Author: Tom

The High Court in D’Aloia v Persons Unknown Category A & Ors [2024] EWHC 2342 (Ch) (full judgment available here), has recently dismissed claims brought by a Claimant, who was the object of a complex crypto based fraud, against Bitkub, a cryptocurrency exchange located in Thailand. Bitkub had allegedly received the Claimant’s Tether, a ‘stablecoin’ which essentially pegs its value to the US Dollar and is backed by reserves (USDT).

The Claimant alleged that Bitkub held USDT which he had initially transferred to fraudsters (the First Defendants and persons unknown), having believed he was making legitimate transfers to a regulated brokerage. The USDT, according to the Claimant’s expert witness, was subsequently dissipated by way of numerous transfers (or ‘hops’ as they were called in the proceedings) to various accounts. A proportion of the USDT allegedly ended up in an account referred to as the ‘82e6 Wallet’, which was operated by Bitkub and held by the Seventh Defendant, who was later identified as Ms Hlangpan. Ms Hlangpan then withdrew the USDT from the 82e6 Wallet and converted it into Thai baht, which was then withdrawn.

This judgment of 12 September 2024 dealt principally with the claims against Bitkub, with other claims against the other defendants (including the popular exchange, Binance) having been either previously settled, struck out, or been made subject to a summary judgment application. This recent judgment also comes after the widely publicised interim decision from the High Court on 24 June 2022, which allowed the Claimant to serve the proceedings on the unknown defendants and exchange defendants via NFT (judgment available here: D’Aloia v Persons Unknown & Others [2022] EWHC 1723 (Ch).

Following the recent trial, the Court found that the initial fraudsters (the First Defendants and peoples unknown) had held the USDT on constructive trust for Mr D’Aloia from the point the USDT was transferred to them, but that Bitkub had not similarly held the USDT on constructive trust for Mr D’Aloia. The constructive trust claim against Bitkub primarily failed on the basis that the Court could not find, as a matter of fact, that the USDT in the 82e6 Wallet had come from the Claimant. The Court was very critical of the methodologies used by the Claimant’s expert witness as part of his tracing exercise which led him to the 82e6 Wallet. This was essentially fatal to Mr D’Aloia’s claims against Bitkub.

The Claimant sought to argue (by way of a non-pleaded claim which arose at trial) that the constructive trust over USDT held by Bitkub, was essentially premised on the fact that Bitkub had failed to implement its own anti-money laundering (AML) procedures. The significant withdrawal and conversion of the USDT to Thai baht occurred amidst a backdrop of clearly suspicious account activity which Bitkub was aware of. This, the Claimant alleged, therefore provided the foundation for the finding of a constructive trust. The Court rejected this argument, partly on the basis that it had not been advanced prior to trial and that a previous application to adduce Thai law evidence as to Bitkub’s compliance with contemporary AML practices in Thailand (again made close to the start of the trial), had been rejected.

In dismissing the constructive trust claim, the Court noted that even if a trust could have been established, it would not have been in favour of Mr D’Aloia. This was despite the Court agreeing, amongst other points, (i) that Bitkub had fallen short of its own due diligence procedures which operated to prevent money laundering, by failing to impose a ‘block’ on Ms Hlangpan’s account when significant withdrawals which far exceeded the daily limits contractually placed on her by Bitkub were made, and (ii) that Ms Hlangpan’s Bitkub account was being used to launder the proceeds of fraud and that the transaction volumes could not have originated from her legitimate income.

The Claimant also brought a claim in unjust enrichment against Bitkub. However, whilst the Court accepted that USDT had been held in the 82e6 Wallet and that Bitkub had arguably been enriched, this was not an enrichment which could be proven to have been at the expense of the Claimant, as the Court was not convinced that the 82e6 Wallet specifically held the Claimant’s USDT. This claim therefore failed on the same factual basis as the constructive trust claim.

Despite the Claimant being unsuccessful at trial, the case is significant, and potentially helpful for similar victims of crypto fraud, for the following key reasons:

