ICO to assist a private right of action
Attending last month’s Global Privacy Assembly (GPA) - “a kind of United Nations for Data Protection Authorities” in Bermuda – Laura Linkomies, Editor, and I heard the Data Protection Commissioners from every continent discuss their many roles. They included educators, influencers of public opinion, arbitrators, investigators, prosecutors, advisors, mediators, standards setters and enforcers.
But I did not hear any discussion on a private right of action provided by the EU GDPR and in some US states’ privacy laws. Conventional wisdom is that a person or organisation (such as noyb or BEUC – the European consumer organisation) may use a private right of action, either against a controller or processor to plug the gaps where Data Protection Authorities either do not have the resources, or do not have the priority, to enforce the law against organisations considered to have failed wholly or partly in their legal duties.
Some national data protection laws and the EU GDPR (Arts. 79 and 80) provide this additional enforcement mechanism which enables individuals, or organisations representing individuals, to claim compensation for material and in some cases immaterial damages, or challenge international agreements.
The most prominent case in the UK was Lloyd v Google which went as far as the Supreme Court (PL&B UK Report January 2022). On 10 November 2021, the court unanimously ruled in favour of Google in a landmark judgment against Richard Lloyd, a single claimant attempting to bring a representative action on behalf of a class of 4 million iPhone users. This claim related to Google’s alleged contravention of data protection law. The Court rejected Mr Lloyd’s claim, but it did not rule out the possibility of claimants bringing representative actions in future.
The most famous user of the private right of action is Max Schrems who established crowd funded noyb (Austria-based None Of Your Business) to exercise the private right of action where privacy laws enable such cases both at national level and in appeals to the Court of Justice of the European Union (CJEU). Such actions have led famously to the CJEU’s judgement that the EU-US Safe Harbor and EU-US Privacy Shield agreements were no longer a valid legal basis for transferring personal data to the US.
With this context in mind, in a GPA session - What can DPAs learn from other regulators? - I asked panel member Ulrich Kelber, Germany’s Federal Commissioner for Data Protection and Freedom of Information whether he supported the work of Max Schrems in representing individuals in court actions. Session chair, Claudia Berg, the ICO’s General Counsel, described it as the conference’s shortest answer after Kelber simply replied “Yes”.
It reminded me of a question which I put to Brad Smith, then Head of Legal and Vice-President, Microsoft, at the event in Brussels to mark the GDPR’s entry into force in May 2018. I asked him how he viewed Edward Snowden, accused of leaking US secrets on the Internet, compared with Max Schrems. He replied that Edward Snowden betrayed the trust that the government agency had placed in him while Max Schrems uses provisions in the law which he is entitled to use for the public good.
No company wants to be faced by a private right of action. But much less so if the claimant is supported by a Data Protection Authority. That is exactly what is happening now. The ICO has announced that it is assisting an individual in making a claim against Meta.(1) An ICO spokesperson said: "The Commissioner has chosen to intervene in these proceedings to assist the Court with the interpretation of part of the UK GDPR that was not previously considered.”
The ICO assists a private claim against a company in rare cases. The ICO informed me that the Commissioner “does not usually involve himself in litigation between private parties. However, these proceedings raise an important legal question which has significant practical importance to all data subjects whose rights the Commissioner is duty bound to uphold beyond the facts of this case.”
Most important, in its role as a whole economy regulator, and a supporter of innovation, should we now expect the ICO to intervene in future in similar cases which make sense in terms of the ICO’s regulatory priorities?
Publisher, Privacy Laws & Business