Background
In the month before the UK general election of 4 July 2024, the Good Law Project Limited (“GLP”) made available an online tool that allowed members of the public to send data subject access requests (“DSARs”) and cessation notices to the five major political parties. Some 1,746 individuals used the tool to send such notices to Reform UK Party Limited (“Reform”). The notices, dispatched between 5 June and 4 July 2024, requested confirmation of what personal data Reform held, access to that data, and cessation of any processing — all rights conferred by Articles 12, 15, 18, and 21 of the UK General Data Protection Regulation (“UK GDPR”) as supplemented by the Data Protection Act 2018 (“DPA 2018”).
Reform failed to respond within the one-month statutory deadline. Following a pre-action letter from GLP in October 2024, Reform sent a brief bulk email (blind-copying recipients) stating that it had found “no record” of the individuals in its systems other than the requests themselves, and alluding to an electoral-roll mailing exempt from subject access. GLP considered that response substantively deficient. Having received no reply to two further letters, GLP issued proceedings on 28 March 2025 as a “representative body” mandated by 51 named individuals (“the Relevant Individuals”) under Article 80(1) of the UK GDPR and section 187 of the DPA 2018, seeking both a compliance order and compensation for non-material damage including concern, worry, and distress.
Reform applied on 30 June 2025 to strike out the claim under CPR r 3.4(2)(a) and (b) — arguing no reasonable grounds and abuse of process — and, in the alternative, for summary judgment under CPR r 24.2. Reform’s threshold argument was that GLP lacked standing to act as a representative body at all, because GLP’s constitution did not satisfy the three cumulative conditions in section 187(3) of the DPA 2018 or the activity condition in section 187(4).
The Court’s Holding
Mr Justice Murray dismissed Reform’s application. On the standing question, the court accepted GLP’s submissions that its Articles of Association provided a reasonable basis for arguing that all income and capital must be applied to GLP’s objects, that those objects fall within the broad definition of “charitable or public purposes,” and that they are in the public interest — thus satisfying the three-part condition in section 187(3). The court rejected Reform’s contention that the specific exceptions permitting ordinary operational payments in GLP’s articles were “irreconcilable” with those conditions, finding them to be reasonable and narrow provisions necessary for GLP to function as a corporate body in pursuit of its stated objects.
The court further accepted that GLP had a reasonable prospect of establishing at trial that it is active in the field of data protection within the meaning of section 187(4), noting that section 187 does not require data protection to be named as a specific constitutional object of the representative body. The court applied the well-established test from Easyair Ltd v Opal Telecom Ltd [2009] EWHC 339 (Ch) and confirmed that a “realistic” — as opposed to “fanciful” — prospect of success is sufficient to defeat a summary judgment application, and that strike-out under CPR r 3.4(2)(a) requires a claim to be unwinnable or bound to fail as a matter of law, a bar not met here.
The court also underscored that neither a strike-out hearing nor a summary judgment application is an occasion for a “mini-trial” or a “minute and protracted examination” of documents and facts, confirming that the substantive questions — including what personal data Reform actually held about the Relevant Individuals and whether its responses were compliant — are properly matters for trial.
Key Takeaways
- A company limited by guarantee pursuing public-interest law can qualify as a UK GDPR “representative body” under Article 80 and section 187 of the DPA 2018 without being constituted as a charity or community interest company, provided its constitution and activities satisfy the statutory conditions.
- A political party that is a registered data controller must comply with DSARs within the one-month deadline under Article 12(3) of the UK GDPR; a brief bulk email asserting that no records exist, sent months late, is potentially an inadequate response and may ground a representative compensation claim.
- To defeat a strike-out under CPR r 3.4(2)(a), the defendant must show the claim is bound to fail as a matter of law — a higher bar than the “no real prospect of success” standard applicable to summary judgment under CPR r 24.2.
- Non-material damage, including distress, concern, and uncertainty caused by a controller’s failure to respond to DSARs, is cognisable under Article 82 of the UK GDPR and may be pursued through a representative action on behalf of mandating data subjects.
Why It Matters
This decision is a significant green light for UK GDPR representative litigation brought by campaign-oriented bodies against political parties. By rejecting Reform’s standing challenge at the threshold, the court confirms that a well-constituted non-profit advocacy organisation with a demonstrated data-protection practice can aggregate individual DSAR complaints and pursue them collectively in court — a model that could be replicated across other sectors where controllers routinely under-respond to access requests.
For political parties and other controllers, the judgment is a reminder that the UK GDPR’s enforcement architecture includes not only regulatory action by the Information Commissioner but also private litigation, potentially at scale, when DSARs go unanswered or are answered deficiently. The court’s willingness to let the claim proceed to trial on both the compliance and compensation heads signals that bulk DSAR non-compliance carries real litigation risk, particularly in the politically charged period before an election.