Government sidestep: Privacy and access to justice left in the hands of Supreme Court
Dr. Rebecca Rumbul, class representative of the case filed by The Privacy Collective in England and Wales and Head of Research at MySociety, weighs in on the UK Government’s recent review of the GDPR provisions and how they relate to cases such as Richard Lloyd vs Google and our action against Salesforce and Oracle.
The wheels of the legal system tend to turn rather slowly. After filing The Privacy Collective’s claim against Oracle and Salesforce with the High Court last autumn, we are now waiting on a landmark decision at the Supreme Court in another, related case, to enable us to proceed…
Lloyd v Google is a similar representative action case led by Richard Lloyd, concerning the loss of control of personal data. One of the points of law to be ruled on by the Supreme Court in that case directly affects the legal arguments we have put forward. As such, we are waiting with interest for that case to be heard in April, and for a ruling to be provided. The ruling is likely to take several months, so we may not be able to move forward until the second half of 2021.
In the meantime, other developments are giving us cause for optimism that our case is not only legally sound, but that our wider arguments about the harms of data-hoovering cookies are gaining traction.
The UK government recently reviewed the provisions on the representation of data subjects in the UK’s data protection legislation (the UK GDPR). Briefly, Article 80 of the UK GDPR is one of the new provisions on redress. It is made up of two subsections. Article 80(1) permits an individual to authorise a relevant not-for-profit body to exercise certain rights on his or her behalf (such as lodge a complaint with the ICO or bring legal proceedings). This includes proceedings in the courts or proceedings against data controllers in order to seek a compliance or compensation order. Article 80(2) of the UK GDPR permits the Secretary of State to make regulations allowing a non-profit organisation to represent data subjects in a similar way to Article 80(1) of the UK GDPR but without the data subject’s consent. This second subsection, 80(2) was one of the focal points of the review, and a decision was to be taken by the UK government following review and consultation, on whether to implement it. The government has decided against this.
While this does not affect our legal case against Oracle and Salesforce, the government’s response to the review cites the class-action type claims being brought by Richard Lloyd and by us at The Privacy Collective, as routes it considers to have ‘potential’.
The response states:
The opinion of the government is, of course, completely separate from judicial proceedings, however the fact that this legal route has not been cited as inappropriate or attracted the oft-claimed warning of ‘opening the floodgates to nuisance litigation’ corroborates our views.
Elsewhere, Google has indicated that it intends to move away from allowing third-party tracking cookies on its browsers in the future. This is a move similar to Apple, and on the surface, is a welcome shift in behaviour, in particular given the current exposure to third party cookies chrome users currently have. We will reserve judgement, however, until the full details become available. Rewriting the global rules on AdTech may reduce privacy violations in some ways, but it may also tighten Google’s already considerable grip on our shared online world. Saving us from myriad privacy violators is worth nothing if Google takes this opportunity to cancel our privacy unilaterally once it has vanquished the competition.
Exciting times are ahead. We are keeping abreast of all the news, and rooting for Richard Lloyd in the Supreme Court in April. In the meantime, keep following us on social media, or drop in to hear me talking about the case in more detail at the World Ethical Data Forum in March.