Although there is no express right to privacy under English law – and therefore no civil action available for a purported breach of such a right – there are a number of rights that, in various ways, relate to privacy.
Privacy and the Human Rights Act 1998
The Human Rights Act 1998 (the “Act”) incorporated the European Convention on Human Rights (the “Convention”) into UK law. Article 8(1) of the Convention provides that “everyone has the right to respect for his private and family life, his home and his correspondence.”
That right is, however, subject to some qualifications. Article 8(2) of the Convention provides that:
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, or for the protection of the rights and freedoms of others.
So the Act and the Convention confer a right of “respect for” private life, and provide a number of reasons why a public authority would be justified in interfering with that right. Some have argued that this is tantamount to a “right to privacy” but the courts – in England, at least – have rejected that notion.
No right to privacy
In the case of Wainwright v Home Office, the House of Lords held that there is no cause of action under English law for “invasion of privacy.” In addition, the court said that Article 8 of the Convention does not create any such cause of action. It said that in interpreting the Convention in cases involving privacy, the concern of the European Court of Justice has simply been whether the law in the UK provides an adequate remedy in circumstances where there has been an invasion of privacy in breach of Article 8(1) that is not justified under Article 8(2).
Thus in the Wainwright case, the House of Lords reasoned that although there have been cases where the European Court has found that the law in the UK did not provide a claimant with an adequate remedy for an unjustified breach of Article 8(1) of the Convention, that does not mean that a new, general cause of action for invasion of privacy is required in order to provide such a remedy.
Breach of confidence
Although the Wainwright case made it clear that there is no cause of action for invasion of privacy, many legal commentators have observed that the influence of Article 8 of the Convention has caused the courts in the UK to broaden the scope of the cause of action for breach of confidence. In its broader form – now referred to as “misuse of private information” – this cause of action might be said to be coming close to conferring a right to privacy.
Traditionally, to bring a claim for breach of confidence, the claimant had to establish that there was a confidential relationship between the claimant and the defendant. The logic to that is easy to follow: A gives B certain information in confidence. B spills the beans and A suffers damages as a result. A sues B for damages on grounds of breach of confidence.
By contrast, to bring a claim for misuse of confidential information, the claimant need only establish that he had a reasonable expectation of privacy in relation to the information in question. The relationship with the defendant is not particularly relevant. For instance, when John Terry applied for an injunction to restrain the publication of certain details about his romantic life, the “defending” parties were “persons unknown” who might publish certain information.
Although, in John Terry’s case, the judge did not prohibit publication, he said that if he had determined that there was a real risk that intrusive details about Mr Terry’s relationship would be published, he would have ordered that publication be prohibited. That would have been on the grounds that publication would be a misuse of confidential information in which Mr Terry had a reasonable expectation of privacy. The fact that there was no confidential relationship with the prospective publishers (being “persons unknown”) did not matter.
So it may be that the development of the cause of action for misuse of confidential information is beginning to resemble some kind of right to privacy. The John Terry case illustrates, however, that in enforcing such a right, the courts must balance it against the rights of others – such as the right of the newspaper publishers to freedom of expression (which is covered in Article 10 of the Convention).
The law relating to data protection is perhaps less dramatic than celebrity cases involving the misuse of confidential information, but it is likely to be directly relevant to nearly everyone’s privacy.
The Data Protection Act 1998 sets out eight principles with which people must comply when they collect, store, retrieve or organise data. For example, the seventh principle requires that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The fifth principle provides that:
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
In addition to those principles, the Data Protection Act gives you certain rights – such as the right to prevent others from using your personal data in a way that causes damage or distress. The Act also includes provision for individuals to recover compensation from someone (a processor of data) who has used their personal data in contravention of the Act. There have been a number of high-profile cases where individuals have recovered amounts – albeit generally quite modest sums – from people who have not observed the requirements of the Act.
The principles and remedies set out in the Data Protection Act apply to online activities in the same way that they apply when someone collects data from you in person or over the telephone. In fact, since electronic data can be transmitted, copied and sent almost instantaneously, and is more permanent than a paper record that can be easily destroyed, anyone who carries out online transactions needs to be especially vigilant.
Fingerprints and DNA samples
Under legislation passed in recent years, the police in the UK have authority to retain fingerprints and DNA samples from people who have been arrested on suspicion of having committed a crime, but never charged with (and therefore never convicted of) the crime in question. The European Court of Human Rights has found that this practice is inconsistent with Article 8 of the Convention, and as a result the UK government had to modify the law to make it compatible with the Convention.
The Crime and Security Act 2010 therefore provided that the police may retain DNA samples (and other information) from people who have not been charged or cautioned, but must destroy it after six years. Some commentators believe that even this six-year retention period contravenes Article 8 of the Convention, and the new government had suggested – prior to the election – that they might go further than this, and require that such samples be destroyed even sooner.
In this area, then, the law in the UK seems to be evolving rapidly, and further developments seem likely.