Rt Hon Matt Hancock MP
Minister of State for Digital
Department for Digital, Media, Culture and Sport
100 Parliament St
The Data Protection Bill presents you with a unique opportunity to legislate for a cost effective and administratively efficient mechanism for redress to be sought in instances of mass data breaches and systemic insecurities in connected devices. This will ensure the stated aims of the Bill – to make our data protection laws fit for the digital age, and to empower people to take control of their data - are upheld.
The Bill must include measures that takes into account the potential scale of data breaches.
Under the current system individuals have the right to seek redress from organisations when their data has been lost or misused. Whilst we wholly support the provisions in Article 80(1), which reflects the existing system, it is inadequate on its own in holding organisations to account. Further, given the potential scale of data breaches and the breach notification duty, a mechanism under Article 80(2) would save significant administrative and court time, in that it will avoid a myriad of individual claims.
Despite a commitment that the Government would use the Data Protection Bill to make it easier for those impacted by data breaches to have a clearer right of redress, the Bill currently fails to deliver the provisions that are needed.
Implementing Article 80(2) of the General Data Protection Regulation (GDPR) would create a collective redress regime for breaches of data protection law. This would complement the existing collective redress regime introduced under the Consumer Rights Act 2015 (“CRA”) which applies to infringements of competition law. The Courts have procedures and practices in place for the CRA, including ensuring only cases that have merit proceed, which could be adapted to apply to an Article 80(2) regime.
Article 80(2) would ensure a scheme whereby consumers are afforded effective and appropriate redress. It provides a mechanism whereby serious breaches of data protection,
which may affect the most vulnerable in society, are addressed and result in real change that benefits thousands if not millions of consumers in the UK.
It is time for the Government to do the right thing by amending the Data Protection Bill and facilitating the implementation of an effective system for collective redress. This would give consumers the voice they deserve when holding companies to account for loss of data.
We urge the Government to allow for not for profit bodies, as defined in Article 80(1) of the GDPR, to act in the public interest to help groups of affected people to seek collective redress from those in breach of their data protection obligations.
Alex Neill, Managing Director of Home Products and Services, Which?
Jim Killock, Executive Director, Open Rights Group
Caroline Abrahams, Charity Director, Age UK
Sue Lewis, Chair, Financial Services Consumer Panel
Gus Hosein, Executive Director, Privacy International
Jonquil Lowe, True Potential Centre for the Public Understanding of Finance (PUFin) and member of the Open Banking Consumer Forum