ costs be paid from Central Funds, which is money provided by Parliament.

The Leveson Inquiry investigated the conduct of the UK press in 2011 following the phone-hacking scandal. Even though the Leveson Inquiry recommended a new form of regulation, it was not adopted by the UK press. After the Leveson Inquiry, press misconduct appears to have diminished – although news publishers remain fiercely independent and sometimes intrusive. A number of publishers have suffered financially owing to a loss of advertising revenue and sales. The growing influence of social media has affected the political influence of news publishers.

In the UK, the five most influential news providers – whether online, newspapers or broadcasters ‒ are:

• the BBC;
• The Times;
• The Guardian;
• The Sun; and
• The Daily Mail.

There are currently two press regulators in the UK – namely, the Independent Press Standards Organisation (IPSO) and Impress. However, both are voluntary for publishers and therefore their utility is limited. Many publications have signed up to IPSO, whereas only a small number of publications have joined Impress. Impress is “Leveson-compliant” and was recognised by the Press Recognition Panel (PRP) in October 2016 as an “approved” regulator.

IPSO

The procedure for making a complaint to IPSO is as follows.

• The complainant must make their complaint in writing – for example, through IPSO’s complaints form, or simply by email or post.
• IPSO conducts an initial assessment.
• IPSO requests (if it has not done so already) that the complainant correspond with the publication before they launch an investigation – given that an editor could offer more solutions to their complaint than IPSO is able to through the complaints process (eg, amend posts, make an apology or publish additional coverage).
• However, an editor does not have to resolve the complaint, and – if they do not IPSO – will begin an investigation.
• IPSO would then conduct an investigation, culminating in adjudication by the complaints commission.
• A review of the decision can be requested within 14 days if there is a belief the investigation was flawed.

Impress

Impress provides for the following complaints process.

• Step 1 – in order to make a complaint, the publisher must be regulated by the Impress regulatory scheme. A full list of such publishers can be found on the Impress website. Complaints can be made regarding a publication’s news content or the behaviour or conduct of a journalist working for a publication.
• Step 2 ‒ Impress asks that the complaint is made to the publication directly first, as this could be the fastest way to solve the complaint. Impress-regulated publishers should have a speedy in-house complaints procedure and should resolve the complaint within 21 calendar days of receiving it. Impress are able to contact the publisher on behalf of the complainant, who should email a summary of their complaint along with permission to share their name and complaint details with the publisher.
• Step 3 ‒ if the complainant has completed the previous two steps and is not satisfied with the publisher’s response, the complainant can submit a complaint directly to Impress through completing the form found on their website. The complaint must relate to impress Standards Code and must be made within four months of becoming aware of the content and/or when the action took place, but no later than 12 months following the original date of publication or action.

There are statutory defences for third-party hosts in the following legislation.

• Regulation 19 of the Electronic Commerce (EC Directive) Regulations 2002 – there will be a defence where the defendant did not and does not have actual knowledge of unlawful activity or information and was not (and is not) aware of facts or circumstances from which it could have been apparent to the defendant that the activity or information was unlawful.
• Section 1 of the Defamation Act 1996 – operators of a website will have a defence where:
1. they are not the author, editor or publisher;
2. they took reasonable care in relation to publication; and
3. they did not know and had no reason to believe that what the user did caused or contributed to the publication of a defamatory statement.
• Section 5 of the Defamation Act 2013 – this defence is applicable where the website did not post the statement on the website and the claimant has not established that it is not possible to identify the person who posted the statement. It is important to note that the claimant can defeat this defence if it gave the website notice of the complaint and the operator failed to respond to the notice in accordance with regulations.
• Section 10 of the Defamation Act 2013 – if the claimant fails to demonstrate that it is not reasonably practicable to bring the action against the author, editor or publisher, the court will not have jurisdiction to hear and determine the action.

The Economic Crime and Corporate Transparency Act 2023, which came into force on 26 October 2023, contains provisions designed to combat SLAPPS brought in response to reports of economic crime.

There is currently no legislation in relation to non-economic crime SLAPPs, but the Solicitors Regulation Authority (SRA) can refer serious misconduct to the Solicitors Disciplinary Tribunal, which has unlimited fining powers. The SRA has also published a warning notice for solicitors along with its thematic review conclusions, which provide guidance for lawyers.

There is no equivalent of the USA’s Securing the Protection of our Enduring and Established Constitutional Heritage (SPEECH) Actin England and Wales.

The legal grounds for protecting data subjects’ rights are contained in the Data Protection Act 2018, which incorporates the principles of the EU General Data Protection Regulation (GDPR) post-Brexit.

Civil Claims

In terms of a civil claim, the Data Protection Act 2018 and the UK GDPR provide a statutory cause of action ‒ for example, where a data controller has processed a claimant’s personal data in a way that does not comply with the data protection principles.

Regulatory Grounds

If an individual makes a complaint directly to the organisation that has been processing their data and ‒ after one month ‒ the organisation has refused to respond, that individual can make a complaint to the Information Commissioner’s Office (ICO). Once the complaint has been processed, the ICO may:

• do nothing;
• recommend action;
• log the compliant but simply keep a record of it without further action at that stage;
• tell the organisation to do more work to resolve the complaint; or
• take regulatory action (only in the most serious of cases).

In the UK, the following remedies are available to data subjects in the event of a breach of their data privacy rights:

• compensation – where an individual has suffered material or non-material damage resulting from the infringement of the UK GDPR, they can seek compensation.
• a complaint can be raised with the ICO; and
• exercising various rights – to withdraw their consent to processing, be provided with fair processing of information, to have data erased, or to restrict or object to processing.

Data privacy damages are normally in the low thousands. The UK Supreme Court in Lloyd v Google marked a significant setback in data privacy representative actions.

The limitation period for bringing a data protection claim for compensation is usually six years from the date of the breach. Provided there is an underlying public interest behind the publication, the Data Protection Act 2018 and the UK GDPR contain an exemption for journalists/the media.

See 1.4 Privacy Proceedings Forum Choice for information relating to private or anonymised court proceedings.

The Data Protection Act 2018 contains provisions for various criminal offences that can be prosecuted in the criminal courts, with maximum penalties of an unlimited fine.

See 1.5 Privacy Costs.