Prince Harry won a legal battle with the paparazzi using Europe's GDPR privacy law - and it gives the royals a powerful new weapon against the media
- Prince Harry won a legal dispute with Splash News, a photo agency which used a helicopter to take pictures inside his home.
- As well as arguing that they invaded his privacy, the Duke of Sussex also based his case on the photographers having mishandled his personal data under Europe's new GDPR law.
- This is an unexpected application of data law, which is more commonly thought of as governing large online databases and spammy mailing lists.
- It opens a new avenue in the royal family's never-ending struggle to keep parts of their lives out of the public eye.
- Visit Business Insider's homepage for more stories.
Prince Harry this week notched another victory in the royal family's long-running battle with paparazzi photographers, securing a "substantial payout" from an agency which used a helicopter to take pictures inside a house he was renting.
Potentially even more interesting than that is the way in which he won his battle - basing a legal case partly on a sweeping new European data law that is less than a year old.
According to a statement delivered to London's High Court on Thursday, in which the paparazzi agency Splash News apologized to Harry, also known as the Duke of Sussex (emphasis ours):
"This matter concerns a claim for misuse of private information, breaches of The Duke's right to privacy under Article 8 ECHR and breaches of the General Data Protection Regulation ("GDPR") and Data Protection Act 2018 ("DPA")."
Royals and celebrities arguing that media coverage invades their privacy is relatively well-trodden ground. Prince William and Kate Middleton famously won a payout from the French edition of Closer magazine on privacy grounds after it published topless photographs of Middleton while she was on holiday in Provence.
But pursuing photographers on the grounds that their business constitutes illegal data processing is a new strategy, and a use of GDPR that few would have predicted.
Much of the focus on GDPR has been how it would pertain to mass processing of data: social networks that know your phone number, businesses that send you marketing emails, banks which know your address and how much is in your account.
But, at least according to the thrust of Harry's legal argument, a photograph can be personal data too - even one of your home which you are not even in. One concern may have been that the photographs gave away Harry's address.
Harry's lawyers at Harbottle & Lewis declined to comment, as did Splash News.
PA Images via Getty Images
Once you accept that the pictures Splash took count as Harry's personal data, they have a whole host of obligations.
(It is worth noting that legal dispute did not involve a trial, so the issues were never argued in court. Although Splash apologized to Harry in the court statement, it did not admit specific wrongdoing, and could have argued that it did not in fact breach GDPR. It chose to settle instead.)
According to Article 5 of the law (full text), companies are obliged to handle data "fairly and in a transparent manner," and also to use it for "legitimate purposes."
You also need a reason to handle the data, like the subject's consent, some kind of contract, or be able to argue that what you did was "in the public interest" or for a "legitimate purpose."
But even from what was made public about the case, it can be seen that GDPR has given the royals another tool in their legal arsenal to fend off what they see as unjustifiable intrusion into their lives by photographers.
Legal experts have previously said that data protection legislation could give public figures a different way to beat the media in court.
Timothy Pinto, a senior counsel for the law firm Taylor Wessing, wrote an article about GDPR in media law, which said that it offers a potentially attractive alternative to claims of defamation of invasion of privacy. It said:
"To succeed in a defamation claim, the claimant must establish at least that: (i) the statement complained of is defamatory of him or her; and (ii) the serious harm to reputation threshold has been met. For a privacy claim, the claimant must establish that information is private.
"In contrast, a claimant relying on data protection law need not prove either of these things."
When GDPR came into force in May 2018, less than one week after Harry and Meghan Markle's royal wedding, it seemed largely designed to punish companies for data breaches, and crack down on spam email lists.
In light of this case, it looks like it could also end up fundamentally reshaping how celebrities and the courts enforce the hotly-contested boundaries between the parts of famous people's lives the public can see, and the parts they can't.