Privacy and misuse of private information

Privacy law in the UK comprises several elements:

•
the right to respect for a private and family life in Article 8 of the European Convention on Human Rights (ECHR), incorporated into UK law by the Human Rights Act 1998 (HRA 1998)
•
the tort of misuse of private information, which protects citizens from unwarranted intrusion (Campbell v MGN), and
•
provisions in the Protection from Harassment Act 1997 (PHA 1997), which protect individual privacy

There is no single, overarching right to privacy in English law. However, HRA 1998 and the incorporation of Article 8 of the ECHR into domestic law mean that aspects of private life can be protected from unwarranted intrusion.

Right to a private and family life

Article 8(1) of the ECHR protects a person’s right ‘to respect for his private and family life, his home and his correspondence’. Underlying this right is the value attached by society to human dignity and autonomy; the effective protection of Article 8 rights enables individuals to pursue their own lives and to form relationships.

The Strasbourg jurisprudence

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

EDPB and EDPS adopt joint opinion on EU Digital Omnibus on AI proposal

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the European Commission's Digital Omnibus on AI proposal, which seeks to simplify AI Act implementation. The data protection authorities support streamlining but express concerns that proposed changes could undermine fundamental rights protection. Key concerns include the extension of special category personal data processing (such as ethnicity or health data) for bias detection and correction to all AI system providers and deployers, which they recommend should be limited to circumscribed situations where bias risks are sufficiently serious. The EDPB and EDPS oppose the proposed deletion of registration obligations for AI systems categorised as high-risk, even when providers deem them non-high risk, stating this would significantly undermine accountability. They also express concerns about proposed postponement of core provisions for high-risk AI systems and recommend maintaining the original timeline where possible. The opinion supports EU-level AI regulatory sandboxes but calls for direct involvement of Data Protection Authorities in supervision and clarification of the AI Office's supervisory role to avoid overlap with EDPS supervision of Union institutions.

Commission proposes cybersecurity package including revisions to Cybersecurity Act

The European Commission has proposed a new cybersecurity package aimed at addressing increasingly sophisticated cyber and hybrid threats facing the EU. According to the Commission, essential services and democratic institutions across the bloc continue to experience cyber incidents linked to both state and criminal actors.

ICO fines two companies £225,000 for nuisance marketing messages

The Information Commissioner’s Office (ICO) has fined Allay Claims Ltd and ZMLUK Limited a total of £225,000 for sending millions of unsolicited marketing messages in breach of Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2426 (PECR). Allay Claims Ltd was fined £120,000 for sending more than four million unlawful marketing text messages promoting payment protection insurance (PPI) tax refund services without valid consent and could not rely on the ‘soft opt-in’ exemption due to failures at the point of data collection. ZMLUK Limited was fined £105,000 for sending over 67 million marketing emails using third-party data where individuals were not given clear and informed choices, meaning the consent relied on was invalid.

Regulation (EU) 2025/2518 and what it means for reforming cross-border EU GDPR enforcement procedures

EU Law analysis: Regulation (EU) 2025/2518 (the Procedural Regulation) lays down EU-wide procedural rules for the enforcement of the EU General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) in cases involving cross-border processing of personal data. It aims to address inefficiencies and inconsistencies currently observed in cross-border enforcement under the EU GDPR. Key features include harmonised rules for admissibility of complaints and cooperation between Supervisory Authorities, streamlined ‘early resolution’ and ‘simplified cooperation’ procedures, and rights for parties under investigation to have their views heard. Paul Greaves is dual-qualified in England and Wales and Belgium, and is a counsel in Alston & Bird’s Privacy, Cyber & Data Strategy team.

View Information Law by content type :

News