In het nieuws

Government sidestep: Privacy and access to justice left in the hands of Supreme Court

op 22 februari 2021

Government sidestep: Privacy and access to justice left in the hands of Supreme Court


Share on facebook
Share on linkedin
Share on twitter

Dr. Rebecca Rumbul, class representative of the case filed by The Privacy Collective in England and Wales and Head of Research at MySociety, weighs in on the UK Government’s recent review of the GDPR provisions and how they relate to cases such as Richard Lloyd vs Google and our action against Salesforce and Oracle. 

The wheels of the legal system tend to turn rather slowly. After filing The Privacy Collective’s claim against Oracle and Salesforce with the High Court last autumn, we are now waiting on a landmark decision at the Supreme Court in another, related case, to enable us to proceed...

Dr Rebecca Rumbul

Lloyd v Google is a similar representative action case led by Richard Lloyd, concerning the loss of control of personal data. One of the points of law to be ruled on by the Supreme Court in that case directly affects the legal arguments we have put forward. As such, we are waiting with interest for that case to be heard in April, and for a ruling to be provided. The ruling is likely to take several months, so we may not be able to move forward until the second half of 2021.

In the meantime, other developments are giving us cause for optimism that our case is not only legally sound, but that our wider arguments about the harms of data-hoovering cookies are gaining traction.

The UK government recently reviewed the provisions on the representation of data subjects in the UK’s data protection legislation (the UK GDPR). Briefly, Article 80 of the UK GDPR is one of the new provisions on redress. It is made up of two subsections. Article 80(1) permits an individual to authorise a relevant not-for-profit body to exercise certain rights on his or her behalf (such as lodge a complaint with the ICO or bring legal proceedings). This includes proceedings in the courts or proceedings against data controllers in order to seek a compliance or compensation order. Article 80(2) of the UK GDPR permits the Secretary of State to make regulations allowing a non-profit organisation to represent data subjects in a similar way to Article 80(1) of the UK GDPR but without the data subject’s consent. This second subsection, 80(2) was one of the focal points of the review, and a decision was to be taken by the UK government following review and consultation, on whether to implement it. The government has decided against this.

While this does not affect our legal case against Oracle and Salesforce, the government’s response to the review cites the class-action type claims being brought by Richard Lloyd and by us at The Privacy Collective, as routes it considers to have ‘potential’.

The response states:

Finally, the government is mindful of developments in the Lloyd v Google case which is due to be heard in the Supreme Court, in early 2021. Although cases brought under the civil procedure rules are different from claims brought under Article 80(2) of the UK GDPR because they rely on an affected individual to act as the lead claimant when representing the interests of others, they demonstrate the potential for a form of representative action to succeed under the existing Rules. The government will continue to monitor developments in this area closely.

The opinion of the government is, of course, completely separate from judicial proceedings, however the fact that this legal route has not been cited as inappropriate or attracted the oft-claimed warning of ‘opening the floodgates to nuisance litigation’ corroborates our views.

Elsewhere, Google has indicated that it intends to move away from allowing third-party tracking cookies on its browsers in the future. This is a move similar to Apple, and on the surface, is a welcome shift in behaviour, in particular given the current exposure to third party cookies chrome users currently have. We will reserve judgement, however, until the full details become available. Rewriting the global rules on AdTech may reduce privacy violations in some ways, but it may also tighten Google’s already considerable grip on our shared online world. Saving us from myriad privacy violators is worth nothing if Google takes this opportunity to cancel our privacy unilaterally once it has vanquished the competition.

Exciting times are ahead. We are keeping abreast of all the news, and rooting for Richard Lloyd in the Supreme Court in April. In the meantime, keep following us on social media, or drop in to hear me talking about the case in more detail at the World Ethical Data Forum in March.

Steun onze zaak tegen Oracle en Salesforce.


Toon je support

Door je gegevens hier achter te laten steun je onze zaak tegen Oracle en Salesforce. We gebruiken je volledige naam en mailadres mogelijk om in de juridische procecure aan te tonen hoeveel mensen actief hun steun hebben gegeven aan The Privacy Collective.

Support form | home & popup

- Je steunt de zaak van The Privacy Collective tegen Oracle en Salesforce.

- Je maakt deel uit van de groep van benadeelden.

Je maakt deel uit van deze groep als je sinds 26 mei 2018 vanuit Nederland cookies geaccepteerd hebt van Oracle en/of Salesforce en op dit moment in Nederland woont. Deze cookies zijn aanwezig op populaire websites zoals,,,,,, en

- The Privacy Collective gebruikt jouw voor- en achternaam en emailadres om jouw steun aan te tonen in de procedure tegen Salesforce en Oracle en om contact met je op te nemen over het verloop van de procedure.

Waar mogelijk worden persoonsgegevens gepseudonimiseerd. Lees hier het volledige privacybeleid van TPC.

Door op 'Aanmelden' te klikken, bevestig je het bovenstaande.