Skip to Main Content
The Liability of Internet Intermediaries The Liability of Internet Intermediaries


The Liability of Internet Intermediaries The Liability of Internet Intermediaries

Secondary liability for breach of confidence 9.04


Overview 9.04


The nature of confidential information 9.07


The equitable obligation of confidence 9.14


Historical development 9.21


Assisting a breach of confidence 9.56


Vicarious liability 9.59


International law 9.61


Application to internet intermediaries 9.63


Platforms 9.65


Hosts 9.85


ISPs 9.106


Gateways 9.109


Interference with privacy 9.117


The reshaping of breach of confidence 9.120


The current approach 9.127

9.01 This chapter examines the liability of internet intermediaries for breaches of confidence and invasions of privacy. The scope and content of these duties embody delicate compromises between, on the one hand, the rights to data protection and respect for private life and, on the other, the freedoms to express and receive information. The enforcement of that balance against service providers requires further choices about how far to extend responsibility for infringements of those rights by others, and who should be required to police them. The importance of these rights and policy choices continues to grow in light of recent technological and social changes.

9.02 The liability rules considered in this chapter relate to information which, although neither defamatory nor protected as statutory property, is afforded special legal status. This status takes various forms, determined principally by the nature of the information and the circumstances in which it is created, obtained, and used. Information may be protected because of its intrinsic relationship to the autonomy and identity of an individual—such as personal data held subject to an expectation of privacy—or as confidential information held subject to an obligation of confidence.

9.03 This chapter considers the scope of secondary liability attaching to internet intermediaries who deal in such information. The impact of these rules can be significant, particularly because the relief granted is often injunctive and safe harbour protection will accordingly be limited, or may be excluded entirely.1 Section 1 examines the equitable doctrine of breach of confidence; section 2 considers the application of that doctrine to internet intermediaries. Section 3 considers the modern reshaping of traditional principles under the influence of the Convention and Charter.

9.04  Elements of primary liability. The equitable jurisdiction to restrain a breach of confidence is classically expressed as requiring the claimant to prove that information:


is confidential;


was imparted in circumstances importing an obligation of confidence; and


has been, or is likely to be, used or disclosed by the defendant without permission.2

9.05  Protectable information. Although the doctrine developed primarily in cases involving printed information in commercial settings,3 it equally protects personal4 and governmental5 information, and confidences in electronic6 and photographic7 media. The action has undergone notable transformations in the private sphere, arising from the transposition and indirect horizontal effect of articles 8 and 10 of the European Convention.8 Those transformations are discussed further in section 3.

9.06  Adaptation to new technology. It has been said that cases predating the Human Rights Act 1998 ‘are largely of historic interest only’.9 Nevertheless, that history remains a valuable store of guidance to support the future evolution of the action in principled ways—not least because the effect of these changes is not always wholly clear. As Keene LJ has observed, the action for breach of confidence remains ‘a developing area of the law, the boundaries of which are not immutable but may change to reflect changes in society, technology and business practice’.10 In this context, very few authorities have considered whether equitable principles are wide enough to admit claims against service providers who receive or transmit confidential information. Accordingly, the following sections address the question by analogy with established principles (such as they are).

9.07 Secrets11 enjoy an inherently precarious existence. Their fleeting and deracinated quality, existing solely in the minds and possessions of those who know them, and the frequently prurient nature of their subjects, lead them to move with surprising swiftness and be vulnerable to destruction by a single unwanted disclosure. In Spycatcher [No 1], Donaldson MR gave the following oft-quoted metaphor:

Confidential information is like an ice cube. Give it to the party who undertakes to keep it in his refrigerator and you still have an ice cube by the time the matter comes to trial. Either party may then succeed in obtaining possession of the cube. Give it to the party who has no refrigerator . . . and by the time of the trial you just have a pool of water which neither party wants. It is the inherently perishable nature of confidential information which gives rise to unique problems.12

9.08  The internet secrecy paradox. The internet has fundamentally altered the factual environment within which courts must address these problems. On the one hand, it has produced technologies which make it possible to protect secrecy better than at any point in human history through encryption, authentication, and secure communication protocols.13 However, it has also exacerbated the inherent vulnerability of secrets by providing new tools and platforms which facilitate their speedy and anonymous dissemination.14

9.09  Nature of liability. Liability for wrongfully revealing a secret differs from liability for publishing a defamatory statement or infringing a copyright or trade mark in several important respects. First, whereas erga omnes rights in copyrights and trade marks are products of their proprietary status, rights in secrets are not widely regarded as proprietary.15 Instead, their protection stems from a policy of upholding personal rights of privacy, human autonomy and dignity, accepted commercial practices, and the administration of government.

9.10 Second, unlike defamation, the secret need not be untrue to create liability; indeed, where the information is false, the traditional view (which must be strongly doubted today) was that disclosure would not be restrained in equity.16

9.11 Third, where the law protects secrets, it protects them as such, and not merely because they are expressed in a recognised form or used in restricted ways;17 this is unlike copyright, which protects the expression of an idea rather than the idea itself, and means that the scope of protection afforded to secrets comes closer to conferring a monopoly over facts in favour of the confider. However, it will not protect against those who obtain the same information lawfully. This limited protection is justified by these facts’ private or confidential nature rather than a desire to incentivise socially useful activities—though liability rules do indirectly incentivise people to develop and keep secrets, which may be socially useful (eg an industrial formula or a candid discussion).

9.12 Fourth, in defamation and copyright cases, each publication or reproduction is a separate wrong, irrespective of prior disclosure, whereas a secret can (depending on the scale and nature of disclosure) be destroyed upon its first publication and is actionable only until publicly disclosed.18

9.13 Finally, different types of secrets are protected via overlapping equitable and statutory regimes. This chapter concerns liability under equitable doctrines and remedies; liability under statutory data protection regimes is considered separately.19

9.14  Scope of the obligation. The starting point for determining whether an internet intermediary can be restrained from using or disclosing confidential information is to ascertain the existence and scope of an obligation of confidence. Such obligations arise in two main categories of case.

9.15Direct recipients. Most commonly, a duty of confidence binds the recipient of qualifying information obtained during some transaction or relationship with the disclosing party.20 This is classically expressed in terms of the information being ‘imparted’—that is to say, imparted to the recipient—‘in circumstances importing an obligation of confidence’.21 Relevant circumstances include the status of the confidant (eg as a fiduciary),22 the attitude of the confider, the existence of an express or implied contractual term of confidentiality,23 trade custom, the history of dealing between the parties, and whether the information was disclosed for a limited purpose.24

9.16Third party recipients. The second, more difficult category of case concerns a third party who receives the information from someone to whom it was directly or indirectly disclosed or where the third party happens upon the information by serendipity or subterfuge.25 Such a recipient is not party to any relationship or transaction with the original confider of the information. He or she may be unaware of its confidential nature and may not know of the existence of upstream obligations of confidence.26 Obligations in both categories can end by agreement, waiver, or once the secret has ceased to exist.27

9.17  Intermediaries who are direct recipients. In cases where the claimant discloses confidential information directly to an internet intermediary for safekeeping, there can be no doubt that an obligation of confidence may arise under the first category by applying conventional principles.28 Such situations are uncontroversial because they involve a direct relationship between the service provider and the confider, the terms of which the parties are largely free to regulate by agreement. To the extent that any ambiguity arises, it is likely to concern (1) whether the terms of service are binding, and (2) whether the intermediary has ‘received’ the information in the relevant sense.

9.18  Intermediaries who are indirect recipients. Greater difficulties are posed when a service provider receives confidential information from a third party. These indirectly assumed obligations are the main focus of this chapter. Although their doctrinal foundation is ‘by no means simple to define with precision’,29 it is now abundantly clear that an obligation of confidence can arise in the absence of any pre-existing relationship between a confider and an intermediary in whom secrets are reposed, and the claimant need not be the original confider.30 Collins J confirmed these developments in Mills v News Group Newspapers Ltd, noting that ‘[i]t is no longer...necessary...that the information arises from a confidential relationship’.31 Similarly, in Vestergaard, Lord Neuberger PSC noted that breach of confidence ‘is not, of course, limited to...classic cases’; a recipient of confidential information may be ‘liable to respect its confidentiality from the moment she is told, or otherwise appreciates, that it is in fact confidential’.32

9.19  Different standards of recipient liability. The courts have not always applied a consistent standard to determine when third party obligations of confidence will arise. As such, their doctrinal foundations remain fragmented and confused. The obligation is sometimes expressed as flowing from the defendant’s perception and assessment of the material received, as in Vestergaard;33 in the case of private information, from its protected status as an incident of human autonomy and dignity;34 at other times from various equitable principles, including honesty,35 unconscionability,36 good faith,37 and the ‘fictional norm’ of upholding confidential relations;38 or simply from the quasi-proprietary status occasionally accorded to confidential information.39

9.20  Overview. The following sections attempt to trace the development of third party liability for breach of confidence. A full account of this history is left to other specialist works, but it is useful when considering the position of internet intermediaries to consider how courts have successively enlarged and confined the scope of recipient liability by reference to the standard of knowledge which the defendant must be shown to possess. These changes partly reflect a transformation in the underlying interests protected by the action so as to give effect to fundamental rights. Properly analysed, the foundation of the recipient’s obligation is constructive knowledge that the information is confidential, or that it has probably been obtained in breach of confidence.40 An internet intermediary should not, therefore, face liability in equity until fixed with knowledge by reference to the standard of conduct expected of a reasonable service provider standing in its shoes.

9.21  Manner of receipt. Third party obligations of confidence first crystallised in disputes between trade rivals during the eighteenth and nineteenth centuries, and tended to hinge upon the manner in which information was obtained from the confidant.41 Early decisions involving what would today be called private information, such as Prince Albert v Strange,42 recognised an equitable jurisdiction to restrain the publication of confidential information even where the defendant was not himself responsible for the breach of confidence. The Court held that an injunction would issue to prevent the exhibition of private engravings ‘surreptitiously or improperly obtained’ from the Prince Consort’s employee, whether or not it was the defendant who committed the original wrong. It was sufficient that the material ‘must have originated’ or ‘has its foundation in’ an equitable wrong by the original confidant.43

9.22 Although the decision in Prince Albert v Strange has been cited as authority for a standard of absolute recipient liability,44 the case can be read more persuasively as one of constructive knowledge. The trial judge found that the printer had actual knowledge that the confidential engravings had been authored by a member of the Prince Consort’s household, and that the engravings had been kept under strict secrecy. Knowing those two facts, any ‘intelligent or rational being’ would appreciate that the materials had come into his possession owing to some ‘faithlessness, fraud and treachery on the part of [the confidant]’.45 Lord Hoffmann also read the case in these terms in Campbell.46

9.23  Bona fide purchasers. Subsequent cases, such as Morison v Moat,47 appear to have accepted that any party who derives information from a breach of confidence will be liable to injunctive relief, unless the recipient is a purchaser for value without notice of the prior obligation of confidence. This property-based qualification might be akin to the change of position defence,48 but its applicability to passive service providers remains unclear. Cases such as Duke of Queensberry v Shebbeare appear to go further, holding that even a bona fide purchaser of confidential information might be enjoined from publishing it.49 In that case, the defendant was restrained from printing an unpublished manuscript despite innocently purchasing it from a third party confidant.

9.24  Downstream recipients. To similar effect, Lamb v Evans observed in obiter that not only is a confidant liable for improperly disclosing a secret, but ‘anybody who has obtained that secret from him has also been restrained from using it’.50 These formulations do not appear to contain any mental element (other than intent to use the information), suggesting that the obligation arose strictly.

