On 26 September 2023, it was reported that the comedian, actor, author and former Britain’s Got Talent judge, David Walliams, had issued a data protection claim against Fremantle UK, one of the independent television production companies behind the ITV smash hit talent show which has been broadcast since 2007.

Today, The Sun has reported on the detail of that claim, revealing that Walliams alleges that throughout the course of the production while he was a judge (between 2012 and 2022), he was (without his knowledge) continuously recorded on filming days and that transcripts of such recordings were prepared, retained and shared with Simon Cowell’s production company, Syco, on request.

It is not clear whether The Sun was provided with a copy of the claim by or on behalf of Walliams or if it was released to The Sun by the courts in accordance with the Civil Procedure Rules after the defendant had filed an acknowledgment of service (which is due within 14 days of service of the claim form).

In November 2022, The Guardian reported that it had been leaked a copy of transcripts relating to 3 days of recording at the London Palladium in January 2020 which revealed that Walliams had made “derogatory and sexually explicit remarks about contestants during the recording of an episode of the ITV show”. Walliams admitted making the comments stating “I would like to apologise to the people I made disrespectful comments about during breaks in filming for Britain’s Got Talent in 2020. These were private conversations and – like most conversations with friends – were never intended to be shared. Nevertheless, I am sorry”. One of the co-producers of Britain’s Got Talent, Thames, was reported to have acknowleged that the comments were private.

The claim form reportedly states that the recordings amounted to some 1,700 hours of audio recordings across 10 years and 145 episodes, in addition to 41,526 hours of visual recordings from 191 days of filming, and that the personal data processed in the context of such recordings and transcripts included sensitive personal data (under the Data Protection Act 1998) or special category personal data (under the GDPR and UK GDPR and Data Protection Act 2018) such as Walliams’ political views, religious beliefs, sex life and health: “Walliams complains some of the recorded material was private - including heart to hearts with Alesha about his marriage, divorce, spending sprees, sex life, relationships and his physical and mental health. They also covered the funny man’s political views, reasons behind his atheism and family disputes, his battle with food addiction, weight problems, his opinions of other celebrities and even the impact of his father’s death”.

While we have not seen the claim form or particulars of claim themselves at this time, and the claim could relate merely to the failure to appropriately secure the recordings and transcripts leading to the data incident arising in relation to the provision of a copy of a transcript to The Guardian, we anticipate that Walliams also alleges that potentially the recordings themselves, and certainly their prolonged retention and transcription, and sharing (authorised or otherwise) were not fair as a consequence of the alleged failure to provide transparency information and were neither necessary or proportionate to any lawful basis for processing his personal data.

While both the Data Protection Act 1998 and the Data Protection Act 2018 provide an exemption from certain obligations under the data protection legislation when processing of personal data is undertaken for the special purposes of journalism, art or literature, neither provides a blanket exemption but require that processing be undertaken with a view to the publication by any person of journalistic, artistic or literary material, the controller has a reasonable belief that compliance with the relevant provision would be incompatible with the special purposes and the final publication would be in the public interest.

We do not consider that any failure to provide transparency information in the above circumstances would fall within the scope of the exemption. Continuous recording - if reasonably necessary for practical filming and production reasons - could be justifiable as lawful processing or falling within the scope of the special purposes exemption, as could its prolonged retention as part of an archive of library material. The creation and prolonged retention of full transcripts of such recordings, including material which was never intended for broadcast - if that is the position - would be challenging to defend either as being necessary and proportionate or as falling within the scope of the journalism exemption. The existence and content of data protection compliance documentation such as retention schedules, data protection impact assessments, and legitimate interest assessments, will be relevant to the determination of these issues.

It is not known publicly at this stage how a copy of a transcript came to be provided to The Guardian, save that, in response to a request for comment from The Sun, a source at Simon Cowell’s production company Syco “insisted no transcripts were ever requested”. A personal data breach is defined in the GDPR and UK GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The mere fact that data is copied or stolen does not necessarily mean that this was the result of a breach of security. It is not known at this stage if Fremantle recorded a data breach in its own records as required by Article 33(5) GDPR and UK GDPR and/or reported a breach to the Information Commissioner, which it would be obliged to do within 72 hours of becoming aware of the incident unless it was judged unlikely to result in a risk to the rights and freedoms of individuals. The Information Commissioner’s ‘Overview of Data Protection Harms and the ICO’s Taxonomy’ identifies harms as including “Negligently, knowingly, or purposefully paving the way for emotional distress or disturbance (embarrassment, anxiety, fear) to occur”, “Negative impacts on rights and freedoms in and of themselves”, “Harms from thwarted expectations, through misuse, repurposing, unwanted retention or continued use and sharing of personal data, including a lack of commitment to the accuracy of data or lack of transparency”, “The cost in terms of time or money incurred in the avoidance or mitigation of harms or vulnerabilities related to data privacy”, “Negligently, knowingly, or purposefully paving the way for financial losses to occur”, and “Unwanted communications or intrusions that disturb tranquillity, interrupt activities, sap time or increase the risk of other harms occurring”.

