Data Protection Bill: Collective Redress


Bill Committee Evidence

Which? is the largest consumer organisation in the UK with more than 1.7 million members and supporters. We operate as an independent, apolitical, social enterprise working for all consumers and funded solely by our commercial ventures. We receive no government money, public donations, or other fundraising income. Which?'s mission is to make individuals as powerful as the organisations they have to deal with in their daily lives, by empowering them to make informed decisions and by campaigning to make people's lives fairer, simpler and safer.

Summary

1. Which? welcomes this opportunity to submit evidence to the Committee for the Data Protection Bill and supports the aims of the Government in bringing forward this Bill to ensure that the UK remains compliant with EU law by implementing the EU General Data Protection Regulation (GDPR). In particular, it will give more powers to the regulator, the Information Commissioner's Office, to take action against companies who are in breach of the legislation and give more protections to consumers.

2. However, the Bill lacks important measures that would better enable consumers to access redress in cases where they have been a victim of a data breach and the response by the company involved has not been adequate. These measures are provided for under the derogable Article 80(2) of the GDPR, but the Government has argued that they are not needed as Clause 183 provides for individuals to appoint an organisation who meets the set criteria to represent them. Whilst this is welcome, Which? believes that this measure on its own is not enough.

3. Although consumers who have been a victim of a data breach currently have the right to redress, the mechanisms to access it are inadequate and many are reluctant to pursue a case through the courts, particularly as it can be difficult for individuals to prove that any losses they have suffered were directly caused by the company's failings.

4. Collective redress is particularly appropriate in the context of data breaches, given the many thousands of consumers who may be affected by a single breach but who individually may have suffered relatively small harm, or who could not be expected to know their data had been subject to a breach and therefore would be unable to seek redress themselves.

5. Which? urges the Committee to consider and support amendment 154 which would enable independent organisations acting in the public interest to take collective action on behalf of all victims of a data breach if they have not been offered appropriate redress.

Introduction

6. Which? research found that almost one in 10 (8%) people who have shared their details online believe they have been subject to a data breach in the last year, with three quarters (73%) concerned that the information they have shared could be at risk of a leak.

7. Although consumers who have been a victim of a data breach currently have the right to redress, existing mechanisms to access it are inadequate, forcing individuals to go through the courts if the offer made by the company is poor. Many people are reluctant to become embroiled in a potentially lengthy and costly legal process, which may not be proportionate to the loss or the appropriate remedy, and it is often difficult for victims to obtain the evidence they need to demonstrate that the company's systems and processes were not sufficient.

8. Equally, it can be difficult for individual consumers to prove that any losses they have suffered were directly caused by the company's failings. The burden rests on the consumer to evidence these points - a challenging and sometimes impossible task.

9. Contained in the GDPR is the provision under Article 80(2) to allow for independent organisations acting in the public interest to bring collective redress actions on behalf of consumers for breaches of data protection rules. However, this mechanism has not been included in the Bill.

10. The Information Commissioner's Office has stated its support for the introduction of a collective redress mechanism, as set out in Article 80(2). The ICO highlights that there are circumstances where data subjects may not necessarily be aware of what data about them is held by organisations, and more importantly what is being done with it. In such instances data subjects could not be expected to know whether and how they could exercise their rights under data protection law.

The need for collective redress

11. Introducing Article 80(2) of the GDPR into UK legislation would enable an independent organisation to seek redress on behalf of all affected consumers, without those consumers each having to bring - or appoint a representative body to bring - an individual case against the company involved. It also has significant advantages in respect of costs and court time, and provides finality of liability for businesses since all claims are dealt with at once. A properly implemented redress system would ensure that where infringements have occurred, consumers who have been affected receive redress effectively - which need not be financial in every case - being obtained promptly by most consumers.

12. It would also prevent future infringements by creating a deterrent effect, and a significant incentive for businesses to improve their processes, systems and customer service in order to comply with important data protection measures. Companies that behave appropriately and meet their obligations, including by treating their customers fairly when things go wrong, have absolutely nothing to fear and much to gain from an effective redress regime.

