Take 10 - 04 April 2025

Welcome to RPC's Media and Communications law update. This month's edition on key media developments and the latest cases.

A win for the media - Tengbo Yang v Secretary of State for the Home Department

On 21 March 2025, the Special Immigration Appeals Commission (the SIAC) granted the release of certain information regarding H6 v Secretary of State for the Home Department to the media. This was the case in which the SIAC determined that the Secretary of State had correctly identified Yang Tengbo (Mr Yang) as a threat to UK national security and was therefore entitled to exclude him from the UK. Mr Yang had previously been known as 'H6' pursuant to an anonymity order which he himself applied to lift in December 2024.

Three further categories of information were sought by the media and considered by the SIAC:

1) Information provided by Mr Yang which the SIAC had heard submissions on in private during the first day of the hearing of 9-11 July 2024 (the "personal information"). The SIAC decided that this information should not be released to the media since it did not relate to matters in the public interest [68], its disclosure could seriously harm Mr Yang, and would go against SIAC's duty of fairness towards him [69].

2) Information which Mr Yang alleged was imparted to him in confidence or was otherwise commercially sensitive (the "commercial information"). The SIAC granted the release of almost all of this information on the basis that there was no evidence of a contractual obligation of confidence [75] and that there is a substantial public interest in reporting the information since it pertains to UK companies and a member of the Royal Family being involved in international trading activities [82].

3) An unused witness statement from Mr Dominic Hampshire, a senior aide to the Duke of York, (and other evidence reflecting its contents) which supported the review of the decision to exclude Mr Yang from the UK. The tribunal permitted the release of the statement and other materials revealing its content subject to the redaction of two words since much of the content was not confidential [86-89]; it had been considered by the tribunal when making its December judgment [89]; and the open justice principle outweighed any non-contractual "expectation of discretion" when dealing with the Royal Family [90].

The documents are expected to be released to the media on Friday 4th April 2025, subject to any appeal. 

HXZ v NMX – Injunctions granted to businessman against blackmailing ex

Further to an ex-parte hearing on 13 March 2025, Mr Justice Ritchie granted both an urgent interim injunction against the publication of private information regarding the Claimant and an anti-harassment injunction in HXZ v NMX following allegations by the Claimant that the Defendant sought to blackmail him for varying amounts of money (from £30,000 up to £1 million) by threatening to publish naked pictures of him, details of his sexual history, and purported medical information.

The court held (unsurprisingly) that the Claimant had a legitimate expectation of privacy in relation to the photos (which were taken without the Claimant's consent), medical conditions and sexual history, and that these outweighed the Defendant's right to freedom of expression noting that she could have still 'told her own life story' without threatening to share the Claimant's personal information [41]. The threats made by the Defendant were considered to be evidence of a blackmail attempt. The blackmail threats plus the fact that some of the personal information had already been published were deemed sufficient to demonstrate that the Claimant had a good prospect of success in relation to a damages claim and an injunction on the basis of both what he thought she may do (a "quia timet" injunction) and on the basis of what she had already done [42]. The blackmail by the Defendant was held to amount to harassment and also almost nullified the Defendant's Article 10 rights to freedom of expression and disapplied the higher test for an interim injunction which would have granted the Defendant a more favourable stance [46, 52].

CPR SLAPP amends wait to come into force and will not come into force with the Civil Procedure (Amendment) Rules 2025

As previously reported, the Civil Procedure Rule Committee has made amendments to CPR 3.4 (Power to strike out a case) and CPR 44.2 (Court's discretion as to costs) in order to implement the anti-SLAPP provisions at sections 194-195 of the Economic Crime and Corporate Transparency Act 2023 (the 'ECCTA'). 

However bear in mind that whilst the Civil Procedure (Amendment) Rules 2025, containing such amendments, come into force on 6 April 2025, s1(2) of the statutory instrument makes it clear that the specific Rules regarding SLAPPs will only come into play once s.194 ECCTA is in force for all purposes, the date of which is still yet to be confirmed but is anticipated to be soon.

Freedom of Speech: the OfS, the FSU and the University of Sussex

The higher education regulator, Office for Students (OfS), has fined the University of Sussex £585,000 after its investigation determined that the University's governing documents failed to uphold freedom of speech by requiring positive representation of trans people and trans lives which it felt could prevent staff and students expressing opposing views. The investigation was triggered by the resignation of Professor Kathleen Stock, a senior academic, who left the University after students began a campaign of protests against her views on sex and gender, accusing her of transphobia and calling for her dismissal. The university intends to appeal the fine according to vice-chancellor Professor Sasha Roseneil.

