Relevant Case Law
These points are practical leverage — proof of how we challenge, not theory.
1) ParkingEye v Beavis [2015] UKSC 67
What happened: A motorist overstayed in a retail park with a 2‑hour limit and faced an £85 charge. He argued it was a penalty and unenforceable.
Decision: The Supreme Court held the charge enforceable. It protected legitimate interests and the signage made the terms clear.
How to use it: Test clarity and prominence of signs, amount of the charge, and whether the operator has a legitimate interest beyond punishment.
2) Ferguson v British Gas [2009] EWCA Civ 46
What happened: After ending her account, the claimant was pursued with repeated computer‑generated demands and threats for a debt she did not owe.
Decision: The Court of Appeal allowed a harassment claim to proceed even where contact was automated.
How to use it: If a firm bombards you with demands despite disputes or vulnerability, cite Ferguson. Automated bullying can still be harassment.
3) Duke v Moores [2024] (County Court, unreported)
What happened: Dispute over enforcement conduct and authority (visit logs, BWV, and council instruction).
Decision: County court outcomes vary; poor records and process undermine enforcement and fees.
How to use it: Demand the paper trail: warrant/authority, BWV, visit logs, council instructions.
4) Marriott International (ICO fine, 2020)
What happened: Compromise within the acquired Starwood systems persisted. Controls and due diligence were insufficient.
Decision: Significant ICO penalty; emphasis on security and accountability.
How to use it: Acquisitions and migrations do not excuse weak controls. Demand remediation timelines and governance proof.
5) British Airways (ICO fine, 2020)
What happened: Website compromise skimmed customer data.
Decision: Substantial ICO penalty; criticism of detection and security.
How to use it: Use BA to frame systemic security failures as governance issues, not one‑off mistakes.
6) Meta and behavioural ads (EU/UK guidance)
What happened: Regulators rejected “contract” or “legitimate interests” for personalised ads without consent.
Decision: Consent is generally required for personalised tracking.
How to use it: When firms profile vulnerable people or refuse objections, cite limits on legitimate interests and the need for consent.
7) Article 82 GDPR damages
What happened: Courts in the UK/EU confirm compensation for non‑material damage (distress), but de minimis claims are discouraged.
Decision: Distress alone can be compensable with evidence.
How to use it: Document harm: sleep, health, time, and vulnerability impact.
8) ICO maximum fines
What happened: UK GDPR allows up to £17.5m or 4% global turnover for serious infringements.
Decision: Penalties scale with gravity and mitigation.
How to use it: Argue seriousness where systemic failures and vulnerable groups are affected.
9) GDPR litigation trends (2024–25)
What happened: Courts emphasise disclosure, proportionality, and real harm.
Decision: Better evidence wins; triviality is discounted.
How to use it: Build tight bundles: timelines, exhibits, and requests for the balancing test when 6(1)(f) is claimed.
10) Equality Act in civil claims (Paulley v FirstGroup [2017] UKSC 4)
What happened: A wheelchair user was unable to access a designated space due to policy and practice.
Decision: Supreme Court reinforced reasonable adjustments and effective policy duties.
How to use it: When vulnerability is disclosed, adjustments are not optional; use this to pause or alter enforcement approaches.