On October 22, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the UK Department for Digital, Culture, Media and Sport (“DCMS”) call for views and evidence on its review of representative actions under Section 189 of the Data Protection Act 2018 (“DPA”). Section 189 requires the UK government to review the operation of the representative action provisions of the DPA and provide a report to Parliament by November 25, 2020.
In particular, the call for views focused on the current operation of the DPA provisions that permit individuals to authorize not-for-profit organizations to lodge complaints with the UK Information Commissioner’s Office (“ICO”) or to act on their behalf in court proceedings. The call also addressed the question of whether to introduce new provisions to permit organizations to act on behalf of individuals without express authorization.
After consulting with its members, CIPL submitted the following feedback, among other observations:
- The existing avenues for legal redress provided by the current data protection regime, which include the ability for individuals to bring individual claims in the High Court, opt in to a group action, or opt out of a representative action, are sufficient and should not be expanded without evidence that doing so would have clear benefits. It is likely that allowing for an expansion of these legal redress options would result in the diversion of resources and investment away from internal compliance programs, when the interests of data subjects would be better served by the proactive compliance activities of organizations, such as investment in improving complaints handling processes.
- The ICO, rather than the courts, should be the first port of call for data protection complaints. As an experienced and active regulator, the ICO is better placed to receive and resolve such complaints, and is more likely to produce a result that appropriately protects and enhances the fundamental interests of individuals under data protection legislation.
- The ICO should be given time to employ the expanded powers provided under the DPA, and for the relatively new avenues of legal redress to be established, before any further expansion. These existing avenues have seen significant use since the GDPR’s implementation in May 2018–for example, the ICO received approximately 40,000 data subject complaints in each of the past two years. In CIPL’s view, these existing avenues are sufficient. If they were to be expanded, the creation of an ombudsman or certification bodies would be more appropriate forms of redress than an additional route for claims to be made through the court system.
- Instead of expanding already sufficient legal avenues for redress and casting organizations and data subjects as adversarial, the focus should be directed towards facilitating greater transparency and better management of data subject rights, complaints procedures from organizations and data literacy among data subjects, so that the latter are able to fully understand their rights and exercise them directly when necessary.
- Representative actions do not necessarily allow for the measurement of true loss suffered by an individual, especially where data subjects are not even consulted. For example, while some individuals may feel greatly damaged by a data breach, others may consider the risk of a breach to be simply a part of the dynamic of engaging with the digital environment, and a necessary trade-off for the benefit of using the relevant services. Other data subjects may suffer much greater loss, but be forced to settle for a lesser claim due to the fact that a common loss must be established among all claimants in a class. In such cases, the ICO is better placed to assess the true impact on data subjects than the court system.
- Given the significant role that data use plays in innovation and economic and societal growth, the UK should focus on ensuring that it remains competitive in the global market. This includes ensuring appropriate and effective means for protecting personal data. While representative actions have a role to play in this, regulatory intervention may be more effective in shaping responsible data handling.
Download a copy of CIPL’s full response.