UK Government response to Call for Views and Evidence - Review of Representative Action Provisions, Section 189 Data Protection Act 2018
Updated 23 February 2021
Contents
- Introduction
- Legal Background
- Summary of responses on operation of the current law: representation on the authority of individuals
- Summary of responses on merits of changing the legislation to permit representation without the authority of individuals
- Summary of responses on the representation of children
- Government’s response
Annex A: List of respondents
Annex B: List of questions
Annex C: Children and young people questionnaire
Annex D: Involved stories survey of children and young people
1. Introduction
1.1. The purpose of this report is to update Parliament on the government’s review of the provisions on the representation of data subjects in the UK’s data protection legislation.
1.2. Under the current legal framework, individuals can request relevant non-profit organisations [footnote 1] to act on their behalf to complain to the Information Commissioner’s Office (ICO) or to bring legal proceedings against a data controller where there is evidence of non-compliance. These provisions are relatively new to data protection legislation. They were introduced in recognition of the fact that data protection legislation is complex and individuals may prefer to authorise a relevant organisation to act on their behalf. The legislation does not currently permit non-profit organisations to represent individuals who have not expressly authorised them to do so.
1.3. The scope of the review was determined by the requirements of section 189 of the Data Protection Act (DPA) 2018 [footnote 2]. To inform the review, the Department for Digital, Culture, Media and Sport (DCMS) ran a call for views between 27 August and 22 October 2020. The government received 345 written responses from organisations and individuals. A full list of organisations that responded is at Annex A.
1.4. During the same period, DCMS officials held several meetings with privacy rights campaigners, children’s rights organisations, academics, groups representing parents and children, trade associations, individual businesses and regulators. DCMS officials also worked with Youthleads and YouthFocus in Manchester and Wipers Youth Project and Youth Reality Homes (a children’s residential home) in London to seek the views of children directly.
1.5. Overall the views on what steps the government should take next were polarised. Privacy groups, consumer rights groups and children’s rights organisations have argued strongly that new legislation is required to permit non-profit organisations to complain to the ICO or bring legal proceedings against data controllers on behalf of people who may not be able to represent themselves.
1.6. By contrast, many business groups have voiced concern about the potential for increased litigation and questioned whether protracted legal battles are in the best interests of businesses or consumers. They have pointed to developments in the regulatory landscape which may lead to an improvement in compliance, including the introduction of the Age Appropriate Design Code [footnote 3]. They have also pointed to legal developments elsewhere in the law, such as Lloyd vs Google case, which could lead to a successful form of collective action under current provisions in the civil procedure rules.
1.7. Having considered the evidence, the government has concluded that there is not a strong enough case for introducing new legislation. The Information Commissioner’s Office (ICO) is one of the biggest data protection regulators in Europe and has a wide range of investigatory and enforcement powers that were significantly strengthened by provisions in the Data Protection Act 2018. Although the government accepts that some groups in society might find it difficult to complain to the ICO or bring legal proceedings of their own accord, there is no strong evidence to suggest the ICO cannot or will not investigate serious, singular breaches of the legislation or systemic failings across whole sectors. Much of the ICO’s current regulatory activity, including the development of the Age Appropriate Design Code, is focused on ensuring that high risk processing activities which can have an impact on children or vulnerable people are carried out fairly, lawfully and transparently. The government is sympathetic to views of business groups who have said that new legislation could increase uncertainty for data controllers. It is also mindful of the potential impact of new legislation on the workload of the ICO and the courts. The government is not convinced that any perceived benefits of new legislation would outweigh these risks.
1.8. The remainder of this report is divided into five chapters:
- Chapter 2 explains the legal background to the representative action provisions;
- Chapters 3 to 5 summarise responses to the call for views exercise. Chapter 3 summarises responses received in relation to the operation of the current law; Chapter 4 summarises views on the risks and benefits of introducing new provisions; and Chapter 5 summarises responses received about the particular needs of children and whether there should be an expanded role for children’s rights organisations in representing their interests.
- Chapter 6 sets out in more detail how the government will proceed in the light of consultation responses and the other evidence it has considered.
2. Legal Background
2.1. The General Data Protection Regulation (GDPR) was adopted by the EU in April 2016 and replaced the EU Data Protection Directive 95/46/EC. It took effect on 25th May 2018 and applies directly in each EU Member State. It enhanced data subject rights previously provided under the Data Protection Directive and introduced some new rights. It also introduced new redress mechanisms, if individuals had concerns about the way their data was being used. At the end of the transition period, the UK retained the GDPR in domestic law, subject to some minor amendments to correct deficiencies arising as a result of EU Exit. One of these changes was to rename the GDPR the UK GDPR. [footnote 4]
2.2. Article 80 of the UK GDPR is one of the new provisions on redress. It is made up of two subsections. Article 80(1) permits an individual to authorise a relevant not-for-profit body [footnote 5] to exercise certain rights on his or her behalf e.g lodge a complaint with the ICO or bring certain legal proceedings. This includes proceedings in the courts or tribunals against the ICO in relation to the way it has handled a complaint; or proceedings against data controllers in order to seek a compliance or compensation order. Similar provisions exist under the Law Enforcement Directive (LED) and section 187 of the Data Protection Act 2018, but the main difference is that an individual cannot mandate a non-profit organisation to seek compensation on his or her behalf from a competent authority under the LED.
2.3. Article 80(2) of the UK GDPR permits the Secretary of State to make regulations allowing a non-profit organisation to represent data subjects in a similar way to Article 80(1) of the UK GDPR but without the data subject’s consent. The Secretary of State has not exercised these powers to date and several EU Member States have also delayed implementation of article 80(2) of the GDPR. A report released in June 2019 found that only three Member States (Belgium, France and Denmark) had transposed the ability had legislated for the representation of data subjects without mandate and a further three (Germany, the Netherlands, and Spain) already provided for this in their legislation. [footnote 6]
2.4. Section 189 of the DPA 2018 sets out a requirement for the government to: review the operation of Article 80(1) of the UK GDPR and section 187 DPA 2018, consider the merits of implementing Article 80(2) of the UK GDPR, and consider the merits of children’s rights organisations exercising rights under Article 80(1) (with authorisation) or Article 80(2) (without authorisation) on behalf of data subject who is a child.