Relevant to Fremantle’s liability is the question of whether in respect of any unlawful data processing activity that might be established it was reasonable foreseeable that this could lead to the harm that actually resulted.

The disclosure of personal data without the consent of the data controller is a criminal offence under s.170 Data Protection Act 2018, unless it can be established that (i) the person acted for the special purposes of journalism, art or literature, (ii) with a view to the publication of journalistic, artistic or literary material and, (iii) in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest, or the disclosure could otherwise be justified in the public interest. In such circumstances, the individual committing the offence is taken to be acting as a data controller in their own right, and is therefore responsible for compliance and any harm arising from non-compliance.

Even if there was criminal conduct, and a third party is the relevant controller in respect of disclosure to The Guardian, that does not necessarily mean that Fremantle can avoid liability for it. If the discloser were to be determined to be an employee of Fremantle, for example, or someone else so closely connected to it in a relationship akin to employment that the doctrine of vicarious liability ought to apply, then as set out by the Supreme Court in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 the question will be whether “disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment”. In that case, it was held that the Morrisons employee was not furthering his employer’s interests but was engaged in a frolic of his own and that Morrisons ought not to be held liable for the data breach in which the employee leaked staff payroll data online.

The Sun reported that Walliams is claiming £6.1 million in lost earnings, including £1m in Britain’s Got Talent earnings after the invitation to be part of the next series was withdrawn by “BGT bosses”, in addition to unspecified damages for psychiatric harm, distress and upset and the loss of control over his private information and legal costs, as well as the destruction of the recordings and transcripts, i.e. the right to erasure under Article 17 GDPR and UK GDPR.

The Sun reports that Walliams claims to be having “active suicidal thoughts” and has “lost the ability to be funny”. Walliams had previously revealed in his autobiography that he suffered from depression and had been diagnosed with bipolar disorder. The courts have confirmed in TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB) that it is appropriate to have regard to awards in personal injury claims when considering distress caused by a data breach to ensure that the to are not out of kilter. The 16th edition of the Judicial College Guidelines for the Assessment of General Damages in Personal Injury Cases note that psychiatric injuries are to be valued according to factors such as the impact on ability to work and relationships, whether medical assistance has been sought, the prognosis & effectiveness of treatment and any future vulnerability, with the most severe cases meriting awards of up to £115,730. Absent the significant claim for loss of earnings, damages awards in pure data protection claims have tended to be relatively low - sums of a few thousand pounds to the low tens of thousands, equivalent to a ‘less severe’ or ‘moderate’ psychiatric injury.

Even if Fremantle could be held liable for a breach of security or vicariously liable for the actions of an employee leading to the publication which resulted in the alleged loss of earnings, Walliams does not deny that he made the ill-judged and offensive remarks regarding BGT’s contestants. Whether these - and even these type of remarks - were commonplace, could be overheard by others, and who was aware of them within the relevant BGT and ITV entities will be relevant to whether it should be held liable for those alleged losses even if they can be established - but for the existence and disclosure of the transcript of the recording of the remarks, would the losses of earnings have occurred? In Sir Cliff Richard’s misuse of private information and data protection claim against South Yorkshire Police and the BBC in connection with the publicity surrounding the search of one of his properties, Mr Justice Mann took what might be considered a generous approach to the test of causation in relation to the various heads of special damage claimed by Sir Cliff.

Fremantle was reported by The Sun to have stated “we remain available and open to dialogue to resolve this matter amicably” and “we will examine the various allegations and are prepared to robustly defend ourselves if necessary”. Should the claim proceed, we expect liability to be hotly contested, and that juicy details of the inner workings of the production and the conduct of the judging panel will become matters of public record.

If you are a freelance journalist, content creator, independent production company, publisher, media organisation or other individual or entity wishing to understand how data protection law and the special purposes exemption applies to you and how to establish and implement a data protection compliance strategy and framework, please contact us.