Amendment​ ​to​ ​Clause ​173​ ​:​ ​Supporting​ ​Consumer ​Rights ​for ​All

Need for implementation of collective redress mechanism

Research from consumer group Which? revealed that almost 1 in 5 consumers said they would not know how to claim redress following a data breach, and the same proportion (1 in 5) reporting they would not know who is responsible for helping them when data is lost.

Most importantly, three quarters of those surveyed said they would welcome an independent body helping to get redress on a collective basis.

These amendments speak to those concerns that people have, and are aimed at supporting consumers who too often find themselves at a loss about how to assert their rights.

Data Protection should be the same as other consumer rights. The benefit is already clear.

In consumer laws there is a power for private enforcers to take civil actions in courts to protect the collective consumer rights via enforcement orders. Which? are the only designated private enforcer.

In the financial sector, there is a power for Which?, Citizens Advice, the Federation of Small Businesses and the Consumer Council for Northern Ireland have the power to present “super-complaints” to the Financial Conduct Authority.

The “super-complainant” system is one of the reasons the Payment Protection Insurance misselling scandal was discovered, via Citizens Advice work.

There are empowered, independent enforcers of consumer rights in the traditional consumer sector and the consumer finance sector, but there is no equivalent status for digital consumer enforcers.

Powers for independent action are an important aspect of other consumer protection frameworks. The need for a similar framework in data protection is no different.

Supporting the next generation

Young people are often the target of advertising and analysis using their personal data. Some of these practices have had profoundly negative effects on children, creating social anxiety, as was raised in a Guardian article recently in a report on the debate of this Bill.

What is more concerning is that these practices appear to fall outside of the law, but enforcement is not taking place. A survey in 2015 by the Global Privacy Enforcement Network found that:

  • Only 1 in 3 websites surveyed by the ICO in 2015, had effective controls in place to limit the collection of personal information from children.
  • Only 24% of the sites encouraged parental involvement.

Adam Stevens, Information Commissioner’s Intelligence Hub commented on the Global Privacy Enforcement Network Report:

“…we saw some websites and apps gathering more information than we felt they needed, and sharing that data with third parties.”

However, Open Rights Group has seen no evidence or follow-up from the GPEN report that shows enforcement actions had taken place to improve.

These proposed amendments would increase the enforcement mechanism that would protect individuals that are most negatively affected, yet least capable of taking action.

The need for Amendments to 173.

Clause 173 gives effect to Article 80(1) of the GDPR, enabling data subjects to authorise a body, or other organisation which meets the conditions set out in Article 80 of the GDPR, to exercise certain rights on the data subject’s behalf. 

While welcome, this approach would require individuals to be aware that they are a victim of a breach of the law, which often people are not. These proposed amendments would enable organisations such as Open Rights Group to take action ‘independently of a data subject’s mandate’, if it considers that the rights of a data subject have been breached.

Clause 173 (1), would apply to processing to which the GDPR applies. These are processing which falls under the GPDR, such as:

  • A company established in the Union is processing or controlling the data of someone in the Union.
  • A company not established in the Union is offering goods or services to data subjectsin the Union.
  • Monitoring the behaviour of individuals as far as their behaviour takes place within the Union.

Clause 173 (2), would apply to processing to which the GPDR does not apply. These are practices and scenarios, such as:

  • Processing under Part 3 of the Bill (law enforcement processing).
  • Processing under Part 4 of the Bill (intelligence services processing).
  • If Britain were to leave the European Union, the same standards of enforcement for processing prior to and after leaving.

Amending 173 (1) and 173 (2) provides a single standard in the area of enforcement.

Article 2(2) of the GDPR states that the Regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law. To avoid data controllers being compelled to do an assessment of whether the activity they are engaged in falls inside or outside the scope of Union law, the Government design the Bill so that it contained provision to extend the GDPR standards to data processing to create a simple framework under which data controllers and processors can apply a single standard.

Support Amendments to 173(1) to incorporate Article 80(2) of the GDPR.

Amend 173(2) to support collective redress by not for profit bodies independent of a data subject’s authorisation.

If you have any questions or would like to discuss the proposals in more detail please contact Jim Killock, at