Privacy & data protection case law
The landmark UK, EU (CJEU) and European Court of Human Rights judgments privacy and data protection professionals actually cite — each explained in plain English, with the citation, court and year, and a link to the official judgment. Curated for authority over volume, and growing.
United Kingdom
-
Durant v Financial Services Authority
[2003] EWCA Civ 1746 · Court of Appeal · 2003
What it's about: A man unhappy with the financial regulator asked to see everything it held that mentioned him. The court said not every document with your name in it is your “personal data” — it has to be genuinely about you, not just mention you in passing.
Why privacy pros should care: It set an early, narrow idea of what counts as personal data and how far a subject access request reaches. Later EU/GDPR case law widened the definition again — so know it, but cite it carefully.
-
Campbell v MGN
[2004] UKHL 22 · House of Lords · 2004
What it's about: A newspaper published photos of supermodel Naomi Campbell leaving a Narcotics Anonymous meeting. The court said this intruded on her private life.
Why privacy pros should care: This is the case that built the modern UK “misuse of private information” right — the legal backbone for claims about leaked or published private information.
-
Common Services Agency v Scottish Information Commissioner
[2008] UKHL 47 · House of Lords · 2008
What it's about: A request for childhood-cancer statistics raised the question of when data is “anonymous enough” to release without identifying real children.
Why privacy pros should care: A still-cited reference point on anonymisation — when altering or aggregating data takes it outside data protection rules, and when it doesn't.
-
Vidal-Hall v Google
[2015] EWCA Civ 311 · Court of Appeal · 2015
What it's about: iPhone users sued Google for secretly tracking them through Safari. The court let the claim proceed and accepted that pure upset — with no money lost — could still be compensated.
Why privacy pros should care: It confirmed you can claim for distress alone, and treated misuse of private information as a proper civil wrong. It opened the door to “data distress” claims in the UK.
-
Gulati v MGN
[2015] EWCA Civ 1291 · Court of Appeal · 2015
What it's about: Phone-hacking victims were awarded damages not just for their distress, but for the very fact their private information had been taken and misused.
Why privacy pros should care: It established that losing control of your private information is itself a compensable harm — directly relevant to how breach claims get valued.
-
Various Claimants v WM Morrisons
[2020] UKSC 12 · Supreme Court · 2020
What it's about: A disgruntled employee leaked the payroll data of ~100,000 colleagues out of a personal grudge. Staff sued the employer; the court said Morrisons wasn't automatically on the hook.
Why privacy pros should care: It sets the limits of when an employer is automatically (“vicariously”) liable for a rogue employee's breach — key for breach-liability and insurance thinking.
-
R (Bridges) v Chief Constable of South Wales Police
[2020] EWCA Civ 1058 · Court of Appeal · 2020
What it's about: Police scanned crowds with live facial recognition. A campaigner challenged it, and the court ruled the way they used it was unlawful.
Why privacy pros should care: The leading UK case on facial recognition and biometrics — it shows that a weak impact assessment and too much unguided discretion can make a surveillance tool unlawful.
-
Lloyd v Google
[2021] UKSC 50 · Supreme Court · 2021
What it's about: A campaigner tried to sue Google on behalf of millions of iPhone users at once over secret tracking, asking for a flat sum each without proving individual harm. The Supreme Court refused.
Why privacy pros should care: It effectively blocked US-style opt-out class actions for data breaches in the UK, and said “loss of control” isn't automatically worth compensation — you need real damage or distress. The key case on mass-claim exposure.
-
ZXC v Bloomberg
[2022] UKSC 5 · Supreme Court · 2022
What it's about: A businessman under criminal investigation but not charged objected to a news outlet naming him. The court agreed he had a reasonable expectation of privacy.
Why privacy pros should care: People under investigation generally have a privacy expectation before charge — relevant whenever you handle or disclose information about investigations.
-
Prismall v Google & DeepMind
[2024] EWCA Civ 1516 · Court of Appeal · 2024
What it's about: An attempt to bring a mass claim over NHS patient data shared with DeepMind failed, because the people in the group hadn't all suffered the same identifiable harm.
Why privacy pros should care: It confirms, after Lloyd, that group data claims remain very hard to run in the UK — reassuring for organisations facing the threat of mass health-data litigation.
EU — Court of Justice (CJEU)
-
Lindqvist
C-101/01 · Court of Justice of the European Union · 2003
What it's about: A Swedish church volunteer put colleagues' names and some health details on a parish website. The court said that's “processing personal data” — and naming someone's health gets extra protection.
Why privacy pros should care: An early reminder that ordinary web publishing is regulated processing, and that health information is always treated as sensitive.
