On 23 February 2021 the UK government published a policy paper elaborating, among other things, its view on the introduction of an opt-out regime for data protection class actions, implementing Article 80(2) GDPR.[1] The paper was published after a consultation was held in 2020. According to the paper, there is insufficient evidence of systematic failings in the current regime to warrant new opt-out proceedings.

When the UK government implemented the GDPR, it chose not to implement Article 80(2) GDPR. This article permits the Member State to make regulations allowing a non-profit organisation to represent data subjects without the data subject’s express consent.

The UK government concluded it is still not willing to implement Article 80(2) GDPR and introduce new legislation. Although the UK government accepts that some groups might find it difficult to complain to the Information Commissioner’s or bring legal proceedings of their own accord, there is no strong evidence to suggest that the Information Commissioner’s Office cannot or will not investigate serious, singular breaches of the legislation or systemic failings across whole sectors. The Information Commissioner’s Office is UK’s independent authority set up to uphold information rights in the public interest.

The UK government is also sympathetic to the view that new legislation could increase uncertainty for data controllers and is mindful of the potential impact of new legislation on the workload of the Information Commissioner’s Office and the courts. The UK government is not convinced that any perceived benefits of new legislation would outweigh these risks.

[1] Department for Digital, Culture, Media & Sport, Policy paper UK Government response to Call for Views and Evidence – Review of Representative Action Provisions, Section 189 Data Protection Act 2018, 23 February 2021.