9.25  Surreptitiously obtained information. The earlier cases were approved in Lord Ashburton v Pape,51 another surreptitious taking case, where the Court of Appeal enjoined a third party from adducing a privileged document which it had obtained by trickery. The Court was prepared to restrain any person into whose possession confidential information had come. So too held Rex Co v Muirhead.52

9.26  Innocently obtained information. Later cases went even further: the defendant in Butler v Board of Trade53 was the innocent recipient of a privileged document mistakenly handed over by the claimant’s solicitor. Although there was ‘no suggestion of any kind of moral obliquity’ (unlike Pape), Goff J considered that ‘irrelevant because an innocent recipient of information conveyed in breach of confidence is liable to be restrained’.54

9.27  The need for impropriety. Towards the latter half of the twentieth century, judges began to reformulate recipient liability in terms that more clearly connoted the mental element underlying Prince Albert v Strange. That the doctrine binds third party recipients was affirmed by Ungoed-Thomas J in Duchess of Argyll v Duke of Argyll, but this was subject to a requirement of impropriety:

an injunction may be granted to restrain the publication of confidential information not only by the person who was a party to the confidence but by other persons into whose possession that information has improperly come.55

9.28 In that case, the defendant newspaper’s editor, proprietors, printers, and publishers were restrained from publishing confidential information about the Duchess which had been passed to them by the Duke. Although, like earlier decisions, this passage seems to suggest that relief is available wherever a third party receives material deriving from a broken confidence, this case is probably better explained by the fact that the newspaper must have realised (or ought to have realised) that the Duke was acting in breach of marital confidence. In this sense, the reference to ‘improper’ receipt of the information should be understood as a reference to receipt with actual or constructive knowledge of the breach of confidence from which it derives. Put differently, impropriety is not a separate requirement, but—as in Prince Albert v Strange—is implicit in information that could only be attributable to a broken obligation of confidence.

9.29 In reality, most of the nineteenth-century cases can be explained as examples of actual or constructive knowledge: the defendant in Pape, like the Board in Butler, had actual knowledge that the information had been wrongfully obtained, while the defendant in Morison had entered a deed of confidentiality with the claimants, and Shebbeare was really a question of licensing and copyright law.

9.30  Outliers. However, other authorities since Argyll continued to regard third party liability as strict. In Printers & Finishers Ltd v Holloway,56 Cross J held that a third party whose employee learnt know-how as well as trade secrets belonging to a competitor ‘was no doubt innocent in the matter’ but could still be enjoined from using it, on the basis that ‘an injunction may be granted against someone who has acquired—or may acquire—information to which he was not entitled without notice of any breach of duty’.57

9.31 Elsewhere in the judgment, Cross J appears to have had an objective test in mind, remarking that ‘[t]he law will defeat its own object if it seeks to enforce in this field standards which would be rejected by the ordinary man’.58 The doctrine of confidence was to be kept within ‘reasonable bounds’. The true basis for the decision in Holloway thus appears to be that the third party company was fixed with notice when its employee acquired the information.

9.32 Finally, a clear outlier is Goddard v Nationwide Building Society, where—citing Holloway, Butler, and Muirhead—Nourse LJ seemed to regard recipient liability as absolute subject to change of position.59 However, as Arnold points out, this dictum is obiter.60 Notwithstanding these decisions, subsequent cases have more clearly introduced restrictions that mollify the harshness of third party liability by reference to the recipient’s mental state. In many respects, these developments mirror parallel developments in trust law,61 and reflect rapid expansion of the number and type of parties into whose hands confidential information may be passed.

9.33  The Spycatcher decision. Most modern authorities suggest that obligations of confidence depend on some level of knowledge being held by the third party recipient of information. In Spycatcher, Lord Keith identified ‘a general rule of law’ that a third party recipient may be duty-bound not to disclose confidential information, but only if they possess actual knowledge of its confidential character.62 The nature of that duty was said to be a secondary duty of confidence owed to the original confider. Lord Goff did not decide the issue directly, preferring to describe the required mental state in norms of ‘notice’, so as to ‘avoid the (here unnecessary) question of the extent to which actual knowledge is necessary’.63 In obiter, however, his Lordship noted that knowledge would include wilful blindness. The general principle was formulated as follows:

a duty of confidence arises when confidential information comes to the knowledge of a person . . . in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others.64

This formulation is significant because, as Lord Hoffmann noted in Campbell, it for the first time ‘omits the requirement of a prior confidential relationship’.65

9.34 Lord Goff’s other famous dictum in Spycatcher is that relief might still be granted ‘where an obviously confidential document is wafted by an electric fan out of a dropped in a public place, and is picked up by a passer-by’.66 This passage simultaneously reaffirms the liability of innocent recipients and clarifies that such liability is premised on their appreciation that (1) the document is confidential, or (2) its circulation is attributable to an accidental or deliberate breach of confidence (in his Lordship’s example, this is evident from the fact that the material is confidential on its face). Where the recipient comes into the information by happenstance, Toulson and Phipps suggest that actual knowledge or wilful blindness is an appropriate criterion to apply:

Although there is no direct authority on the point, an accidental recipient of confidential information should not be under an equitable obligation unless he knows that the information is confidential or is deliberately blind to the likelihood of it being confidential.67

9.35  Other cases. Spycatcher was not the first case to treat recipient liability as premised on actual knowledge. Prince Albert, Argyll, and Holloway can all be understood as cases in which the recipient knew that the information was confidential and had been wrongfully disclosed. In Fraser v Thames Television Ltd,68 Hirst J held that a duty of confidence would only attach to a third party who knew that the information was confidential, but ‘knowledge of a mere assertion that a breach of confidence has been committed is not sufficient’.69

9.36 In Mars UK Ltd v Teknowledge Ltd,70 the defendant decrypted an encoded message belonging to the claimant. Jacob J held that mere decryption was not enough to create an obligation of confidence. Various cases in the privilege context, such as English and American Insurance Ltd v Herbert Smith,71 suggest that an innocent recipient of privileged documents will be fixed with an obligation of confidence upon discovering their true nature.

9.37  The objective standard. Megarry J in Coco v Clark put the threshold slightly lower: a direct recipient will come under a duty of confidence if a reasonable person in his position ‘would have realised that upon reasonable grounds the information was being given to him in confidence’.72 This reflects a standard of constructive knowledge—that is, knowledge constructed or imputed to the defendant on the basis of an objective standard of alertness, probity, and inquiry that is expected of a reasonable person,73 even if the particular defendant did not actually possess that knowledge.74

9.38  Policy considerations. There are two obvious reasons why an objective standard of knowledge is preferable; first, ‘the law ought not to give an advantage to obtusity’;75 second, given that the rationale for protecting confidences does not wax and wane with the probity of their eventual recipients, the degree of protection afforded to private or commercial interests should not turn on subjective attributes of the recipient but should be as close to uniform as possible for each class of confidence protected;76 and third, to the extent that the doctrine is ultimately founded on conscience, it is consistent with equitable principles to hold recipients to a common standard of conduct.

9.39  Support for constructive knowledge. Later cases have treated constructive knowledge as the preferred standard. In Shelley Films Ltd v Rex Features Ltd, the obligation of confidence arose upon ‘a defendant coming into possession of such information in circumstances in which he actually knows (or is fixed by operation of law with knowledge of) or ought as a reasonable person to know the plaintiff intends to be kept confidential’.77 In Shelley the circumstances were that access to private property had been visibly restricted.78

9.40 More recently, in Campbell Lord Hoffmann concluded that third party liability extends to receipt with constructive knowledge. His Lordship required knowledge of the equitable obligation, rather than the confidentiality of the information:

Equity imposed an obligation of confidentiality upon the [confidant] and (by a familiar process of extension) upon anyone who received the information with actual or constructive knowledge of the duty of confidence.79

Each plurality speech also adopted an objective standard, as did Lord Nicholls.80 Lord Hope and Baroness Hale described a duty of confidence in the personal privacy context as arising whenever a party ‘knows or ought to know’ that the confider can ‘reasonably expect his privacy to be protected’.81 Lord Hope went further in noting that the relevant knowledge must be ‘notice that the information is confidential’.82

9.41 This formulation reflects Lord Goff’s dictum in Spycatcher, which referred the serendipitous acquirer’s obligation to the ‘obviously confidential’ nature of the document so acquired.83 Lord Hoffmann’s formulation more closely aligns with the basis of the equitable duty, being the original duty of confidence owed by the confidant as a result of whose conduct the ultimate recipient improperly acquired the information. However, in most cases, there will be no difference between the two standards, since unless a document is clearly confidential it is unlikely to be reasonable to presume it is the child of wrongful disclosure. Either standard means that an obtuse, careless, or fraudulent third party cannot rely on confidential information acquired or received if a reasonable person in the recipient’s position would have known (whether immediately or by making such further inquiries as were reasonable) that the information was probably obtained due to a prior breach of confidence.

9.42  Threshold of constructive knowledge. The use of constructive knowledge or notice as a basis for imposing equitable duties is hardly unknown. In Macmillan Inc v Bishopsgate Trust plc [No 3], Millett J stated that constructive knowledge

includes not only actual notice (including ‘wilful blindness’ or ‘contrived ignorance,’ where the purchaser deliberately abstains from an inquiry in order to avoid learning the truth) but also constructive notice, that is to say notice of such facts as he would have discovered if he had taken proper measures to investigate them....In order to establish constructive notice it is necessary to prove that the facts known to the defendant made it imperative for him to seek an explanation, because in the absence of an explanation it was obvious that the transaction was probably improper.84

9.43 Adapting this test to confidential information, it must be asked whether a third party—such as an internet intermediary—that has received information (1) actually knew (or was wilfully blind to) the information’s secrecy, (2) knew sufficient facts to put it on notice that the information was probably confidential, or (3) knew sufficient facts that a reasonable service provider would have taken steps to discover the character of the information and so learned the truth.85 In principle, this means that intermediary recipients stand ‘in no different position’ to direct confidants;86 the circumstances of acquisition are irrelevant, since the sole criterion of duty is whether a reasonable person would have known of the probable existence of the original duty of confidence or, at the very least, the confidential status of the information.

9.44 As noted in paragraph 9.22, Prince Albert v Strange can itself be read as a case of constructive knowledge. The trial judge found that the printer had actual knowledge of the origin and authorship of the confidential engravings and that person’s confidential relationship with the Prince Consort. Knowing those two facts, any ‘intelligent or rational being’ would appreciate that they had come into his possession owing to some

faithlessness, fraud and treachery on the part of [the confidant]. It would indeed be a slur upon jurisprudence, and a dishonour to the administration of justice, were a Plaintiff in such a case to seek protection and redress in vain.87

9.45  Journalists. Further support for a requirement of constructive knowledge may be found in Interbrew SA v Financial Times Ltd.88 Journalists received a leaked takeover document from a source who ‘must have known’ it was confidential. Sedley LJ emphasised that its recipients were experienced financial journalists who ‘were not born yesterday’.89 They too must have known that the document, which was sent anonymously and revealed ‘plainly’ confidential details of a proposed transaction, was intended to be kept confidential. To this extent, each defendant facilitated and ‘innocently lent itself’ to the source’s breach of confidence. (Breach of confidence was not pleaded directly against the journalists.)

9.46 To similar effect, Prince of Wales v Associated Newspapers Ltd held that a newspaper that received private diaries with actual knowledge that the source, an employee of the Prince, had breached his duty of confidence was bound not to use or disclose them.90 This case is consistent with the propositions that third party recipients can owe duties of confidence and that such duties require actual or constructive knowledge to be shown.

9.47  Knowledge of direct recipient. In some cases, a third party recipient may have knowledge of the confidentiality of material but nevertheless should not come under an obligation of confidence. For example, superficially confidential information may be imparted in such a manner by the original confider as to suggest that he or she was not concerned about its confidentiality, so that the immediate confidant would owe no duty. Plainly, a third party recipient should not be held to a higher standard than a direct confidant, so the obligations of downstream recipients in these circumstances may not depend solely on notice of the quality of the information that is received.

