
Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology


Data and tech: collective actions and mass claims across Europe

Actions for non-material damages following (alleged) infringements of the General Data Protection Regulation (GDPR) are increasingly being brought before courts across Europe. But legal requirements for the recognition of non-material damages are still to a large extent unclear. In our new blog post series, we explain the situation in several countries across Europe.

Many claimants request compensation solely based on a mere feeling of discomfort due to, for example, the loss of control over their personal data. In its 4 May 2023 decision (UI v Österreichische Post AG, Case C-300/21), the Court of Justice of the European Union (CJEU) ruled that a mere infringement of the GDPR does not automatically give rise to a right to compensation, but that claimants must prove that they have suffered causal damage resulting from the alleged infringement (see our recent blog). The CJEU does not give further guidance for national courts to determine whether ‘feelings of annoyance or discomfort’ resulting from eg the ‘mere loss of control’ of personal data constitute compensable non-material damage. Hence, the legal requirements for the recognition of non-material damages are still to a large extent unclear.

The procedural possibilities of asserting such mass claims vary from jurisdiction to jurisdiction. While opt-in actions seem to be more widespread in Europe, there are also opt-out actions (eg England, Wales and the Netherlands). In Belgium, the judge will decide if the action will be subject to an opt-in or an opt-out mechanism. 

Further, on 24 December 2020, the EU Representative Actions Directive (EU) 2020/1828 (EU-RAD) came into force, aiming to ensure consumers can protect their collective interests in the EU via representative actions. Legal actions under the EU-RAD must be brought by so-called qualified entities and may lead to an increased collective action risk for companies that fall victim to a data breach affecting numerous people. Additionally, we are seeing mass claims being brought by specialised claims vehicles, often backed by litigation funders.

Find out more about the situation in Germany, England and Wales, France, the Netherlands, Belgium, Italy and Austria in our blog posts over the coming weeks.