The OfS's fining powers follow the introduction of further provisions within the Higher Education (Freedom of Speech) Act 2023 which granted the OfS the power to investigate and issue fines in relation to complaints over breaches of free speech from academics, external speakers and members of universities and required universities to have "robust" codes of practice to protect free speech (Government Press Release). The government announced it was dropping the implementation of these provisions back in July 2024. However, the Free Speech Union (FSU) responded by sending a pre-action protocol letter to the Education Secretary, demanding that she reverse her decision and continue with the implementation of the Act and threatening judicial review proceedings.

Online Safety Act: Providers now obliged to introduce measures protecting users against illegal harms

From 17 March 2025, online providers must ensure that they have implemented sufficient measures to protect users against illegal content (e.g. child sexual abuse material, terrorism, and fraud) as required by the Online Safety Act 2023 (OSA) and as set out under Ofcom's Codes of Practice. Providers will need to prevent users encountering illegal content online; mitigate illegal activity; remove illegal content; facilitate easy reporting of illegal content online; and provide a complaints procedure. The safety measures expected should be proportionate to the services offered. Different measures will be required depending on (for example) the types of service provided, the features of those services, the number of users the provider has, and how risky those services are.

Failing to comply with the OSA duties risks sanctions from Ofcom which has the ability to fine platforms who breach their duties up to £18 million or 10% of their worldwide revenue (whichever is greater) and to also seek court orders imposing business disruption measures (e.g. asking an advertising company to stop engaging with the business' service). This is a significant development from Ofcom's preceding video-sharing platforms (VSP) framework which followed the EU Digital Services Act 2022 upon which it has thus far based its investigations. Recent investigations founded on the old framework include Ofcom's May 2024 probe into OnlyFans' insufficient age verification measures (previously reported here) which recently allowed the platform to get away with a comparatively lower fine of £1.05 million than what it could have been subject to had it been investigated under the OSA's more stringent requirements.

ECJ Advocate General encourages the CJEU to allow WhatsApp's appeal against EDPB's decision

On 27 March, Advocate General Ćapeta recommended to the CJEU that WhatsApp's application for annulment against a decision of the European Data Protection Board (EDPB) should be declared admissible. The application had previously been declared inadmissible by the General Court and is the latest development in a long-running saga following a decision by the Irish Data Protection Commission (IDPC) in 2021 to fine WhatsApp €225 million for breaches of various provisions of the GDPR in relation to a 2018 privacy policy update. As part of the decision-making process following the investigation set out in the GDPR, lead supervisory authorities (such as the IDPC) are bound to consider and incorporate into their final decision the EDPB's views pursuant to Article 65 GDPR.

Whilst it is open for the subject of a decision made by lead supervisory authorities (such as the IDPC) to appeal it at national level before then seeking a preliminary reference to the European Courts, it can take several years to exhaust the national appeals process. The AG's Opinion considered that as the lead supervisory authority had no discretion as to the implementation of the decision, the EDPB's decision amounted to a challengeable act pursuant to Article 263(1) TFEU, and was challengeable by WhatsApp as a third party to that decision because it was "directly concern[ed]" by the decision as its legal position was affected by the outcome pursuant to Article 263(4) TFEU. If this Opinion is accepted by the CJEU, it will provide appellants with a route to challenge EDPB decisions quickly before final decisions are made by lead supervisory authorities. A number of appeals by other digital platforms are stayed whilst the outcome of WhatsApp's appeal is awaited, so the CJEU's decision will be one to watch for them. If the AG's Opinion is followed, it will be welcome news for those appellants and others who are currently under investigation for alleged breaches of the EU GDPR.

Communications and Digital Committee launches inquiry into media literacy

Parliament has announced that the Communications and Digital Committee has launched a new inquiry into media literacy in the UK "to establish a clear vision for what good media literacy should look like in the UK, and examine the barriers to achieving this vision." The inquiry will involve examining the roles and responsibilities of the Government, industry and regulators and identifying the key steps necessary to improve media literacy skills across the population.

Ofcom's research indicates that just 45% of adults in the UK feel confident in judging whether sources of information are true, whilst only 30% consider themselves able to identify whether content is AI generated. When faced with information they believe to be incorrect, only 26% would use a search engine to find a more reliable source with 24% saying they would check a trusted news website.

Evidence was heard on 25 March 2025 and 1 April 2025 from key thinkers in the field around the primary challenges facing the UK’s online information environment and the international approaches being taken to media literacy. Baroness Keeley, Chair of the Committee, noted: “The strength of our inquiry will depend on the quality of the evidence we receive, so I would encourage anyone with knowledge or an interest in this area to send in their views.”

