Across the EU and the UK, data privacy litigation is on the rise. Potential plaintiffs have multiple avenues at their disposal to bring actions for alleged violations of the General Data Protection Regulation (GDPR), which has been in effect for four years now. These different avenues – as well as the associated risks for companies – are highlighted by a recent judgment by the European Court of Justice (CJEU).
GDPR does not preclude representative actions under national consumer protection law
The CJEU judgment concerned a representative action under German law brought by a consumer protection association alleging data protection violations by a social media company. German law allows certain qualified entities to bring representative actions for alleged violations of consumer protection laws without individual mandates by consumers and independently of the infringement of a specific consumer’s rights. The German Federal Court of Justice, which referred the case to the CJEU, doubted whether such representative actions were permitted under GDPR.
The CJEU ruled, however, that Member State legislation allowing such actions is not precluded by GDPR. In particular:
- The action must be brought by a non-profit organisation, and the non-profit must claim that the data processing concerned is liable to affect the rights of identifiable data subjects.
- It is not necessary for the national legislation to specifically concern data protection; the CJEU considers that a violation of consumers’ data protection rights may at the same time constitute a violation of consumer protection law. Thus, existing consumer protection remedies become viable in data privacy litigation.
Data privacy litigation in the EU
The CJEU’s judgment shows that while the GDPR’s material rules are, in principle, uniform across the EU, data controllers facing allegations of GDPR violations need to prepare for various forms of actions across the different Member States. While the GDPR provides for the right to individual actions and representative actions mandated by individual data subjects, the national legal environment can considerably enhance plaintiffs’ procedural possibilities.
A quick round across Europe shows the relevance of the CJEU’s considerations:
- Within the EU, the judgment seems to be particularly relevant to the Netherlands. Under the new regime for collective actions, (non-profit) claim vehicles may file claims collectively for their constituencies without a mandate. Therefore, in practice, collective actions (for alleged breaches of GDPR) are most often initiated without a mandate. In a recent collective action, parties even debated the possibility of claiming damages under the national collective action regime (and not only cease-and-desist orders), but the court left this issue open, and it has to be noted that the CJEU also did not rule on the permissibility of collective actions for damage claims.
- In Germany meanwhile, in addition to the representative action at issue in the case above, specialised law firms use ‘legal tech’ to file high numbers of substantively identical individual claims with the courts. Other forms of actions consist of consolidating small claims into one case through the assignment of hundreds or thousands of alleged claims to the plaintiff.
Status quo in the UK
Outside the EU, in October 2020, the UK Government reviewed its earlier decision not to implement the relevant collective redress provision (Article 80(2) GDPR) into UK law and concluded that there was not a strong enough case to introduce an opt-out collective action mechanism for non-profit organisations. This was primarily because there was no evidence to suggest that the Information Commissioner was not fulfilling its role; and the UK Civil Procedure Rules (CPR) already permit parties to bring representative actions in certain circumstances.
Be that as it may, the GDPR forms part of the law of the UK. Whilst, post-Brexit, the ECJ’s judgment is not binding on UK courts, it will still likely be relevant and therefore could indirectly influence the ever-evolving data privacy landscape, as well as encourage claimant lawyers and litigation funders to continue to try to find creative and novel methods of pursuing data privacy litigation, including by way of representative actions in accordance with the CPR. To date, the scope for bringing opt-out representative actions on behalf of large numbers of individuals in accordance with the CPR has been limited, and collective actions are more commonly pursued on an opt-in basis, through group litigation orders.
Despite the UK Supreme Court’s recent dismissal of a representative action in the high-profile data privacy case of Lloyd v Google, claimants continue to test the circumstances in which opt-out representative proceedings are available for breaches of data protection legislation.
Claimants are also continuing to test the scope of data privacy claims and the causes of action available for pursuing such actions – see, for example, Warren v DSG Retail Limited and Johnson v Eastlight Community Homes.
What potential Defendants should prepare for
All of these examples highlight the need for companies confronted with data privacy litigation to prepare for different forms of actions across different jurisdictions. A successful defence against multi-jurisdictional claims necessitates not just data protection law expertise but also thoughtful consideration of the various national procedural rules regarding collective actions and individual (mass) claims to be able to coordinate a unified legal defence across multiple jurisdictions.
The stakes will be even higher going forward as the transposition of the Directive on representative actions for the protection of the collective interests of consumers will open another legal avenue for potential plaintiffs and add another layer of complexity for potential defendants.