Response to the Call for Evidence by DCMS: Review of Representative Action Provisions (Section 189, Data Protection Act 2018)

On 27 August 2020, the UK Department for Digital, Culture, Media and Sport published a call for views and evidence relating to the review of the Data Protection Act 2018’s representative action provisions. This is a summary of Privacy International's response to that call, with a full copy of our submissions to the DCMS available for download at the bottom of this page.

Key advocacy points

We believe that:

  • There is a need to raise awareness about the possibility of representative action for those individuals who may require it due to either a lack of knowledge of the process or a lack of resources to pursue a complaint.
  • The existing provisions for representative action brought on the authority of individuals are of little potential benefit to people with protected characteristics under the Equality Act 2010.
  • The Data Protection Act 2018 should be revised to allow non-profit organisations to act on behalf of individuals who have not given express authorisation, as detailed in Article 80.2 GDPR.

Section 187 of the Data Protection Act read with Article 80 of the GDPR gives individuals the option to seek assistance from public interest non-profit organisations to take action against data controllers which have infringed their data rights. In this role, non-profit organisations may:

  • make complaints to the regulator on the individual’s behalf;
  • represent the individual in the courts when seeking a resolution of those complaints; and
  • bring legal claims against organisations they believe are processing data in breach of the law.

These ‘representative action’ provisions are designed to help individuals who may not have the capabilities or resources to exercise their rights effectively on their own. This call was an opportunity for submissions of views on how these provisions are operating in practice and what impact the provisions have had on data subjects, particularly children, and non-profit organisations.

Below is a summary of some of the key points of Privacy International’s submissions to the call.

Low uptake of representative actions in the UK

We noted that there was a very low uptake of representative actions authorised by data subjects. We believe this is due to the fact that all the information gateways point to the data controller or regulatory authority as the right places to complain.

Data controllers are required by law to give that information according to GDPR Article 13.1; however, a simple search online (e.g. ‘data protection complaints’, ‘privacy complaints’, ‘where to complain’, etc.) will always come up with the ICO or the government site, which also points to the ICO.

There is a need to raise awareness about the possibility of representative action for those individuals who may require it due to either a lack of knowledge of the process or a lack of resources to pursue a complaint.

Representative action provisions and individuals with protected characteristics

We consider that the existing provisions for representative action brought on the authority of individuals are of little potential benefit to people with protected characteristics under the Equality Act 2010.

This is because, by authorising a qualified organisation to take up a complaint on their behalf, they would have to reveal sensitive private data – and few would be comfortable doing this. For example, Privacy International’s study of popular mental health websites (see submission for a summary of this study) revealed widespread sharing of highly sensitive personal data with advertisers and data brokers. It is not likely that many people with mental health conditions would come forward individually about misuse of their information.

We believe that the right to representation under GDPR 80.1 and Section 187 must not be limited but must apply broadly to not-for-profits that meet the conditions in Section 187 (3) and 187 (4) of the DPA 2018.

Acting on behalf of individuals who have not given express authorisation

Privacy International firmly believes that the Data Protection Act 2018 should be revised to allow non-profit organisations to act on behalf of individuals who have not given express authorisation, as detailed in Article 80.2 GDPR. The detailed reasoning we gave during the passage of the Data Protection Bill through Parliament on why this article must be implemented is still valid, and we stand by it in this present moment.

Since the majority of breaches of data protection law – such as unlawful data sharing or processing without a legal basis – affect hundreds of thousands of people rather than one individual, a mechanism for collective redress would save significant administrative and court time. Experience also shows that if cases are taken up for one individual only, infringing entities do not necessarily correct their practices to cover and benefit all individuals affected.

Additionally, allowing non-profit organisations to act on behalf of groups of individuals would be of benefit to people with the above-mentioned protected characteristics because they would not have to individually reveal personal, highly sensitive data while action would be taken on their collective behalf to ensure lawful processing of their data.

Download our full submission to the Department for Digital, Culture, Media and Sport Call for Evidence on the Review of Representative Action Provisions (Section 189, Data Protection Act 2018) below.