Review of Representative Action Provisions, Section 189 Data Protection Act 2018 - Which? response

Which? Response to the Call for Views and Evidence for the Review of the Representative Action Provisions in Section 189 of the Data Protection Act 2018.

Which? welcomes this opportunity to submit its views and evidence to the Government for the statutory review of the Representative Action Provisions, Section 189 Data Protection Act 2018.

Which? has been interested in this area for a number of years and welcomed the introduction of the provisions in question in its submission of evidence to the Committee for the Data Protection Bill. Which? continues to seek the implementation of Article 80(2) GDPR and the measures that would better enable consumers access to redress. Access to adequate redress is a necessary consumer right in the data space and Which? believes there is a compelling need for better provisions.

In order for the Government to achieve its stated objectives of ensuring that the UK is the ‘best place to start and grow digital business, trial new technology and undertake advanced research’, a collective redress mechanism on an opt-out basis needs to be introduced for breaches of the data protection principles, including significant data breaches. This will aid in creating an environment where data subjects have confidence in the way that organisations are using their data and are assured that there are processes in place to protect their rights if something goes wrong.​​​​

Summary

1. Which?’s position is informed by our expertise of working in consumer protection. Adequate redress mechanisms for data breaches are needed in an economy and society fueled by data.
2. The current 'opt-in' system is not working to adequately serve consumers who suffer at the hand of data breaches and business practices that breach data protection principles. This is evidenced by the low uptake of the current provisions. A fundamental reason for this, is that the current model presupposes that affected consumers are aware that their data has been breached, that they know their right to appoint a representative body, and that they see the value in expending time on such an appointment in circumstances where the individual harm suffered may seem relatively small even though it may have had a much greater collective impact.
3. Data breaches have and are continuing to happen with consumers suffering real harm as a consequence but without having access to the redress they deserve. Multiple high-profile data breaches have occurred in the years since the introduction of the legislation. Which? recently published an investigation which showed the real-life impact data breaches can have on consumer lives.
4. More needs to be done to hold businesses to account when they do not adequately protect consumers’ data or engage in business practices which contravene the data protection principles - more needs to be done to incentivise them to improve their data processing practices. Facilitating redress through an opt-out mechanism would be a complementary method to incentivising good practice alongside existing measures. Which? recently published an investigation which found that a number of major travel companies who have been the subject of major data breaches were still failing to protect their users and had serious data security vulnerabilities on their websites.
5. We have seen the introduction of opt-out mechanisms in other areas of consumer protection - an opt-out collective redress regime for competition law claims was introduced by the Consumer Rights Act 2015 and has not led to a wave of spurious claims. Data protection is well-suited to this kind of redress mechanism due to the nature of the harm suffered. It often affects a vast number of consumers with relatively small individual harm and large collective impact.
6. Which? envisages a proportionate and effective system of collective redress that incorporates appropriate safeguards to ensure the system works in the interests of consumers, companies and the courts alike.