On October 22, 2020, the Center for Information Policy Leadership (“CIPL”) in Hunton Andrews Kurth delivered its response to a request from the UK Department for Digital, Culture, Media and Sport (“DCMS”) for views and evidence regarding its review of representative measures according to § 189 of the Data Protection Act 2018 (“data protection authority”). Section 189 requires the UK government to review the functioning of the DPA’s representative action rules and report to Parliament by 25 November 2020.
In particular, the call for comments focused on the current application of the Data Protection Agency’s provisions which allow individuals to empower non-profit organizations to lodge complaints with the UK’s Information Commissioner’s Office (“ICO”) or to act on their behalf in legal proceedings. The call also addressed the question of whether new provisions should be introduced to allow organizations to act on behalf of individuals without express authorization.
After consulting with its members, CIPL provided the following feedback, among others:
- The existing means of redress offered by the current data protection system, including the possibility for individuals to bring individual claims before the High Court, join a class action or reject a representative action, are sufficient and should not be expanded without evidence to that this would have clear advantages. It is likely that expanding these redress options would divert resources and investments away from internal compliance programs when the interests of the data subjects are safeguarded through the proactive compliance activities of organizations, such as improving complaint handling.
- The ICO, not the courts, should be the first point of contact for data protection complaints. As an experienced and active regulator, the ICO is better able to receive and resolve such complaints and is more likely to lead to an outcome that adequately protects and reinforces the fundamental interests of individuals under data protection laws.
- The ICO should be given time to use the expanded powers envisaged by the DPA and to find the relatively new avenues of redress before further expansion. These existing paths have been used significantly since the implementation of the GDPR in May 2018. In the past two years, the ICO has received around 40,000 complaints from affected people. In CIPL’s view, these existing options are sufficient. If expanded, the creation of an ombudsman or certification bodies would be more appropriate legal remedies as an additional way of bringing claims through the judicial system.
- Rather than expanding already sufficient legal remedies and treating organizations and data subjects as controversial, the focus should be on greater transparency and better management of data subjects’ rights, organizational complaint procedures and data literacy between data subjects so that the latter are affected are able to fully understand their rights and to exercise them directly if necessary.
- Representative measures do not necessarily allow the actual loss of an individual to be measured, especially if data subjects are not even consulted. While some people may feel badly harmed by a data breach, others may view the risk of a breach simply as part of the dynamic of engaging with the digital environment and as a necessary compromise to benefit from using the relevant services. Other affected persons can suffer a much greater loss, but have to be satisfied with a lesser claim, since a common loss must be established among all applicants in a class. In such cases, the ICO is better able to assess the real impact on data subjects than the judicial system.
- Given the vital role data use plays in innovation and economic and social growth, the UK should focus on ensuring that it remains competitive in the world market. This includes ensuring suitable and effective means of protecting personal data. While representative measures play a role here, regulatory interventions can be more effective when designing responsible data handling.
Download a copy of CIPL’s full answer.