Policy paper

Call for views and evidence - Review of Representative Action Provisions, Section 189 Data Protection Act 2018

Updated 23 February 2021

1. Introduction

Today’s economy and society are fuelled by the use of data. Digital technology has transformed every aspect of our lives, from the way we shop, listen to music, and socialise with friends through to how we apply for loans, pay our bills and engage with government services.

The government is committed to ensuring the UK is the best place to start and grow a digital business, trial new technology and undertake advanced research. It recognises that individuals need to have confidence in the way that organisations are using their data and that there are rules in place to protect their rights if something goes wrong.

In May 2018, new data protection legislation came into force,[footnote 1] which gave people more control over how their personal data is collected, used and shared. For the first time, it also gave individuals the option of asking relevant non-profit organisations[footnote 2] to help them take action against data controllers which have infringed their data rights. Individuals may ask non-profit organisations to: make complaints to the regulator on their behalf; represent them in the courts when seeking a resolution of those complaints; and bring legal claims against organisations who they believe are processing data in breach of the law.

These ‘representative action’ provisions are the focus of this call for views. They are designed to help individuals who may not have the capabilities or resources to exercise their rights effectively on their own. We are keen to hear your views on how these provisions are operating in practice and what impact they have had for data subjects, particularly children, and non-profit organisations. We would also like to hear from those against whom the rights to representation have been exercised. This could include businesses that may have been subject to a complaint or claim by a non-profit organisation on behalf of an individual or have seen an increase in what they consider to be spurious complaints or claims being made.

The government also wishes to seek views on whether to make new provisions that permit relevant non-profit organisations (as defined) and children’s rights organisations to undertake similar actions if it considers that an individual’s data rights have been infringed but without their specific authorisation.[footnote 3] This could, for example, allow representative action in the interest of individuals whose data rights are violated but who cannot readily authorise a non-profit organisation to act on their behalf, such as children or vulnerable adults. On the other hand, introducing new provisions may have an unintended impact on businesses and other organisations, and increase case volumes for regulators and the courts. The government would welcome views on the likelihood of these outcomes.

Purpose of the call for views

Section 189 of the Data Protection Act 2018 requires the government to review the operation of the representative action provisions in England, Wales and Northern Ireland[footnote 4] and provide a report to Parliament by 25 November 2020. This call for views is part of the government’s wider efforts to consult a wide range of stakeholders before laying a report later this year.

In particular, we wish to examine:

  • The operation of the provisions which allow individuals to authorise non-profit organisations to complain to the ICO or act on their behalf in certain proceedings in the courts and tribunals. Chapter 2 discusses this in more detail.

  • Whether to introduce new provisions to permit organisations to act on behalf of individuals who have not given their express authorisation, and whether to enable children’s rights organisations[footnote 5] to exercise some or all of the rights discussed above on behalf of children with or without their authorisation. See Chapter 3 for more detail.

When considering these issues, the Act also requires the government to consider the particular needs of children separately from the needs of adults, including the challenges that children of different ages may face in authorising or deciding whether to authorise other persons to act on their behalf, and what support they receive or may require.[footnote 6]

The government is keen to hear from individuals and organisations with an interest in these issues, including those active in the field of data protection, children and parents, children’s rights organisations and other persons who represent children, child development experts, representatives of vulnerable groups, trade associations and members of the general public. We would also like to hear from those who will be affected by the current provisions and any extension of them, particularly from the business community. The government also intends to consult the Information Commissioner’s Office and the judiciary on the operation of these provisions.

Details on how to respond are set out in Chapter 4. We look forward to considering your responses in due course.