2.5. Although the UK has not implemented Article 80(2) of the UK GDPR, there are mechanisms elsewhere in the law which allow collective action proceedings against data controllers for breaches of data protection legislation. For example, the courts can already group similar claims together and hear them at the same time using group litigation orders under Civil Procedure Rule 19.10. [footnote 7]
2.6. In Lloyd v Google, the Court of Appeal (COA) granted Mr Lloyd permission to bring a representative claim under Civil Procedure Rule 19.6 in his own name and on behalf of 4 million other Google users whose data rights have allegedly been infringed. [footnote 8] Mr Lloyd is claiming £750 per head. Having granted Google permission to appeal against the COA decision, the Supreme Court will decide in early 2021 whether or not it agrees with the COA. Although this is not the same as a representative body bringing a claim on behalf of a number of unnamed individuals, it is relevant to the government’s consideration of whether to implement Article 80(2) of the UK GDPR (see chapter 4) because it shows a form of collective action can proceed under the current framework where the parties to the claim share the same interest. There are other cases that might be influenced by the outcome of Lloyd v Google, including the case of McCann and others v Google Ireland Ltd where the claimant is seeking damages in relation to YouTube’s alleged use of under-13s data without parental consent.
2.7. In considering the merits of whether to implement Article 80(2) of the UK GDPR, the government has also considered the way representative bodies act on behalf of consumers in other areas of the law. For example, section 11 of the Enterprise Act 2002 gives designated consumer bodies (such as Which?) the right to make a super-complaint to the Competition and Markets Authority where there is a feature of a market for goods and services in the UK that is significantly harming the interests of consumers. Since 2010, super-complaints have been brought in respect of issues relating to the transparency of cash ISAs, retailers surcharges for paying by credit or debit cards, misleading prices in the groceries sector, and loyalty penalties for insurance, mortgages and other products. Once a designated body makes a super-complaint they are dealt with according to a fast-track procedure. Possible actions include: taking enforcement action, launching a market study into the issue, making recommendations to the government for changes in legislation, referring the complaint to another consumer enforcement body, launching campaigns to promote consumer education and awareness, or giving the market a clean bill of health.
2.8. The Consumer Rights Act 2015 introduced a collective proceedings regime in relation to certain consumer claims before the Competition and Appeals Tribunal (CAT). This provides for two types of collective proceedings - ‘opt-in’ proceedings whereby affected individuals have to actively opt-in to be a part of the claim, and ‘opt-out’ proceedings whereby affected individuals are automatically included in the claim unless they actively opt-out during a set period. The CAT provides for several safeguards in order to maintain the integrity of the system. For example, the CAT will scrutinise all aspects of the collective action before it can proceed. Individuals or organisations affected by a breach only form part of the class covered by the proceedings once a collective proceedings order has been made, and that order must include a description of the class of persons whose claims are eligible for inclusion. Exemplary damages are prohibited and there is a presumption that the losing party pays the winning party’s costs [footnote 9]. So far, no cases have reached a conclusion under these provisions, but there are a small number of cases progressing through the system.
3. Summary of responses on the operation of the current law: representation on the authority of individuals
Introduction
3.1. The call for views sought evidence on the extent to which people had approached non-profit organisations to represent them in making complaints to the ICO or bringing legal claims; and the challenges of identifying such an organisation to act on one’s behalf, including for people with protected characteristics under the Equality Act 2010. It also asked about the impact of the existing provisions on data controllers, the ICO, and the courts and tribunals (see Annex B for a full list of the review questions).
3.2. The rest of this chapter summarises the responses received, but the views of children’s rights organisations, parents and children on issues specific to children are discussed separately in Chapter 5.
Volume of cases brought to ICO or courts by non-profit organisations under Article 80(1) of the GDPR or section 187 of the Data Protection Act 2018
3.3. The ICO’s response to the call for views confirmed that the overwhelming majority of complaints received by the ICO since May 2018 (around 40,000 per year) were from individuals concerned about how an organisation has handled their personal data. Since May 2018, fewer than 100 cases have been brought to them by civil society organisations, though it was unclear what percentage of these were made on behalf of individuals under Article 80(1) of the GDPR or section 187 of the Data Protection Act 2018.
3.4. There was limited evidence of claims having been brought to the courts or tribunals under the provisions in Article 80(1) of the GDPR or section 187 of the Data Protection Act 2018. Most respondents across the different interest groups confirmed they were unaware of any such case. Since the call for views closed, however, we have become aware of an application to the Tribunal by Open Rights Group seeking an order for the ICO to progress a complaint in relation to adtech and real-time bidding [footnote 10]. The application appears to have been brought under Article 80(1).
Reasons for low uptake
3.5. The views of respondents were mixed on why uptake of the current provisions has been low. Privacy groups, children’s rights organisations and consumer rights groups said that lack of awareness about data rights and redress mechanisms was likely to be one of the main reasons. Some referred to a survey conducted by the European Union Agency for Fundamental Rights, which found only 35% of 1,384 people interviewed from the UK knew who the regulator is for data protection [footnote 11]. Others noted that while there is information available on the ICO’s website concerning how to make a complaint to the ICO, this information does not include advice or support relating to how a data subject could authorise a non-profit organisation to make a complaint to the ICO on their behalf. Several respondents called for a more effective data literacy strategy, starting with education in schools about data rights and redress mechanisms.
3.6. By contrast, some business groups considered that the increase in complaints made to the ICO since the GDPR came into force showed that general levels of public awareness of data rights and the ICO had increased. They pointed to figures on the ICO’s website which show the ICO now receives around 40,000 complaints each year from individuals (compared with around 20,000 the year before GDPR came into force). Some thought it would not always be necessary for people to instruct non-profit organisations if they were complaining to the ICO or relevant sectoral oversight bodies directly. Business groups were not generally opposed, however, to the government, ICO or non-profit organisations doing more to raise awareness of existing redress mechanisms or signposting which non-profit organisations may assist individuals.
3.7. Privacy and consumer rights groups added that, even if people are aware their data has been misused, they might not have the time, resources or energy to take action against the big-tech giants in the courts. Privacy groups noted that while serious data breaches may affect thousands, millions or even tens of millions of users, typically the individual loss may seem too low to justify the effort, stress or cost involved in making a complaint or seeking redress. Others said if an ordinary person had a complaint they wished to be addressed, expecting them to wait years for an outcome, that may be of little tangible benefit to them, is unrealistic.