1. Many of the issues and recent Court decisions involving crypto fraud, have not been made following a trial and therefore have arguably been of limited use as a matter of binding precedent. The D’Aloia case is the first of its nature to be made following a trial and has given credence to many of the findings outlined in previous ‘interim’ judgments. In turn, this has provided greater certainty for victims of crypto fraud as to how their claims might be dealt with by the English Courts, which are evidently willing to tackle the complex legal and factual issues involved.
2. The Court maintained that tracing through a mixed fund is not possible at common law, but is available in equitable claims and went onto accept that “in principle the USDT in this case could have been followed”. This is relevant in circumstances where cryptocurrencies are mixed in a ‘hot wallet’ by an exchange. The Court indirectly accepted that Tether Ltd (the entity that administers USDT) would likely have had the records necessary to follow the Claimant’s USDT successfully. Relevant to this, the D’Aloia judgment carefully considered the underlying nature of USDT as a class of cryptocurrency and in referring specifically to Tether Ltd’s white paper, noted that Tether Ltd has the power to create and destroy USDT. No evidence from Tether Ltd as to the Claimant’s USDT had been put before the Court, so it was unable to use such records to find that the USDT previously held in the 82e6 Wallet was indeed the Claimant’s. Accordingly, the Court indicated that such an information gathering exercise could be utilised by similar victims in future cases – a point which is likely to be extremely helpful to those seeking to follow and recover USDT specifically.
3. Through the Court’s extensive criticisms of the Claimant’s expert witness, it emphasised the vital importance of a robust and clearly explained tracing/following exercise and identified pitfalls that need to be avoided when carrying out such an exercise in the future.
4. The Court’s rejection of the Claimant’s constructive trust claim, which relied on Bitkub’s AML failings (which had not previously been pleaded), was not premised on the claim in theory being objectionable. Aside from the lack of convincing factual evidence that the Claimant’s USDT was held by Bitkub, the Court felt bound by the previous judge’s decision that the Claimant’s prior applications to make this argument by way of amended particulars of claim and adduce additional evidence in respect of it, had been rejected. Therefore, in circumstances where the internal AML procedures of an exchange have been manifestly inadequate, victims could in theory look to rely on these inadequacies in order to impose duties on exchanges as trustees – provided that the underlying trust claim is clearly pleaded and appropriate evidence adduced in good time.
5. The Court confirmed that a variety of defences, typically available to recipients of fraudulently appropriated funds, could in theory be available to an entity in receipt of fraudulently appropriated cryptocurrency (such as Bitkub)^[1].The Court also indicated that these defences may not be available in contexts where the recipient’s AML procedures were insufficient, as was the case with Bitkub.

The Court definitively confirmed that USDT is property^[2], with proprietary rights attaching to the USDT itself, rather than the right to control it (for example, by way of private key). This classification is vital in ensuring effective proprietary claims and remedies are available to victims of crypto-based fraud.

[1] including the defences of a good faith change of position, a bona fide purchaser for value without notice (specifically in relation to Tether) and ministerial receipt.

[2] Despite not being a chose in possession or a chose in action, it satisfied the test outlined in National Provincial Bank Ltd v Ainsworth [1965] 5 WLUK 32.

A judge in the United States has ruled that Fiona Harvey, the woman accused of stalking Baby Reindeer creator Richard Gadd, can continue her defamation claim against Netflix.

Baby Reindeer portrays the experiences of Richard Gadd, its creator and star, as his character Donny is stalked by a woman called Martha. Despite changing the names of the individuals portrayed, a California court found the series to be “heavily based on reality”. Like Harvey, the character of Martha is a lawyer from Scotland living in London, 20 years older than Gadd, who has previously been accused of stalking a lawyer in a newspaper article. The character also has an “accent, manner of speaking, and cadence… indistinguishable” to Harvey.

Within the story, Martha frequently posts on Donny’s social media pages. The content of one post, shown in the series, was in fact identical to a message posted by Harvey to Gadd in 2014. As we discussed in an earlier article, viewers discovered Harvey to be the real Martha within days of the show’s release via the process of jigsaw identification.

The fact that Harvey confirmed the suspicions around her identity on Facebook, and later took part in an interview with Piers Morgan, did not convince the court that her claim should be dismissed.

Whilst Harvey’s purported real-life actions were considered “reprehensible” by the court, district judge Gary Klausner ruled that the events shown in Baby Reindeer were “of a worse degree”, depicting Martha as a convicted criminal who had spent 5 years in prison for stalking, who sexually assaulted Gadd in an alley, violently assaulted him, and stalked Gadd by waiting outside his home for “every day for up to 16 hours a day”. None of these events depicted were in fact true.

Netflix sought to strike out Harvey’s claim, under anti-SLAPP laws, which allow a defendant to file a special motion to strike a complaint that is brought primarily to chill the valid exercise of free speech and petition. The court rejected this. The judge stated that “there is a major difference between stalking and being convicted of stalking in a court of law…there are major differences between inappropriate touching and sexual assault, as well as between shoving and gouging another’s eyes”.

A significant point the court took into account was the fact that each episode of the series opens with the sentence “this is a true story” being shown on-screen.  By contrast, Gadd’s theatre play, on which the series was based, claimed only to be “based on a true story”. The judge expressed concerns about the addition of this on-screen text and the fact that this would be likely to lead viewers to conclude that everything depicted was accurate, when this was not the case.