9.48  The analogy with breach of fiduciary duty. In Campbell, the Court of Appeal expressly rejected as ‘ambitious’ the submission that dishonesty operates as a touchstone of third party duties of confidence,91 as did the trial judge.92 The point was not taken up on appeal to the House of Lords. Previously, in Thomas v Pearce,93 the Court of Appeal had assumed that a test of dishonesty would apply by analogy with dishonest assistance of a breach of fiduciary duty. Under this approach, which is modelled on Royal Brunei Airlines v Tan, no intermediary could act in breach of an obligation of confidence unless it had failed to ‘act as an honest person would in the circumstances’ based solely on ‘what [it] actually knew at the time, as distinct from what a reasonable person would have known or appreciated’.94 This is a hybrid standard with both a subjective element (what was known) and an objective element (honesty). In Thomas, the claimant failed because the defendant employer acted negligently but honestly in using customer lists provided by a former employee of the claimant.95

9.49  Support for dishonesty standard. The analogy between Tan and breach of confidence finds very little support. Some references to dishonesty may be found sprinkled throughout the case law, none of them particularly clear. In Prince Albert v Strange, for example, the defendant’s attitude was described as ‘one of entire and undissembled dishonesty’.96 The Court in Holloway referred to the standard of ‘a man of ordinary honesty and intelligence’ in delimiting notice.97 However, Wilmer LJ in National Broach & Machine Co v Churchill Gear Machines Ltd rejected the analogy in the context of damages.98 In Coco itself, Megarry J came closest to supporting an analogy by noting that confidence is the ‘cousin of trust’,99 but went no further. Toulson argues that dishonesty is an ‘equally natural’ standard to apply to trade secrets.100 However, no reference was made in Thomas to the major authorities, and most commentators suggest that the decision is per incuriam.101

9.50  Criticism of dishonesty standard. The reasons why dishonesty is not a ‘natural’ criterion to apply to a recipient of confidential information are amply demonstrated by the facts of Campbell. In that case, the defendant maintained that it believed disclosure to be justified by the public interest102 (presumably, the public’s interest in feeding its ‘endless appetite for articles and images depicting the private lives of others’).103 If actual dishonesty were required to fix such a defendant with liability, then a journalist acting in good faith could never possess the subjective element of dishonesty identified in Tan, since they would not appreciate themselves to be transgressing ordinary standards of honesty and propriety. In cases of personal privacy, this would fail to protect article 8 rights adequately, and suggests that dishonesty is not an appropriate test.

9.51 Further, a test of dishonesty carries several obvious problems. First, it offers little guidance about when the use or disclosure of information innocently acquired will be dishonest and may ultimately devolve to a test of constructive notice. Second, it fails to account for information activists such as whistle-blowers. What of the defendant who, honestly believing that the public interest demands disclosure of a government or corporate secret, publishes it online considering that other members of the public might do the same? If dishonesty contains a subjective element, it seems to pre-empt and override the public interest defence. Those cases are better dealt with by a requirement of notice—since the circumstances of taking would ordinarily be such as to lead a reasonable person in the position of the taker to regard the information as subject to a duty of confidence. Third, defining primary recipient liability by reference to dishonesty would eclipse the role of equitable secondary liability for dishonest assistance of a breach of confidence.104 Further, as Gurry argues, the analogy is, at best, unhelpful and, at worst, could ‘complicate what is already a difficult area of the law’.105

9.52  The status quo. Based on this review of the authorities, the state of the law can only be described as ‘unsatisfactory’.106 This may be in part because of the unprincipled and fusionist expansion of the equitable action to resemble a ‘tort’ that protects the statutory right to privacy. In Gray v News Group Newspapers International Ltd, Vos J noted that the authorities concern ‘widely disparate species of confidential information, and must be viewed in their individual contexts.’107 Nevertheless, at least insofar as the recipient liability of internet intermediaries is concerned, the test appears to be uniform: actual or constructive knowledge of confidentiality or of a prior duty of confidence.

9.53  A proportionality-based approach. An example of an approach that is radically different in form (if not in result) is London Regional Transport v Mayor of London.108 In that case Sedley LJ rejected the orthodox approach in favour of a test derived from the Convention concept of proportionality: the tool—the metwand—which the Court has adopted...for deciding a variety of Convention issues...Does the measure meet a recognised and pressing social need? Does it negate the primary right or restrict it more than is necessary? Are the reasons given for it logical?...It seems to me, with great respect, that this now well established approach furnishes a more certain guide for people and their lawyers than the test of the reasonable recipient’s conscience. While the latter has the imprimatur of high authority, I can understand how difficult it is to give useful advice on the basis of it. One recipient may lose sleep a lot more readily than another over whether to make a disclosure, without either of them having to be considered unreasonable. If the test is whether the recipient ought to be losing sleep, the imaginary individual will be for practical purposes a judicial stalking-horse and the judgment more nearly an exercise of discretion and correspondingly less predictable. So for my part I find it more helpful today to postulate a recipient who, being reasonable, runs through the proportionality checklist in order to anticipate what a court is likely to decide, and who adjusts his or her conscience and conduct accordingly.109

9.54 A grundnorm of proportionality has much to commend it: the concept is simpler, easier to describe, and more flexible. Doubtless, the checklist of salient features would closely resemble those that are currently examined (including knowledge, the circumstances of receipt, and any countervailing interest in disclosure). That list would need to be clearly articulated and consistently applied to avoid uncertainty. However, proportionality may offer a useful lens through which to examine and articulate the scope of assumed duties of confidentiality. Whether it will be adopted in future cases remains uncertain.

9.55 Most recently, in Primary Group (UK) Ltd v Royal Bank of Scotland plc, Arnold J reviewed the authorities and concluded that:

It follows from the statements of principle I have quoted above that an equitable obligation of confidence will arise not only where confidential information is disclosed in breach of an obligation of confidence (which may itself be contractual or equitable) and the recipient knows, or has notice, that that is the case, but also where confidential information is acquired or received without having been disclosed in breach of confidence and the acquirer or recipient knows, or has notice, that the information is confidential. Either way, whether a person has notice is to be objectively assessed by reference to a reasonable person standing in the position of the recipient.110

Accordingly, to determine the existence and scope of an obligation of confidence requires the Court to consider the circumstances from the perspective of a reasonable person in the position of the recipient of the information.111 Arnold J also explained that where information is disclosed for a particular but limited purpose, a recipient who knows or ought to know of that purpose will owe a duty to the original discloser to use the information for that purpose and no other.112 (It is suggested that such a recipient would also owe a duty to the intermediate confidant only to use the confidential information for the stipulated purpose.)

9.56  Dishonest assistance. In Vestergaard Frandsen A/S v Bestnet Europe Ltd, Lord Neuberger PSC considered it arguable that a person could face secondary liability for assisting a breach of confidence in either of two circumstances: first, by analogy with knowing assistance of a breach of trust; second, as a joint tortfeasor who participates in a common design. As to the first possibility, his Lordship explained:

while a recipient of confidential information may be said to be primarily liable in a case of its misuse, a person who assists her in the misuse can be liable, in a secondary sense. However, as I see it, consistently with the approach of equity in this area, she would normally have to know that the recipient was abusing confidential information. Knowledge in this context would of course not be limited to her actual knowledge, and it would include what is sometimes called ‘blind-eye knowledge’. The best analysis of what that involves is to be found in Royal Brunei Airlines Sdn Bhd v Tan...where Lord Nicholls of Birkenhead approved the notion of ‘commercially unacceptable conduct in the particular context involved’, and suggested that ‘acting in reckless disregard of others’ rights or possible rights can be a tell-tale sign of dishonesty’.113

9.57 This suggests that a dishonesty standard of secondary liability applies. As noted in chapter 5, dishonest assistance is the equitable form of secondary liability which developed in the context of breach of fiduciary duty. However, there is no good reason why it should not apply to other equitable wrongs, including breach of confidence.114 Importantly, this does not amount to endorsing the Thomas v Pearce view that an obligation of confidence is directly imposed upon a dishonest secondary party. The scope of the obligation of confidence is unchanged; instead, the secondary party is made liable as an accessory for dishonestly assisting the breach of a primary duty of confidence owed by another.

9.58  Joint tortfeasorship. Lord Neuberger also accepted that a party may become liable as a joint tortfeasor who is party to a common design to breach confidence.115 That result involves the application of general principles of tortious secondary liability to an equitable wrong. Although some may criticise this as an example of the fusion fallacy, it is suggested that the authorities make clear that liability as a joint tortfeasor extends to equitable wrongs. For the same reason, procurement and authorisation would also be relevant connecting factors.

9.59 Where a person misuses confidential information in the course of his or her employment, it is arguable that their employer will face vicarious liability for the resulting breach of confidence. As Lord Neuberger PSC reasoned in Vestergaard:

even a person who did not know that the information which is being abused is confidential could nonetheless be liable if there were relevant additional facts. Thus, if a person who directly misuses a claimant’s trade secret does so in the course of her employment by a third party, then the third party could (at least arguably) be liable to the claimant for the breach of confidence. However, that would simply involve the application of one well established legal principle, vicarious liability, to another, misuse of confidential information.116

9.60 This is an uncontroversial result, since it simply involves the application of ordinary principles of vicarious liability. Cases such as Holloway reflect this approach.117 In Primary, Arnold J cited this passage and appeared to accept the parties’ position that an employer whose employees received confidential information would be liable for any breach of confidence committed by its employees within the scope of their employment.

9.61  TRIPS Agreement. In applying the equitable doctrine of breach of confidence, it is necessary to have regard to article 39 of the TRIPS Agreement, which requires signatories to protect ‘undisclosed information’ in specified circumstances:

Natural and legal persons shall have the possibility of preventing information lawfully within their control from being disclosed to, acquired by, or used by others without their consent in a manner contrary to honest commercial practices . . .

9.62 Footnote 10 clarifies the meaning of dishonest commercial practices, whose meaning includes ‘breach of confidence and inducement to breach, and includes the acquisition of undisclosed information by third parties who knew, or were grossly negligent in failing to know, that such practices were involved in the acquisition’ (emphasis added). The reference to ‘inducement to breach’ may suggest that TRIPS requires some form of accessory liability for breach of confidence. The reference to gross negligence suggests that an objective standard of liability is necessary to comply with TRIPS.

9.63 Assessing the scope of liability faced by an internet intermediary for disclosures of confidential information acquired from a third party requires careful analysis of the contributory acts and concomitant mental states of the service provider. Scenarios in which a service induces or encourages disclosure must be distinguished from those in which it merely assists passively. Services who actually receive and store information may warrant different treatment from services who merely transmit it.

9.64 Accordingly, this section considers separately the liability of four classes of internet intermediary in cases of innocent and culpable (negligent or dishonest) receipt. Bearing in mind that this area of law is likely to continue its development ‘through ad hoc decisions which are often motivated primarily by a desire not to let an unmeritorious defendant escape liability’,118 it is of crucial importance to adopt an appropriate analytical structure from the outset. Ultimately, however, each case will turn upon the particular circumstances in which the intermediary has received and acquired knowledge of the information.

9.65  Unauthorised communications. The most obvious way in which a platform may face liability for breach of confidence is by directly causing confidential material to be disclosed through online publication. Disclosure bears the same meaning on the internet as it does in printed media: the question is whether, in breach of a duty of confidence, the platform has communicated material enjoying the necessary quality of confidence to a third party besides the confider. Disclosure need not make the information ‘so generally accessible’ that it is no longer confidential,119 though for obvious reasons it often will.

9.66  Extent of disclosure. It is enough that the use made (or threatened to be made) of the material is in breach of the equitable duty upon which the action is founded. Certainly, if the information becomes ‘known to a substantial number of people’,120 it will have been disclosed; so too if the information becomes ‘public property and public knowledge’.121 Whether a disclosure can ever be so trivial or minor that it will not be actionable, or would not be proportionate to bring an action, remains a possibility. However, disclosure is a question of degree122 and the answer—and with it the quantum of any compensatory remedy—will depend on the circumstances and extent of disclosure.