3.8. Privacy rights groups also said some people might be reluctant to take action as they wish to protect their anonymity for personal reasons. Privacy International’s 2019 investigation into the use of third party trackers on mental health websites [footnote 12] was cited as an example of a case where people might have been reluctant to come forward owing to prejudice and stigma associated with mental health issues.
3.9. There were mixed views on whether ICO’s approach to dealing with complaints had an impact on case volumes. Privacy rights groups said if ICO was not seen to be dealing with complaints effectively, this could deter other organisations from making complaints about similar issues. They added it was difficult to bring legal proceedings in court if the ICO had not taken any action against the data controller, as the judge would often ask what the ICO’s view was on the matter. They cited the ICO’s investigation into adtech and real-time bidding as an example of a complaint that had not reached a conclusion, although the ICO’s website outlines the actions they have been taking in this area [footnote 13]. They also questioned the efficacy of judicial remedies to hold the ICO to account, but acknowledged they were unaware of any cases having been brought against the ICO by representative bodies acting on the authority of individuals.
3.10. By contrast, several businesses praised the ICO as a proactive regulator, which is willing to work constructively with organisations to explain data protection requirements and improve business practices. Some pointed to the Age Appropriate Design Code as evidence of the ICO working with data controllers to improve compliance. Others noted that ICO has taken decisive action against data controllers when necessary. Impending actions against the Marriott Hotel where the ICO has indicated an intention to fine £18.4 million [footnote 14], and against British Airways where the intended fine is expected to be in the region of £20 million [footnote 15] were cited as examples.
4. The merits of changing the legislation to permit representation of data subjects without the authority of individuals
Introduction
4.1. As well as reviewing the operation of the existing provisions on the representation of data subjects by non-profit organisations, the government sought views on the merits of making new provisions to permit such organisations to represent individuals without their specific authorisation. This could occur when complaining to the ICO or when bringing the same types of legal proceedings in which they can represent individuals under current opt-in mechanisms (including compensation claims). The views of key interest groups are summarised below, but issues in relation to children are discussed in more detail in Chapter 5.
Arguments for and against implementing Article 80(2) of the UK GDPR
4.2. The consensus amongst privacy groups, children’s rights organisations and consumer rights groups was that permitting representation without authorisation was necessary to address what they considered to be the problems with the current framework (discussed in Chapter 3). They argued that the complex nature of data rights and data protection legislation means that the opt-in system will never be effective in either delivering the redress consumers need or driving change in the behaviour of those businesses which are not doing enough to protect consumers’ data.
4.3. Although there was broad agreement amongst these groups that children and vulnerable people who are unlikely to be able to represent themselves would benefit from the implementation of Article 80(2) of the UK GDPR, several respondents thought non-profit organisations should be permitted to complain to the ICO or bring claims to court on behalf of any group in society which had been adversely affected by failures in organisations’ data processing activities. In their opinion, this would ensure that the rights of all affected individuals could be upheld and defended, rather than just the small minority with the knowledge, time, resources and resolve to appoint a representative body to act on their behalf. It was argued that this would complement any regulatory activity undertaken by the ICO or, in some cases, provide an alternative to regulatory action.
4.4. The ICO was also broadly supportive of the intention of Article 80(2) of the UK GDPR. It recognised that opt-out proceedings have the potential both to contribute to the protection of the rights of data subjects who may not be aware of the potential breaches of their data protection rights, and to raise awareness and understanding of data rights and data misuse. On the other hand, the ICO also confirmed that it had taken forward a number of investigations at the request of non-profit organisations, regardless of whether they were acting on behalf of a named individual. Examples cited included an investigation of mobile phone extraction by the police, the use of live facial recognition technology and cases involving the misuse of children’s data in relation to the Gangs Matrix.
4.5. Business groups and their representative bodies were strongly opposed to the introduction of opt-out proceedings, which they said could lead to an acceleration in claims that is detrimental to firms, customers, the ICO, and the courts. Some argued that the ICO rightly plays the central role in monitoring and identifying any systemic breaches of the data protection legislation, prioritising those cases where there is the clearest evidence of infringements and harms to data subjects, including vulnerable groups. They argued that the ICO carries out this function effectively and is a relatively proactive regulator, especially with respect to cross-cutting or systemic challenges to privacy, and ought to retain its agenda-setting role. They also argued that the ICO’s approach to enforcement was pragmatic and collaborative, working with organisations to enhance data protection practices and treating enforcement action as a last resort.
4.6. Many observed that opt-out proceedings were more common in countries like the US, where they had given rise to a compensation culture that tended to benefit claimant law firms and litigation funders more than ordinary people. They said that success fees charged by such firms could reduce the amount of compensation paid to individuals and the result is that the data subject may only receive a small fraction of the compensation, and potentially less than they would receive if they had represented themselves.
4.7. Some businesses were concerned that an opt-out model could also expose organisations to higher insurance costs. They noted that insurance premiums were already increasing due to the threat of group litigation orders under the civil procedure rules and restrictions were also being placed on the scope of cover on offer, such as capping the insurer’s liability for third party claims at a low limit. Businesses said that extending the law to include opt-out claims could make the situation worse and be counterproductive to the intention of allowing third party claimants the ability to secure realistic compensation.
4.8. Several trade associations highlighted the uncertainty such provisions could have on smaller businesses and high-tech start-ups in particular. They said implementing Article 80(2) of the UK GDPR would risk placing further burdens on these businesses. Some said the threat of litigation could discourage growth and investment in the UK by creating a more costly and risky environment for business operations, without any clear offsetting benefits.
4.9. Some businesses remarked that introducing opt-out proceedings seemed to contradict the UK GDPR principles on transparency, which should ensure people are kept informed about how their data is used. They said it did not seem appropriate to cut individuals out of the process by pursuing a legal claim without their knowledge. They thought the current legal framework is preferable because it helps to ensure legal proceedings are not launched either when individuals are satisfied with any proactive remediation they have already received following a complaint to the data controller, or when individuals are already pursuing claims. Some said it would also ensure that parents or guardians retained control over actions taken on behalf of their child. Privacy groups and consumer rights organisations countered this argument by pointing out that any proceedings under Article 80(2) of the UK GDPR should be well-publicised to give individuals the opportunity to opt out if they wanted to.
