Virgin Trains’ Release of Corbyn Video Not U.K. Privacy Violation

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

Virgin Trains didn’t violate U.K. privacy laws by releasing video of Labour Party leader Jeremy Corbyn searching for a seat on a train, the U.K. privacy office said July 12.

In August 2016, Corbyn complained publicly that a train on which he had ridden was so “ram packed” he couldn’t find a seat, and therefore “public ownership” of trains was necessary. In response, Virgin Trains East Coast, part of Virgin Rail Group, released closed-circuit television video of Corbyn passing by open seats on a train.

The Information Commissioner’s Office (ICO) determined that Virgin’s action wasn’t a privacy violation because Corbyn had already released his own video of himself seated on the floor of the train, and it was reasonable to expect Virgin to respond to Corbyn’s criticism of its service. “Virgin had a legitimate interest, namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests,” Steve Eckersley, head of the ICO Enforcement Team, said. “It would not have been possible to achieve Virgin’s legitimate interests without publishing Mr. Corbyn’s image.”

The case offers guidance to companies on the limited circumstances under which they may be able to use personal data in their own defense. However, because the ICO’s analysis is tied to the very specific circumstances of the case at hand, it may have limited, practical impact on companies’ consideration of whether they have a legitimate legal basis for releasing personal data.

From a company’s perspective, “it is a welcome view that there is a point beyond which personal data is sacrosanct, and that it can be used by a company to defend itself,” Hazel Grant, head of the privacy, security, and information group at Fieldfisher in London, told Bloomberg BNA July 12.

Legitimate Interest

The U.K. Data Protection Act requires companies to publish how they will handle personal data, and companies are liable under the law for not following those policies unless they have a “legitimate interest” for the processing.

Robert Johnson, legal director at Reynolds Porter Chamberlain LLP in London, told Bloomberg BNA July 12 that the incident “shows that the ICO is amenable to the view that correcting a misleading news report was in Virgin’s legitimate interests.”

Grant said the two-part analysis on “legitimate interest” provided by the ICO is not really a test and is not written down. It is just an assessment of what is legitimate in this particular circumstance, she said.

Although finding that Virgin had a legitimate basis to show Corbyn in the video, the ICO said the company violated the privacy of other passengers shown in the video it released. Virgin “should have taken better care to obscure the faces of other people on the train,” the regulator said.

The ICO decided not to take formal enforcement action because the release was a “one-off incident,” only three passengers were identifiable on the video, and they “were unlikely to suffer serious distress or detriment,” Eckersley said. However, the ICO required that Virgin provide details of its privacy policies and practices, and strengthen data protection training for its employees.

Companies seeking to defend their interests in the media by releasing personal data may have a legitimate interest, but “any disclosure should be carefully controlled and the data disclosed kept to a minimum” to avoid unlawful prejudice to the targeted individual or others, Johnson said.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security