The court therefore denied the defendant’s motion to dismiss the defamation claim, stating that Harvey’s claim “has a probability of prevailing on the merits”.

Defamation

Although Harvey is pursuing her claim in California, this case continues to highlight some of the general legal risks around dramatisations of stories based on true events. In this jurisdiction, whether a depiction of a real person is defamatory or not would turn on factors such as whether they are identifiable, whether the events depicted are accurate, or whether viewers would understand that some aspects have been fictionalised for the purpose of the show. Use of taglines such as “based on a true story” can make viewers aware that the events depicted are not factual and help mitigate the risk of a defamation claim being brought.

The Government announced on 13 September 2024 an important change to the law which will help victims of intimate image-based abuse online.

The offence of sharing intimate images without consent will be made a ‘priority offence’ under the Online Safety Act, when the relevant provisions come into force from spring 2025. Priority offences reflect the “most serious and prevalent illegal content and activity” such as terrorism, fraud, selling illegal drugs or weapons, sexual exploitation or child sexual abuse.

What this means is that social media platforms will “need to put in place systems for removing illegal content when it does appear. Search services will also have new duties to take to reduce the risk users encounter illegal content via their services”. Failure to do so will lead to large fines imposed by the regulator OFCOM of up to 10% of a firm’s qualifying worldwide revenue.

This development builds on changes in the criminal law which came into force on 31 January 2024. These included extending protection to deepfake images as well as victims no longer having to prove intent to cause distress when intimate images have been shared without their consent. Victims can also pursue a civil claim for damages and other remedies for breach of privacy, breach of confidence, intentional infliction of harm, harassment and/or a breach of the UK GDPR.

Managing associate Louise Prince said “Today’s news is another positive step in the fight to tackle the rise in nonconsensual and abusive sharing or selling of private intimate images. It is absolutely essential that the law continues to keep in step with changes to technology and provide proper protection to victims of unlawful content online.”

The announcement of this change in the law can be found here: Crackdown on intimate image abuse as government strengthens online safety laws – GOV.UK (www.gov.uk)

The “consent or pay” model which allows websites to share users’ personal information unless they pay to keep their data private has now made it to the UK. “Consent or pay” pop ups last week appeared on many major UK news websites including Mail Online, The Daily Mirror, The Daily Express and The Independent, giving users a difficult dilemma. Either they agree and pay anything from between £1.99 to £4 monthly for a cookie-free experience, only seeing basic, non-targeted adverts, or they “allow” their data to be monetised. It’s a win-win situation for the media as either way there is an income stream.  This must be the objective given falling advertising revenue and could prove to be expensive for users who regularly consume media from many outlets.

Whilst this is not a new development as around 80% of German news websites already now adopt this model, the speed in which it has been adopted in the UK is surprising. In March 2024, the Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection, called for views on the model indicating that “in principle, data protection law does not prohibit [such] business models”.  They said “any organisation considering such a model must be careful to ensure that consent to processing of personal information for personalised advertising has been freely given and is fully informed, as well as capable of being withdrawn without detriment”. On the subject of fees, the ICO also said “should be set so as to provide people with a realistic choice between the options, with the provider capable of providing objective justification of the appropriateness of the level”.

Given the ICO’s position so far, there is little standing in the way of the new model at the moment but it is worth noting that the ICO also emphasised their “emerging thinking” … “should not be interpreted as confirmation that such an approach is legally compliant”. The consultation closed on 17 April 2024.

Managing associate Louise Prince said:

“The consent or pay model illustrates that privacy can sometimes come at a cost. It will be interesting to see the ICO’s upcoming guidance on cookies and similar technologies following the call for views, and what the EU has to say from a legal perspective. This may not be the end of the story and other websites may proceed with caution opting to wait and see what happens next both in the UK and Europe before implementing this significant change.”

The ICO’s call for views on the “consent or pay” business model can be found here: Call for views on “consent or pay” business models | ICO

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has issued a reprimand to a school in Essex in respect of its use of facial recognition technology (FRT) which infringed the UK GDPR.

The data controller, Chelmer Valley High School, are an academy school located in Essex providing education for around 1,200 students ages 11 to 18. The reprimand concerned FRT which processes biometric data to uniquely identify people and is likely to result in high data protection risks. The school had been using fingerprint technology to manage the cashless catering and canteen since 2016 and introduced FRT in March 2023.