Safeguards
4.10. The call for views sought views from respondents on what safeguards could or should be put in place if Article 80(2) of the UK GDPR were implemented to minimise the number of unfounded complaints or claims reaching the ICO and the courts.
4.11. Some privacy rights organisations said that the definition of “non-profit organisation” in the UK GDPR meant there were already sufficient in-built safeguards. They said there would only be a small number of organisations that were both non-profit and had sufficient expertise in data protection law to be able to bring claims against data controllers. They added that the loser pays principle is an established feature of civil litigation, which would deter organisations from making unfounded claims. Consumer rights groups and children’s rights organisations pointed to the safeguards that are a feature of opt-out proceedings in consumer rights and competition law and said that the government could consider introducing a similar model in relation to proceedings under data protection legislation.
4.12. The starting point of most business groups was that Article 80(2) of the UK GDPR should not be implemented. However, if the government were minded to legislate, they said any new provisions should be carefully designed to protect businesses from speculative or unfounded claims. They agreed with some of the suggestions outlined above and proposed other safeguards, such as the introduction of a strict merits test before any claim could proceed and a declaration by the non-profit organisation of any third party funding. Some said limits could also be placed on the percentage of damages that could be retained by claimant law firms or litigation funders. Others suggested the government could consider introducing an alternative dispute resolution mechanism, similar to that which exists for breaches that relate financial services rules, to settle cases quickly before they go to court.
4.13. In acknowledging the potential impact on its resources, the ICO suggested that if the government were minded to legislate in this area, it might be possible to introduce changes incrementally, for example, by introducing opt-out proceedings in relation to children first.
5. Representation of children
Introduction
5.1. The call for views sought evidence on how the current opt-in system of redress operated with respect to children, including what support and advice was available to help them make complaints directly or ask non-profit organisations to act on their behalf. It sought views on the merits of permitting children’s rights organisations to bring claims on behalf of children in the same way as relevant non-profit organisations are able to currently. It also asked for views on whether non-profit organisations or children’s rights organisations should be able to represent children when complaining to the ICO or bringing legal proceedings without a child’s authorisation.
Operation of the current law
5.2. Most children’s rights groups and privacy organisations that responded to the call for views were not surprised that there had been so few complaints made to the ICO or legal claims brought by representative bodies on behalf of children. They said the current legislative framework relies on children having the ability to understand that their data rights have been breached, the motivation to take action, the time and resources to pursue a claim against some very large companies, and then to assert their rights first to the ICO and ultimately the courts. The majority agreed that this would be difficult for an adult and almost impossible for a child or young person. Some referred to academic evidence [footnote 16] which showed that while children frequently engage with apps and online services and have some awareness of online harms and privacy issues, they lacked a deeper understanding of how data is recorded, tracked, aggregated, analysed and monetised.
5.3. Many respondents thought that children would not know how to enforce their rights, even if they wanted to, and suggested that many are unlikely to have heard about the ICO or of non-profit organisations which could act on their behalf. This view was supported by responses from children to DCMS’s survey (see below). Some noted there does not appear to be any support or advice easily accessible to adults or children concerning the ability of a non-profit organisation to bring enforcement proceedings on their behalf under the DPA 2018.
5.4. Some said that infringements involving sensitive data about children’s protected characteristics, such as their mental health, may deter them from taking action. Others pointed to more general issues in relation to access to justice. They felt that the justice system was not child-friendly and mentioned barriers to court action around access to legal aid for children and parents. Although making data protection complaints to the ICO is, in theory, more straightforward for children and parents, some felt that the ICO was not sufficiently pursuing cases or providing clear enough outcomes for cases to be taken to the courts and tribunals.
The merits of introducing an opt-out model
5.5. Most children’s rights groups who responded to the review were in favour of adopting the opt-out representative action mechanism and allowing non-profit organisations to act on behalf of children without authorisation. Some referred to recital 38 of the UK GDPR which recognises that children merit specific protection with regard to their personal data, as they may be less aware of the risks and their rights in relation to the processing of their data. They said implementation of Article 80(2) of the UK GDPR would support organisations to raise systemic compliance failures which impinge upon children’s data rights and potentially protect them from real world harms, such as identity theft, online grooming, data profiling and micro-targeting. It was argued that the complexity, opacity and insidiousness of these types of infringements means that most children will not recognise that they have been injured by their exposure and, even if they do, they are unlikely to recognise the actual or potential seriousness of such injury.
5.6. Not all respondents were in agreement, however. One parent’s group expressed concern that opening the door to opt-out representative action may endanger the child’s (and the parent’s) right to consent. They felt that it was important that children should consent to action to be taken on their behalf - and if they did not have the capacity to consent, there were legal routes available for a guardian or a legal representative to consent on their behalf instead. They suggested the focus should be on educating parents and children about data rights in order to empower them to take action themselves, whether directly or through organisations. Some organisations felt that the government should take more of a role in improving data literacy, for instance, by improving education in schools.
5.7. These arguments were countered, however, by respondents working with society’s most vulnerable children and young people within the care and youth detention systems who do not have engaged parents or guardians championing their rights and for whom the opt-out mechanism could offer access to justice. Some said that, even if data literacy were improved, its effects would be over the medium- to long-term. The onus would remain on children, and younger and more vulnerable children would still struggle to enforce their rights under the existing regime. Others suggested that actions brought by non-profit organisations without the consent of individuals could contain a clear mechanism for parents or children to opt out if they did not want to form part of the claim. They referred to opt-out proceedings in competition law that are based on a similar model.
Views on whether children’s rights groups should be able to represent children (in addition to non-profit organisations) on an opt-in or opt-out basis
5.8. Several respondents (including children’s rights organisations, consumer rights organisations, children, claimant law firms and academics) thought that children’s rights organisations should be able to represent children in complaints to the ICO or the courts on an opt-in or opt-out basis, if they had the required expertise. One research organisation suggested they should only be allowed to perform such a role if they met the litigation friend criteria defined by section 21 of Mental Capacity Act (MCA) 2005. Trade associations felt that children’s organisations should only be able to represent children under existing opt-in rules.