13. Despite the Government indicating [1] that the Bill would make it easier for actions to be brought on behalf of similarly affected individuals by a representative entity (e.g. ombudsman, consumers or civil society bodies), the Bill does not currently contain sufficient provisions to enable collective redress for victims of data breaches.

14. Clause 183 of the Bill allows an individual consumer to effectively opt in to a claim, giving them the right to authorise a body or organisation to exercise its data subject's rights. This implements Article 80(1) of the GDPR. However, this does not go far enough on its own. It presupposes that affected consumers are aware their data has been breached, that they know their right to appoint a representative body and that they see the value in expending time on such an appointment in circumstances where the loss may be small.

15. Collective redress is particularly appropriate in the context of data breaches, given the many thousands of consumers who may be affected by a single breach but who individually may have suffered relatively small harm, or who could not be expected to know their data had been subject to a breach and therefore would be unable to seek redress themselves.

16. Which? also has experience of where the opt-in type model proposed in Article 80(1) has posed challenges when seeking redress for consumers. Through the Competition Act 1998, the UK introduced representative collective actions in the competition law sphere, on an opt-in basis. Which? was the only designated representative who could bring actions on behalf of consumers. Using its designation, Which? brought a collective action against JJB Sports for their role in fixing the price of replica football shirts. The opt-in model presented significant administrative and evidential difficulties.

The impact on business and safeguards to prevent inappropriate use

17. Which? recognises that careful thought must be given to the way any new collective redress mechanism is structured. Which? envisages a proportionate and effective system of collective redress that incorporates appropriate safeguards to ensure the system works in the interests of consumers, companies and the courts alike. Indeed, any collective actions regime would exist within the UK's wider civil justice system. This means that existing safeguards within our procedural framework can be retained, and new ones can be introduced, to ensure any collective redress mechanism is proportionate and effective.

18. Existing safeguards within our procedural framework include the facts that, in contrast to the situation in the US where compensation is determined by juries who can award punitive damages, in the UK the amount of compensation would be determined by a court or specialist tribunal and there is no provision for punitive damages (as opposed to compensatory damages) in UK consumer law. In addition, while each party pays their own costs in the US regime, the loser pays the other side's costs in the UK. In practice, this is a powerful deterrent to unmeritorious cases.

19. The regime under the Consumer Rights Act 2015 provides one example of how new procedural safeguards may be introduced to ensure only meritorious cases proceed in the UK. In contrast to the US, contingency fees for lawyers are banned under the Act. In addition, the Act prescribes a process for the specialist Competition Appeal Tribunal to certify actions at the outset, which prevents unmeritorious cases from being taken forward.

20. However, this only applies to infringements of competition law, and few cases have been brought since its introduction. Indeed, the first two opt-out collective actions for breaches of competition law were considered by the Competition Appeal Tribunal for certification, and neither claim was allowed to proceed.

21. In other areas, including data protection, few options exist for pooling claims together, and those that do exist are only available in very narrow (and thus rare) factual circumstances, often not applicable to consumer claims. [2] The consequence is that there are many instances where large groups of consumers who have suffered the same kind of harm cannot get effective redress. Data breach cases are arguably a better fit for this type of redress than cases brought under the CRA.

22. It has been argued that the introduction of collective redress for victims of data breaches should be delayed until further competition law cases have been tested. However, waiting for more competition law cases to be brought before the courts will simply mean that victims of data breaches will continue to be left without an appropriate mechanism to access redress where companies fail to provide it.

23. The Government has tabled amendments to the Bill that give order-making powers to introduce 80(2) if the case for its need is proven following a two-year review of the effectiveness of 80(1). However, in developing the redress regime for breaches of competition law, the Government has already taken action in light of the challenges to an opt-in model.