2. Representative action brought on the authority of individuals

Under the UK’s data protection legislation, an individual (whether an adult or a child) can request non-profit organisations to act on their behalf to complain to the Information Commissioner’s Office (ICO), or to bring legal proceedings against the ICO or an organisation with regard to a breach of data protection legislation. In particular, a non-profit organisation can act on a person’s behalf to:

  • make a complaint to the ICO about a data controller or processor[footnote 7]
  • seek an order in the Tribunal requiring the ICO to respond to the individual’s complaint[footnote 8]
  • seek a judicial review of a decision made by the ICO[footnote 9]
  • seek a court order requiring a data controller or processor to comply with data protection legislation[footnote 10]
  • seek a court order for compensation from a controller or processor, except for processing under Parts 3 or 4 of the Data Protection Act 2018, which cover processing for law enforcement purposes and processing by the Intelligence Services respectively.

These provisions recognise that data protection legislation can be complex and individuals may benefit from assistance when seeking to exercise their rights. They were, of course, not intended as an avenue for organisations to make spurious claims for compensation or bring vexatious complaints to the ICO. They allow for representative action only where an organisation meets strict criteria, including where it has objectives which are in the public interest.

This chapter considers how the provisions have worked in practice since the legislation came into force in May 2018.

a) Making complaints to the ICO

Individuals may have diverse reasons for wishing to instruct a non-profit organisation to complain to the ICO on their behalf. They might not be sure how to make a complaint of their own accord, for example. Alternatively they might be aware that they are not the only person who has been the subject of a data breach and agree to join others in approaching a non-profit organisation to complain on their behalf. If the ICO finds that the relevant organisations have not complied with their obligations, it can give advice or compel action, using formal enforcement powers, to resolve the complaint.

Data from the ICO, provided in January 2020, suggests that they have received around 65 complaints from organisations on behalf of individuals since May 2018.[footnote 11] To put this in context, during the reporting period of 2018-2019, the ICO received a total of 41,661 complaints.[footnote 12]

b) Seeking an order in the Tribunal to require the ICO to progress a complaint

The ICO sets targets for dealing with all complaints it receives in a timely manner, whether they are made by individuals or organisations acting on their behalf. Enforcement action may not be taken in respect of every complaint, but the ICO will consider whether there is an opportunity to improve the practice of the organisations it regulates and share its decisions with the person who made the complaint.

If the ICO does not take appropriate steps to consider a complaint or fails to update the complainant on progress within three months of receiving the complaint, individuals or a non-profit organisation acting on their behalf can ask the Tribunal to make an order requiring the ICO to progress the matter. The government would be grateful for any evidence about the extent to which non-profit organisations have brought such applications on behalf of individuals.

c) Seeking a judicial review of a decision made by the ICO

Individuals may also authorise non-profit organisations to challenge the way the ICO made a particular decision by way of judicial review. The government is not aware of any judicial reviews that have been brought by non-profit organisations on behalf of individuals, but would be grateful for any relevant evidence in relation to this.

d) Seeking a court order requiring a data controller or processor to comply with data protection legislation

If an individual believes that an organisation handling their data is in breach of the data protection legislation, they can authorise a non-profit organisation to seek a court order requiring that organisation to take steps to comply. The government is not aware of any relevant proceedings brought by non-profit organisations on behalf of individuals, but would be grateful for further evidence in relation to this.

e) Seeking a court order for compensation

A non-profit organisation can also act on behalf of individuals to seek compensation from a data controller or processor, except for processing under Parts 3 or 4 of the Data Protection Act 2018, which cover processing for law enforcement purposes and processing by the Intelligence Services respectively. This might be appropriate where breaches of the legislation have, for example, caused financial damage to the individual or non-material damage such as distress. As above, the government is not aware of any claims for compensation brought in the courts by non-profit organisations on behalf of individuals, but would be interested in any evidence you may wish to share.

Uptake and operation of provisions

As shown above, uptake of representative action provisions appears to be quite low. There may be many reasons for the lack of activity in the courts and tribunals. Individuals may not be aware of their rights under the provisions above, or may lack sufficient capabilities, resources or support to exercise them. Even if non-profit organisations have been considering bringing claims in the court on behalf of individuals, legal proceedings may not have been initiated yet. Alternatively, the Data Protection Act 2018 may have improved the way businesses operate, resulting in fewer complaints, or the ICO may have taken effective action in response to most complaints and so there is no need for further action in the courts. Lastly, individuals might not wish to pursue the specific forms of redress available via these provisions.