5.9. One children’s rights organisation mentioned that some children’s charities would not have the resources to bring multiple complaints from children to the ICO or courts on an individual basis under Article 80(1) of the UK GDPR but, if Article 80(2) were implemented, they could bring a smaller number of complaints about systemic issues potentially affecting large numbers of children. Another suggested that under any new opt-out model, there could be a designation framework, similar to the one which exists under the super-complaint mechanisms in the Enterprise Act 2002, so that only a select group of children’s organisations could make complaints to the regulator.
5.10. On the other hand, some of the privacy groups did not believe that the current requirements for representative bodies (i.e they must be non-profit, have objectives in the public interest and have expertise in data protection law) precluded children’s rights organisations from representing children. They cautioned against widening the definition to permit organisations with no or little data protection knowledge to bring claims. Some trade associations queried whether children’s groups would have the required expertise and others worried that such proceedings could provide a platform for campaign groups to use court cases to further campaign goals without bringing direct benefits for children.
Views of children
5.11. Section 189(5) DPA 2018 listed children amongst those people and organisations that should be consulted. As the issues raised in the call for views document were complex, DCMS worked with youth groups in London and Manchester to design some questions that would be more accessible to children.
Children and young people questionnaire
5.12. Nineteen young people aged 10-21 answered the questionnaire, which included questions aimed at gauging their awareness of data protection and privacy issues generally, their knowledge of the ICO and non-profit organisations and their views on whether children’s rights organisations should be able to take action on children’s and young people’s behalf, whether with or without authorisation.
5.13. Key findings from the questionnaire (available at Annex C) were:
- The majority (15) spent more than 3 hours per day using the internet
- They had a good awareness of data protection in some areas - most (13) used privacy settings and (11) took notice of cookie warnings.
- In other areas, awareness was not as strong. Most (9) lacked awareness of how companies like advertisers might use their personal data and (12) had not heard of the ICO.
- 9 young people said they would complain to website providers or others about how their information had been handled, but 14 considered there was a lack of support and advice to help them complain.
- There was strong support for children’s rights organisations to take action on children’s and young people’s behalf, on a mandated basis (16). The majority, albeit with fewer (12), also supported such action on a non-mandated basis.
Involved stories survey of children and young people
5.14. DCMS also used the government’s new online tool Involved, which aims to involve young people in policy making by using polls and stories to hear views of 13 to 25-year-olds on Instagram. The questions asked are listed at Annex D.
5.15. Key findings from Involved were:
- Out of 95 respondents, 33 had heard of the ICO; 62 had not.
- Out of 85 respondents, 81 thought that the NSPCC and other charities or bodies should be able to complain to government and social media companies on their behalf; 4 thought they should not.
- Out of 85 respondents, 63 thought that charities should be able to make complaints of data breaches without young people’s consent; 22 thought they should not.
5.16. Given sample sizes, the above evidence is not sufficient to draw robust inferences. The responses to these surveys of children and young adults do, however, align with many responses received from other stakeholders - particularly in terms of there being a lack of awareness amongst these age groups about both how data is being used and redress mechanisms for the misuse of their personal data.
6. The government’s response
Improving existing opt-in mechanisms of redress
6.1. The government has considered the different views about the reasons for the low uptake of the opt-in provisions under Article 80(1) of the UK GDPR. It has noted the views from privacy groups, consumer groups and children’s rights organisations that this might be because many people have limited awareness of either their rights and the remedies available when their data is misused or the ICO and non-profit organisations that could assist them in bringing complaints and potentially taking action in the courts. On the other hand, it has also noted views from business groups that the ICO is dealing with more complaints from individuals than ever before, and some people might complain to businesses or sectoral oversight bodies instead of contacting the ICO or appointing representative bodies to take action on their behalf.
6.2. There is conflicting evidence about people’s level of awareness of the ICO and it’s activities. While the EU survey referred to by respondents in chapter 3 appears to confirm a limited level of understanding [footnote 17], the ICO’s annual Trust and Confidence Survey in 2020 (comprising 2,150 online interviews of UK adults) showed that, when prompted, two thirds (66%) of those aware of the ICO were aware that it is the regulator for data protection in the UK [footnote 18]. The same survey found that nearly seven in ten (69%) adults believe that the “regulator is there to act for the interests of the public”, and three in five (60%) agree that the “regulator can successfully enforce data protection through the courts.” There is also evidence to suggest that the ICO receives more complaints directly from individuals than it did before the UK GDPR came into force [footnote 19] and in higher volumes than most other European regulators [footnote 20]. This could reflect the publicity generated by commencement of the UK GDPR, high profile enforcement action by the ICO in relation to cases such as Facebook and Cambridge Analytica and ongoing work by ICO to raise awareness of data protection issues through campaigns such as Your Data Matters [footnote 21].
6.3. The government acknowledges there are some gaps in the evidence base, however. The ICO’s response confirmed it had received fewer than 100 complaints from civil society groups since the GDPR came into force but it is unclear what percentage of these complaints were made by organisations acting on behalf of named individuals under Article 80(1) of the GDPR. Meanwhile, respondents to the call for views were not aware of any representative actions brought in the courts or tribunals under Article 80(1).
6.4. Having considered the available evidence, the government is sympathetic to the views of respondents who said there should be clearer information to help people of all ages understand existing complaint procedures and redress mechanisms. It was struck by findings in the ICO’s Trust and Confidence Survey that “there is substantial appetite to exercise data protection rights, but there is often uncertainty around how to do this.” [footnote 22] It agrees that more could be done to increase awareness, so that people have the confidence to complain when data controllers get it wrong. The government will work with the ICO and other interested parties to consider ways to improve people’s understanding about seeking redress, including the potential role of non-profit organisations to act on their behalf. Several respondents to the call for views suggested there should be a list or register of relevant non-profit organisations on the government or ICO’s website. The government will work with the ICO, non-profit organisations and other interested parties to explore the feasibility of this.
6.5. Improvements to the information that is available to children about redress mechanisms would build on government initiatives to increase digital literacy [footnote 23] and tackle online harms [footnote 24]. The Online Harms White Paper sets out the government’s intention to develop an online media literacy strategy. This strategy will be published in Spring 2021 and will ensure a coordinated and strategic approach to online media literacy education and awareness for children, young people and adults. It will complement existing initiatives, including work by the Department for Education to ensure that schools are equipped to teach online safety and digital literacy [footnote 25]. The strategy will aim to support citizens as users in managing their privacy settings and their online footprint, thinking critically about content they come across online, and how the terms of service and moderating processes can be used to report harmful content.