24. In most cases where collective redress would be needed, there are likely to be relatively small levels of harm to each individual consumer. In these cases the appropriate redress may be similar to the steps we have seen taken by Equifax following their recent data breach - to offer identity or credit monitoring - or it may even be as simple as giving consumers the right to leave their contract penalty free. Introducing Article 80(2) would not stop responsible companies from taking timely actions to put things right following a data breach.

25. The GDPR is also specific about the type of organisations able to take cases on behalf of consumers through both Article 80(1) and Article 80(2). Organisations wishing to represent consumers must meet the criteria as set out by Clause 183 (3) and (4) of the Data Protection Bill. Only not-for-profit organisations who are acting in the public interest, and who actively work in the area of the protection of data subjects' rights, would qualify to take a case under and the case itself would have to have prima facie merit, namely where a data breach has occurred and the company responsible for protecting consumers' data has not offered appropriate redress. Any organisation wishing to take action would therefore have to demonstrate not only that it met the criteria to act on consumers' behalf but that it had an appropriate case.

Conclusion

26. Whilst the measures set out in the Bill under Clause 183 are welcome, Which? believes that this does not go far enough on its own. A collective redress mechanism, as set out under Article 80(2) of the GDPR, is required to ensure that all victims of a data breach are easily able to access appropriate redress in cases where the company at fault fails to provide it.

27. We urge the Committee to support amendment 154 which would enable independent organisations acting in the public interest to take collective action on behalf of all victims of a data breach.

For more information, contact Vanessa Furey on 020 7770 7325 or vanessa.furey@which.co.uk

Which?, 2 Marylebone Road, London NW1 4DF
March 2018

[1] A New Data Protection Bill: Our Planned Reforms. DCMS, Statement of Intent, 7 August 2017 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/635900/2017-08-07_dp_bill_-_statement_of_intent.pdf

[2] Options include seeking a Group Litigation Order or bringing a representative action under Rule 19.6 of the Civil Procedure Rules. Neither of these options has proved effective for the vast majority of consumer claims.

Appendix - amendment 154

Clause 183, page 106, line 24, at end insert:

(4A) In accordance with Article 80(2) of the GDPR, a person who satisfies the conditions in Article 80(1) and who considers that the rights of a data subject under the GDPR have been infringed as a result of data processing, may bring proceedings, on behalf of the data subject and independently of the data subject's mandate
(a) pursuant to Article 77 (right to lodge a complaint with a supervisory authority),
(b) to exercise the rights referred to in Article 78 (right to an effective judicial remedy against a supervisory authority),
(c) to exercise the rights referred to in Article 79 (right to an effective judicial remedy against a controller or processor).

(4B) An individual who considers that rights under the GDPR, this Act or any other enactment relating to data protection have been infringed in respect of a class of individuals of which he or she forms part may bring proceedings in respect of the infringement as a representative of the class (independently of the mandate of other members of the class), and
(a) for the purposes of this subsection proceedings includes proceedings for damages, and any damages recovered are to be distributed or otherwise applied as directed by the court,
(b) in the case of a class consisting of or including children under the age of 18, an individual may bring proceedings as a representative of the class whether or not the individual's own rights have been infringed,
(c) the court in which proceedings are brought may direct that the individual may not act as a representative, or may act as a representative only to a specified extent, for a specified purpose or subject to specified conditions,
(d) a direction under paragraph (c) may (subject to any provision of rules of court relating to proceedings under this subsection) be made on the application of a party or a member of the class, or of the court's own motion, and
(e) subject to any direction of the court, a judgment or order given in proceedings in which a party is acting as a representative under this subsection is binding on all individuals represented in the proceedings, but may only be enforced by or against a person who is not a party to the proceedings with the permission of the court.

(4C) Subsections (4A) and (4B)
(a) apply in respect of infringements occurring (or alleged to have occurred) whether before or after the commencement of this section,
(b) apply to proceedings begun before the commencement of this section as if references in subsections (4A) and (4B) to bringing proceedings included a reference to continuing proceedings, and
(c) are without prejudice to the generality of any other enactment or rule of law which permits the bringing of representative proceedings.