In what is often perceived as an age of celebrity and social media, the law has an important role to play in the protection of individual privacy. In Scotland, the law relating to privacy is somewhat piecemeal, being derived from a combination of case law and statute.
Human Rights
In Scotland, human rights are protected by two key pieces of legislation - the Human Rights Act 1998 and the Scotland Act 1998. These two statutes incorporate the Convention for the Protection of Human Rights and Fundamental Freedoms into domestic law, expressly codifying a number of human rights, among them being the Article 8 right to a private and family life. However, there is no absolute right to privacy in Scotland – the Article 8 right is subject to derogations (for example, in relation to public safety, prevention of crime and national security), and the inherent tension between the Article 8 right to privacy and the Article 10 right to freedom of expression has resulted in the courts seeking to balance the two competing rights.
The impact of human rights on the law of privacy looks set to be an area of upcoming evolution, with a Bill of Rights at the 2nd reading stage in the House of Commons at the time of writing. If passed in its current form, the Bill of Rights will replace existing protections with a new framework which the government views as strengthening certain rights (such as the right to freedom of expression) while limiting judicial powers in respect of certain other rights (such as the right to a private family life in the context of deportation). How the courts choose to interpret the new framework will be an area of ongoing interest, but the UK Supreme Court, rather than the European Court of Human Rights, will be the ultimate appeal body in respect of the new Bill of Rights.
Confidentiality, defamation and passing off
Aside from the protections afforded to privacy as a human right, the common law of Scotland protects the confidentiality of information where that information has the necessary quality of confidence, is imparted in circumstances where there is an obligation of confidence (whether express or implied), and where there has been an unauthorised use of that information. Provided these three criteria are met, the recipient of that information is likely to be liable to the disclosing party for their breach of confidence.
Where disclosure of information carries the risk of serious reputational harm, the disclosure may be actionable as a defamatory statement. Defamation was historically dealt with under the common law in Scotland, however, the recent introduction of the Defamation and Malicious Publication (Scotland) Act 2021 means there is now a codified body of legislation relating to defamation and malicious publication that provides claimants with a clearer framework with which to identify potentially actionable statements and publications, and a list of available remedies.
Alleged breaches of privacy relating to the image of an individual are likely to be dealt with as a breach of their right to privacy, but it is worth noting that the doctrine of passing off may also be relevant where the individual’s image has commercial value and the breach constitutes a misrepresentation sufficient to suggest endorsement.
Data Protection Law
Data protection law also plays an important role in the protection of privacy since it governs the way in which information is used and stored where that information relates to an identified or identifiable living individual. Since the UK’s implementation of the EU General Data Protection Regulation (GDPR) and the UK GDPR in 2018 and 2020 respectively, individuals have had increasing control over the use of their private information. In particular, a group of rights, commonly referred to as “data subject rights”, enable individuals to more easily determine which of their private information is being processed, understand who has access to that information and, in certain circumstances, prevent or restrict the processing and disclosure of their information. The data subject rights include:
- the right of access which enables the individual to access the personal data held about them by organisations;
- the right of rectification which gives the individual the right to correct or delete inaccurate information that an organisation holds about them;
- the right of erasure which gives individuals the right to request that data held about them by an organisation is deleted;
- the right to restrict processing which gives individuals the right to request that uses of their personal data are limited;
- the right to object which allows the individual to prevent certain processing of their information; and
- the right not to be subject to a decision based solely on automated processing.
As with the right to privacy, the data subject rights are not absolute and only apply in certain circumstances. They have, however, undoubtedly afforded individuals a greater degree of control over their private information than they previously had.
Contract
Private information can also be protected by way of contractual obligations. Where parties envision the disclosure of confidential information (whether personal or otherwise), they will often enter into express contractual obligations of confidence. Well-drafted confidentiality clauses not only serve to put the recipient on notice that they are expected to maintain the confidentiality of the information, but also provide both the disclosing and recipient parties with certainty regarding the scope of the obligations placed on the recipient.
How can Thorntons assist you?
Thorntons is well-placed to advise on the protection of confidential information, whether personal or commercial, so if you have any queries please contact us on 03330 430350.