9.67  Previous disclosure. Complications can arise from a prior internet disclosure, since the information may have lost its confidentiality by the time of the later disclosure. It is axiomatic that once information is in the public domain, it is no longer confidential and nobody—except perhaps those previously responsible for its misuse or disclosure123—remains under an equitable duty not to use or disclose it.124 This is frequently the case when a website ‘mirrors’ or republishes information reported on other websites, which often occurs within moments of the original disclosure. Where the primary confidant is known to have acted in breach of duty, there may (interim relief aside) be relatively little to gain by pursuing secondary disclosers.

9.68  Loss of confidentiality by publication. These difficulties were noted by Tugendhat J in Northern Rock plc v Financial Times Ltd,125 where the Court held that publication of confidential information for a brief period on a website that was not widely accessed or used by the general public might not amount to sufficient disclosure for the information to lose its confidentiality. For obvious reasons, a threshold of disclosure that is too low would be undesirable, since it may lead to commercially valuable information being deprived of equitable protection even where it remains unknown to the vast majority of the population. On the other hand, relief may be futile if multiple websites are already publishing copies of the information, especially where it is of public interest.

9.69Barclays Bank plc v Guardian News and Media Ltd126 suggests that a relatively high threshold of disclosure applies to websites.127 Blake J held that the claimant still had a realistic chance of proving confidentiality at trial despite the information having been published for a period of around four hours on the website of The Guardian, which had roughly 30 million users at the time. The claimant’s documents, which detailed strategies for tax avoidance, had been leaked by one of its employees to a government minister, who then leaked them to the press.128 The relevant documents were visible on the website from 10pm until around 2.30am, when Ouseley J granted an urgent injunction129 and the documents were removed.

9.70 Unlike Northern Rock, the website was ‘particularly well known’ and ‘readily accessible’, the publication was to the public at large, and the removal order prompted some ‘internet chatter’ in blogs. Despite this, confidentiality was not necessarily lost: the period of publication was brief, and the fact that sufficiently interested members of the public might be able to locate the material was insufficient;130 besides which, it would be ‘somewhat unattractive’ to allow The Guardian to rely on its own publication (and publications deriving from it) to deprive the material of its confidentiality.131

9.71 In Barclays Bank, the Court was evidently concerned to protect the claimant’s rights in a medium in which secrecy can often be imperfect:

I am conscious that there are real significant differences between the publication of books and publication of material by other means, particularly in the age of the internet, where there is very rapid global communication.132

The Court contrasted the circumstances of the case with the situation that would exist where there is ‘general availability’ of information, which would usually preclude confidentiality. However, where dissemination is ‘very limited’ and ‘partial’ (as on a site accessible only with ‘a great deal of effort’), disclosure on a website may not lead to total destruction of confidentiality.133 Accordingly, the Court continued the interim injunction, and also made orders prohibiting supply of the material and incitement of publication by others.

9.72  Communications made by a user. Alternatively, a platform may facilitate a disclosure of confidential material caused by the actions of a third party. For example, an end user may, in breach of confidence, post confidential material to a website so that it appears without the intervention of the website operator and is available to other users. In these cases, it will be important to ask whether, at the moment of disclosure or subsequently, the website operator had or has acquired actual or constructive knowledge of the confidentiality of the material or the prior breach of confidence.

9.73  Relevant factors. In determining whether the website operator has come under a duty of confidence, all the circumstances must be considered. Relevant factors may include: whether the operator had forewarning of the disclosure, induced, or encouraged it; the likelihood of confidential material being uploaded; the nature of the relationship between operator and users; previous wrongdoing by the user; and any terms of use between operator and users.

9.74  Discussion fora. This situation was considered at an interim stage in Aegis v Stoner,134 where the defendant set up 14 websites critical of the claimant, his former employer. The websites disclosed ‘low-level’ information about the claimant’s security operations in Iraq, including video footage of operations, and invited users (some of whom were employees) to air their grievances in a public discussion forum. The claimants sought injunctive relief against possible disclosure by third parties who might utilise the website as a means of dissemination. Deputy Judge Arnold QC noted that this involves ‘considerations which are somewhat different’ to those arising in relation to the defendant’s own disclosures on the website, and continued:

So far as publications by third parties of confidential information on his website are concerned, it is less obviously the case that that is something for which the defendant can properly be held responsible. The mechanism by which the [information] was posted on the website was by someone posting to a discussion board. There is no way in which the registrant of a domain name and the owner...of a website can know in advance what information going to post. He cannot know whether someone posting on a discussion board is going to post information which is entirely innocuous and anodyne or whether it is extremely sensitive. That can only be known once it has been posted.135

9.75 The claimants argued that the defendant should be liable as the website operator for all information supplied by third parties, just as a publisher of a book would, it was said, be liable if its author had included confidential information.136 The Court did not decide the question, instead relying on breach of contract and passing off, but did conclude that the claimant’s contention was arguable.

9.76 It is suggested that, had the case proceeded to trial, the point should have been decided against the claimants. The liability of a book publisher is different because, as a publisher who has chosen to assume responsibility for those specific contents, it is reasonable to fix them with notice of all that the book contains. A website operator stands in a wholly different position: it does not normally edit or review the contents of comments prior to publication, does not in the ordinary course expect such comments to contain wrongful disclosures, does not ordinarily assume responsibility for such material, and does not intervene in their publication. Unless and until such an operator has actual knowledge of the disclosure and its confidential nature, it will be difficult to support an allegation of constructive knowledge, since a reasonable person in their shoes would be unlikely to have known of the existence of the disclosure, let alone its contents.

9.77  Encouragement by website operator. A more borderline case may be where the operator actively encouraged users to breach confidences or was aware of this happening routinely. Given such encouragement, it might be reasonable to check for wrongful disclosures or pre-moderate comments, absent which constructive knowledge could be imputed if the material is not removed after a reasonable period. Alternatively, the encouragement might reach such a degree that it becomes deliberate inducement, incitement, or persuasion to commit a breach of confidence, which would be sufficient to impose joint liability in tort.137

9.78 To the extent that a website operator is not liable for third party disclosures, one must have considerable sympathy for claimants whose confidential information is published online. As the Court noted in Aegis v Stoner, the interval between disclosure and injunction or removal, however brief, may be sufficient for the material to propagate to other websites and thereby become impossible to remove—and eventually deprived of confidentiality.138

9.79  Gossip sites. Sir Elton John v Countess Joulebine provides a further example of recipient liability for third party disclosure.139 In this case, summary judgment was granted against a website operator who linked to confidential legal advice which had been ‘filched’ and posted by a third party. The defendant’s website invited members to upload ‘juicy gossip’ via a discussion board hosted in the United States. After an anonymous third party uploaded the document, the defendant became aware of it and featured it on the home page by way of a hyperlink for around two weeks, until an injunction required its deletion. The Court continued the injunction restraining disclosure and awarded damages for the breach of confidence.

9.80  Time when obligation arises. Master Leslie held that the cause of action arose as soon as the website operator knew or ought to have known ‘there was a risk’ that the information had been imparted in breach of confidence. Upon obtaining constructive knowledge, the operator came under an equitable obligation to remove the material. Placing an additional hyperlink which drew attention to the material was the opposite of what conscience demanded. Importantly, this did not require notice from the claimant; provided a reasonable person in the defendant’s position would have appreciated a risk that sensitive legal advice was disclosed in breach of confidence, the duty arose.140 Presumably, the effect of notice by the claimant would be to militate in favour of constructive knowledge, bearing in mind the warning in Fraser that the ‘mere assertion’ of a broken confidence may not be enough to fix the recipient with liability.141

9.81 Deveci criticises Joulebine as impugning ‘the very foundation of the internet’.142 Certainly, it appears to impose a burden upon intermediaries to remove content about which no complaint has been received, purely on the basis of constructive notice. That is, however, consistent with the doctrinal foundations of the action and arguably necessary to protect confidences on the internet (since a complaint might not be forthcoming until it is too late to prevent confidentiality being destroyed). It is also consistent with the principle that no website operator can come under a duty of confidence until actually in receipt of confidential material. The likelihood of a website operator facing monetary liability before notification for mere receipt of such material is also lessened considerably by the operation of the safe harbours considered in chapter 12.

9.82 In Joulebine, Master Leslie concluded that the moment of receipt was, as a matter of law, the moment when the website operator became aware of the confidential material. In this sense, the necessary mental state is a hybrid of actual knowledge of the material (subjective) and constructive knowledge of its confidential character or wrongful derivation (objective). However, the standard of constructive knowledge was arguably set too low; in requiring knowledge of a mere ‘risk’ of wrongful disclosure, rather than a ‘probability’, the Court is holding website operators to a more stringent standard than newspapers and journalists, which is inappropriate.

9.83  Scope of relief. Where information is wrongfully disclosed on a website, it is axiomatic that the relief granted will not be wider than the content found to breach confidence. To claim for removal of the website as a whole ‘regardless of content’ is thus improper and unsupported by authority.143

9.84  Social networks. It is clear that threats to disclose private or confidential information on a social network may found a claim for injunctive relief. In DDF v YYZ, the High Court granted an injunction against an unknown person to restrain harassment and the publication of private information by means of Instagram.144 From media reports, it appears that the respondent had sent messages to the applicant (a student) in which threats were made to make false complaints that the student had committed serious sexual offences and to disclose explicit photographs.145 Because the identity of respondent was not known, Nicol J directed that substituted service be effected via Instagram.

9.85  Requirement of knowledge. Although an action for breach of confidence can be maintained without any prior relationship of confidence between confider and recipient, actual or constructive knowledge is essential before an innocent recipient—let us suppose, someone who has received confidential information without encouragement, solicitation, or forewarning—can be liable. As Toulson and Phipps observe:

If the [action] is based on equitable principles, no liability would be expected to attach to a third party recipient of confidential information for acts done by him in ignorance that there had been any breach of confidence.146

9.86 This approach was approved by the Court of Appeal in Vestergaard, which cautioned that recipient liability for breach of a duty of confidence is not strict,147 even where its basis is contractual. In that case, the Court held that the employee—although she ‘behaved reprehensibly’—could not have misused confidential information if she had no knowledge about it or its use.148 In light of these principles, a host who unwittingly disseminates confidential information—perhaps even recklessly—cannot be held liable until put on notice of the existence of the information and its confidential quality.

9.87  The equitable obligation to remove. Recent authorities in offline contexts suggest that, once fixed with knowledge, an action will lie against any host in possession of confidential information without authorisation. If this approach is accepted, then hosts will come under an equitable obligation to remove or disable access to confidential information upon being notified by the claimant. The rationale for this secondary obligation is that it is necessary to preserve the information’s confidential character, without which the secret would be destroyed. Thus, in Imerman v Tchenguiz, Lord Neuberger MR, giving the judgment of the Court of Appeal, set out a broad test of passive receipt:

In our view, it would be a breach of confidence for a Defendant, without the authority of the Claimant, to examine, or to make, retain, or supply copies to a third party of, a document whose contents are, and were (or ought to have been) appreciated by the Defendant to be, confidential to the Claimant. It is of the essence of the Claimant’s right to confidentiality that he can choose whether, and, if so, to whom and in what circumstances and on what terms, to reveal the information which has the protection of the confidence.149

9.88 The Court was clearly influenced by article 8 jurisprudence, and by the prejudice that continued retention of confidential information by a defendant would have upon the claimant’s right of confidentiality, whether through the risk of being lost ‘or even potentially lost’ by inadvertent or deliberate disclosure.

9.89  Mere storage of information. The idea that mere retention or supply of copies of a confidential document can constitute a breach of confidence is not new, but it suggests that hosts could fall within the ambit of the action when they do no more than store information that they knew or ought to have known was confidential. Importantly, this test does not seem to require a service provider to examine information it has no reason (or ability) to suspect is confidential. However, the Court’s reasoning suggests that the third element of breach of confidence (threatened use or disclosure) is now nugatory; merely threatening to ‘look at’ or store the information can be sufficient. This reflects a shift in the concern of the action from unauthorised use of the confidential information150 to mere acquisition or storage of the information. However, in such a case, there would be clear arguments that a safe harbour would prevent any monetary remedy from being awarded against a host who does no more than store, cache, or transmit the confidential material.151

9.90  Identification of confidential information. It is generally unnecessary for the claimant to identify with specificity each individual document that is said to be confidential and in the possession of the defendant.152 To require otherwise would be ‘oppressive and verging on the absurd’.153 This concession mirrors parallel developments in copyright joint liability.154 However, any class of relevant confidential documents must obviously be described with adequate clarity and precision to enable a reasonable service provider to ascertain what falls within the class and where it is stored on equipment under its control.

