Some things were made to go together: Macaroni and cheese, video meetings and mute buttons, Lennon and McCartney.
Apparently, the European legislator also thought this about collective actions and enforcement of data protection rights. For example, the GDPR specifically foresees in the representation of data subjects by not-for-profit bodies, organisations and associations (art. 80), and the newly agreed Collective Redress Directive (EU 2020/1828; see a blog on this Directive by my colleagues here) also specifically mentions that it applies to representative actions brought against infringements of the GDPR (see recital 6 and art. 2(1)). Are collective actions and data protection enforcement indeed made to go together?
The GDPR and collective actions
When the GDPR came into force, it was deemed an enormous shift in the legal landscape. Regulators now had effective means of enforcing data protection regulations (e.g. they could now render high fines, impose injunctions, etc.), and it gave data subjects a variety of rights regarding their personal data (access rights, deletion rights, the right to claim damages, etc.). Specifically, the GDPR stipulates that data subjects have the right to receive compensation for any material or non-material damages as a result of a breach of obligations under the GDPR (art. 82).
This brings us to the question: can claimants now claim non-material damages on behalf of a class for non-GDPR compliant data processing activities?
The short form answer is, yes, the GDPR specifically foresees this possibility. However, for such an action to be successful is another matter.
Currently, there are different possibilities and (formal) requirements in different Member States (click here for an overview). Therefore, the claimant entity must first comply with specific requirements of the forum where the litigation is brought. The Collective Redress Directive aims to level this playing field and establishes an obligation for Member States to create at least one collective redress mechanism, or adapt an existing regime, enabling consumer organisations, regulators and other “qualified entities” to commence representative actions (read how this works here).
Even as the EU moves towards a more uniform collective actions framework, there are still other hurdles to overcome. An essential point is the concept of non-material damages. Recital 146 of the GDPR states that the concept of damage should be interpreted broadly in light of the case law of the European Court of Justice. In other words, notwithstanding whether litigation takes place in France, Germany or in the Netherlands, the concept of damages should be applied in the same manner. Because the European Court of Justice has ruled that non-material damage must be “actual and certain” (see e.g. the decision in the European Ombudsman v. Staelen, para’s 91 and 127, available here) this already provides some guidance on the concept of (non-material) damages. Recital 146 GDPR also provides some guidance, as it states that affected data subjects should be able to receive "full and effective compensation" for the damages they suffered. However, it will not come as a surprise that these terms can be quite difficult to apply in the context of non-material damages.
Moreover, it may be difficult to overcome certain inevitable differences in the various Member States when approaching a concept like non-material damages. For example, in 2019, the Dutch Supreme Court ruled that when claiming non-material damages, the claimant must substantiate their impairment (the impairment that led to the non-material damage) with "concrete information". This (again) reveals a few potential problems. Is this threshold compatible with the case law of the European Court of Justice? And can an organisation representing a class claiming non-material damages meet this threshold (substantiating this impairment for the entire class with concrete information – or will it only be able to substantiate the impairment in an abstract sense)? And more in general, could the question whether the non-material damages are sufficiently actual and certain be answered different depending on the country where the litigation is brought (not to mention which amount would meet the full and effective threshold)? While the European Court of Justice has not yet addressed any of these questions, a first deferral on may be on its way (relating to a materiality threshold for damages - see the blog by my colleagues here).
Time will tell
One thing is certain, it will be a while before all these questions are answered. For now, parties should assess their potential exposure (or opportunities) on a country-by-country basis. This does leave quite some room for uncertainty, plot twists, breaks, etc. Until then, only time will tell whether collective actions and GDPR enforcement are the next Ross and Rachel.
Some things were made to go together...