Data and tech companies have been facing GDPR lawsuits from individuals for some time now. Litigation can be triggered by unauthorised access of personal data or by other breaches of the GDPR. GDPR-related claims become particularly severe for companies if the claims are pursued by means of collective redress, as mass claims can mean high financial risks. The implementation of the EU’s Representative Actions Directive (RAD) has prompted new legislation in most EU member states (including Germany), which is intended to encourage collective enforcement and will also apply, in principle, to claims under the GDPR.
In this article we explore the current landscape for mass GDPR claims in Germany and the likely implications of the RAD.
Rights under the GDPR
Individuals to whom personal data relates (‘data subjects’) can enforce their rights under the EU’s GDPR regime in two different ways:
- lodging a complaint with a supervisory authority; or
- bringing a civil action.
In particular, data subjects may claim damages under the GDPR if their personal data has not been processed in compliance with its requirements. Usually, claimants seek compensation for non-material damage (ie damages for harm other than economic loss, such as distress or emotional suffering caused by the infringement).
In its decision on 4 May 2023 (UI v Österreichische Post AG, Case C-300/21), the Court of Justice of the European Union (CJEU) ruled that a mere infringement of the GDPR does not automatically give rise to a right to compensation but that claimants must prove that they have suffered causal damage resulting from the alleged infringement (see our blogpost here). The CJEU does not give further guidance for national courts to determine whether ‘feelings of annoyance or discomfort’ resulting from eg the ‘mere loss of control’ of personal data constitute compensable non-material damage. Hence, the legal requirements for the recognition of non-material damages are still to a large extent unclear under German law.
Collective enforcement of data protection rules under German law
German law provides several mechanisms for the collective enforcement of data protection rules:
- These include, above all, an action under the Unterlassungsklagengesetz (Injunction Act, UKlaG) and the Unlauterer Wettbewerb-Gesetz (Unfair Competition Act, UWG). In both cases qualified entities can enforce rights on behalf of consumers. Under the UKlaG, companies can be sued for injunctive relief in the event of violations of certain data protection provisions. With the collective action under the UWG, qualified entities can seek orders requiring companies to cease unlawful business acts.
- Another theoretically possible option – that has not yet proven relevant in the practice of privacy litigation – is the ‘declaratory model action’. Since its introduction in 2018, only about 30 declaratory model actions have been published with the public registry for model actions. The declaratory model action was initially introduced in response to the growing number of mass proceedings and enables qualified entities to bring a declaratory action on behalf of consumers. In contrast to the actions in the context of the legislation implementing the RAD (see below), two claims must be filed here: first, a declaratory model action must be filed by a qualified entity for declaratory relief and then an action for damages filed by an affected individual seeking compensation based on the preceding declaratory judgement.
- The EU’s RAD, which came into force on 25 June 2023, is worth noting here. The RAD seeks to facilitate consumer mass claims/class actions in the EU. The RAD, which has now been implemented in Germany (see our previous blogpost here), may lead to an increased collective action risk for companies that fall victim to a data breach affecting numerous people. However, there are various questions about how Germany’s implementation of the RAD will in fact operate and interact with the GDPR, which may need to be tested in court. Moreover, collective actions in the context of legislation implementing the RAD are only possible if the claims pursued are sufficiently “similar”. In the case of a data breach, it must therefore first be assessed whether the alleged damage is the same for each claimant. This may be challenging in some cases, given that non-material harm is highly subjective and individual in nature.
Collective redress by way of cession models
Collective redress in Germany can also be sought after a data breach by private providers seeking to enforce claims by way of ‘cession models’ (which consist of bundling claims with a special purpose entity by way of assignment). Under German law it is generally possible to sell and assign claims to third parties. It is also possible, in principle, to assign claims to a ‘debt collection’ special purpose vehicle, which is a legal entity whose sole purpose is the bundling and enforcing of claims in court. However, it is disputed under German law whether non-material claims for damages under the GDPR can be assigned. Some argue that the claim cannot be assigned because it is of a highly personal nature. It remains to be seen how the German courts will decide this question, the outcome of which is likely to determine whether cession models will establish themselves as a viable mechanism for pursuing collective data protection claims.
The next few months will see significant changes in the data and tech litigation landscape in Germany (and via the RAD also in the rest of the EU). The implications remain to be seen. For litigation funders, Germany’s implementation of the RAD may yet turn out to be unattractive as their fees are capped by law. Hence, litigation funders may still have sufficient (financial) incentive to continue to bring claims using existing mechanisms, such as the cession model or by pursuing individual actions. With respect to law firms specialising in the field of consumer protection law, time will tell if they will still bring individual claims or if they will prioritise other options. Whether it be as a result of individual claims or collective redress actions, civil litigation is likely to grow in the field of privacy and data protection law.