Inaccurate personal data – what approach do the courts take and how do the principles of defamation law help?

In Pacini v Dow Jones & Co Inc, the court applied principles from defamation law to a data protection claim, to determine the meaning of allegedly incorrect personal data contained within two news articles. The case was the first to consider the single meaning of a statement as a preliminary issue in a claim solely based on data protection and the alleged inaccuracy of personal data.

25 April 2025

two people having a meeting

In Pacini v Dow Jones & Co Inc [2024] EWHC 2714 (KB), the court applied principles from defamation law to a data protection claim to determine the meaning of allegedly incorrect personal data contained within two news articles. The case was the first to consider the single meaning of a statement as a preliminary issue in a claim solely based on data protection and the alleged inaccuracy of personal data.

Background

The claimants were investment bankers and former senior executives of XIO, a global investment business. The defendant was the owner of the Wall Street Journal (WSJ), which is published worldwide on its website at WSJ.com. The claimants alleged that two articles published by the WSJ contained inaccurate personal information and should be erased or brought up to date as the articles remained accessible to subscribers. 

The articles reported allegations made by an alleged investor in XIO during a civil court action in the Cayman Islands. The allegation was that when they were executives of XIO, the claimants (along with other XIO executives) had defrauded the investor and received secret profits. The claimants denied the allegations and claimed that the investor had never been an investor in the company. The Cayman Islands proceedings had been abandoned by the time the claimants commenced their claim against the owner of the WSJ. 

The claimants said that their personal data in the WSJ articles was inaccurate and alleged breaches of the UK GDPR and the Data Protection Action 2018, including Article 5 of the UK GDPR, which provides that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject”; and
  2. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”.

They sought a compliance order and compensation under the Data Protection Act 2018 on the basis that the information was inaccurate and out of date and, therefore, being processed unfairly by the defendants in maintaining online access to the articles on the WSJ website.

The Issues for the Court

The Court had to determine two preliminary issues: 

  1. the meaning of the allegedly incorrect personal data; and
  2. whether any such data was criminal offence data within the meaning of the UK GDPR. 

This article discusses the first issue. 

Meaning of the allegedly incorrect personal data

The claimants referred to established principles from defamation law in arguing about the meaning of the allegedly incorrect personal data. There was a lengthy and detailed discussion of how the differences between the law of defamation and data protection may require alternative approaches to determinations of meaning. However, the judge was mindful that although the two legal regimes are distinct, unjustifiable incoherence should be avoided. Therefore, the judge proceeded on the basis that the single meaning rule, and the repetition rule, applicable to defamation claims, were also applicable to this data protection claim. 

The Single Meaning rule

In assessing the single meaning, a court will consider the following:

  1. The meaning that an ordinary, reasonable reader would give to the words.
  2. That this is an objective test and the publisher’s intention is irrelevant.
  3. The hypothetical reader is taken to be representative of those who read the publication. A financial publication’s readership would be taken to be persons with a degree of financial knowledge.
  4. The publication must be read as a whole and therefore any aggravating as well as mitigating or balancing aspects of the publication must be taken into context (any “bane and antidote”).
  5. The ordinary, reasonable reader is not naïve nor are they overly suspicious and “avid for scandal”. 

The Repetition rule

A publisher of a statement cannot avoid liability in defamation simply on the basis that they are reporting allegations made by someone else. Repeating an allegation made by a third party will be treated by the courts as if the statement was originally made by the person themselves. However, it does not preclude the court from finding that the repeated statement has a lesser defamatory meaning. The repeated statement’s single meaning will be assessed as though it was an original statement, and the court may determine that there are factors that reduce its defamatory meaning – for example, whether there is any ‘bane and antidote’ in the publication.

Decision 

In applying those rules to this case, the judge was troubled by the course that the proceedings had taken: “it seems to me that ‘data’ centrally concerns matters of fact, whereas ‘meaning’ is centrally concerned with the message conveyed by the material in question.” 

The WSJ argued that the repetition rule should be disapplied in data protection cases where there is a report of court proceedings. The argument was that to avoid a claim of defamation a party would need to prove that the allegation itself was true and that would make the “reporting of legal proceedings in which allegations that are reputationally damaging are made all but impossible.” The judge rejected that argument and held that the repetition rule will be applied to the articles including any parts that could be held to be a report on court proceedings. 

Nevertheless, applying the principles discussed above, the judge agreed that the meaning of the personal data in the articles aligned with the meaning contended for by the WSJ and determined the preliminary issues in its favour. The judge refused, however, to strike out the claim as abuse of process, rejecting the argument that the claim was “a statute-barred defamation complaint dressed up as a data protection claim”. The case could yet, therefore, proceed to a trial to consider the substance of the claim. 

Comment

The courts have been keen to highlight that while defamation law and data protection law are distinct, incompatibility should be avoided where possible. This case tested the boundaries of defamation law and data protection law. 

If this case is followed, the courts will apply both the single meaning and repetition rules when considering a data protection claim founded upon inaccuracy in media publications and this should be kept in mind when considering legal action. However, this approach does not appear to extend beyond media publications. The judge distinguished the approach for a data protection claim in respect of a media publication and in respect of other publications, stating that defamation principles did not and should not apply when considering, for example, the accuracy of health or financial records and that the principles set out in previous cases, and affirmed in this case, did not intend to set out general principles of data protection law but rather an approach specifically applicable to cases involving media publications. 

It also remains to be seen what compensation will be achieved (if any) for any established reputational harm. If it is determined following a trial, that the claimants are entitled to financial compensation for reputation harm in these circumstances, then that will be a significant development in data protection law. 

For further information on how we can help you please contact a member of our dedicated defamation and reputation management team.

This article was co-authored by Trainee Jamie Hadden.

Author(s):
Ruairidh Leishman