The UK government will not introduce new legislation to enable non-profit groups to raise data protection claims on behalf of individuals without their permission, it has confirmed.
The government had considered the option in a consultation exercise begun last year as part of a statutory review of the existing remit of non-profit organisations to make regulatory complaints and to bring court actions. After reviewing the feedback it received, however, it concluded that the case for introducing an opt-out procedure into law was not strong enough.
"There is insufficient evidence of systemic failings in the current regime to warrant new opt-out proceedings in the courts for infringements of data protection legislation, or to conclude that any consequent benefits for data subjects would outweigh the potential impacts on businesses and other organisations, the ICO and the judicial system," the Department of Digital, Culture, Media and Sport (DCMS) said.
Currently, non-profit organisations have the right under UK data protection law to take a range of actions on behalf of individuals where those individuals have given their permission to be represented. Among other things, the existing provisions enable non-profit organisations to make a complaint to the Information Commissioner's Office (ICO) about a data controller or processor on an individual's behalf, and to bring court proceedings on an individual's behalf for remedies such as a declaration, injunction and compensation from controllers or processors through the courts.
However, in rejecting calls to go further to introduce a new opt-out procedure, the government highlighted the existing protections for data subject rights provided for by the ICO in its supervisory activities, the potential for a new opt-out procedure to create uncertainty for businesses, and the lack of clarity that any benefits a new opt-out regime would bring would outweigh the risks.
The DCMS said: "Whilst the government acknowledges the views of respondents who said opt-out proceedings could be designed carefully to limit the risk of unmeritorious claims, it remains wary of the risk of unintended consequences. The government notes the views of business groups who say that new legislation could increase litigation costs and insurance premiums during a period of economic uncertainty. Changes in the level of risk and a hardening in the insurance market could affect all data controllers, including those with a good record of compliance."
In its consultation response, the DCMS said that it was "sympathetic to the views of respondents who said there should be clearer information to help people of all ages understand existing complaint procedures and redress mechanisms". It said it would work with the ICO and other interested parties to "consider ways to improve people’s understanding about seeking redress, including the potential role of non-profit organisations to act on their behalf". It said it would look into the possible introduction of a list or register on the government or ICO’s website detailing "relevant non-profit organisations".
While the question of whether an opt-out procedure will be introduced under UK data protection law has now been resolved, there remains a possibility of bringing a representative action under rule 19.6 of the Civil Procedure Rules. The UK Supreme Court is set to hear an appeal in April 2021 in the Lloyd v Google LLC case which concerns the law in this area. The case concerns a novel attempt to bring a claim on behalf of several million data subjects. Pinsent Masons is acting for Google in the case.