Data protection representative actions consultation opened

The Department for Digital, Culture, Media and Sport (DCMS) has opened a consultation under section 189 of the UK's Data Protection Act (DPA) 2018. The consultation is part of a statutory review of the existing remit of non-profit organisations to make regulatory complaints and to bring court actions. The review is also to consider potentially extending the remit of non-profits in this area.

At the moment, section 187 of the DPA gives non-profit organisations the right to take a range of actions on behalf of individuals where those individuals have given their permission to be represented. Among other things, the existing provisions enable non-profit organisations to make a complaint to the Information Commissioner's Office (ICO) about a data controller or processor on an individual's behalf, and to bring court proceedings on an individual's behalf for remedies such as a declaration, injunction and compensation from controllers or processors through the courts.

According to the DCMS, uptake of the existing provisions "appears to be quite low". It said that up to January 2020 only around 65 of the data protection complaints the ICO had received since May 2018 had come from organisations on behalf of individuals. The ICO received a total of 41,661 complaints during the year 2018-19 alone. It is unclear whether reduced take up is the result of data subjects having little appetite to mandate non-profits to act on their behalf. The DCMS is seeking to understand whether the existing approach should be adjusted. 

In addition, the DCMS is now seeking views on whether to extend the provisions under the DPA. It has identified potential advantages and disadvantages to the idea, and has called on businesses and other stakeholders to input to the debate. Possible developments include non-profits making complaints on behalf of classes of individuals without those individuals having any involvement, or even knowledge that the complaints are being made.

The DCMS is also consulting on the possibility of non-profits bringing court proceedings in the same way. This would be a far-reaching change. Thus far only competition law claims have a dedicated opt-out class action procedure, although there has been recent case law on the use of the representative action procedure in Civil Procedure Rule 19.6 for data breach claims. If implemented in their entirety, the potential new rights would go further than is envisaged in the General Data Protection Regulation.

"The complex nature of our digital environment means it is often difficult for certain groups, particularly children and vulnerable adults, to be able to complain to the ICO or bring legal proceedings without representation," the DCMS said. "Individuals may be unaware that a breach of their data rights has occurred or that they can ask non-profit organisations to help them seek a remedy. Some may be reluctant to become embroiled in a potentially lengthy and stressful legal process, whilst others might decide not to take action to protect their anonymity for personal reasons."

"This provision would permit representative action on behalf of all individuals whose data rights might have been infringed, not only children or vulnerable adults. Some data breaches can affect millions of people and these provisions could provide a suitable remedy for everyone affected, regardless of whether they had expressly authorised a non-profit organisation to act on their behalf," it said.

"Nonetheless these new provisions also present risks, including their potential impacts on our courts, judiciary and regulator. Since the data protection legislation came into force, the ICO has seen a significant increase in complaints made by individuals about data controllers. It may be reasonable to assume that this number would increase further if organisations were permitted to act on behalf of individuals without their authority. There may also be a corresponding impact on the courts and tribunals. The government would need to consider the resource implications carefully when deciding whether or not to introduce new provisions, including the potential for an increase in the number of speculative claims," the DCMS said.

"Concerns have also been expressed that allowing a representative body to act without express authorisation could lead to speculative, vexatious, ‘ambulance chasing’ claims being brought which lack legitimacy and would be an unnecessary further burden on the ICO’s resources without yielding privacy benefits for UK consumers, undermining the link between a claim and measurable harm to specific consumers," it said.

The DCMS call for views and evidence is open to feedback until 22 October. The department is required to submit a report to the UK parliament on the operation of the representative action provisions in England, Wales and Northern Ireland by 25 November.