9.91  Examples. The position of a host who receives confidential material by inducement or encouragement may best be illustrated by three examples.

9.92WikiLeaks style platform. First, consider the website known as WikiLeaks. This is an edited platform that tells its visitors: ‘Have documents the world needs to see? We help you safely get the truth out.’155 Original documents of any kind can be sent to its editors anonymously, who vet submissions and choose material of interest for disclosure. It is, in short, a curated platform. Published materials include a summary, often making express reference to the fact that the document is confidential (and giving details of its governmental classification status),156 and can be accessed by any interested member of the public.

9.93Gossip blog. Second, consider an unedited emporium of gossip that invites and then publishes all comments as received, without the intervention or awareness of its operators. In a more conventional scenario, the blog operator will also publish edited postings alongside user-created content, or in distinct sections of the website.

9.94Service providers. Finally, consider the position of the hosts, ISPs, and payment providers that supply bandwidth, equipment, and other enabling services to each of these platforms.

9.95 On a curated platform, it seems beyond doubt that the operators would be liable for each document wrongfully disclosed. The operators have ‘received’ the information in the necessary sense, since it comes into their control. Though it would depend on the exact nature of the confidential document being published, the operators may well have actual knowledge of the fact that the material is confidential (particularly if labelled as such, or marked ‘classified’, ‘privileged’, or ‘secret’), or be wilfully blind to that fact. Alternatively, any reasonable person in the operators’ position would have appreciated that a document ‘leaked’ or ‘filched’ by an employee, government servant, or other confidant would probably be confidential and protected by duties of confidence. Because all documents are reviewed prior to being uploaded and disclosed, the operators would be fixed with knowledge of all documents, and would be acting in breach of the resulting duties of confidence.

9.96 The second platform poses greater difficulties. On the one hand, its operator has intentionally created a forum in which confidences can be breached with impunity; it can, in a general sense, be said to induce all of the resulting wrongful disclosures. Conversely, unless the operator examines or has cause to examine specific documents (eg as a result of complaints) it would lack actual knowledge of any specific duty of confidence. It is also unclear whether the operator would have ‘received’ the information merely by creating technical infrastructure which caused the documents to be stored on electronic media within its general control.

9.97 As to constructive knowledge, it is difficult to posit the standard of how a reasonable secret-leaking website operator would act; however, a more plausible benchmark is the conduct of website operators at large. On balance, it seems likely that equity would fix such an operator with knowledge of any document whose confidentiality and wrongful origin would have been apparent on a cursory examination.157 An action would then lie for at least delivery up of the document and its removal from the website.

9.98 Service providers who do no more than facilitate the dissemination of material on these websites would not owe duties of confidence. A host would technically receive the information if the data were within its control, but could not be fixed with notice until specifically drawn to its attention. It has been suggested that, once notified, a host who failed to remove the offending material within a reasonable period might be committing an equitable fraud on the confider.158 It is also conceivable that continued acquiescence in the publication of such material might, by analogy with defamation cases, be treated as authorisation or ratification of the wrongful disclosure sufficient for joint liability. However, this point has not yet arisen in English courts in the context of confidentiality.159

9.99 As to a payment processor or interconnecting ISP who facilitated the operation of such a platform, neither would receive the information and could not be expected to take notice of the website’s activities until notified; moreover, it is not clear what they could do to prevent ongoing breaches of confidence, short of severing any contractual relationship with the operator.160 Although each innocently facilitates—and therefore assists—the dissemination of material in breach of confidence by the platform operator, there is no legal or equitable wrong of assisting a breach of confidence per se. Secondary liability in equity for dishonest assistance would require proof that the service provider had acted dishonestly.161

9.100 In all three scenarios, an issue arises where the host knowingly receives information that has come into the public domain as a result of prior wrongful disclosure. In Spycatcher, Lord Goff was prepared to recognise continuing derivative obligations of confidence:

If the confidant who has wrongfully published the information so that it has entered the public domain remains under a duty of confidence, so logically must also be anybody who, deriving the information from him, publishes the information with knowledge that it was made available to him in breach of a duty of confidence...—even booksellers who...put the [information] on sale in their shops, would likewise be in breach of duty. If it is suggested that this is carrying the point to absurd lengths, then some principle has to be enunciated which explains why the continuing duty of confidence applies to some, but not to others, who have wrongfully put the [confidential information] in circulation.162

9.101 If accepted, this would mean that any website hosting materials which they knew derived from a breach of confidence would be liable even once the information was widely published. The simple answer, of course, is that once previously confidential information is put into circulation, it is deprived of confidentiality, so that neither the confidant163 nor any derivative recipient remains bound.164 Instead, the confider’s original expectation of confidence is replaced with a secondary entitlement to equitable compensation against those responsible for depriving the material of its secrecy.

9.102 Electronic dissemination of confidential information sometimes begins when a malicious party obtains unauthorised access to a networked computer system. Using a variety of tools and techniques—including spyware, keyloggers, brute force password attacks, ‘zero day’ exploits, and social engineering—the cracker (nowadays ‘hacker’) accesses data stored on systems belonging to the claimant or a service provider that supplies services to the claimant, and then proceeds to download and republish those data to third parties.

9.103 In determining the liability of a host from whom data have been obtained by a malicious third party, the starting point is to consider what (if any) obligations of confidence are owed by the host to its customer. In many cases, such obligations may arise contractually as an incident of the host assuming responsibility for the secure storage of data that are entrusted to it. This would depend upon the nature of the services provided by the host and the relevant terms of service.

9.104  Computer hacking. Where a malicious third party obtains access to hosted confidential information, this will ordinarily involve a breach of confidence being committed by the intruder. For example, Ashton Investments Ltd v OJSC Russian Aluminium (Rusal) concerned an allegation that the defendant, a private Russian company, had hacked into the claimant’s internal server in London using access credentials obtained via a keylogger, which it then used to obtain various privileged documents relating to ongoing litigation between the two companies.165 In rejecting an interlocutory application by the defendant to set aside service, the Court accepted that such conduct, if established at trial, would amount to a breach of confidence committed in England.166 Where the compromised system belongs to a service provider, the additional question then arises whether the intermediary can be liable for the breach of confidence.167

9.105  ‘Leaked’ information. Interbrew SA v Financial Times Ltd concerned an action for disclosure of the identity of the party who had leaked a confidential takeover bid document to the defendant newspapers. Sedley LJ held that a breach of confidence had occurred, since the source of the material had constructive knowledge of the document’s confidentiality. Each newspaper, as a recipient of the leaked document, had ‘innocently lent itself’ to the tort and was no longer a mere bystander, since they had disseminated the document.168 It follows that they were under an equitable obligation to deliver up the documents. However, it was not suggested that the newspapers were themselves wrongdoers.

9.106 The liability of an ISP who transmits confidential information through its network or systems has not yet been considered by the English courts. However, it is submitted that an ISP who does no more than transmit information for the sole purpose of onwards transmission is very unlikely to owe a duty of confidence. This is so even if the ISP knows or is notified of what it has transmitted and fails to disconnect the subscriber.

9.107 The first reason for this is simply that such an ISP cannot be said to have ‘received’ the information, since transient storage (in a cache or router’s primary memory) lasts a matter of milliseconds, and is therefore so fleeting as to be difficult to characterise as giving rise to meaningful custody or control. For similar reasons, it is normally impossible or impractical for an ISP to detect or record the contents of transmissions, still less determine whether or not they are confidential.

9.108 Second, and more fundamentally, such transmissions are not properly characterised as acts of the ISP but rather of the transmitter. The conduct of the ISP is an involuntary reflex that results in electrical signals being transmitted whose contents have been solely determined by the transmitter. Any breach is therefore that of the transmitter and not the ISP who unwittingly supplies the means.

9.109  Obligations before notification. A search engine or other gateway who does no more than index or aggregate confidential documents that have been authored, disclosed, and hosted by a third party has strong arguments that it does not owe a duty of confidence in respect of that material, absent something more. The issue has not yet arisen for decision in the United Kingdom, but a number of observations may be made.

9.110 First, it may be questioned whether such a service provider has ever ‘received’ confidential information at all. Although it may process and store metadata in a search index which directs users to confidential material, it would need to be determined whether the extraction of keywords, snippets, and URLs actually embodies any confidential material.

9.111 Second, even if it has received confidential information as a result of algorithmic processing of third parties’ data, a search engine or other indexer does not normally have any direct relationship with the primary discloser of confidential information; it is, at best, an inadvertent and innocent recipient. In the absence of actual or constructive knowledge that the relevant information is confidential or derives from a breach of confidence, it is therefore difficult to see how a duty could arise.

9.112 Third, if confidential material is not displayed on the face of search results themselves (eg in snippets, URLs, or page titles), then it is unclear whether the act of directing the user to a place where confidential material may be obtained is itself an act of use or disclosure sufficient to breach any equitable duty that does arise.

9.113 Fourth, even where a search engine assists searchers to locate confidential information—eg by suggesting query terms—it seems highly doubtful whether such assistance could be considered dishonest in a way that would lead to equitable secondary liability. Without knowledge of the confidential nature of the material or the prior breach of confidence, it is implausible to suggest that any particular intent could be formed—still less a dishonest one. For similar reasons, it seems unlikely—absent a specific relationship with the user or website operator—that a search engine could be liable as a joint tortfeasor.

9.114 Another powerful reason against imposing a duty of confidence is that a search engine or aggregator does not manually examine the contents of documents, and is incapable of determining a priori whether the information they contain is confidential or derives from a prior breach of confidence. For this reason, it would be unreasonable to impute knowledge of the materials being indexed algorithmically to the person who controls the index: the indexer would lack knowledge of both the nature of the information and any prior obligation of confidence with respect to it.

9.115  Obligations after notification. Once put on notice of a breach of confidence, a search engine may come under an equitable obligation (by analogy with Interbrew and Norwich Pharmacal) to remove the confidential material from its index so as to prevent its further dissemination and thereby avoid further facilitating wrongdoing. This is a simple and, by all accounts, highly effective way of reducing the exposure given to wrongfully disclosed secrets. Bearing in mind the valuable purpose that search engines serve in facilitating access to knowledge on the internet, some degree of incidental disclosure of confidential or private information that occurs during indexing and prior to notification may be unavoidable.

9.116  Remedies. It is conceivable that damages may be awarded against a search engine who refuses, or fails, to remove confidential information within a reasonable period of being notified of its existence and nature. Such liability could arise on the basis of common law authorisation by analogy with defamation cases such as Byrne v Deane, or on the basis that an equitable obligation arises upon notice and is thereby breached by a failure to cease disclosing the information. Additionally, non-monetary remedies are potentially available in two forms: (1) de-indexing injunctions of the kind considered in chapter 16; and (2) statutory data protection remedies, which are dealt with in chapter 10.

9.117 Privacy is now protected by means of the action for misuse of private information. That action has a convoluted history and derives from several sources, including the Human Rights Act 1998, the European Convention, the EU Charter, and the equitable law of confidence discussed in sections 1 and 2 of this chapter. The next section offers a short introduction to these sources, with a focus on how far the action is likely to extend to secondary wrongdoers who facilitate access to private information on the internet.