6.6. The government will work with the ICO to address the evidence gaps highlighted above and monitor the impact that awareness-raising activities have on the volume of complaints made by representative bodies to the ICO and the courts and tribunals. It recognises that increasing awareness of complaint and redress mechanisms could increase the volume of complaints. The government will continue to work with the ICO, the Ministry of Justice and the courts to ensure that any increase in caseload is manageable.
The role of children’s rights organisations in opt-in proceedings
6.7. The government has considered the views of respondents about whether children’s rights organisations should be permitted to represent children who authorise them to bring complaints to the ICO or take action in court. The government noted there was some support for this across the different interest groups, providing such organisations had the necessary skills in data protection. However, it also noted the views of privacy groups that this should already be possible under the current law if children’s organisations meet the definition of relevant non-profit-organisations. The government agrees with that analysis and, as part of the awareness-raising activities described above, will work with the ICO to make the current position clearer.
6.8. The government acknowledges the views of children’s rights organisations that some children’s charities may not have the resources to bring multiple claims on behalf of children individually on an opt-in basis, even if they have expertise in data protection matters. Improving information on the ICO’s website about which organisations can represent children when authorised to do so may allow organisations to work together to identify which body is best placed to take a complaint or claim forward.
The merits of implementing Article 80(2) of the UK GDPR
6.9. The government has considered the arguments for and against implementing Article 80(2) of the UK GDPR which would permit non-profit organisations to represent individuals without their authority. The current regime already offers strong protections for individuals, including vulnerable groups and children, and routes for redress. In the government’s view, there is insufficient evidence of systemic failings in the current regime to warrant new opt-out proceedings in the courts for infringements of data protection legislation, or to conclude that any consequent benefits for data subjects would outweigh the potential impacts on businesses and other organisations, the ICO and the judicial system.
6.10. The government recognises that children’s rights organisations and privacy groups feel strongly that opt-out proceedings would give children and other vulnerable groups who cannot easily represent themselves greater protection. However, the proposed improvements to the opt-in mechanisms, outlined above, combined with ongoing regulatory activity by the ICO to protect the data rights of citizens, including vulnerable people, will continue to offer robust protections without the need for new legislation.
6.11. As set out in its Regulatory Action Policy, the ICO aims to “respond swiftly and effectively to breaches of legislation which fall within the ICO’s remit, focussing on (i) those involving highly sensitive information, (ii) those adversely affecting large groups of individuals, and/or (iii) those impacting vulnerable individuals” [footnote 26]. The government believes the ICO is best placed and actively working to identify, assess and, where appropriate, take action to tackle systemic risks to individuals’ privacy and breaches of the data protection regime. Furthermore the ICO has confirmed that is the case, irrespective of whether complaints are made by organisations acting with the authority of named individuals. Indeed, the ICO’s investigations into mobile phone extraction [footnote 27], victims’ data [footnote 28], gangs’ intelligence [footnote 29] and live facial recognition were prompted by concerns raised by non-profit organisations who were not acting on the express instructions of individuals. The latter led to the Commissioner issuing an Opinion [footnote 30] about how the ICO regulates the processing of personal data when live facial recognition is deployed by law enforcement in public spaces.
6.12. The ICO has also been engaging extensively with children’s representative groups and data controllers during development of the Age-Appropriate Design Code [footnote 31] and has invited applications to its regulatory sandbox [footnote 32] from innovators that put children’s privacy issues and compliance with this code at the heart of their operations. Protecting the data of vulnerable people was also a feature of ICO’s guidance on Artificial Intelligence [footnote 33] and in its ongoing work with supermarkets, utility companies, government departments and local government during the Covid-19 crisis.
6.13. While some respondents expressed frustration about the perceived lack of regulatory activity in areas such as adtech, others have pointed to enforcement against Marriott, British Airways and some credit reference agencies as evidence that the ICO can - and does - take action on complaints when serious issues are raised. The ICO is equipped with a powerful set of enforcement tools; it can, for example, conduct compulsory audits through the use of assessment notices, issue enforcement notices, and impose fines of up to 4 percent of an organisation’s global turnover for serious cases of non-compliance. The government recognises that ICO cannot award compensation to data subjects, but its array of enforcement tools should be sufficient to respond swiftly and effectively to breaches of the legislation.
6.14. There is no clear evidence that the ICO is not fulfilling its regulatory mandate with respect to supervision and enforcement against data breaches or other privacy risks with the resources available to it. The government considers that the ICO should be given space to regulate and Parliament should continue to hold it to account if it considers that the risk-based approach set out in its Regulatory Action Policy is not being implemented effectively.
6.15. The current legislation also provides individuals or representative bodies acting with the data subject’s authority an avenue to challenge the ICO’s handling of a complaint, for example, via an application to the Tribunal for an order against the ICO to progress a complaint. While the government notes that some respondents were sceptical about the efficacy of these provisions, limited evidence was provided as to why they are too weak.
6.16. Moving to a system of opt-out proceedings in the courts for infringements of data protection legislation would be a significant step. Although the government notes that opt-out proceedings are currently possible in competition law, it would need to be confident that such a change was right in the context of data protection law. Whilst the government acknowledges the views of respondents who said opt-out proceedings could be designed carefully to limit the risk of unmeritorious claims, it remains wary of the risk of unintended consequences. The government notes the views of business groups who say that new legislation could increase litigation costs and insurance premiums during a period of economic uncertainty. Changes in the level of risk and a hardening in the insurance market could affect all data controllers, including those with a good record of compliance.
6.17. Finally, the government is mindful of developments in the LLoyd v Google case which is due to be heard in the Supreme Court, in early 2021. Although cases brought under the civil procedure rules are different from claims brought under Article 80(2) of the UK GDPR because they rely on an affected individual to act as the lead claimant when representing the interests of others, they demonstrate the potential for a form of representative action to succeed under the existing Rules. The government will continue to monitor developments in this area closely.
