The importance of handling personal data with care was highlighted again recently with the High Court’s decision in Sabados v Facebook Ireland in which the court ordered Facebook to disclose the identity of the person who requested the deletion of a Facebook profile and the personal information it contained.
Ms Sabados, the Claimant, had been in a close personal relationship with the owner of the deleted profile (who had passed away) for six years; they spoke every day on Facebook Messenger and Skype. Ms Sabados lived (and still lives) in London, whilst the deceased lived in Sarajevo, Bosnia.
Approximately six months after her partner’s death, Facebook received and acceded to a request from a person unknown to delete the deceased’s account. The material posted by the deceased – and subsequently deleted – included music videos, photographs, poems and intimate messages between the couple.
Ms Sabados claimed that some of the deleted information, such as messages she sent to the deceased, contained her personal data and the deletion amounted to a breach of the Data Protection Act 1998 (DPA 1998). Despite Ms Sabados’ requests, Facebook would not say who requested the deletion, saying only that it was a family member and that they followed their normal processes.
Ms Sabados applied for a Norwich Pharmacal Order (NPO) requiring Facebook to disclose the identity of the person who requested deletion of the deceased’s account.
An NPO was used in these circumstances because whilst Ms Sabados was unable to identify the ultimate wrongdoer to bring an action against him or her, she was able to identify a third party, in this case Facebook, involved in the wrongdoing (even innocently so) who could provide the information.
Ms Sabados was able to satisfy the three conditions that must be satisfied for the court to grant an NPO:
In addition to satisfying the three threshold conditions, the judge made it clear that the underlying purpose of the NPO, to do justice for the applicant, was also satisfied.
Ms Sabados argued that the English court had jurisdiction as that was where the distress was suffered (given her residence in London), as opposed to the Republic of Ireland (where Facebook Ireland is incorporated), or Bosnia (where the deceased lived). Although the general rule is that a defendant domiciled in an EU Member State, should be sued in that Member State, Article 7(2) of the Recast Brussels Regulation, a defendant can be sued in another Member State in matters relating to a tort, “where the harmful event occurred or may occur”. The judge was persuaded that the harm had occurred in England and that an NPO could be enforced in other Member States without any further special procedures.
The key message from this decision is for the holders of personal data to take care when handling requests for deletion of said data, both to ensure the requestor has appropriate authority and in relation to any third party data involved.
As to the question of jurisdiction, despite the court’s decision, there remains scepticism as to whether this case can provide a reliable basis for the court to extend Norwich Pharmacal relief outside the jurisdiction, as courts remain wary of making a disclosure order which would infringe the sovereignty of another state, and therefore it should be approached with caution.