The Department for Digital, Culture, Media & Sport (DCMS) recently conducted a consultation as part of its statutory obligation under section 189 of the Data Protection Act 2018 (DPA) to review the effectiveness of existing provisions for individuals to mandate non-profit organisations to make regulatory complaints and to bring claims on their behalf for breaches of data protection law.
Stewarts responded to the consultation, which closed on 22 October 2020. DCMS will now consider whether to allow non-profit organisations to lodge complaints on behalf of data subjects on an ‘opt-out’ basis, in other words, without their express consent. The department is required to submit a report to parliament on the operation of the representative action provisions by 25 November 2020.
Stewarts’ response to the consultation included the following:
We believe that the DPA should be amended to introduce the ‘opt-out’ provisions contained in Article 80(2) of the General Data Protection Regulation (GDPR). The current ‘opt-in’ mechanism at Article 80(1) GDPR is in our view insufficient since it presupposes that an individual knows they have certain data rights, is aware they have been the victim of a breach, and has the time and resources to collate evidence of a claim with a view to mandating a non-profit organisation to pursue a complaint or remedy.
Allowing non-profits to initiate complaints without express authorisation would ensure that the GDPR rights of all affected individuals within a class are upheld, rather than only those of a knowledgeable minority with the time, inclination and resources to proactively pursue the matter. This would allow redress for harms that would otherwise go uncompensated, in a manner which best utilises the resources of non-profits that understand the requirements for a successful claim.
Impact on the regulator
The government raised concerns that the adoption of Article 80(2) could result in speculative or vexatious claims, and that allowing non-profits to act without the consent of individuals could result in a disproportionate administrative burden on the regulatory system. In our view, sufficient safeguards already exist to prevent this.
Given the highly specific criteria in the GDPR, only a small number of non-profit organisations will likely be eligible to lodge complaints or seek remedies on behalf of individuals, many of which are likely to be regulated by the Charity Commission or otherwise. We believe that granting new powers to this small pool of organisations expert in the area of personal data may, in fact, decrease the administrative burden on the regulatory system. This is because privacy groups will be able to carry out initial investigations, perform due diligence, make merits assessments and package up complaints relating to large classes of affected individuals into a single complaint, ensuring that many low level, unfounded or spurious claims are weeded out in a way that they are not presently.
Enabling non-profit organisations to take independent action without explicit consent would, therefore, help the Information Commissioner’s Office (ICO) to focus its resources better and ensure more effective enforcement.
Impact on the court system
In our view, the likely impact of introducing Article 80(2) GDPR would be manageable for the courts as any new system of collective redress would exist within the existing legal and judicial frameworks. For example, the costs regime in England and Wales acts as an effective deterrent to speculative and vexatious claims, given the loser pays the winner’s costs. This is a particularly acute consideration for a non-profit organisation, which will need to be convinced of the merits of any case (as required by Article 80(2)) before incurring its own legal costs let alone taking on adverse costs risk.
Arguments about speculative or vexatious claims were rehearsed in the run-up to the introduction of the opt-out competition law mechanism in the Consumer Rights Act 2015. But the Competition Appeal Tribunal has yet to certify an opt-out claim. While we are confident that the Supreme Court will clarify the framework for the opt-out competition law regime in Merricks v Mastercard, the absence of any certified claims after five years is far from pointing to Article 80(2) opening the floodgates to frivolous data protection claims which would put a disproportionate burden on the court system.
The courts are likely to impose further structure, not least through the certification process.
Impact on businesses
Adoption of these provisions should make it easier for the victims of GDPR breaches to obtain redress from businesses, which could have an impact on business. However, we believe that the focus should be on encouraging businesses to take measures to reduce the risk that GDPR breaches occur in the first place and to mitigate losses when these do nonetheless occur. Also, businesses should be encouraged to adopt a transparent approach with the victims of data breaches and offer sensible credit monitoring or other redress upfront. If these steps are taken, then there is unlikely to be a claim which a non-profit could or would seek to bring in any event.
We consider that the proposed measures would complement rather than duplicate existing mechanisms to compensate consumers in the event of a data breach. They would plug gaps, in particular the ability for individuals to obtain redress which they would otherwise not be aware they were entitled to or do not have the resources to pursue. Under the GDPR, the ICO has the power to issue considerable fines to businesses for contraventions of the GDPR. But this is a punitive measure, which does not address the issue of redress for individuals who have been the victims of a data breach, potentially involving sensitive personal data. The introduction of Article 80(2) would provide a mechanism to ensure that the provisions for redress for individuals are similarly robust.