We would be interested in hearing from individuals and organisations who have further insight on this issue. We would also be interested to hear from organisations subject to complaints and claims, particularly members of the business community, about how the existing provisions have affected them. We would be particularly interested in hearing about any costs or risks that they have incurred. Finally, we would welcome views on the impacts of current provisions on the ICO and the judicial system, their capacity to handle claims, and any measures that might help to manage pressures.

The Data Protection Act 2018 also requires the government to have regard to the specific needs of children when reviewing the effectiveness of the representative action provisions. If data controllers or processors fail to comply with the data protection legislation, children can, in theory, complain to the ICO or bring legal proceedings against the data controller in exactly the same way as an adult. In practice, however, many children - especially those in younger age groups - are unlikely to be familiar with the data protection framework or their rights of redress. If children wish to take action, but do not have the knowledge or confidence to do so, the legislation permits them to authorise a non-profit organisation to act on their behalf.

Children’s rights organisations and representative action

Under the current legislation, the only organisations which can bring representative action on behalf of children are non-profit organisations. These are defined, in this case, as organisations which have objectives in the public interest and are active in the field of data protection. While that might apply to some children’s rights organisations, there might be others which do not meet the definition because, for example, they lack expertise in the field of data protection.

The government wishes to explore the merits of permitting children’s rights organisations[footnote 13] to bring claims on behalf of children in the same way as relevant non-profit organisations are able to currently. We would welcome views on what criteria should be used to determine whether a children’s rights organisation may make use of any new provisions in these areas. We also seek views on whether new provisions to empower children’s rights organisations should apply to cases where a child authorises an organisation to act on its behalf, or to cases where an organisation acts without a child’s authorisation (see Chapter 3 - Representative action without authority).

The government would be interested to hear from children and parents who have made use of these provisions; individuals or organisations that have represented children; or anyone else with relevant experience of complaint mechanisms and court procedures.

The government would also be keen to understand what information or guidance was provided to children of different ages to help them understand the options open to them. The government is aware that some organisations offer services to children to help them understand their data rights[footnote 14] and the ICO’s web page on lodging complaints[footnote 15] is intended to be plain enough for all age groups to understand. However, we would be interested in your views as to whether more guidance and support for children would be helpful and, if so, what form it should take.

Chapter 2. Consultation questions

Please answer the following questions on the operation of the representative action provisions discussed in Chapter 2.

There are some additional questions specifically for non-profit organisations who have acted on behalf of individuals at questions 5 - 8.

There are also some specific questions for individuals who have asked non-profit organisations to act on their behalf at question 9.

Questions 10 - 11 are for business, industry bodies and other organisations.

Q1. Are you responding to this consultation as:

– a. An individual
– b. A private sector business/organisation
– c. A public sector organisation
– d. A third sector organisation, (e.g. charity, social enterprise)
– e. Other (e.g. informal group, other organisation)

Q2. What is your view on the uptake and operation of representative action provisions to date and what can be done to improve it? Please provide any relevant data and, where possible, make clear its source. For adults and children respectively, please explain what advice and support is currently available in relation to these provisions.

Q3. What, if any, impact might these representative action provisions have had on people who identify with the protected characteristics under the Equality Act 2010 (i.e. age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation)? Please explain.

Q4. Do you think children’s rights organisations should be permitted to bring claims on behalf of children in the same way as relevant non-profit organisations are able to currently? Please explain.

Questions for non-profit organisations who have represented individuals

Q5. Do you offer a service to act on behalf of individuals to make a complaint to the ICO or represent them in courts with respect to breaches of data protection legislation? What challenges did you face in doing so?

Q6. Have you or your organisation complained to the ICO or brought legal proceedings on behalf of children using the representative action provisions? If yes, please briefly explain the nature of the data breach and what action you took.