Written contributions are invited until 5:00pm on Friday 11 April 2025. Submissions can be made by the public on an individual basis, or on behalf of organisations. Guidance and directions for how to submit evidence are available here.

Healthcare provider obtains a Persons Unknown interim injunction after cyber attack

The High Court has continued an interim injunction granted against "Persons Unknown" who were responsible for a ransomware attack on a national health and care organisation, HCRG Care Limited. Between around 26 January to 12 February 2025, the Defendant(s) operating under the name "Medusa" stole confidential personal data and made a ransom request [14].  HCRG Care Limited brought a claim for breach of confidence over the stolen data and an interim injunction was granted following an ex parte hearing in private given the active threat of dissemination of the data. 

The Judge was satisfied that the return hearing could take place in private as an exception to the principle of open justice. The Judge did not consider the Defendant(s) Article 10 rights were engaged given the context of criminal activity and threats to reveal sensitive private information [16]. However, the Judge was mindful of the potential implications for wider reporting on the incident [7]. Ultimately the Judge concluded that the Claimant had taken "all practicable steps" to notify the Defendant(s) and had notified other parties who had reported on the case and so permitted the hearing to take place in private.

In continuing the injunction, the Judge was satisfied that there was a serious issue to be tried, damages would not be an appropriate remedy given the sensitivity of the data involved, a cross-undertaking had been given and the balance of convenience was "plainly in favour" of continuing the injunction "to contain potential damage in the absence of any engagement from the Defendants" [17]. 

This case is a useful reminder that injunctive relief is available in the event of a cyber breach even where the identity of the attackers cannot be ascertained. The Court took a practical approach to the usual rules on service – allowing service via the Defendant(s)' web portal and later by email when the Defendant(s) disabled the chat function in what the Judge considered to be "blocking tactics" to prevent service [13].

Ofcom and Google called upon to use powers under OSA following individual complaint regarding the dissemination of intimate photos  

Lawyers from Mishcon de Reya and Leigh Day have partnered up to support a woman (Jane) after intimate images of her were posted online without her knowledge or consent. The site featured images of numerous women, including minors, uploaded without their consent. The photos are often posted alongside personal data of the individuals, including their names, social media profiles, relatives and location.

Leigh Day is encouraging Ofcom to use its powers under the Online Safety Act (OSA) to investigate the site, gather evidence to assist a full formal investigation, and consider imposing fines and a business disruption order. Mishcon de Reya meanwhile has taken the fight to Google, demanding that the site is delisted and pressuring Google to comply with its obligation to protect online users from illegal content under the OSA, or otherwise face the prospect of fines of up to 10% of its worldwide revenue issued by Ofcom.

The approach is interesting as the OSA was not introduced with the aim of offering private remedial measures to individual claimants but rather to place duties on the providers of user-to-user services as well as regulated search services to prevent online harms. It is perhaps notable that the OSA contains no equivalent provision to Article 54 of the EU's Digital Services Act (DSA), which gives claimants the right to compensation from providers for any damage or loss suffered due to a provider's failure to comply with their DSA obligations. It will be interesting to see how Ofcom responds, how interventionist it is in its approach, and how it applies its newly granted powers.

Journalists seek costs from Police Service of Northern Ireland (PSNI) after court hearings abandoned following delay in key evidence disclosure

Two journalists from Northern Ireland are seeking their legal costs from the Police Service of Northern Ireland (PSNI) for delays in disclosing important evidence in the proceedings. This follows the Investigatory Powers Tribunal's (IPT) ruling in December 2024 that a covert surveillance operation authorised by the former head of the PSNI was unlawful. See our previous edition of Take 10 for details on the ruling.  Barry McCaffrey and Trevor Birney were both awarded £4,000 in damages.

The IPT must now consider for the first time in its 25-year history whether it can award costs against government bodies accused of unreasonable behaviour. In a hearing on 17 March, the IPT heard that the PSNI had failed to disclose surveillance operations against the journalists until the night before two court hearings in 2024 which allegedly meant the hearings had to be abandoned. The PSNI argued that it would breach the tribunal's rules for the surveillance operations to be disclosed in open court. Judgment is awaited.

Quote of the fortnight

"Our online safety standards are not up for negotiation. They are on statute and they will remain.”

- Peter Kyle, Secretary of State for Science, Innovation and Technology, on whether the Online Safety Act may be a bargaining chip in tariff talks with the US.