9.118  Comparison with breach of confidence. Similar considerations are likely to apply to internet intermediaries for both breaches of confidence and interferences with privacy. However, the scope of primary wrongdoing is not necessarily the same, because ‘the concepts of confidence and privacy are not the same and protect different interests’.169 Lord Nicholls adverted to these differences in Campbell, observing that some information may be both confidential and private, while other information may be private but (because already disclosed) not confidential; and industrial trade secrets may be protected even though they are in no sense private.170 Similarly, it has been observed that the underlying values protected by the two actions are different: breach of confidence enforces confidences reposed (and the voluntarily assumption of responsibility for preserving their secrecy which that entails), and objective standards of good faith and fair dealing; misuse of private information protects human autonomy and dignity—and, in particular, control of information about one’s private life.

9.119 The new dimensions of the action for misuse of private information are considered in section 3.1, while the current boundaries of liability are considered in section 3.2.

9.120 Article 8 of the Convention provides:

Right to respect for private and family life


Everyone has the right to respect for his private and family life, his home and his correspondence.


There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of...the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

9.121  The cause of action. The starting point is that there is no general tort or equitable wrong of invasion of privacy. The House of Lords decided as much in Wainwright v Home Office.171 That conclusion was followed in McKennitt v Ash.172 However, as was explained in paragraph 9.05, claims for misuse of private information have been ‘shoehorned within’173 and ‘grafted on to’174 the equitable jurisdiction to hear claims for breach of confidence for the purpose of giving effect to the parties’ rights under article 8 of the Convention.175

9.122  Criticism of the fused approach. The resulting doctrinal fiction, which involves treating an expectation of privacy as tantamount to an obligation of confidence, was criticised by Lord Phillips in Douglas v Hello! Ltd [No 3]: ‘we cannot pretend that we find it satisfactory to be required to shoehorn within the cause of action for breach of confidence claims for publication of unauthorised photographs of a private occasion’.176 As a result of these changes, it must now be asked whether the action for misuse of private information is a tort of privacy in all but name. Indeed, as the Court of Appeal has accepted, the result of these ongoing developments is that ‘there are now two separate and distinct causes of action: an action for breach of confidence; and one for misuse of private information.’177

9.123  Width of the action. The transformation of the classical equitable wrong carries with it several consequences. First, the scope of the action is at least as wide as its operation in cases involving private information protected by article 8. Its boundaries must reflect Convention (and corresponding Charter) provisions,178 to which the courts, as public authorities and in accordance with the interpretive proviso, are required to give effect by awarding appropriate remedies for misuses of private information.179 As such, the general impact of Convention jurisprudence has been to enlarge the scope of liability beyond the range of conduct which equitable remedies would have restrained.

9.124  The balancing exercise. Second, courts must engage in a multi-step balancing exercise to determine, broadly: (1) whether the circumstances give rise to an obligation of confidence or expectation of privacy; and (2) whether an impugned dealing with protected information is, properly balanced with the claimant’s rights, justified and proportionate.180

9.125  Classification of wrongdoing. Third, the action for misuse of private information may no longer be a purely equitable wrong, which affects how it should be classified for the purpose of jurisdiction and choice of law rules. The traditional view was that breach of confidence is not a claim in tort but rather an equitable wrong.181 This view accords with the historical origins of the action and the preponderance of authority. Conversely, equitable wrongs are no longer treated in hermetic isolation from torts for certain purposes, such as joint tortfeasorship.182 The competing view is that misuse of private information is now a separate tort, or sufficiently analogous to a tort to be treated as one. As Lord Neuberger MR noted in passing in Imerman, ‘there is now a tort of misuse of private information’.183 If correct, this would have the consequence that permission to serve a claim form upon an internet intermediary domiciled outside the jurisdiction would be available where an arguable misuse of private information can be shown within the United Kingdom.

9.126 The classification of misuse of private information as a tort was upheld by the Court of Appeal in Google Inc v Vidal-Hall, an appeal against the grant of permission to serve outside the jurisdiction. The Court reasoned that no previous authority was binding on the question, and there were no ‘sound reasons of policy or principle’ why the action should not be classified as a tort.184 Permission to appeal to the Supreme Court was refused, suggesting that the point is now firmly decided, at least for the purposes of private international law.185

9.127  Summary. The principles applicable to claims for misuse of private information were helpfully distilled from Campbell by Sir Anthony Clarke MR in Murray v Express Newspapers plc, as follows:186


The right to freedom of expression enshrined in article 10 of the Convention and the right to respect for a person’s privacy enshrined in article 8 are vitally important rights. Both lie at the heart of liberty in a modern state and neither has precedence over the other...


Although the origin of the cause of action relied upon is breach of confidence, since information about an individual’s private life would not, in ordinary usage, be called ‘confidential’, the more natural description of the position today is that such information is private and the essence of the tort is better encapsulated now as misuse of private information...


The values enshrined in articles 8 and 10 are now part of the cause of action and should be treated as of general application and as being as much applicable to disputes between individuals as to disputes between individuals and a public authority...


Essentially the touchstone of private life is whether in respect of the disclosed facts the person in question had a reasonable expectation of privacy...


In deciding whether there is in principle an invasion of privacy, it is important to distinguish between that question, which seems to us to be the question which is often described as whether article 8 is engaged, and the subsequent question whether, if it is, the individual’s rights are nevertheless not infringed because of the combined effect of article 8(2) and article 10...187

9.128 In McKennitt v Ash, Buxton LJ summarised the effect of the authorities in terms of a simpler, two-stage inquiry:

in a case such as the present, where the complaint is of the wrongful publication of private information, the court has to decide two things. First, is the information private in the sense that it is in principle protected by article 8? If ‘no’, that is the end of the case. If ‘yes’, the second question arises: in all the circumstances, must the interest of the owner of the private information yield to the right of freedom of expression conferred on the publisher by article 10? The latter inquiry is commonly referred to as the balancing exercise...188

This analysis reinforces the importance of undertaking a structured inquiry. A suggested framework for analysis is set out in the following paragraphs. In light of the difficult issues raised by claims for misuse of private information, it is submitted that a structured approach is best able to avoid unpredictability and uncertainty, both in digital and other contexts, and ensure consistent and rational decision-making.

9.129  Identifying the information. A sometimes forgotten but logically anterior question is to identify the nature of the interest in respect of which the claimant alleges interference. This matters because it determines the object and scope of any expectation of privacy.

9.130  Information must relate to private life. The categories of interest protected by article 8 are restricted in at least two ways. First, it relates to private information, as distinct from trade secrets or trivialities. In Campbell, the House of Lords explained that private information involves ‘something worth protecting as an aspect of human autonomy and dignity’.189 This is information which implicates ‘the right to control the dissemination of information about one’s private life and the right to the esteem and respect of other people’.190 However, it is apparent that article 8 can be engaged by information concerning an individual’s professional or business affairs.191 The concept of private life is a broad one and information can be protected under article 8 in a wide variety of circumstances.192

9.131 In R (Wood) v Commissioner of Police of the Metropolis, Laws LJ explained the rationale for protecting private information in the following terms:

The notion of the personal autonomy of every individual marches with the presumption of liberty enjoyed in a free individual’s personal autonomy makes him—should make him—master of all those facts about his own identity...This cluster of values, summarised as the personal autonomy of every individual and taking concrete form as a presumption against interference with the individual’s liberty, is a defining characteristic of a free society. We therefore need to preserve it even in little cases.193

Thus, the information must, it is suggested, relate to the claimant’s private or family life, rather than to his or her commercial or business interests (which may instead be the proper subjects of an action for breach of confidence).

9.132  Information must relate to the claimant. Additionally, the private information must relate to the claimant rather than to another person. This is an ‘important difference’ between breach of confidence and misuse of private information: the former can relate to any kind of confidence; the latter is restricted to information relating to the claimant.194 This reflects the nature of the action for misuse of private information as a vehicle for upholding the human rights of that claimant rather than enforcing obligations of confidence voluntarily assumed by others.

9.133  Personal data protected under article 8 of the Charter. It is possible that, in the context of claims arising from interference with a claimant’s rights under article 8 of the Charter, the scope of protectable information may be wider than under article 8 of the Convention. This is on the basis that the Charter provision extends to any kind of ‘personal data’, and thereby ‘clearly goes further, is more specific, and has no counterpart in the ECHR’.195

9.134  Not known to the public. Second, the information must be private. This requires that the information must not be known to the public at large. An individual cannot complain of misuse of private information if that information is already in the public domain (provided that such publicity is not itself the consequence of the defendant’s misuse complained of). However, there is no requirement that the information be kept absolutely secret. In Browne v Associated Newspapers Ltd, Sir Anthony Clarke MR explained that there is:

potentially an important distinction between information which is made available to a person’s circle of friends or work colleagues and information which is widely published in a newspaper.196

9.135  Known to a limited circle. In Hutcheson v News Group Newspapers Ltd, Gross LJ held that the mere fact that otherwise private information is known within a ‘limited circle of people’ does not of itself preclude a claimant from objecting to wider publication, for example to the world at large.197

9.136 It follows that an action is not precluded where private information is known a small group of people, such as close friends or family of the claimant.198 It is an open question whether the restricted sharing of private information on social media (eg to close friends, or all friends) is consistent with such information retaining its private status. Ultimately, whether private information has become known to the public at large is a question of fact and degree that depends upon all the circumstances.

9.137 Third, the most important question which must be asked is whether the claimant has a reasonable expectation of privacy. Sometimes this is described as whether article 8 of the Convention is ‘engaged’ (or whether it applies on the facts of the case). Although sometimes framed as an expectation of privacy per se, the question of course relates to an expectation in respect of the information that the claimant seeks to protect. Overall, the question is one of fact and degree.199

9.138  The objective test. The overall test was articulated in Campbell in the following terms: whether a reasonable person of ordinary sensibilities, if placed in the same situation as the subject of the disclosure, rather than the recipient, would find the disclosure offensive. This is an objective test,200 as the Supreme Court emphasised in In re JR38. Lord Toulson explained that the test is an objective one, but is to be applied broadly and in light of the actual characteristics of the claimant.201 Lord Clarke added that

the concept of reasonable expectation is a broad objective concept and that the court is not concerned with the subjective expectation of the person concerned, whether that person is a child or an adult.202

Unlike breach of confidence, misuse of private information does not depend on the actual or constructive knowledge of the defendant, though some of the early cases involving receipt of private information do frame the issue in these terms. However, the broad multi-factorial test now preferred since Murray suggests that whether or not the defendant knew the facts giving rise to the expectation of privacy will not be decisive, though it may be a relevant factor.203

9.139  Relevant factors. Whether a reasonable expectation of privacy exists is a question of fact and will depend upon all the circumstances. Relevant factors have been held to include:


attributes of the claimant, including his or her age;204


the nature of the information, including in particular its subject matter and the level of detail in which it is expressed (eg the bare fact of an occurrence compared to information about the contents or details of that occurrence);205


what activity the claimant was engaged in, and the place where that activity occurred;206


previous disclosures made by the claimant;


where and how the information was obtained by the defendant;


the nature and purpose of the intrusion, considered from the perspective of the claimant;207


the consequences to the claimant of unfettered use or disclosure of the information;


the presence or absence of consent;208 and


whether that was known or could be inferred by the defendant.209

9.140  Applicable law. Where private information is obtained or created abroad, it may become relevant to ask whether to do so was lawful under the laws of that place. For example, in Douglas Lord Phillips observed that the lawfulness of the defendant photographer’s activity in New York would be relevant to the question of whether the claimants could have a reasonable expectation that the events would remain private.210

9.141 Similarly, in Weller, Dingemans J concluded that the lawfulness of the defendant’s photographs of the child claimants under Californian law was relevant but not decisive of that question.211 Ultimately, what mattered was the conduct complained of in England and Wales, the lawfulness of which depended on whether there was a reasonable expectation of privacy in that jurisdiction. On appeal, Lord Dyson MR accepted that the trial judge was entitled not to accord substantial weight to Californian law, because the claimants’ connection with California was slight, and the private information was published in England.212 This suggests that, even if there would be no reasonable expectation of privacy in the place where the private information was obtained or processed, misuse may be wrongful if such an expectation would exist in the country of publication.