Annex A: List of respondents
Cameron McKenna Nabarro Olswang LLP (CMS)
Mishcon de Reya LLP
UK Finance
Hausfeld & Co LLP
Coalition for a Digital Economy (Coadec)
U.S. Chamber Institute for Legal Reform
Confederation of British Industry (CBI)
Horizon Digital Economy Research Institute, University of Nottingham
Association of British Insurers (ABI)
Data Protection Foundation
TechUK
Bryan Cave Leighton Paisner LLP (BCLP)
Internet Association
Equifax
British Retail Consortium (BRC)
The Centre for Information Policy Leadership (CIPL)
Credit Services Association (CSA)
Open Rights Group
Carnegie UK Trust
Privacy International
Which?
Experian
5Rights Foundation
Stewarts
The National Society for the Prevention of Cruelty to Children (NSPCC)
News Media Association (NMA)
Data Marketing Association (DMA)
Youth Reality Homes
Wipers
Youth Leads UK
Youth Focus North West (Youth Combined Authority)
Annex B: List of questions
Call for Views, Chapter 2: Consultation Questions
The following questions appeared in Chapter 2 of the Call for Views and addressed the operation of the existing representative action provisions.
Some questions (5-8) were aimed specifically at non-profit organisations who have acted on behalf of individuals.
Question 9 was aimed specifically at individuals who have asked non-profit organisations to act on their behalf.
Questions 10 - 11 are intended to specifically address the views and concerns of business, industry bodies and other organisations.
Question 1. Are you responding to this consultation as:
a) An individual
b) A private sector business/organisation
c) A public sector organisation
d) A third sector organisation, (e.g. charity, social enterprise)
e) Other (e.g. informal group, other organisation)
Question 2. What is your view on the uptake and operation of representative action provisions to date and what can be done to improve it? Please provide any relevant data and, where possible, make clear its source. For adults and children respectively, please explain what advice and support is currently available in relation to these provisions.
Question 3. What, if any, impact might these representative action provisions have had on people who identify with the protected characteristics under the Equality Act 2010 (i.e. age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation)? Please explain.
Question 4. Do you think children’s rights organisations should be permitted to bring claims on behalf of children in the same way as relevant non-profit organisations are able to currently? Please explain
Questions for non-profit organisations who have represented individuals
Question 5. Do you offer a service to act on behalf of individuals to make a complaint to the ICO or represent them in courts with respect to breaches of data protection legislation? What challenges did you face in doing so?
Question 6. Have you or your organisation complained to the ICO or brought legal proceedings on behalf of children using the representative action provisions? If yes, please briefly explain the nature of the data breach and what action you took.
Question 7. What are the most significant differences between the needs of children and the needs of adults in this context, and what particular challenges do children face? Please explain your answer, including whether and how the different needs of children at different stages of development affect your answer.
Question 8. For adults and children respectively, what, if any, further support should be made available to ensure these complaints or redress mechanisms are exercised properly and effectively? Please explain whether and how the different needs of children at development stages of development affects your view.
Questions for individuals who have been represented by non-profit organisations
Question 9. Have you ever asked a non-profit organisation to act on your behalf in any of the ways described in Chapter 2? What challenges did you face? Please briefly describe what action you asked to be undertaken and why you sought a non-profit organisation to act on your behalf.
Questions for business, industry bodies and other organisations
Question 10. What, if any, impacts might the provisions discussed in Chapter 2 have had on data controllers which might be the subject of a complaint or legal claim, particularly businesses, including any increase to compliance and other costs, or risks? Please explain.
Question 11. What, if any, impacts might the current provisions have had on the ICO and the judicial system and their capacity to handle claims? What, if any, measures might help to manage pressures?
Question 12. Do you think the data protection legislation should be changed to allow non-profit organisations to act on behalf of individuals who have not given express authorisation? Please explain whether and why to permit such action in relation to the exercise of some or all of a data subject’s rights.
Call for Views, Chapter 3: Consultation Questions
The following questions appeared in Chapter 3 of the Call for Views and addressed the possibility of representative action without the authority of individuals. Each question should be considered in relation to both adults and children respectively.
Respondents were asked to consider the particular needs of children, including the challenges that children of different ages may face in authorising or deciding whether to authorise other persons to act on their behalf, and what support they receive or may require.
Question 13. Should a children’s rights organisation be permitted to exercise some or all of a data subject’s rights on behalf of a child, with or without being authorised to do so? Please explain.
Question 14. What, if any, impact might allowing non-profit organisations to act on behalf of individuals who have not authorised them to do so have an impact on people who identify with the protected characteristics under the Equality Act 2010 (i.e. age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation)? Please explain.
Question 15. What safeguards, if any, should operate to avoid the speculative or vexatious use of any new powers for non-profit organisations to act without the consent of individuals and avoid a disproportionate administrative burden on either the regulatory or courts systems?
Question 16. What conditions, limitations or safeguards should apply if non-profit organisations act on behalf of individuals who have not authorised them to do so? For example, should individuals be given the right to object to a non-profit organisation taking action on their behalf without their consent? Please explain.
Question 17. If the new provisions discussed in this chapter were adopted, what impacts do you anticipate on data controllers which might be the subject of a complaint or legal claim, particularly businesses, including any increased costs or risks?
Question 18. If the new provisions discussed in this chapter were adopted, what are the likely impacts on the ICO or the judicial system, which will be required to consider representations made by non-profit organisations? What is their capacity to handle new claims brought under any new provisions, and how might the design of any new provisions help to manage pressures?
Question 19. What are the alternative means or mechanisms by which non-profit organisations are currently able to bring complaints to the ICO or to court using existing Civil Procedure Rules? Please provide any evidence of their use or operation to date.
Question 20. In what ways would the potential measures outlined in Chapter 3 either complement or duplicate these alternative mechanisms?
Annex C: Children and young people questionnaire
Data protection rights
The Department of Digital, Culture, Media and Sport (DCMS) is a government department. Part of its work involves looking after the rules about people’s personal and private information, which we call ‘personal data’. We help ensure that people’s personal data, such as their names, where they live and information about their health can be kept safe. It is really important that organisations look after people’s personal data. We want to understand if people know how to put things right if organisations aren’t treating personal data in the best way possible. By answering the following questions you will help us decide whether there is more we could do to help keep people’s personal data safe. You do not have to give your name and all information provided will be treated in confidence.
