CIPL Response to DCMS Representative Actions Consultation

On October 22, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the UK Division for Digital, Tradition, Media and Sport (“DCMS”) name for views and proof on its assessment of consultant actions below Part 189 of the Information Safety Act 2018 (“DPA”). Part 189 requires the UK authorities to assessment the operation of the consultant motion provisions of the DPA and supply a report back to Parliament by November 25, 2020.

Specifically, the decision for views centered on the present operation of the DPA provisions that let people to authorize not-for-profit organizations to lodge complaints with the UK Data Commissioner’s Workplace (“ICO”) or to behave on their behalf in court docket proceedings. The decision additionally addressed the query of whether or not to introduce new provisions to allow organizations to behave on behalf of people with out categorical authorization.

After consulting with its members, CIPL submitted the next suggestions, amongst different observations:

• The prevailing avenues for authorized redress supplied by the present knowledge safety regime, which embody the flexibility for people to deliver particular person claims within the Excessive Court docket, decide in to a bunch motion, or decide out of a consultant motion, are ample and shouldn’t be expanded with out proof that doing so would have clear advantages. It’s doubtless that permitting for an enlargement of those authorized redress choices would outcome within the diversion of assets and funding away from inside compliance applications, when the pursuits of information topics can be higher served by the proactive compliance actions of organizations, corresponding to funding in bettering complaints dealing with processes.

• The ICO, relatively than the courts, must be the primary port of name for knowledge safety complaints. As an skilled and lively regulator, the ICO is healthier positioned to obtain and resolve such complaints, and is extra more likely to produce a outcome that appropriately protects and enhances the basic pursuits of people below knowledge safety laws.

• The ICO must be given time to make use of the expanded powers supplied below the DPA, and for the comparatively new avenues of authorized redress to be established, earlier than any additional enlargement. These current avenues have seen important use for the reason that GDPR’s implementation in Might 2018–for instance, the ICO acquired roughly 40,000 knowledge topic complaints in every of the previous two years. In CIPL’s view, these current avenues are ample. In the event that they have been to be expanded, the creation of an ombudsman or certification our bodies can be extra acceptable types of redress than an extra route for claims to be made by the court docket system.

• As a substitute of increasing already ample authorized avenues for redress and casting organizations and knowledge topics as adversarial, the main target must be directed in the direction of facilitating better transparency and higher administration of information topic rights, complaints procedures from organizations and knowledge literacy amongst knowledge topics, in order that the latter are in a position to totally perceive their rights and train them instantly when crucial.

• Consultant actions don’t essentially enable for the measurement of true loss suffered by a person, particularly the place knowledge topics usually are not even consulted. For instance, whereas some people might really feel tremendously broken by a knowledge breach, others might contemplate the chance of a breach to be merely part of the dynamic of participating with the digital surroundings, and a crucial trade-off for the good thing about utilizing the related companies. Different knowledge topics might endure a lot better loss, however be pressured to accept a lesser declare resulting from the truth that a standard loss have to be established amongst all claimants in a category. In such instances, the ICO is healthier positioned to evaluate the true influence on knowledge topics than the court docket system.

• Given the numerous function that knowledge use performs in innovation and financial and societal progress, the UK ought to give attention to guaranteeing that it stays aggressive within the world market. This consists of guaranteeing acceptable and efficient means for safeguarding private knowledge. Whereas consultant actions have a task to play on this, regulatory intervention could also be more practical in shaping accountable knowledge dealing with.

Obtain a duplicate of CIPL’s full response.