The school was reprimanded for failing to:

1. Complete a data protection impact assessment (DPIA) – organisations must carry out a DPIA before you process personal data when the processing is likely to result in a high risk to the rights and freedoms of individuals. Under Article 35(4) of the UK GDPR, the ICO has published a list of processing activities that require a DPIA to be completed prior to the processing. The published list states that the processing of biometric data requires a DPIA where this is combined with any of the criteria from the European guidelines. These guidelines include the processing of data concerning vulnerable data subjects (such as children), and the use of new technological solutions. The school’s DPO has not completed a DPIA prior to the introduction of FRT in March 2023. Instead it was completed in November 2023 after the FRT had already been introduced.
2. Seek valid explicit consent from the students for the processing of biometric personal data – it had been relying on assumed consent for facial recognition, except where parents or carers had opted children out of the processing. Article 4(11) of the UK GDPR is clear that consent requires an affirmative action, and as such consent on an opt-out basis would not have been valid or lawful. Further to this, the majority of students would have been considered sufficiently competent to provide their own consent given Article 8 of the UK GDPR sets the age of which a child can give consent to the processing of personal data at 13 years old. The parental opt-out deprived students of the ability to exercise their rights and freedoms in relation to the processing between March and November 2023. The school has since refreshed consents by obtaining explicit opt-in consent from students.
3. Seek advice from their Data Protection Officer and consulting with parents or students before commencing with the processing. The ICO believed that had the school sought advice from their DPO, many of the compliance issues would have been identified prior to the processing commencing.

The reprimand recommends several further actions the school should take. Although such recommendations are not legally binding directions, it includes: completing a DPIA prior to new processing operations, or upon changes to the nature, scope, context or purposes of processing for activities that pose a high risk to the rights and freedoms of data subjects; amend the current DPIA to give thorough consideration to the necessity and proportionality of cashless catering, and to mitigating specific, additional risks such as bias and discrimination; and amend privacy information given to students so that it provides for their information rights under the UK GDPR in an appropriate way.

This enforcement action exemplifies of the importance of completing a DPIA prior to commencing any processing that is likely to result in a high risk to the rights and freedoms of individuals – it is clear that completing a DPIA as a “tick-box” exercise after commencing the processing will not be enough to comply with data protection laws.

If you would like to keep up to date on the latest in data protection, please get in touch to subscribe to our newsletter, The Data Download.

The King’s Speech last week gave us our first glimpse of the Government’s priorities for the new Parliament. 

From a tech perspective, in the run-up to the King’s Speech, the press were widely reporting that an AI Bill would be included. Although artificial intelligence (AI) did get a mention, there are two bills sitting under the Department for Science, Innovation and Technology and not one of them has AI in the title. These are:

• Digital Information and Smart Data Bill: which our team has summarised here.
• Cyber Security and Resilience Bill: which, considering the severe impact of the IT outage across the private sector and critical national infrastructure last week, seems very well timed.

In the King’s Speech itself, the Government stated it will “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”.

What does this mean?

This ties back to the Labour manifesto which stated that a Labour Government would ensure the safe development and use of AI models by introducing “binding regulation” on companies developing the most powerful AI models, and with what Peter Kyle (the now Minister for Science, Innovation and Technology) said at London Tech Week in June 2024: “At the moment there’s a voluntary code regulating AI, particularly frontier AI […] We would legislate to require the frontier AI labs to release their safety data. That’s to make sure we legislate the standards that are already in the voluntary code”.

There is some discussion now on how the Government might achieve this and under which bill – perhaps by granting a Secretary of State the power to create secondary legislation in relation to codes and standards? This could possibly be as part of the Cyber Security and Resilience Bill as the cybersecurity aspects of LLMs is something the AI Safety Institute has continued to focus on and, following the July global IT outage, this will not abate. Watch this space.

However, what does look possible is that for the many solutions underpinned by the “most powerful models” the Government may be hoping (with some justification) that by putting these standards on a statutory footing this will both wash through all industries, build greater trust and increase adoption. As companies move to increased AI adoption with potentially increased investment in digital, it will be interesting to see the impact of increased workers’ rights and whether this leads companies to increasingly focus on AI governance. Especially as employee rights and cybersecurity obligations are strengthened across all sectors and industries under this new Government and two significant and well known risks of implementing AI solutions are the cybersecurity of the solution and whether outputs produce discriminatory effects. Of course this may already take place by virtue of compliance with the EU AI Act for those providers or users with exposure to the EU market or EU customers.

What is clear is that while an AI Bill is not imminent, the use or reliance on outputs of AI are now well publicised and likely to get increased scrutiny, so a “buyers beware” approach is necessary in the absence of an AI governance regime that assesses and mitigates the risks while ensuring AI forms part of a digital transformation journey with maximum use and efficiency gain.