d
c

If proof was needed that GDPR is everywhere, then this case is it. The case involved an application for a Norwich Pharmacal Order or NPO (basically an order requiring an innocent party to disclose names of potential defendants and so-called because of the case that first established the availability of these orders). In this case the applicant sought an order requiring the disclosure of the names and addresses of tens of thousands of residential broadband subscribers who were accused of infringing copyright by downloading explicit pornographic films.

The application was contested on a number of grounds including that if it was granted, the discloser of these names would offend against the data protection principles set out in the General Data Protection Regulation (GDPR).

The effects of the GDPR have been both significant and far reaching with recent fines in the tens or even hundreds of millions being levied against organisations who have suffered data breaches. The recent consolidated cases of Mircom International Content Management and Consulting Ltd and Ors and Golden Eye International Ltd and Ors v Virgin Media Limited and Persons Unknown [2019] EWHC 1827 (Ch)  (Mircom v Virgin Media) considered the GDPR in a different light. Specifically, how it relates to NPOs where the subject of the order is personal data (as it often is in the cases).

Background:

The Claimants, companies which produced pornographic films and other companies involved in obtaining disclosure orders, sought to obtain a NPO against Virgin Media to compel them to provide the names and addresses of their residential broadband customers that had downloaded adult films of which the Claimants were the copyright owners.

Golden Eye were relying on their prior success against Telefonica/O2 back in 2012, stating their belief that the precedent set by the case of Golden Eye v Telefonica Ltd was still the correct legal approach. This was decided in the same way as any other application for a NPO, for which the requirements are as follows:

  1. There exists a good arguable case that wrongs have been committed against the Applicant;
  2. the Respondent to the application is mixed up in those wrongs;
  3. the Claimant is genuinely intending to seek redress for the wrongs;
  4. disclosure of the information sought is necessary for the Applicant to pursue the aforementioned redress;
  5. the order sought is proportionate having regard to the privacy and data protection rights of the intended defendants;
  6. the court should exercise its discretion in favour of granting relief.

In seeking to resist the application for an NPO, Virgin argued, amongst other things, that this was no longer the correct approach in the current circumstances following the coming into force of the GDPR in May 2018.

The effect of the GDPR

  • Derogation for Court Orders

Virgin’s interpretation of the law was not shared by the Court who stated that “nothing turns on the GDPR”, citing Schedule 2, Part 1 of the Data Protection Act 2018 (the DPA). This schedule makes a number of the provisions in the GDPR inapplicable for several purposes connected to legal proceedings. Specifically, “where disclosure of the data is required by… an order of a court” or where disclosure is “necessary for the purposes of establishing, exercising or defending legal rights”. Thus, where litigants receive personal data as part of the disclosure process, many of the more stringent provisions of the GDPR will not apply.

  • Data controller v data recipient

In addition, the court felt that it was necessary to determine whether if the NPO was granted, the Claimants would become “data controllers” within the meaning of article 4(7) of the GDPR, or would instead be “data recipients” within the meaning of article 4(9), of the GDPR. The court appears to have accepted the Claimants’ argument that even if disclosure was made, the Claimants would still not determine “the purposes and means of the processing of personal data” as is a requirement for being considered a controller under Article 4(7) of the GDPR. It was therefore decided that as the purposes and means of processing would be determined in accordance with the order and the Civil Procedure Rules, the claimants would be “recipients” instead of “controllers”.

Comment

This aspect of the case is a little baffling and we don’t think that many people would have previously considered that there would be a separate category of “data recipient” who were neither “data controllers” or “data processors”. Our view is therefore that this aspect of the Court’s decision is probably a little questionable, and that a better analysis might have been that the Claimants would have been both data recipients and data controllers for the purposes of the GDPR, albeit in circumstances where the effect of Schedule 1 Part 1 of the DPA was such as to disapply many of the provisions of the GDPR with respect to this personal data. In any event, the GDPR ultimately had little effect on the decision, although it will be interesting to see whether future cases pick up on the distinction between a “data recipient” and a “data controller” that the court drew in this case. It might even be something that the ICO wants to try to clarify with some guidance.

The outcome

Nevertheless, the order in this case was not granted as the evidence provided by the Claimants was deemed inadequate and thus failed on the basis that the they did not have a good arguable case. Further, the court considered how the Claimants had actually used the information provided in the previous case. However, this was not addressed by the evidence presented by the Claimants, although it was not cited as a reason for refusing to grant the order.

Conclusions

Whilst the GDPR has not significantly changed the law in relation to Norwich Pharmacal relief, there are a number of other notable points to come from the case that need to be considered in light of this judgment.

One such point relates to the potential of the court to review the Claimants’ practices in relation to any information received as a result of the granting of previous orders and whether the Claimant genuinely sought redress. Moreover, future applicants for Norwich Pharmacal relief should consider the clarity and comprehensiveness of any evidence they intend to submit for consideration by the court in relation to the order.

If you have any questions regarding this topic, please contact Nick Phillips, or any other member of the Intellectual Property Team.

Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.

Latest Blogs See All

Share by: