The UK Authorities has revealed its response to final yr’s session reviewing the consultant motion provisions in s187 of the Data Protection Act (DPA) 2018.
DCMS session
As reported in my earlier post on the consultation, final Autumn, the Division for Digital, Tradition, Media and Sport (DCMS) consulted on present provisions within the DPA that allow people to ask sure non-profit organisations to complain to the ICO or convey authorized proceedings on their behalf for information safety infringements. Importantly, the DCMS additionally consulted on whether or not to increase these guidelines to permit non-profit organisations to take motion with out people’ consent. The proposed adjustments may have drastically elevated information controllers’ publicity to mass compensation claims for breaches of knowledge privateness guidelines.
If it ain’t broke don’t repair it
The session generated polarised responses, which illustrates the challenges of, and vary of views on, regulating information and digital points (see our Regulating Digital Hub for extra data). Critically, the Authorities has determined that there’s not a powerful sufficient case to introduce the proposed ‘opt-out’ rule on the premise that:
- While extra may very well be performed to extend people’ consciousness of the prevailing complaints procedures and redress mechanisms, the present regime already provides robust protections for people and routes for redress. The Authorities will work with the ICO and different events to sort out consciousness points with the prevailing framework.
- The ICO is finest positioned to take motion to sort out systemic dangers to privateness and information breaches. Though the ICO can’t award compensation to information topics, its enforcement instruments allow it to reply swiftly and pragmatically to offer impact to information privateness rights.
- Shifting to an opt-out system could be a “important step”. The Authorities would must be assured that such a change was proper within the context of knowledge safety legislation and in mild of potential unintended penalties, such because the dangers of accelerating litigation prices and insurance coverage premiums, which may have an effect on all information controllers, together with these with good compliance data, in addition to rising the workload of the ICO and the courts.
- Lloyd v Google, which is because of be heard by the Supreme Court docket this April, reveals the potential for opt-out collective actions for data-related claims beneath present provisions within the English Civil Process Guidelines. The Authorities “will proceed to observe developments on this space carefully…”
What does this imply for information controllers?
The Authorities’s choice to not introduce the proposed opt-out guidelines at this stage will probably be welcomed by information controllers. Nonetheless, everyone seems to be watching to see how the Supreme Court docket tackles comparable points in Lloyd v Google, which may nonetheless open the door to mass opt-out claims towards information controllers. As well as, the Authorities will little doubt be holding an in depth eye on the broader path of journey outdoors the UK in the direction of the implementation of collective redress mechanisms in numerous areas, such because the EU’s Representative Action Directive and home developments in international locations such because the Netherlands. It might due to this fact be flawed to imagine that that is the final we’ll see of a possible opt-out class motion regime in UK information safety legislation.
…the federal government is aware of developments within the Lloyd v Google case which is because of be heard within the Supreme Court docket, in early 2021. Though instances introduced beneath the civil process guidelines are completely different from claims introduced beneath Article 80(2) of the UK GDPR…they show the potential for a type of consultant motion to succeed beneath the prevailing Guidelines. The federal government will proceed to observe developments on this space carefully.
