Collective Redress: Government Position - Open Rights Group Response

The following is a briefing paper from Open Rights Group responding to the Government’s argument against strengthening the representation of data subjects on Day 6 of Committee Stage. Government’s position is in bold​. Open Rights Group’s response is in red.


Government’s position is in bold. Open Rights Group’s response is in red.

Government Position: Sufficient powers already in place

We believe that they are not required because the Bill already provides sufficient recourse
for data subjects by allowing them to give consent to a non-profit organisation to represent
their interests.

Lord Ashton of Hyde, Day 6 of Committee

Open Rights Group Response: Two separate rights

These two powers are separate.

The current powers aid those individual data subjects who have experienced a breach of their rights to extract a penalty from the data controller. The proposed amendment allows for not for profit bodies to complain without a data subject’s mandate. This means bodies can represent the interests of data subjects en masse without having to represent each individual data subject. Recent large scale data breaches like Equifax and Uber are examples of the type of situation that collective redress is a better system to operate than the current Government proposals.

Government Position: Premature power.

....the amendment is premature. If we were to make provision for article 80(2), it would be
imperative to analyse the effectiveness not only of Clause 173 and article 80(1) of the GDPR
but of other similar provisions in UK law to ensure that they are operating in the interests of
data subjects and not third parties.

Lord Ashton of Hyde, Day 6 of Committee

Open Rights Group Response: You already have the answer. The benefit is clear.

Similar powers exist in similar areas. The benefit is already clear.

The super-complainant system has been in place since 2002 under the Enterprise Act 2002 which allows designated bodies to take complaints on features of a market that appear to be harming the interests of consumers in the UK. There have been over a decade of the super-complaints system in different models, from oversight by the Office of Fair Trading to the Competition and Markets Authority now. It was via the super-complainant system that Citizens Advice Bureau brought the mis-selling of Payment Protection Insurance to the attention of the authorities.

To suggest that there is not enough evidence to speak to this form of mechanism is a disingenuous delaying tactic.

Government Position: Not necessary. The public can exercise their rights.

It is not true that when we have large numbers of data subjects they are unable, or too ignorant of their rights, to combine. For example, it is worth noting that more than 5,000 data subjects have brought one such action which is currently proceeding through the courts.

Lord Ashton of Hyde, Day 6 of Committee

Open Rights Group Response: 80(2) protects anonymity, and seeks to respond to ignorance or lack of interest.

The case is brought by a former executive director of Which?, the case run by the independent law firm Mischon de Reya. Not a well spring of organised Gentlemen on the Clapham Omnibus. Merely another example for 80(1) and not an example against 80(2). Also we’re not seeking a class action power, which this represents.

Ashley Madison hack was a huge data breach, affecting, it is estimated, hundreds of thousands in the UK, yet not one complaint was presented to the ICO. Why? Perhaps the sensitive nature of the information disclosed lead those affected to decide not to take on enforcement, and because no member of the public took the complaint, the ICO didn’t act. This amendment will help to address that discrepancy for actions against breaches of data protection laws.

There are lots of reasons people are unable or unwilling to take cases, ignorance could be one but embarrassment has to also be considered. And that factor is not solved with education and outreach. Whatever the nature of the service provided, a breach of data protection law is a breach of data protection law. Article 80(2) would provide another level enforcement that doesn’t rely on a data subject to reveal themselves to have been part of a sensitive datasets.

For further information please contact Jim Killock, Executive Director, Open Rights Group, jim.killock@openrightsgroup.org