EWHC (UK) - KB-2025-001120

Summary

The High Court of Justice in the UK has refused to strike out a representative UK GDPR claim brought by Good Law Project Limited on behalf of 51 individuals against Reform UK Party Limited. The claim alleges Reform UK failed to substantively respond to Data Subject Access Requests (DSARs) and other data processing objections submitted before the 2024 general election. The court found that the representative body had a real prospect of establishing its standing under UK GDPR and DPA 2018, rejecting the argument that specific legal incorporation was required.

Full text

Help EWHC (UK) - KB-2025-001120: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 07:45, 24 June 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators96 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 07:45, 24 June 2026 EWHC (UK) - KB-2025-001120 Court: EWHC (UK) (Spain) Jurisdiction: Spain Relevant Law: Article 15 UK GDPRArticle 79 UK GDPRArticle 80 UK GDPRArticle 82 UK GDPRSchedule 1 DPA 2018Section 167 DPA 2018Section 168 DPA 2018Section 187 DPA 2018 Decided: 19.06.2026 Published: 19.06.2026 Parties: Reform UK Party Limited Good Law Project Limited National Case Number/Name: KB-2025-001120 European Case Law Identifier: Appeal from: Appeal to: Original Language(s): English Original Source: Bailii (in English) Initial Contributor: bms A Court refused to strike out a representative UK GDPR claim concerning Reform UK’s alleged failure to respon to DSARs before the 2024 general election. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Good Law Project Limited, a representative body, was mandated by 51 individuals to bring proceedings on their behalf under Article 80 UK GDPR. Reform UK Party Limited, the controller, is a registered political party and processed personal data in the context of its political activities. In the month before the UK general election of 4 July 2024, the representative body provided an online tool through which members of the public could send notices to major political parties. These notices included a request to stop processing personal data, an objection to processing under Articles 18 and 21 UK GDPR, a written notice under Schedule 1 DPA 2018 requiring the recipient not to process the sender’s personal data and a DSAR under Article 15 UK GDPR. More than 11,600 individuals used the tool. Of these, 1,746 individuals, including the data subjects represented in the claim, sent a notice to the controller between 5 June and 4 July 2024. The controller did not respond within one month. It neither provided a substantive response nor explained that it required additional time to respond. On 8 October 2024, the representative body sent a pre-action letter to the controller. Between 11 and 14 October 2024, the controller sent response emails stating that it had found no record of the recipients in its systems, except for the DSAR and cease-and-desist notice. The controller also stated that any election mailing may have been based on electoral roll data, which it claimed it was entitled to use and which was exempt from subject access. The representative body considered these responses insufficient. It wrote again to the controller on 24 October and 3 December 2024, but the controller did not reply. On 28 March 2025, the representative body issued a claim seeking compliance with the DSARs and compensation for non-material damage under Article 82 UK GDPR and Section 168 DPA 2018. The controller applied to strike out the claim or, alternatively, for summary judgment. The controller argued that the representative body did not have standing under Article 80 UK GDPR and Section 187 DPA 2018, that the claim had no real prospect of success and that it was abusive or vexatious. Holding The Court refused the controller’s application. First, the Court held that the representative body had a real prospect of establishing at trial that it satisfied the requirements of Section 187 DPA 2018. The Court rejected the argument that a body must be incorporated in a specific legal form, such as a charity or community interest company, to qualify as a representative body under Article 80 UK GDPR. It was sufficient, at this stage, that there was evidence that the representative body’s constitution pursued public-interest objectives and that it was active in the protection of data subjects’ rights. Second, the Court found that the claim had been sufficiently pleaded. The representative body had alleged that the controller failed to comply with the DSARs, primarily because it did not respond within the statutory time limit and because its later responses were allegedly inadequate. Whether the controller had in fact complied with the DSARs was a matter for trial. Third, the Court rejected the controller’s argument that the claim was an abuse of process or vexatious. The Court held that even if the representative body had a political motive, this did not make the claim abusive. The essence of the claim was the enforcement of data protection rights. If those rights had been infringed and the data subjects suffered non-material damage, they were entitled to seek appropriate relief. The Court also held that any alleged procedural deficiencies, including alleged failures in the pre-action correspondence, did not justify striking out the claim or granting summary judgement. Accordingly, the Court held that the claim raised triable issues of fact and had a real prospect of success. The application to strike out the claim or grant summary judgement was refused. No fine was imposed. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the English original. Please refer to the English original for more details. Neutral Citation Number: [2026] EWHC 1458 (KB) Case No: KB-2025-001120 IN THE HIGH COURT OF JUSTICE KING’S BENCH DIVISION MEDIA AND COMMUNICATIONS LIST Royal Courts of Justice Strand, London, WC2A 2LL Date: 19 June 2026 Before : THE HONOURABLE MR JUSTICE MURRAY - - - - - - - - - - - - - - - - - - - - - Between : GOOD LAW PROJECT LIMITED Respondent/Claimant - and - REFORM UK PARTY LIMITED Applicant/Defendant - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Andrew Sharland KC and George Molyneaux (instructed by Pallas Partners LLP) for the Respondent/Claimant Philip Coppel KC (instructed by Griffin Law Limited) for the Applicant/Defendant Hearing date: 4 February 2026 - - - - - - - - - - - - - - - - - - - - - Approved Judgment This judgment was handed down remotely at 10.30am on 19 June 2026 by circulation to the parties or their representatives by e-mail and by release to the National Archives. ............................. Approved Judgment Good Law Project Ltd v Reform UK Party Ltd Mr Justice Murray: 1. The defendant, Reform UK Party Limited (“Reform”), made an application on 30 June 2025 to strike out, or for summary judgment in its favour on, the claim brought against it by the claimant, Good Law Project Limited (“GLP”), on 28 March 2025 (“the Application”). 2. At this hearing, the applicant/defendant is represented by Mr Philip Coppel KC, and the respondent/claimant is represented by Mr Andrew Sharland KC and Mr George Molyneaux. 3. The claim concerns Reform’s alleged failure to comply with its obligations under the UK General Data Protection Regulation (“the UK GDPR”). The UK GDPR is the versionofthe EuropeanUnion’s Regulation (EU)2016/679 ofthe EuropeanParliament and of the Council of 27 April 2016 (generally known as “the General Data Protection Regulation” or “the GDPR”), which was assimilated into English law following the departure of the United Kingdom from the European Union. The processing and protection of personal data in the UK is governed by the UK GDPR as supplemented by the Data Protection Act 2018 (“the DPA 2018”). 4. GLP states in its Particulars of Claim that it brings the claim in its capacity as a representative mandated by a group of 51 individuals (“the Relevant Individuals”) to pursue proceedings on their behalf under Article 80 of the UK GDPR. Reform disputes that GLP has standing to act in that capacity. 5. The names of the Relevant Individuals are set out in a Confidential Appendix to the Particulars of Claim, a revised version of whi

Entities