Q7. What are the most significant differences between the needs of children and the needs of adults in this context, and what particular challenges do children face? Please explain your answer, including whether and how the different needs of children at different stages of development affect your answer.

Q8. For adults and children respectively, what, if any, further support should be made available to ensure these complaints or redress mechanisms are exercised properly and effectively? Please explain whether and how the different needs of children at different stages of development affect your view.

Questions for individuals who have been represented by non-profit organisations

Q9. Have you ever asked a non-profit organisation to act on your behalf in any of the ways described in Chapter 2? What challenges did you face? Please briefly describe what action you asked to be undertaken and why you sought a non-profit organisation to act on your behalf.

Questions for business, industry bodies and other organisations

Q10. What, if any, impacts might the provisions discussed in Chapter 2 have had on data controllers which might be the subject of a complaint or legal claim, particularly businesses, including any increase to compliance and other costs, or risks? Please explain.

Q11. What, if any, impacts might the current provisions have had on the ICO and the judicial system and their capacity to handle claims? What, if any, measures might help to manage pressures?

3. Representative action without authority of individuals

The Data Protection Act 2018 requires the government to consider the merits of making new provisions to permit non-profit organisations to undertake some or all of the actions set out in Chapter 2 without the specific authorisation of individuals.[footnote 16]

The complex nature of our digital environment means it is often difficult for certain groups, particularly children and vulnerable adults, to be able to complain to the ICO or bring legal proceedings without representation. Individuals may be unaware that a breach of their data rights has occurred or that they can ask non-profit organisations to help them seek a remedy. Some may be reluctant to become embroiled in a potentially lengthy and stressful legal process, whilst others might decide not to take action to protect their anonymity for personal reasons.

This provision would permit representative action on behalf of all individuals whose data rights might have been infringed, not only children or vulnerable adults. Some data breaches can affect millions of people and these provisions could provide a suitable remedy for everyone affected, regardless of whether they had expressly authorised a non-profit organisation to act on their behalf.

Nonetheless these new provisions also present risks, including their potential impacts on our courts, judiciary and regulator. Since the data protection legislation came into force, the ICO has seen a significant increase in complaints made by individuals about data controllers.[footnote 17] It may be reasonable to assume that this number would increase further if organisations were permitted to act on behalf of individuals without their authority. There may also be a corresponding impact on the courts and tribunals. The government would need to consider the resource implications carefully when deciding whether or not to introduce new provisions, including the potential for an increase in the number of speculative claims.

Concerns have also been expressed that allowing a representative body to act without express authorisation could lead to speculative, vexatious, ‘ambulance chasing’ claims being brought which lack legitimacy and would be an unnecessary further burden on the ICO’s resources without yielding privacy benefits for UK consumers, undermining the link between a claim and measurable harm to specific consumers.

The Data Protection Act 2018 requires the government to have specific regard to the merits of extending these provisions to compensation cases. The government would welcome views on whether an extension could pose practical difficulties for the courts, for example, in determining the amount of compensation and making an award in cases where a non-profit organisation was purporting to act on behalf of thousands of unnamed individuals.

Representative action without authority on behalf of children

Although children are a wide section of society that is very active online, they may have limited knowledge about the law or the rights and remedies that are available to them. Even if they were aware of the legal framework and the options that were open to them, they are less likely to have the resources or independence to contact a non-profit organisation to act on their behalf.

The government would welcome your views on whether or to what extent there is a case to extend the representative action provisions, as described above, on behalf of children. We would also like to learn whether you believe alternative courses of action might be more effective, or complementary. Equally, if you envisage any disadvantages in extending these provisions, we would like to hear from you.

Other considerations

Finally, the government recognises that consideration may need to be given to individuals who do not wish to form part of a claim. We would be interested in views as to what, if any, provisions should be made to allow an individual to prevent a non-profit body or other organisation from exercising, or continuing to exercise, their rights under data protection legislation.

