In the consolidated claims of Mircom & GoldenEye v Virgin Media, the claimants sought court orders from the UK court requiring Virgin Media to disclose the names and addresses of tens of thousands of its broadband subscribers who, the claimants say, had unlawfully downloaded pornographic films.
The claimants required the individuals’ names and addresses in order to take action against those individuals for copyright infringement. Without Virgin Media’s assistance, the claimants were only able to identify the alleged infringers’ IP addresses.
Obtaining information from an innocent third party (in this case, Virgin Media) so that the claimant can take action against a potential defendant (here, the individual broadband customers) is a well-established form of relief available in the English courts. It is often referred to as Norwich Pharmacal relief following the 1970s litigation which established the availability of the remedy.
In this application, the claimants failed for multiple reasons that we explore below. In short, whilst the court had no objection in principle to ordering Virgin Media to disclose its subscribers’ information to Mircom and GoldenEye to ground an IP claim, the factual and expert evidence which the claimants put forward in support of their application was found to be fundamentally defective.
Has the legal test changed since the 2012 GoldenEye litigation?
When considering the grant of Norwich Pharmacal relief, the court considers whether:
(i) “arguable wrongs” have been committed against the claimants;
(ii) the respondent (i.e. Virgin Media) is “mixed up” in the arguable wrongs;
(iii) the claimants genuinely intend to try to seek redress for these arguable wrongs;
(iv) the disclosure of the requested information (i.e. the individuals’ names and addresses) is necessary in order to enable the claimants to pursue that redress;
(v) the order sought is proportionate having regard to the privacy and data protection rights of the intended defendants; and
(vi) the court should exercise its discretion in favour of granting relief.
Those principles are well established and are summarised in the Court of Appeal’s judgment in an application made in 2012 by GoldenEye (one of the claimants in this case). Virgin Media argued (unsuccessfully), that two things had happened since the Court of Appeal’s 2012 judgment in GoldenEye’s application which meant that this new application could be distinguished:
Firstly, Virgin Media submitted that the Supreme Court’s judgment in Rugby Football Union v Viagogo  UKSC 55 had changed the approach which had to be taken. This submission was rejected, however, largely because the Viagogo case reached the Supreme Court before the appeal was heard in GoldenEye’s 2012 application, and there was no reason to suppose that the Court of Appeal was unaware of it when deciding the appeal. In addition, the approach set out by the first instance judge in the 2012 GoldenEye application was expressly approved as the “correct statement” by the Supreme Court in Viagogo.
Secondly, Virgin Media raised the prospect that the GDPR had fundamentally altered the balancing act which is required when the court considers ordering that one party discloses personal data to another in the context of civil proceedings. However, the court concluded that “nothing turns on the GDPR”. This was primarily because, in the UK, the GDPR is disapplied for many purposes connected to legal proceedings as a result of the provisions found in Schedule 2, Part 1 of the Data Protection Act 2018. In particular, Schedule 2 Part 1 contains provisions which disapply major parts of the GDPR “where disclosure of the data is required by…an order of a court”, and also where disclosure is “necessary for the purposes of establishing, exercising or defending legal rights”. These provisions, it seems, result in many of the more onerous provisions in the GDPR not applying to litigants and prospective litigants who receive personal data as part of the disclosure process which takes place.
The claimants also submitted that, if the disclosure order was made, the claimants would in any event be mere “data recipients” under the GDPR, rather than “data controllers” because they would not “[determine] the purposes and means of the processing of personal data”. It is hard to reconcile this submission with the evidence that the claimants would be processing the disclosed data in order to correspond with individuals and potentially commence legal proceedings against them, but this issue was not explored in detail. The fact that the GDPR was disapplied for many purposes connected to legal proceedings (as described above) seems to have been the overriding factor in the judge’s decision that nothing turned on the GDPR, rather than the more nuanced arguments about whether the claimants would be data recipients or data controllers once they received the disclosed data.
Defective fact evidence
The key reason that the claimants’ application was rejected was that their fact and expert evidence was deemed to be fundamentally flawed. By way of example, below are some of the defects in the evidence which were identified:
- The evidence was missing key exhibits, most important of which was the schedule of Virgin Media customers’ IP addresses for which the claimants sought the names and addresses.
- The evidence referred to some films which were not tied to any of the parties.
- One of the expert reports was over 9 years old, which was considered particularly fatal in the context of a report on computer software.
- Some of the expert reports contained no statements of truth, and did not comply in other respects with the court’s requirements for expert evidence.
These shortcomings in the evidence were considered fundamental, rather than merely technical. Whilst the claimants had offered to make the grant of the relief conditional on correcting the flaws in the evidence, the judge rejected this and instead required the claimants to make a fresh application.
Did the claimants have a genuine intention to use the personal data to seek redress for the infringements?
Although it was not part of the judge’s decision to refuse this application, he did go on to consider the question of whether the claimants had a genuine intention to use the requested Virgin Media customer data to seek redress by enforcing the claimants’ intellectual property rights.
Virgin Media’s view was that the claimants’ real motive was to use the subscribers’ information as part of a money-making scheme which was designed to embarrass and coerce as many people as possible (regardless of whether they were actual infringers) into making the payments demanded.
The judge did not have a great deal of information before him in order to decide this point. However, he did have evidence that, following a similar order made in 2014 in favour of Mircom, the claimant had sent demand letters to 749 people. Of these, 76 admitted liability and 15 settled the claim without admitting liability. No proceedings were commenced, despite the remaining 658 recipients apparently not reaching any settlement with Mircom. Virgin Media suggested that this demonstrated that the claimants had no intention to seek redress.
The judge did not reach a conclusion on this point, but it appears clear that in any future application the court will expect to see evidence that the applicants have a genuine intention to try to obtain redress for the infringement rather than merely trying to “shakedown” (in Virgin Media’s words) embarrassed individuals.
Whilst this case does not signal any fundamental shift in the legal position in relation to Norwich Pharmacal relief, it is an important and interesting judgment for three main reasons.
Firstly, it serves as a good reminder that litigants need to ensure that their evidence is appropriate before asking the court to make any order, and particularly so when seeking an order which requires an innocent party to disclose the personal data of tens of thousands of its customers.
Secondly, it appears to be clear that in situations where an applicant has obtained Norwich Pharmacal relief on a previous occasion and then returns to court seeking an additional order, the court will be interested to see how the information previously obtained has been used. This will form part of the assessment of whether the applicant genuinely intends to try to seek redress for the wrongs it has suffered. This judgment suggests that evidence that the applicant reached settlements with only a small proportion of the alleged infringers will not suffice.
Third, the case considers the interplay between the GDPR, the UK’s civil procedure rules and the availability of remedies which have for many years been available to UK litigants, such as Norwich Pharmacal relief. Here, the judge decided that nothing turned on the GDPR, primarily because many of the obligations are disapplied where data is disclosed and processed as part of legal proceedings. This is likely to be seen as positive news for litigants receiving disclosure. However, we anticipate that this will not be the final time that the courts are asked to consider the impact, if any, of the GDPR on the obligations of litigants who receive disclosure in UK proceedings or use personal data in their possession for the purposes of enforcing their rights.