This article was written by Kiril Waite.
The article Liam Ryan and I recently published on the High Court’s decision in Al‑Masarir v Kingdom of Saudi Arabia [2026] EWHC 119 (KB) has generated a good deal of correspondence in chambers. Al‑Masarir was, of course, a harassment case in the strict sense – covert intrusion into a personal device – but it confirmed that the surreptitious harvesting of private information and personal data is, in principle, capable of amounting to a course of conduct under the Protection from Harassment Act 1997, particularly where the victim is unaware of it at the time.
Predictably, that has prompted questions from insurer clients about covert surveillance of suspected fraudulent or exaggerated claims, and whether the GDPR adds a further layer of risk to investigative activity that, until recently, was thought of in essentially evidential terms. Rather than reply individually to each enquiry emailed to us, this note addresses most of the recurring points by reference to a decision that goes the other way: Kul v DWF Law LLP [2025] EWHC 1824 (KB), in which Eady J firmly rejected a GDPR challenge to a large‑scale similar fact exercise.
DWF acted for around 18 insurers defending personal injury claims brought via Ersan & Co Solicitors, where an unusually high proportion involved psychological injury supported by reports from a single psychiatrist who diagnosed a recognised condition in every case he assessed. DWF’s director of organised fraud compiled a witness statement and spreadsheet (“JS1”) drawing on data from 372 Ersan‑represented claimants – names, medical details, diagnoses and prognoses – in unredacted form, served on Ersan and filed with the court.
Three claimants applied to debar reliance on JS1 on data protection grounds. Those applications failed, an appeal failed before Freedman J, and an ICO complaint found no breach. By March 2023 a pseudonymised version had been directed. The three then issued separate UK GDPR proceedings in October 2023 seeking, in substance, to relitigate the issue.
Eady J dismissed the claims. The central question was whether it had been necessary to use actual names rather than pseudonyms when JS1 was first served. Applying Cooper v National Crime Agency [2019] EWCA Civ 16, necessity sits between “absolutely necessary” and “merely desirable”. DWF cleared that bar: its case management system was structured by accident rather than individual; initials and surnames were unreliable where accident victims travel together and share names; and Ersan’s prior conduct made it overwhelmingly likely that any summarised version would be challenged and the underlying material demanded in any event.
Crucially, JS1 was disclosed only to Ersan – the claimants’ own solicitors, and the original source of the underlying data – and to the court. The Article 6(1)(f) balance, undertaken on the South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 framework, came down decisively in DWF’s favour: a claimant who issues or threatens personal injury proceedings cannot reasonably expect their medical material to remain insulated from scrutiny by the opposing insurer’s solicitors.
Health data and child data made no difference. Article 9(2)(f) lifts the special category prohibition where processing is necessary for the establishment, exercise or defence of legal claims; Article 17(3) disapplies erasure in the same circumstances; and Schedule 2 paragraph 5(c) DPA 2018 displaces the Article 14 transparency obligation. C2’s status as a child, properly represented by a litigation friend, did not shift the balance.
Returning to the question that prompted these enquiries: Al‑Masarir does not, in my view, materially alter the position of an insurer carrying out proportionate surveillance and similar fact analysis in the context of suspected exaggeration or fabrication. Kul is the more directly relevant authority and provides a workable checklist:
Provided those factors are kept in mind, a GDPR challenge to legitimate fraud investigation should not get off the ground. Al‑Masarir expands the harassment toolkit; Kul reminds us that the GDPR does not, on a proper reading, deliver a parallel one.