The government would like to consider your views on the potential advantages and disadvantages of this approach. We would particularly like to understand the potential impact on individuals who have been affected by data breaches. We would also be interested to hear from data controllers which might be the subject of a complaint or legal claim, particularly businesses, about how the adoption of these new provisions may affect them, including any increased costs or risks. Finally, we would like to hear about the likely impacts on the ICO and the judicial system, which will be required to consider representations made by non-profit organisations, their capacity to handle new claims brought under any new provisions, and how the design of any new provisions may help to manage pressures.

Chapter 3. Consultation questions

When answering questions below, please consider each one in relation to adults and children respectively. Please consider the particular needs of children, including the challenges that children of different ages may face in authorising or deciding whether to authorise other persons to act on their behalf, and what support they receive or may require. Please indicate where your answers pertain to all individuals, or only to adults or only to children.

Q12. Do you think the data protection legislation should be changed to allow non-profit organisations to act on behalf of individuals who have not given express authorisation? Please explain whether and why to permit such action in relation to the exercise of some or all of a data subject’s rights.

Q13. Should a children’s rights organisation be permitted to exercise some or all of a data subject’s rights on behalf of a child, with or without being authorised to do so? Please explain.

Q14. What, if any, impact might allowing non-profit organisations to act on behalf of individuals who have not authorised them to do so have on people who identify with the protected characteristics under the Equality Act 2010 (i.e. age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation)?[footnote 18] Please explain.

Q15. What safeguards, if any, should operate to avoid the speculative or vexatious use of any new powers for non-profit organisations to act without the consent of individuals and avoid a disproportionate administrative burden on either the regulatory or courts systems?

Q16. What conditions, limitations or safeguards should apply if non-profit organisations act on behalf of individuals who have not authorised them to do so? For example, should individuals be given the right to object to a non-profit organisation taking action on their behalf without their consent? Please explain.

Q17. If the new provisions discussed in this chapter were adopted, what impacts do you anticipate on data controllers which might be the subject of a complaint or legal claim, particularly businesses, including any increased costs or risks?

Q18. If the new provisions discussed in this chapter were adopted, what are the likely impacts on the ICO or the judicial system, which will be required to consider representations made by non-profit organisations? What is their capacity to handle new claims brought under any new provisions, and how might the design of any new provisions help to manage pressures?

Q19. What are the alternative means or mechanisms by which non-profit organisations are currently able to bring complaints to the ICO or to court using existing Civil Procedure Rules? Please provide any evidence of their use or operation to date.

Q20. In what ways would the potential measures outlined in Chapter 3 either complement or duplicate these alternative mechanisms?

4. How to respond

We welcome your views and evidence. To help us analyse the responses please submit your responses by email to dataprotection@dcms.gov.uk. Alternatively, hard copy responses can be sent to:

Data Protection Team
Department for Digital, Culture, Media & Sport
4th Floor
100 Parliament Street
London
SW1A 2BQ

The closing date for responses is 22 October 2020. When providing your response, please also provide contact details - we may seek further information or clarification of your views.

We will also be conducting a number of virtual workshops to facilitate discussion on the representative action provisions. If you are interested in taking part in these discussions, please get in touch via email at dataprotection@dcms.gov.uk. Whether or not we meet you in person, we would encourage you to send your representations on the call for views to us in writing or via email at dataprotection@dcms.gov.uk.

Should you require access to the consultation in another format (e.g. Braille, large font or audio) please contact us on 020 7211 6000 or at dataprotection@dcms.gov.uk.

5. Privacy Notice

The following explains your rights and gives you the information you are entitled to under the Data Protection Act 2018 and the General Data Protection Regulation (“the Data Protection legislation”). This notice only refers to your personal data (e.g. your name, email address, and anything that could be used to identify you personally) not the content of your response to the survey.

1. The identity of the data controller and contact details of our Data Protection Officer

The Department for Digital, Culture, Media and Sport (“DCMS”) is the data controller. The Data Protection Officer can be contacted at dcmsdataprotection@dcms.gov.uk. You can find out more here: Personal information charter

2. Why we are collecting your personal data

Your personal data is being collected as an essential part of the consultation process, so that we can contact you regarding your response and for statistical purposes such as to ensure individuals cannot complete the survey more than once.

