The Department for Digital, Culture, Media and Sport (DCMS) has opened a consultation under section 189 of the UK’s Data Protection Act (DPA) 2018. The consultation is part of a statutory review of the existing remit of non-profit organisations to make regulatory complaints and to bring court actions. The review is also to consider potentially extending the remit of non-profits in this area.
At the moment, section 187 of the DPA gives non-profit organisations the right to take a range of actions on behalf of individuals where those individuals have given their permission to be represented. Among other things, the existing provisions enable non-profit organisations to make a complaint to the Information Commissioner’s Office (ICO) about a data controller or processor on an individual’s behalf, and to bring court proceedings on an individual’s behalf for remedies such as a declaration, injunction and compensation from controllers or processors through the courts.
According to the DCMS, uptake of the existing provisions “appears to be quite low”. It said that up to January 2020 only around 65 of the data protection complaints the ICO had received since May 2018 had come from organisations on behalf of individuals. The ICO received a total of 41,661 complaints during the year 2018-19 alone. It is unclear whether reduced take up is the result of data subjects having little appetite to mandate non-profits to act on their behalf. The DCMS is seeking to understand whether the existing approach should be adjusted.
However, there is a developing area of law in the wider data privacy space in the UK in relation to opt-in group actions, with the Court of Appeal in England and Wales last year lowering the bar for bringing mass data protection claims. That case, in which Pinsent Masons, the law firm behind Out-Law, is acting, is subject to appeal before the UK Supreme Court.
The DCMS is now seeking views on whether to extend the provisions under the DPA. It has identified potential advantages and disadvantages to the idea, and has called on businesses and other stakeholders to input to the debate. Possible developments include non-profits making complaints on behalf of classes of individuals without those individuals having any involvement, or even knowledge that the complaints are being made.
In addition, the DCMS is consulting on the possibility of non-profits bringing court proceedings in the same way. This would be a far-reaching change. Thus far only competition law claims have a dedicated opt-out class action procedure, although there has been recent case law on the use of the representative action procedure in Civil Procedure Rule 19.6 for data breach claims. If implemented in their entirety, the potential new rights would go further than is envisaged in the General Data Protection Regulation.