9.142  Photography. Special considerations apply to photographs. This is because they present a ‘particularly intrusive’ means of invading privacy.213 The decisions of the European Court of Human Rights also afford particular weight to uses of photographs, since ‘a person’s image constitutes one of the chief attributes of his or her personality’ and reveals the ‘unique characteristics’ and distinguishing features of the person.214 In Weller the Court summarised these authorities and concluded that they demonstrated ‘a very relevant difference in the potentially intrusive effect of what is witnessed by a person...and the publication of a permanent photographic record’.215

9.143  Surveillance footage. In Kinloch v HM Advocate,216 no reasonable expectation of privacy was enjoyed by a person allegedly involved in laundering money in relation to the surveillance of his movements on public streets by police. Lord Hope offered the example of CCTV security monitoring of a person walking down a public roadway. Such a person should expect that his movements may be seen and recorded by CCTV, whether or not that disclosed criminal or lawful activity.217 This analogy suggests that users of an internet service that is widely known to monitor and record users’ activities may not have an expectation of privacy in respect of such information, at least insofar as the service provider is concerned.

9.144 Conversely, in Weller, the claimants had a reasonable expectation of privacy in respect of photographs taken of them in a kerbside café with their father, a well-known musician, in California. The photographs showed their faces and identified them by surname. Another relevant factor was that the defendant newspaper knew that the photographs had been taken without their parents’ consent, since the photographs were captioned ‘spotted’, though it did not know of the photographer’s promise to pixelate the children’s faces. This conclusion was unanimously upheld by the Court of Appeal.218

9.145  Proof of expectations. To establish an expectation of privacy requires evidence of the relevant circumstances to be adduced. Evidence should ordinarily be given by the individual affected by the alleged misuse: ‘Respect for the dignity and autonomy of the individuals concerned requires that, if practicable, they should speak for themselves.’219

9.146  Proportionality. Fourth, just because there is a reasonable expectation of privacy does not necessarily mean there has been an interference with privacy. That is a distinct question and the next stage in the inquiry.220 This involves conducting ‘the ultimate balancing test’ to determine whether there has been (or would be) a misuse of the information having regard to the comparative importance of freedom of expression. This proceeds according to the principles summarised by Lord Steyn in In Re S (A Child) (Identification: Restrictions on Publication):

First, neither article [8 or 10] has as such precedence over the other. Secondly, where the values under the two articles are in conflict, an intense focus on the comparative importance of the specific rights being claimed in the individual case is necessary. Thirdly, the justifications for interfering with or restricting each right must be taken into account. Finally, the proportionality test must be applied to each.221

9.147 The balancing exercise must be carried out in light of the decisions of the European Court of Human Rights.222Von Hannover v Germany states that ‘the decisive factor in balancing the protection of private life against freedom of expression should lie in the contribution that the published photos and articles make to a debate of general interest’.223

9.148 In Von Hannover v Germany [No 2] the Grand Chamber of the Court articulated several further factors which were relevant when conducting the balancing exercise: whether the material contributes to a debate of general interest; how well known is the person concerned and whether the material relates to the public’s right to be informed rather than having the aim of satisfying the public curiosity; the prior conduct of the claimant; the content, form, and consequences of the publication (including its degree of circulation); the circumstances in which the private information was recorded, and in particular whether consent was given; whether the recording occurred with the claimant’s knowledge or surreptitiously; the seriousness of the intrusion; and the impact upon the claimant.224 There will be considerable overlap with the factors relevant to determining whether there was a reasonable expectation of privacy.

9.149 Fifth, the claim must exceed a lower threshold upon the interference with an individual’s personal autonomy before article 8 is engaged. This is sometimes described as a ‘safeguard’ or ‘qualification’ upon the claimant’s right, which is designed to prevent unreasonable or disproportionate actions from being brought. The question is whether the interference involves ‘a certain level of seriousness’.225

9.150 Sixth, the right to privacy is not absolute. It is qualified in several important ways.

9.151  Freedom of expression. The most obvious qualification is article 8(2) itself, which accepts that the right may be curtailed for various legitimate purposes. For example, the right is most commonly qualified by freedom of expression. Additionally, the various limitations on injunctive relief may operate to restrict the availability or scope of a remedy.226 These limitations, and the wider balancing exercise that accommodates them, are discussed in chapter 13.

9.152  Legitimate interests of another. What would otherwise constitute an interference with privacy may be justified to protect the legitimate interests of another party. For example, in Tournier v National Provincial, Scrutton LJ accepted that an obligation not to disclose information would be subject to the qualification that disclosure would be permitted ‘when, and to the extent to which it is reasonably necessary for the protection of the [defendant’s] interests, against [the confidant]’.227 In that case, a bank sought to rely on confidential information for the purpose of defending its interests against a customer.

9.153 The Tournier principle was later extended to apply to any confidential business relationship.228 On this basis, it appears to be equally applicable to private information of the kind considered in Campbell and Douglas. In consequence, an internet intermediary may be permitted to breach confidence or use private information to protect its own interests against one of its customers.


See further chapter 12, section 1.2.


Coco v A N Clark (Engineers) Ltd [1969] RPC 41, 47 (Megarry J) (‘Coco’); Attorney–General v Guardian Newspapers Ltd [No 2] [1990] 1 AC 109, 268 (Lord Griffiths) (‘Spycatcher’); Campbell v MGN Ltd [2004] AC 457, [13] (Lord Nicholls) (‘Campbell’); Douglas v Hello! Ltd [No 3] [2008] 1 AC 1, 46 (Lord Hoffmann) (‘Douglas’).


See Tugendhat et al, Privacy and the Media (2006) 198.


See, eg, A v B plc [2003] QB 195, 212–13 (Lord Woolf CJ) (‘A v B’); Barrymore v News Group Newspapers Ltd [1997] FSR 600, 602 (Jacob J).


See, eg, Spycatcher; A v Director of Establishments of the Security Service [2010] 2 AC 1, 14 (Laws LJ), 26 (Lord Brown); Commonwealth of Australia v John Fairfax & Sons Ltd (1980) 147 CLR 39.


See, eg, Vestergaard Frandsen A/S v BestNet Europe Ltd [2010] FSR 2, 41 (Arnold J) (electronic databases).


See, eg, Creation Records Ltd v News Group Newspapers Ltd [1997] EMLR 444; Douglas; Campbell; Shelley Films Ltd v Rex Features Ltd [1994] EMLR 134.


See Nicole Moreham, ‘Privacy and Horizontality: Relegating the Common Law’ [2007] Law Quarterly Review 373, 374–5.


A v B, [9] (Lord Woolf CJ).


Douglas v Hello! Ltd [No 1] [2001] QB 967, 1011 (Keene LJ).


Writing extracurially, Millett LJ (as his Lordship then was) has noted that ‘it is something of a misuse of language to speak of a breach of confidence. The real subject of protection is privacy or secrecy, not confidence’: P J Millett, ‘Equity’s Place in the Law of Commerce’ [1998] Law Quarterly Review 214, 221 n 30.


Attorney–General v Newspaper Publishing plc [1988] Ch 333, 358 (Donaldson MR) (‘Spycatcher [No 1]’).


See, eg, Tom Davis, ‘RSA Encryption’ (Math Circles, 10 October 2003) <>; Free Software Foundation Inc, ‘The GNU Privacy Guard’ (GnuPG, 15 February 2011) <>.


See, eg, Anonymous, ‘What is Wikileaks?’ (2010) <>; Anonymous, ‘Openleaks’ (2011) <>.


Phipps v Boardman [1967] 2 AC 46, 102 (Lord Cohen), 127–8 (Lord Upjohn); Nichrotherm Electrical Co Ltd v Percy [1957] RPC 207, 209 (Lord Evershed MR). Cf Francis Gurry, Breach of Confidence (1984) 46.


Thus, it is said that there can be ‘no equity in iniquity’. However, this view may be in decline: see Woodward v Hutchins [1977] 1 WLR 760, 764 (Lord Denning MR); Khashoggi v Smith (1980) 124 SJ 149.


See, eg, Prince Albert v Strange (1849) 41 ER 1171, 1180; 1 Mac & G 25, 47 (Lord Cottenham LC) (‘privacy is the right invaded’); Wyatt v Wilson (Unreported, 1820, Lord Eldon).


Spycatcher, 282 (Lord Goff) (no confidence in public information); British Broadcasting Corporation v Harpercollins Publishers Ltd [2010] EWHC 2424, [56], [61] (Morgan J) (‘The Stig’); Thomas Marshall Ltd v Guinle [1979] Ch 227, 248 (Megarry VC)


The regime established by the Data Protection Act 1998 is discussed in chapter 10.


McKennitt v Ash [2008] QB 73, 83 (Buxton LJ).


Coco, 47 (Megarry J).


Parry-Jones v Law Society [1969] 1 Ch 1, 7 (Lord Denning).


Pollard v Photographic Company (1889) 40 Ch D 345, 351 (North J).


Saltman Engineering Co Ltd v Campbell Engineering Co Ltd (1948) 65 RPC 203 (‘Saltman’); Schering Chemicals Ltd v Falkman Ltd [1982] QB 1, 37 (Lord Denning).


See Mosley v News Group Newspapers Ltd [2008] EMLR 20, 709–10 (Eady J); Douglas; Campbell.


Spycatcher, 281 (Lord Goff).


O Mustad & Son v Dosen [1964] 1 WLR 109, 111 (Lord Buckmaster); Saltman, 215 (Lord Greene MR); Spycatcher, 285–6 (Lord Goff).


In most cases, this will be confirmed by express provision in the contract of service between the intermediary and the customer; see, eg, Data Recovery Lab Ltd, Data Recovery Service Terms & Conditions (2010) <> cl 4(i) (agreeing not to disclose externally any information stored on client equipment).


Shelley Films Ltd v Rex Features Ltd [1994] EMLR 134, 144 (Mann QC AJ).


Venables v News Group Newspapers Ltd [2001] Fam 430, 462 (Butler-Sloss P).


[2001] EMLR 957, [26] (Lawrence Collins J).


Vestergaard Frandsen A/S v Bestnet Europe Ltd [2013] 1 WLR 1556, 1563 (Lord Neuberger PSC) (‘Vestergaard’).


See also Spycatcher, 282 (Lord Goff).


Douglas v Hello! Ltd [No 1] [2001] QB 967, 1001 (Sedley LJ); Campbell, 472 (Lord Hoffmann).


See, eg, Thomas v Pearce [2000] FSR 718; see also R G Toulson and C M Phipps, Confidentiality (2nd ed, 2006) 79 (describing dishonesty as a ‘natural word’).


Stephens v Avery [1988] Ch 449, 456 (Browne-Wilkinson VC); Moorgate Tobacco Co Ltd v Philip Morris Ltd [No 2] (1984) 156 CLR 414, 437–8 (Deane J). Cf Royal Brunei Airlines Sdn Bhd v Tan [1995] 2 AC 378, 392 (Lord Nicholls) (‘Tan’).


Fraser v Evans [1969] 1 QB 349, 361 (Lord Denning). See also Richard Arnold, ‘Circumstances Importing an Obligation of Confidence’ [2003] Law Quarterly Review 193, 196.


Gurry, n 15, 5. See also HRH Prince of Wales v Associated Newspapers Ltd [2008] Ch 57, 125 (Lord Phillips); Norwich Pharmacal Co v Customs and Excise Commissioners [1974] AC 133, 141 (Lord Denning) (describing confidences as ‘sacrosanct’); Spycatcher, 255 (Lord Keith).


Cf Peter Birks, An Introduction to the Law of Restitution (1985) 343–4; Spycatcher, 281 (Lord Goff).


This conclusion was recently endorsed by Arnold J in Primary Group (UK) Ltd v Royal Bank of Scotland plc [2014] RPC 26, [211] (‘Primary’).


Tchenguiz v Imerman [2010] EWCA Civ 908, [54] (Lord Neuberger MR).


(1849) 2 De Gex & Smale 652; 64 ER 293. The Court reasoned that the information was a kind of property whose use the plaintiff had the right to control: at 697–8; 314 (Knight Bruce VC).