Question 1. What age group do you belong to?
o Age: 10-12 (1)
o Age: 13-15 (2)
o Age: 16-18 (3)
o Age: 18-21+ (4)
Question 2. Roughly, how long do you spend in a day on the internet or use apps or play games online?
o Less than an hour (1)
o 2-3 hours (2)
o More than 3 hours (3)
Question 3. Privacy settings are controls available on many social networking and other websites that allow users to choose who can and can’t see their profile and what information visitors can see. Do you make use of privacy settings?
o Yes (1)
o No (2)
Question 4. A cookie is a text file that is downloaded onto your device when you visit a website. Amongst other things, cookies record your user activity and preferences to tailor your internet experience. Do you take notice of cookie warnings?
o Yes (1)
o No (2)
Question 5. Do you know how information about you might be used by companies such as advertisers?
o Yes (1)
o No (2)
Question 6. Have you ever been surprised or concerned about the way your information has been used or about advertising material you have received?
o Yes (1)
o No (2)
Question 7. Would you ever complain to the company which runs the website, or to anyone else?
o Yes (1)
o No (2)
Question 8. Do you think there is enough support and advice to help you understand what to do?
o Yes (1)
o No (2)
Question 9. Have you ever heard of the Information Commissioner’s Office (or ICO) (the organisation which enforces the law on privacy?)
o Yes (1)
o No (2)
Question 10. We are considering whether charities which promote and support children’s rights should be allowed to make a complaint on behalf of a young person, or lots of young people, who have asked them to complain. Do you think charities like NSPCC should be able to complain on behalf of young people who ask them to?
o Yes (1)
o No (2)
Question 11. We are also considering whether children’s charities should be allowed to make a complaint on behalf of a young person, or lots of young people, who have not asked them to. Do you think charities should be able to make complaints on behalf of children who haven’t asked them for help (e.g. when they think a company is using children’s data in a way that isn’t right)?
o Yes (1)
o No (2)
Annex D: Involved stories survey of children and young people
Engagement topic Young People’s Data
Method: Involved stories
Question 1: Have you heard of the Information Commissioner’s Office (ICO)?
Question 2: What do you think the ICO does?
- Regulates what data is collected and for what purpose
- Protect people’s data
- Regulates information Access, Storage, Destruction
- Gives information to the public?
- Controls information
- You can complain to them
- In charge of data breaches and gives out fines
- Protect citizens and businesses against data breaches
- Controls information we receive from Govt
Question 3: Should young people be able to ask the NSPCC to complain to government / social media companies on their behalf?
Question 4: Should charities be able to make complaints of data breaches to government / social media companies without young people’s consent?
-
A relevant non-profit organisation is defined in section 187(3) and (4) of the Data Protection Act 2018 as one that applies the whole of its income and any capital it expends for charitable or public purposes; is prohibited from directly or indirectly distributing amongst its members any part of its assets; has objectives which are in the public interest; and is active in the field of data protection. ↩
-
https://ico.org.uk/media/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services-2-1.pdf ↩
-
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/946117/20201102_-_GDPR_-__MASTER__Keeling_Schedule__with_changes_highlighted__V3.pdf ↩
-
See footnote 1 ↩
-
https://www.accessnow.org/cms/assets/uploads/2019/06/One-Year-Under-GDPR.pdf ↩
-
https://www.justice.gov.uk/courts/procedure-rules/civil/rules/part19#III ↩
-
Lloyd v Google LLC [2019] EWCA Civ 1599 ↩
-
If the losing party is a representative body, that body would be liable to pay costs rather than all of the members of the class of persons covered by the action. ↩
-
https://www.openrightsgroup.org/press-releases/privacy-organisation-open-rights-group-taking-the-privacy-regulator-ico-to-court-in-a-landmark-case ↩
-
https://fra.europa.eu/sites/default/files/fra_uploads/fra-2020-fundamental-rights-survey-data-protection-privacy_en.pdf ↩
-
Privacy International https://privacyinternational.org/campaigns/your-mental-health-sale ↩
-
https://ico.org.uk/about-the-ico/what-we-do/our-work-on-adtech/ ↩
-
30th October 2020 ICO fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure. ↩
-
On 16th October 2020 ICO fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers. ↩
-
https://www.lse.ac.uk/media-and-communications/research/research-projects/childprivacyonline ↩
-
https://fra.europa.eu/sites/default/files/fra_uploads/fra-2020-fundamental-rights-survey-data-protection-privacy_en.pdf ↩
-
https://ico.org.uk/media/about-the-ico/documents/2618178/ico-trust-and-confidence-report-2020.pdf ↩
-
The ICO received 41,661 complaints in 2018/19 and 39,860 in 2019/20. This compares with 21,019 in 2017/18, ↩
-
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_contributiongdprevaluation_20200218.pdf ↩
-
https://ico.org.uk/media/about-the-ico/documents/2618178/ico-trust-and-confidence-report-2020.pdf ↩
-
See chapter 5.2.1 of the National Data Strategy and Part 2 of the UK DIgital Strategy: https://www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy https://www.gov.uk/government/publications/uk-digital-strategy/2-digital-skills-and-inclusion-giving-everyone-access-to-the-digital-skills-they-need ↩
-
See the Online Harms White Paper https://www.gov.uk/government/consultations/online-harms-white-paper ↩
-
Since September 2020, statutory guidance for schools says pupils should be taught the rules and principles for keeping safe online and have a strong understanding of how data is generated, collected and shared: https://www.gov.uk/government/publications/education-for-a-connected-world ↩
-
https://ico.org.uk/media/about-the-ico/documents/2259467/regulatory-action-policy.pdf ↩
-
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/06/ico-releases-findings-on-the-use-of-mobile-phone-extraction-by-police-forces/ ↩
-
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/12/access-to-serious-sexual-crime-victims-personal-information-how-much-is-too-much/ ↩
-
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/11/ico-finds-metropolitan-police-service-s-gangs-matrix-breached-data-protection-laws/ ↩
-
https://ico.org.uk/media/about-the-ico/documents/2616184/live-frt-law-enforcement-opinion-20191031.pdf ↩
-
ICO, Age Appropriate Design Code ↩
-
https://ico.org.uk/media/2618112/our-key-areas-of-focus-for-regulatory-sandbox.pdf ↩
-
ICO, Guidance on AI and data protection ↩