ORG Guide and lessons learnt report on our experience with representative actions under article 80(1) of the UK GDPR

This report is about Open Rights Group's (ORG) experience with representative actions under article 80(1) of the UK GDPR and Section 187 of the Data Protection Act 2018 (DPA). It is meant to help other organisations consider representative actions to challenge infringements of data protection laws.

As technology advances, more and more decisions affecting our rights, welfare or expectations are mediated by digital, data-driven systems. Employers use data to raise or reduce salaries, and to hire or fire workers. Online platforms use data to favour or discriminate against their customers. Advertisers, banks, insurance companies, landlords, and even law enforcement authorities use personal data to make decisions that may include, exclude, favour, or disfavour individuals.

Data protection laws are meant to protect individuals from unfair, adversarial or otherwise detrimental uses of their data. The UK General Data Protection Regulation provides:

Obligations to use personal data in a legal, fair, transparent, and respectful manner;

Rights for individuals, and remedies against abuses;

Powers for the Information Commissioner’s Office to oversee and enforce data protection laws.

The UK GDPR also provides a new right for public interest organisations to represent individuals. In other words, not-for-profit bodies can represent victims of data protection infringements before the ICO or Courts.

This report is a reflection of our experience. ORG attempted to commence representative action before the ICO as part of our Data and Democracy project, which