-
Digital Rights Ireland
C-293/12 & C-594/12 · Court of Justice of the European Union · 2014
What it's about: EU law had forced telecom firms to retain everyone's call and location data. The court struck it down as far too sweeping.
Why privacy pros should care: A landmark on proportionality — keeping everyone's data “just in case” is unlawful. It shapes data-retention rules across Europe.
-
Google Spain v AEPD & González
C-131/12 · Court of Justice of the European Union · 2014
What it's about: A Spanish man wanted outdated information about old debts to stop showing up in Google searches of his name. The court said he could ask.
Why privacy pros should care: This created the “right to be forgotten” — search engines are controllers and can be made to de-list results. Foundational for erasure and de-referencing requests.
-
Ryneš
C-212/13 · Court of Justice of the European Union · 2014
What it's about: A man installed a home security camera that also filmed the public pavement. The court said that isn't purely “household” use exempt from the rules.
Why privacy pros should care: Home and security cameras that capture public space fall within data protection law — directly relevant to any CCTV advice.
-
Breyer v Germany
C-582/14 · Court of Justice of the European Union · 2016
What it's about: The question was whether a dynamic IP address is personal data when the website itself can't identify you, but someone else (your ISP) can.
Why privacy pros should care: It established “relative identifiability” — data is personal if anyone could realistically combine it to identify you. Central to anonymisation, online identifiers and tracking.
-
Schrems I
C-362/14 · Court of Justice of the European Union · 2015
What it's about: An Austrian activist challenged Facebook sending EU data to the US. The court tore up the “Safe Harbor” EU–US transfer arrangement.
Why privacy pros should care: The first big blow to easy EU–US transfers — it began the pattern of courts striking down transfer deals that don't protect EU data from US surveillance.
-
Schrems II
C-311/18 · Court of Justice of the European Union · 2020
What it's about: The same activist returned; the court struck down the replacement deal (“Privacy Shield”) too, and said standard contract clauses only work if you actually check the destination country is safe.
Why privacy pros should care: The single most important transfer case — it's why you must run a transfer risk assessment and add safeguards for US and other third-country transfers.
-
Fashion ID
C-40/17 · Court of Justice of the European Union · 2019
What it's about: A retailer embedded a Facebook “Like” button that quietly sent visitors' data to Facebook. The court said the website shares responsibility for that.
Why privacy pros should care: Embedding third-party tools (pixels, plugins, share buttons) can make you a “joint controller” — you're on the hook for the data they collect on your site.
-
Planet49
C-673/17 · Court of Justice of the European Union · 2019
What it's about: A company used a pre-ticked box to claim “consent” for cookies. The court said that isn't consent at all.
Why privacy pros should care: Cookie consent must be an active, deliberate choice — no pre-ticked boxes — and it applies whether or not the data is “personal.” Core to every cookie banner.
-
Meta Platforms v Bundeskartellamt
C-252/21 · Court of Justice of the European Union · 2023
What it's about: Germany's competition regulator challenged how Facebook combines data from across its services and the wider web. The court found serious GDPR problems.
Why privacy pros should care: It limits relying on “contract” or “legitimate interests” to justify ad-tracking, says browsing can reveal special-category data, and confirms competition regulators can weigh in on data practices.
-
Österreichische Post (non-material damage)
C-300/21 · Court of Justice of the European Union · 2023
What it's about: Someone sought compensation simply because their data had been misused, without showing it actually harmed them. The court said a breach alone isn't enough — but there's no minimum threshold of harm either.
Why privacy pros should care: It sets the bar for data-damages claims in the EU — claimants must show some real (even small) harm, not just point to a breach.
-
SCHUFA
C-634/21 · Court of Justice of the European Union · 2023
What it's about: A credit agency's automated score effectively decided whether people got loans. The court treated that scoring as an automated decision with real legal effects.
Why privacy pros should care: Automated scoring and profiling that drives real-world decisions falls under the strict “automated decision-making” rules — directly relevant to AI, credit and risk models.
ECtHR (European Court of Human Rights — Article 8)
-
S and Marper v United Kingdom
App. nos. 30562/04 & 30566/04 · European Court of Human Rights · 2008
What it's about: UK police kept the DNA and fingerprints of two people who were never convicted. The human-rights court said holding them indefinitely breached the right to a private life.
Why privacy pros should care: A foundational ruling on biometric retention — you can't keep sensitive biometric data forever “just in case”; retention has to be justified and limited.
-
Big Brother Watch v United Kingdom
App. no. 58170/13 & others · European Court of Human Rights · 2021
What it's about: After the Snowden revelations, campaigners challenged UK bulk surveillance. The court found parts of the regime lacked adequate safeguards.
Why privacy pros should care: A leading ruling on state surveillance and the safeguards required when authorities collect data at scale — relevant to any government or law-enforcement data work.
