Mass claims for data breaches: perhaps a change of heart by the Government but don’t forget Lloyd v Google

The UK Government has published its response to last year’s consultation reviewing the representative action provisions in s187 of the Data Protection Act (DPA) 2018.

DCMS consultation

As reported in my earlier post on the consultation, last Autumn, the Department for Digital, Culture, Media and Sport (DCMS) consulted on existing provisions in the DPA that enable individuals to ask certain non-profit organisations to complain to the ICO or bring legal proceedings on their behalf for data protection infringements. Importantly, the DCMS also consulted on whether to extend those rules to allow non-profit organisations to take action without individuals’ consent. The proposed changes could have drastically increased data controllers’ exposure to mass compensation claims for breaches of data privacy rules. 

If it ain’t broke don’t fix it

The consultation generated polarised responses, which illustrates the challenges of, and range of views on, regulating data and digital issues (see our Regulating Digital Hub for more information). Critically, the Government has decided that there is not a strong enough case to introduce the proposed ‘opt-out’ rule on the basis that:

• Whilst more could be done to increase individuals’ awareness of the existing complaints procedures and redress mechanisms, the current regime already offers strong protections for individuals and routes for redress. The Government will work with the ICO and other parties to tackle awareness issues with the existing framework.
• The ICO is best placed to take action to tackle systemic risks to privacy and data breaches. Although the ICO cannot award compensation to data subjects, its enforcement tools enable it to respond swiftly and pragmatically to give effect to data privacy rights.
• Moving to an opt-out system would be a “significant step”. The Government would need to be confident that such a change was right in the context of data protection law and in light of potential unintended consequences, such as the risks of increasing litigation costs and insurance premiums, which could affect all data controllers, including those with good compliance records, as well as increasing the workload of the ICO and the courts. 
• Lloyd v Google, which is due to be heard by the Supreme Court this April, shows the potential for opt-out collective actions for data-related claims under existing provisions in the English Civil Procedure Rules. The Government “will continue to monitor developments in this area closely…”

What does this mean for data controllers?

The Government’s decision not to introduce the proposed opt-out rules at this stage will be welcomed by data controllers. However, everyone is watching to see how the Supreme Court tackles similar issues in Lloyd v Google, which could still open the door to mass opt-out claims against data controllers. In addition, the Government will no doubt be keeping a close eye on the wider direction of travel outside the UK towards the implementation of collective redress mechanisms in different areas, such as the EU’s Representative Action Directive and domestic developments in countries such as the Netherlands. It would therefore be wrong to assume that this is the last we will see of a potential opt-out class action regime in UK data protection law.