Key Facts
- •Joseph Pacini and Carsten Geyer, former XIO Group executives, sued Dow Jones for data protection violations related to two Wall Street Journal articles (2017 and 2018).
- •The articles reported on a dispute between Xie Zhikun and XIO Group concerning Xie's alleged investment in XIO and the source of XIO's funding.
- •The Claimants alleged that the articles contained inaccurate personal data and sought their erasure or correction under UK GDPR and DPA 2018.
- •The court trial focused on preliminary issues: the meaning of the personal data and whether it constituted 'criminal offence data' under Article 10 of UK GDPR.
Legal Principles
Determining the accuracy of personal data in data protection claims should consider the 'natural and ordinary meaning' of the words, drawing on principles from defamation law.
NT1 v Google LLC [2019] QB 344; Aven v Orbis Business Intelligence [2020] EWHC 1812 (QB); Shah v Up and Coming Ltd [2020] EWHC 3472 (QB)
The 'repetition rule' in defamation law, which holds publishers responsible for the inferential meaning of repeated allegations, even if accurate, should generally apply to data protection claims.
NT1 v Google LLC [2019] QB 344; Brown v Bower [2017] 4 WLR 197
In data protection claims, the meaning of personal data should be assessed considering the publication as a whole and the perspective of the hypothetical reasonable reader, but a more literal approach may be appropriate compared to defamation.
Koutsogiannis v Random House Group [2020] 4 WLR 25; Corbyn v Millett [2021] EMLR 19; Chase v News Group Newspapers Limited [2003] EMLR 218; Tinkler v Ferguson [2019] EWCA Civ 819
Data relating to criminal convictions or offences includes data related to alleged offences or related proceedings, interpreted broadly.
Article 10 UK GDPR; Section 11(2) DPA 2018; ICO Guidance; Law Society v Kordowski [2011] EWHC 3185 (QB); Lord Ashcroft v Attorney General & Anor [2002] EWHC 1122 (QB); Aven v Orbis Business Intelligence [2020] EWHC 1812 (QB)
Outcomes
The court determined the meaning of the personal data in the articles, applying the repetition rule and considering the articles as a whole and the perspective of the hypothetical reasonable reader.
The court balanced the need for accurate reporting with the protection of data subjects' rights, concluding that the articles did not impute criminal conduct to the claimants.
The court found that the personal data in the articles did not constitute 'criminal offence data' under Article 10 of UK GDPR.
The court reasoned that the articles reported allegations made by a third party in civil proceedings and did not impute criminal conduct to the claimants.