The Government’s own goals on data privacy

The UK Government has decided not to take up an optional power to improve data protection enforcement. GDPR 80.2 would have allowed organisations like Open Rights Group to take complaints about breaches of data protection law to the ICO, and on to the courts if necessary, without the data subject’s consent. Despite overwhelming evidence from all privacy, children’s and consumer rights groups on the difficulties individuals face in taking complaints forward, and firsthand information from individuals on the lack of awareness of the ICO and support for such a power, the Government opted not to bring this power in.

Open Rights Group have supported the introduction of new enforcement powers over the years and over 300 supporters responded to the Government’s consultation expressing support for the provisions. These submissions represented the vast majority of the 345 responses the Government received. There can be no doubt that we showed the public appetite for such enforcement powers.

As a result of this, the options for collective redress for systemic abuses of data protection and privacy in the UK are left to expensive court actions, such as the Lloyd v. Google case. While there is a space for damages claims, leaving it as the only option will increase costs for businesses and send more claims to the courts. Ironically, the increased burden on the courts is cited by the Government as a reason for abandoning 80.2. Instead of meeting its own goal for improving fairness, transparency and trust in the data economy, the Government have successfully scored a series of own goals.

Why we need 80.2

The 80.2 provisions in the General Data Protection Regulation would have allowed charitable or not-for-profit organisations active in the field of protection of data subjects’ rights and freedoms to take complaints to the Information Commissioner’s Office about alleged breaches of the General Data Protection Regulation without having to get the consent of data subjects.

This new enforcement power is an important addition to improve the options available for challenging data practices that breach data protection law but are currently not being sufficiently addressed, in particular highly complex systemic issues and taboo or sensitive processing. It would also have met the Government’s goals in the National Data Strategy of improving fairness, transparency and trust in the data economy.

Data processing is a deeply complex system, one which has much more activity going on behind the scenes than on the user-facing side, sometimes referred to as invisible processing. This makes it difficult for an individual to identify the scale of a systemic problem, let alone frame it as an actionable complaint. One leading example of such a problem is online advertising, in particular Real Time Bidding.

The practice of allowing bids from thousands of advertisers based on users’ personal information, including special category data such as mental health, ethnic and identity groups, or politics, has led the ICO to acknowledge it as a systemic problem containing practices which are unlawful, yet no enforcement action has been taken. This area of work is a perfect example of a systemic problem, visited on all of us every day we go online, that is often difficult to observe transparently enough to understand the breach. It would have benefited from an 80(2) type action being available for groups like ORG to take enforcement measures.

In other scenarios, there may be sensitive or taboo issues raised by the processing that mean individuals are reluctant to put themselves forward as the lead data subject in a complaint. Privacy International found in September 2019 that mental health websites were loading third-party trackers onto their websites that were subsequently used in advertising. This occurred before a user was able to give or refuse consent to allow for processing, a clear breach of GDPR standards.

However, unsurprisingly, no individual mandated Privacy International to take that complaint to a supervisory authority. This is likely because of the stigma attached to mental health. It would take a brave person to step forward and mandate an organisation to exercise their rights on their behalf. If 80(2) were available, an appropriate organisation could raise a complaint that this systemic and sensitive issue is occurring and bring it to the attention of the ICO or a judicial authority without the individual having to lose their anonymity or confidentiality to take the case on.

The Government also conducted their own research for young people, a specific category of individuals that the Commission was asked to consider. Two thirds had not heard of the ICO, and the majority thought that charities should be able to make complaints of data breaches without young people’s consent.

The Government’s Own Goals

Despite these clear examples of the need, and its own evidence from consultation with groups, the Government decided against adopting this power. They said there is no clear evidence that the ICO is not fulfilling its regulatory mandate with respect to supervision and enforcement against data breaches or other privacy risks with the resources available to it.

The ICO’s failure to fulfil its mandate is not the only reason to bring in these powers, and while we have raised concerns about the ICO’s enforcement of data protection law, there are reasons beyond the ICO’s operations to take this on, like the ones laid out above.

And finally, the Government sided with business who said they were concerned that implementing 80.2 could increase litigation costs and insurance premiums during a period of economic uncertainty. Instead, they say that the Lloyd v. Google case, due to be heard in the Supreme Court in early 2021, demonstrates the potential for a form of representative action to succeed under existing Rules.

Except that Lloyd v. Google is a court action that goes immediately to the court and does not pass through a regulator like the ICO. 80.2 would engage a regulator first before going to the lawyers and the courts. Secondly, Lloyd v. Google is a damages claim seeking compensation, a pretty significant damages claim that could land Google with a £3 billion bill. Both of these speak more to business concerns than 80.2, which explicitly removes compensation and first takes the case to a regulator. Enforcement through 80.2 aims at better data processing, not pounds on a balance sheet. The Government knew this, because our submission said this, yet they did not respond. These are the Government’s own goals that they may have to live with in the years to come.

The Government’s other own goal is failing to meet their own stated goals in their National Data Strategy for creating a data regime to provide confidence for individuals and groups in how their data is used. If they really meant this then 80.2 would have been an important example of meeting that aim. Instead they have ducked it and scored another own goal.

The Government have agreed that there are paths for improving access to rights and complaints to the ICO. These are things like giving more information online and providing names of organisations that might be able to assist in taking complaints under the 80.1 system. We will engage in discussions that would improve access to enforcement mechanisms, but ultimately the Government have missed the bigger, much more substantive point, and risk undermining their own aims in the long term.
