Section 189 of the Data Protection Act 2018 requires the Government to review the operation of the representative action provisions and provide a report to Parliament.

In August 2020, the Government issued a Call for Views and Evidence to examine:

• the operation of the provisions that allow individuals to authorise non-profit organisations to complain to the ICO or act on their behalf in certain proceedings in the courts and tribunals; and
• whether to introduce new provisions to permit organisations to act on behalf of individuals who have not given their express authorisation, and whether to enable children’s rights organisations to exercise some or all of the rights discussed above on behalf of children with or without their authorisation.

The Government received 345 responses to the consultation from organisations and individuals. It also held several meetings with privacy rights campaigners, children’s rights organisations, academics, trade associations and regulators. The Government has now published its report.

Overall, the views on what steps the Government should take next were polarised. Privacy groups, consumer rights groups and children’s rights organisations argued strongly that new legislation is required to permit non-profit organisations to complain to the ICO or bring legal proceedings against data controllers on behalf of people who may not be able to represent themselves.

By contrast, many business groups voiced concern about the potential for increased litigation and questioned whether protracted legal battles are in the best interests of businesses or consumers. They pointed to developments in the regulatory landscape which may lead to an improvement in compliance, including the introduction of the Age Appropriate Design Code. They also pointed to legal developments elsewhere in the law, such as the decision in Lloyd v Google LLC [2019] EWCA Civ, which could lead to a successful form of collective action under current provisions in the civil procedure rules.

Having considered the evidence, the Government has concluded that there is not a strong enough case for introducing new legislation. The Information Commissioner’s Office has a wide range of investigatory and enforcement powers that were significantly strengthened by provisions under the 2018 Act.

Although the Government accepts that some groups in society might find it difficult to complain to the ICO or bring legal proceedings of their own accord, it says that there is no strong evidence to suggest the ICO cannot or will not investigate serious, singular breaches of the legislation or systemic failings across whole sectors. Much of the ICO’s current regulatory activity, including the development of the Age Appropriate Design Code, is focused on ensuring that high risk processing activities, which can have an impact on children or vulnerable people, are carried out fairly, lawfully and transparently.

Further, the Government says that it is sympathetic to views of business groups who said that new legislation could increase uncertainty for data controllers. It is also mindful of the potential impact of new legislation on the workload of the ICO and the courts. The government is not convinced that any perceived benefits of new legislation would outweigh these risks. To access the full response, click here.