UK: Government rejects opt-out GDPR class actions
Breach of data protection laws can result in both regulatory action by the Information Commissioner and civil claims in the Courts. Until relatively recently, civil claims were generally rare and compensation awards generally limited.
The GDPR significantly increased the regulatory sanctions for breach with fines of up to €20 million or 4% of annual worldwide turnover, but its adoption has also broadly coincided with a significant rise in civil claims now being pursued. Those claims include a number of ‘class actions’, such as the now-dismissed ‘opt-in’ Group Litigation Order against Morrisons and the ‘opt-out’ representative action against Google which will shortly be heard by the Supreme Court.
Consultation on statutory ‘opt-out’ class actions
Against this backdrop, the UK Government has now finished its review of the statutory representative action provisions in the Data Protection Act 2018 (the “DPA 2018”) and has concluded that there is not a strong enough case to introduce an opt-out collective redress mechanism for non-profit organisations.
The reason for the consultation is that when the UK government implemented the GDPR, it chose not to implement Article 80(2), which would allow non-profit organisations to make complaints to the UK Information Commissioner or bring legal proceedings on behalf of individuals who have not expressly authorised them to do so. However, it included provisions in the DPA 2018 for a process to review this decision. Following a consultation process which took place between August and October this year, that review is now complete.
Responses to the consultation
The government response notes that the views of those who responded to the consultation conducted last year were “polarised”. Privacy groups, consumer rights groups and children’s rights organisations argued that Article 80(2) should be implemented, so that non-profits can act on behalf of people who may be unable to represent themselves.
Many business groups argued that it should not be implemented. They raised concerns about the potential for more litigation, the potential for increased insurance premiums caused by the increased risk of litigation, and the possibility that this would deter small businesses and start-ups from entering or investing in the UK. Business groups also pointed to the risk of creating an industry for such actions which benefits lawyers and litigation funders more than ordinary people.
Ultimately, the government was not persuaded to introduce new legislation. The government gives various reasons for its decision, including that it sympathises with some of the concerns raised by business groups and that it had seen no clear evidence that the UK Information Commissioner, as one of the biggest data protection regulators in Europe, was not fulfilling its mandate with respect to supervision and enforcement, particularly in light of the significant fines recently issued to Marriott and British Airways.
The government also said that, in reaching its decision, it was “mindful” of developments in the case of Lloyd v Google, which “shows a form of collective action can proceed under the current framework where the parties to the claim share the same interest”. That case was brought under CPR 19.6, which does provide that a claim can be brought by one or more persons as representatives on behalf of others with the “same interest” in the claim. However, the scope of that decision is unclear. It is also subject to appeal to the Supreme Court in April and many of the same arguments that the government cited in favour of not implementing Article 80(2) apply equally to the Court of Appeal’s decision in that case.
The UK government has, over a number of years, stated that it will consider expanding collective redress mechanisms on a sector by sector basis. An opt-out collective redress mechanism was introduced for competition claims in 2015. Right now, it doesn’t appear likely that the data protection sector will be next.