Prince Albert v Strange (1849) 1 Mac & G 25, 41, 44 (Lord Cottenham LC).


See Morison v Moat (1851) 68 ER 492, 502–3; 9 Hare 241, 263 (Turner VC).


Prince Albert v Strange (1849) 2 De Gex & Smale 652, 714; 64 ER 293, 321 (Knight Bruce VC).


[2004] 2 AC 457, 471 (Lord Hoffmann).


Morison v Moat (1851) 68 ER 492, 503; 9 Hare 241, 263 (Turner VC).


Cf Lipkin Gorman (a firm) v Karpnale Ltd [1991] 2 AC 548, 580–1 (Lord Goff). However, it may be incorrect to recognise such a general defence: see James Edelman, Gain-Based Damages: Contract, Tort, Equity and Intellectual Property (2010) 96–7.


(1758) 2 Eden 329; 28 ER 924.


[1893] 1 Ch 218, 235–6 (Kay LJ).


[1913] 2 Ch 469, 472 (Cozens-Hardy MR), 475 (Swinfen Eady LJ).


(1926) 136 LT 568, 573 (Clauson J).


[1971] Ch 680 (‘Butler’).


Butler, 690 (Goff J).


[1967] Ch 302, 333 (Ungoed-Thomas J).


[1965] 1 WLR 1 (‘Holloway’).


Holloway, 7 (Cross J).


Holloway, 6 (Cross J).


[1987] QB 670, 685 (Nourse LJ) (citations omitted).


Arnold, n 37, 195.


See, eg, Baden v Société Générale Pour Favoriser le Developpement du Commerce et de l’Industrie en France SA [1993] 1 WLR 509 (‘Baden’); Consul Development Pty Ltd v DPC Estates Pty Ltd (1975) 132 CLR 373, 376, 398, 412; Tan, 392.


Spycatcher, 260 (Lord Keith).


Spycatcher, 281 (Lord Goff).


Spycatcher, 281 (Lord Goff).


Campbell, 472 (Lord Hoffmann) (describing the change as ‘firmly established’); see also Earl Spencer v United Kingdom (1998) 25 EHRR CD 105; A v B plc [2003] QB 195, 207.


Spycatcher, 281 (Lord Goff). To the extent that separate impropriety was ever required, it was clearly abandoned here. There is, of course, nothing improper about examining a document abandoned or brought upon the breeze to a public place.


Toulson and Phipps, n 35, 81.


[1984] QB 44 (‘Fraser’).


Fraser, 65 (Hirst J).


[2000] FSR 138.


[1988] FSR 232.


[1969] RPC 41, 420–1 (Megarry J).


This corresponds to categories (iii)–(v) of the knowledge scale identified by Peter Gibson J in Baden,575–6.


Logically, this standard also encompasses actual knowledge and wilful blindness, since a reasonable person would know all that the recipient knew or shut his eyes to.


Pizzey v Ford Motor Co Ltd [1994] PIQR 15, 21 (Mann LJ); cited in Arnold, n 37, 197.


Cf In re Montagu’s Settlement Trusts [1987] Ch 264, 278, where, in the related context of dishonest receipt of trust property, Sir Robert Megarry VC commented that: ‘The cold calculus of constructive and imputed notice does not seem to me to be an appropriate instrument for deciding whether a [person’s] conscience is sufficiently affected for it to be right to bind him’; see also Bank of Credit and Commerce International (Overseas) Ltd v Akindele [2001] Ch 437, 455 (Nourse LJ) (Ward and Sedley LJJ agreeing).


[1994] EMLR 134, 146 (Martin Mann QC AJ).


Cf Creation Records Ltd v News Group Newspapers Ltd [1997] EMLR 444 (public area).


Campbell, 471 (Lord Hoffmann) (dissenting) (emphasis added).


Campbell, 465 (Lord Nicholls) (dissenting) (the duty arises where the recipient ‘knows or ought to know [information] is fairly and reasonably to be regarded as confidential’).


Campbell, 480 (Lord Hope) (Lord Carswell agreeing); see also Campbell, 495 (Baroness Hale).


Campbell, 480 (Lord Hope).


See also Arnold, n 37, 198–9.


[1995] 1 WLR 978, 1000, 1014 (Millett J).


See, in another context, Sinclair Investments (UK) Ltd v Versailles Trade Finance Limited (in rec) [2010] EWHC 1614 (Ch), [83]–[92], [98] (Lewison J).


Arnold, n 37, 199.


Prince Albert v Strange (1849) 2 De Gex & Smale 652, 714; 64 ER 293, 321 (Knight Bruce VC). As noted in para 9.22, Lord Hoffmann also read the case in these terms in Campbell.


[2002] EMLR 24 (‘Interbrew’). The Norwich Pharmacal order was overturned by the ECHR on art 10 grounds: Financial Times Ltd v United Kingdom [2010] EMLR 21, 543, 555–7.


Interbrew, 462–3 (Sedley LJ) (Longmore and Ward LJJ agreeing).


[2008] Ch 57, 77–8, 115 (Blackburne J).


[2003] QB 633, 663 (Lord Phillips).


[2002] EMLR 30, 629 (Morland J).


[2000] FSR 718.


Tan, 389 (Lord Nicholls).


Thomas v Pearce [2000] FSR 718, 723–4 (Buxton LJ), 726 (Gage J).


Prince Albert v Strange (1849) 2 De Gex & Smale 652, 714; 64 ER 293, 320 (Knight Bruce VC).


[1965] 1 WLR 1, 5, 6 (Cross J).


[1965] RPC 516, 529 (Wilmer LJ).


Coco, 419 (Megarry J). However, this case was decided at a time when the liability of accessories in equity was decided by reference to actual or constructive knowledge. In nineteenth-century cases, the language of ‘trust’ was less a term of art than a synonym for ‘confidence’; their meanings have since diverged in equity.


Toulson and Phipps, n 35, 79.


See, eg, Arnold, n 37, 194.


[2003] QB 633, 662–3 (Lord Phillips). The point was not pursued before the House of Lords.


Lorna Brazell, ‘Confidence, Privacy and Human Rights: English Law in the Twenty-First Century’ [2005] European Intellectual Property Review 405, 406.


Cf R Meagher, D Heydon, and M Leeming, Equity: Doctrines and Remedies (4th ed, 2002) 1131.


Gurry, n 15, 274.


Arnold, n 37, 196.


Gray v News Group Newspapers International Ltd [2011] EWHC 349 (Ch) [65].


[2003] EMLR 4 (‘London Regional Transport’).


London Regional Transport, [57], [58] (Sedley LJ) (Aldous LJ agreeing).


[2014] RPC 26, [223] (Arnold J).


Primary, [237] (Arnold J).


Primary, [239] (Arnold J).


Vestergaard, 1563 (Lord Neuberger PSC).


See chapter 5, section 3.


Vestergaard, 1564 (Lord Neuberger PSC).


Vestergaard, 1563 (Lord Neuberger PSC).


See para 9.31.


Christopher Wadlow, The Law of Passing Off (3rd ed, 2004) 5.


Spycatcher, 282 (Lord Goff).


Stephens v Avery [1988] 1 Ch 449, 454 (Browne-Wilkinson VC).


Saltman, 215 (Lord Greene MR).


Spycatcher, 177 (Donaldson MR); O Mustad & Son v Dosen [1964] 1 WLR 109.


Cf Spycatcher, 277–8 (Lord Goff) (derivative duties continuing to bind bookseller or publisher after disclosure).


The Stig, [58]–[61], [69] (Morgan J).


[2007] EWHC 2677 (Ch), [16], [23].


[2009] EWHC 591 (QB) (‘Barclays Bank’).


See also Attorney–General v Greater Manchester Newspapers Ltd [2001] EWHC 451 (QB). Butler-Sloss J held that information accessible on the website of a government department had not been disclosed so as to deprive it of confidentiality, since it was not realistically accessible to members of the public not engaged in statistical research: at [32]. Referring to this decision, Arnold J in Aegis v Stoner [2006] EWHC 1515 held that there was at least an arguable case that information published for several months on the defendant’s websites remained confidential.


Barclays Bank, [2]–[3].


Barclays Bank, [6] (which ‘admirably demonstrates that justice in this country never sleeps’).


Barclays Bank, [21].


Barclays Bank, [26].


Barclays Bank, [21].


Barclays Bank, [22], [33].


[2006] EWHC 1515 (Ch) (‘Aegis’).


Aegis, [62] (Arnold QC).


Aegis, [64] (Arnold QC).


See chapter 5, section 2.1.


Aegis, [63] (Arnold QC).


[2001] WL 98221 (QB) (Unreported, 26 January 2001, Master Leslie) (‘Joulebine’).


Joulebine, 7 (Master Leslie).


See nn 68–69 and accompanying text.


Hasan Deveci, ‘Hyperlinks Oscillating at the Crossroads’ [2004] Computer and Telecommunications Law Review 82, 90.


Aegis, [66] (Arnold QC).


(Unreported, High Court of Justice, Nicol J, 5 June 2015).


See Emma Cross, ‘Service of Proceedings via Instagram’ (The Injunctions Blog, 14 September 2015) <>.


Toulson and Phipps, n 35, 38.


Vestergaard Frandsen SA v Bestnet Europe Ltd [2011] EWCA Civ 424, [44]–[50] (Jacob LJ) (Chadwick and Jackson LJJ agreeing).


Cf Vestergaard [No 1], 42 (Arnold J).


Imerman v Tchenguiz [2010] EWCA Civ 908, [69] (Lord Neuberger MR) (‘Imerman’). Cf White v Withers LLP [2008] EWHC 2821 (QB), [8] (Eady J) (suggesting no cause of action would lie against solicitors in possession of confidential documents). This statement was not taken to preclude an action for recovery of the documents.


See Stephenson Jordan & Harrison Ltd v MacDonald (1951) 68 RPC 190, 195 (Lloyd-Jacob J).


See chapter 12, sections 3–5.


Imerman, [78] (Lord Neuberger MR).


Imerman, [78] (Lord Neuberger MR). Cf Lock International plc v Beswick [1989] 1 WLR 1268, 1274, where confidentiality was asserted only in respect of certain information.


See chapter 5, section 1.2.


Anonymous, ‘Wikileaks’ (17 March 2011) <>.


Websites such as OpenLeaks, whose aim is similar to WikiLeaks, may take a less interventionist approach to editing, but uploaded tend to be vetted by an anonymous community of volunteers before publication.


However, the website operator may very well have a defence under art 14 of the E-Commerce Directive: see chapter 12, section 5. The duty also arguably comes close to a general duty to monitor, contrary to art 15 of that Directive.


This would be on the basis identified by Toulson and Phipps, n 35, 73, and cited in Abernethy v Hutchinson (1824) 3 LJ Ch 209, that a person who knowingly assists in a breach of trust, confidence of contract by another commits an equitable fraud.


See, by analogy, chapter 8, section 1.2.


Both PayPal and took this course when faced with allegations that they were facilitating breaches of confidence and related criminal offences by WikiLeaks: Robert Mendick, ‘Paypal Cuts off Donations to WikiLeaks’ (The Telegraph, 4 December 2010) <>.


See section 1.5.


Spycatcher, 277–8 (Lord Goff).


Of course, the confidant cannot profit from his own wrong, and may be obliged to account for any profits or pay compensatory damages: Spycatcher, 288–9 (Lord Goff).


See also Vestergaard [No 1], 60 (Arnold J).


[2006] 2 CLC 739 (‘Ashton’).


Ashton, 767 (Jonathan Hirst QC) (describing the alleged conduct as ‘an outrageous attempt to gain access to privileged information’: at 756).


In most cases, liability would be predicated upon tort (specifically negligence) or contract (such as breach of an express or implied term of data integrity or security).


Interbrew, 463 (Sedley LJ).


Google Inc v Vidal-Hall [2015] EWCA Civ 311, [21] (Lord Dyson MR and Sha