3. Our legal basis for processing your personal data

DCMS has a legal obligation to consult on the representative action provisions under section 189 of the Data Protection Act 2018. You are under no obligation to respond, however.

The lawful bases we rely on for processing your personal data can be found under article 6(1)(c) (legal obligation) of the GDPR.

4. With whom we will be sharing your personal data

The government will use your responses to prepare a report for Parliament setting out how it intends to proceed. Your responses may be published alongside the report, but we will remove any information that could be used to identify you or other individuals.

If you want the information that you provide to be treated as confidential, please be aware that, under the Freedom of Information Act (FOIA) 2000, there is a statutory Code of Practice with which public authorities must comply and which deals, amongst other things, with obligations of confidence. In view of this, it would be helpful if you could explain to us why you regard the information you have provided as confidential. If we receive a request for disclosure of the information, we will take full account of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not, of itself, be regarded as binding on the Department.

5. For how long we will keep your personal data, or criteria used to determine the retention period.

Your personal data will be held for two years after the survey is closed. This is so that the department is able to contact you regarding the result of the survey following analysis of the responses.

6. Your rights, e.g. access, rectification, erasure

Some of the data we are collecting is your personal data, and you have considerable say over what happens to it. You have the right:

  • To see what data we have about you

  • To ask us to stop using your data, but keep it on record

  • To have all or some of your data deleted or corrected

  • To lodge a complaint with the independent Information Commissioner (ICO) if you think we are not handling your data fairly or in accordance with the law.

You can contact the ICO at https://ico.org.uk or telephone 0303 123 1113. Or you can write to them at:

ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

7. Your personal data will not be sent overseas.

8. Your personal data will not be used for any automated decision making.

9. Your personal data will be stored in a secure government IT system.

  1. The General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018. 

  2. The GDPR defines a non-profit organisation as an organisation or association which has been properly constituted in accordance with domestic law, has statutory objectives which are in the public interest and is active in the field of individuals’ rights and freedoms with respect to their personal data 

  3. Article 80(2) of GDPR gave Member States the discretion to do this, but there was no requirement to do so. 

  4. See section 189 of the Data Protection Act (DPA) 2018. The review requirement does not extend to Scotland. 

  5. See section 189 of the Data Protection Act (DPA) 2018. The review requirement does not extend to Scotland. 

  6. The government will also have regard to the United Kingdom’s obligations under The United Nations Convention on the Rights of the Child (UNCRC), which grants all children and young people (aged 18 and under) a comprehensive set of rights. 

  7. See articles 80(1) and 77 GDPR. For processing activities falling outside the scope of the GDPR, see ss. 182(2) and 165(2) of the DPA. 

  8. See articles 80(1) and 78(2) GDPR and s.166 DPA 2018. For non-GDPR processing, see ss.187(2) and s.166(2) DPA.

  9. See articles 80(1) and 78(1) GDPR. For non-GDPR processing, see ss.187(2)(d).

  10. See articles 80(1) and 79 GDPR. For non-GDPR processing, see ss.189(2) and 167(1) DPA.

  11. It is unclear whether all of these complaints were made by non-profit organisations; or what percentage related to alleged breaches of GDPR and Parts 3 and 4 of the DPA. 

  12. Page 30, ICO Annual Report 2018-19 

  13. Section 189(6) of the Data Protection Act 2018 defines ‘children’s rights organisations’ as “a body or other organisation which (a) is active in representing the interests of children; and (b) has objectives which are in the public interest”.

  14. See, for example, services offered by 5Rights, Parent Zone and the NSPCC 

  15. https://ico.org.uk/make-a-complaint/ 

  16. See section 189 of the Data Protection Act 2018. Any extension, following the review, would only apply to actions brought by non-profit organisations under the GDPR. 

  17. Page 30, ICO Annual Report 2018-19 

  18. Protected Characteristics, Equality Act 2010