This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

| 2 minutes read

Data and tech: collective actions and mass claims across Europe #6 – Focus on Italy

Actions for non-material damages following (alleged) infringements of the General Data Protection Regulation (GDPR) are increasingly being brought before courts across Europe. But legal requirements for the recognition of non-material damages are still to a large extent unclear. 

In our new blog post series, we explain the situation in several countries across Europe (see our introduction). Please find out below about GDPR damages claims in Italy.

As discussed in our previous post (Italian Supreme Court & ECJ rulings on non-material damages under GDPR), almost in parallel with the decision issued by the CJEU in UI v Österreichische Post AG (Case C-300/21), the Italian Supreme Court took a significant stance on damages resulting from GDPR breaches in May 2023. The Italian Supreme Court’s position is that compensation under Art. 82 GDPR not only requires the claimant proving the suffering of an actual damage (excluding compensation of damage in re ipsa), but also mandates a certain level of seriousness.  In a scenario in which claims for damages resulting from GDPR breaches are on the rise, it will be interesting to monitor whether the Italian Supreme Court maintains this position in future rulings. 

Under Italian law, compensation for damages stemming from GDPR breaches can be sought through either individual actions or collective redress, recently reformed in accordance with European legislation on consumer protection. In particular, following the transposition in Italy of the EU Directive No. 2019/770/UE and No. 1828/2020 (EU-RAD), the Italian legislator has taken a clear stance to facilitate the interaction between collective remedies and data protection.

In case of damages stemming from GDPR breaches, private enforcement of data protection rights can be pursued through various procedural options, including: 

  • Class action under Art. 840-bis of the Italian Civil Procedure Code, resulting from EU Directive No. 2019/770/UE, which came into effect on 20 May 2021. This ‘new’ class action replaced and expanded the scope of the ‘traditional’ class action, originally designed solely to protect consumers. The Italian legislator extended the scope of this new collective remedy beyond consumer protection to provide redress for homogeneous categories of damages, including those arising from GDPR breaches. Initiating collective proceedings is open to both representative entities and individual class members. It offers an alternative to individual claims, especially in cases involving ‘small’ damages where the cost of initiating a proceeding may be less appealing;
  • Representative action under Art. 140-ter of the Italian Consumer Code, resulting from EU Directive No. 1828/2020 (EU-RAD), which came into effect on 25 June 2023. 

It is still too early to determine whether these forms of collective redress will prove effective in practice and contribute to increased collective private enforcement in the context of data protection rights. For example, according to publicly available information (refer to Portale Servizi Telematici. Class Action - Azioni di Classe (giustizia.it)), a class action under Art. 840-bis of the Italian Procedural Code has been initiated against a major Italian bank specialising in payment services. The collective proceeding was based on the alleged inadequacy of the ‘Customer Strong Authentication’ procedure adopted in compliance with the Payment Service Directive 2, thus resulting in the breach of customers’ personal data. In November 2023, the class action was settled.

The next blog post in our data and tech mass claims series will focus on Austria.