Data privacy class actions in Europe are here to stay, writes Bird & Bird partner Bryony Hurst.
Two years ago, I wrote an article which addressed the predictions that companies subject to the GDPR would suffer a deluge of class actions as soon as the legislation came into force in May 2018. At the time of writing that article, what had become clear was that, for many reasons, the tidal wave of litigation had not yet hit and, at most, we were at the early warning stage. In this two-part article, I discuss the position two years on, now that the GDPR has had time to bed in. In Part One, I suggest that while we still may not be drowning in cases, there is definitely a need to start swimming, and consider how and why different European jurisdictions are attracting claimants. In Part Two, I examine claims commenced so far and actions companies can take to prepare for actions that may head their way.
Claimants are jumping in feet first
We still may not be drowning in cases, but there’s definitely a need to start swimming. As I noted previously, a culture of data privacy awareness has grown out of the introduction of the continent-wide GDPR framework. Data subjects have more and clearer rights to data protection, and data controllers are required to provide greater transparency into what data they handle and how. The GDPR also provided that judicial remedies would be available to all those who had suffered harm as a result of a breach of its provisions. Consequently, claimants have become more clued up about their rights, and more confident in asserting them in national courts. The evolution of class action claimant law firms and litigation funders interested in data privacy cases has further encouraged this. Individual and collective actions have increased around Europe as a result.
The waters are still muddy
However, despite the best of intentions, the GDPR has not delivered an utterly clear path for claimants to pursue relief in court. Key aspects of the remedies provisions (found in Chapter 8 of the GDPR) are still left to be implemented at the discretion of each EU member state. In particular, each country can decide for itself which entities can bring representative actions on behalf of data subjects, and whether those entities can apply for compensation or just declaratory relief. Article 82 of the GDPR is also not overly prescriptive as to what type of harm should be compensable, stating only that compensation should be available to anyone who has suffered “material or non-material damage” – and different member states’ judiciaries have taken their own stab at defining this. There is still, then, a certain amount of working out to be done before Europe can boast that it has a truly effective and consistent collective remedies regime for data protection infringements.
These GDPR-specific hurdles should be considered alongside Europe’s somewhat potted history and attitude to collective redress mechanisms more generally. The European authorities have intermittently flirted with the idea of legislating for an EU-wide representative actions regime. The European Commission considered the issue in 2013 but stopped short of passing any laws, issuing instead a non-binding “recommendation” on common principles for injunctive and compensatory collective redress mechanisms. Certain countries, such as France and the Netherlands, did introduce new means of collective redress in quite a broad range of areas; others such as Spain and the UK did so but limited their mechanisms to certain breaches of law only; and still others made no changes, concluding either that their current regimes were sufficient, or that there was no need for collective redress mechanisms. Not entirely surprisingly, when the issue was reviewed by the European Commission in 2018, the availability of collective redress across Europe was found to be inconsistent.
Claimants are choosing their swimming lanes carefully
Where does this leave collective actions for GDPR breaches?
The GDPR has broad territorial scope: data controllers do not have to have an establishment in Europe to be caught by its provisions, and in certain circumstances, data subjects do not even have to reside in Europe to be entitled to protection. Data subjects can choose to sue a data controller in the member state where the controller has its main establishment, or in the member state where the data subject resides. This gives individual claimants at least two options, and gives representative organisations of collective actions a wide choice of forum to hear the dispute – if data subjects in multiple EU countries are affected by the alleged infringement, a representative entity has an array of jurisdictions to select from.
This creates a real headache for potential defendants to class actions in Europe: claims could pop up anywhere and predicting where is not an easy task. By analysing each member state’s particular collective redress regime, however, and observing current class action trends, it is possible to make some educated guesses as to the likely most popular forums:
The Netherlands
This is a growth class action market of note. Class actions brought by a “representative entity” for declaratory relief relating to the same or similar events have long been permitted in the Netherlands. As of 1 January 2020, though, actions for compensation are now also available – subject to certain conditions relating to the funding, structure and transparency of the representative entity (which, if not fulfilled, could provide an opportunity to strike out the claim).
The new law specifically provides for such actions to be brought in relation to GDPR violations and interestingly deems that representative actions will operate as an opt-out claim for residents of the Netherlands (and opt-in for non-residents, unless the court is asked to order otherwise – which one could foresee a defendant might seek to do, in an attempt to avoid copycat litigation in multiple member states).
A collective settlement law also already exists; it provides a neat and swift resolution to mass damages claims that are settled and, again, operates on an opt-out basis.
This is the closest European regime we have seen to US-style class actions, and is already proving attractive to groups of claimants, particularly civil rights/not-for-profit organisations whose main motive is to seek declaratory relief to clarify the law in a particular area of data protection law, but who can more easily obtain investment for their actions if they are also able to take advantage of the damages mechanism to attract litigation funders.
The UK
Thanks to a case that has been making its way through the UK court system over the past couple of years, the UK is currently teetering on the edge of accepting opt-out mass damages claims without any formal legislative mandate. The UK has not yet opted to introduce the rights in Article 80 of the GDPR for not-for-profit bodies to start proceedings in court on behalf of data subjects without their consent.
The case, Lloyd v Google, has been brought using a representative action mechanism in the UK Civil Procedure Rules. The standing test for representative actions has historically been interpreted narrowly, and the mechanism has not been the collective action of choice for groups of litigants to date. Representatives can bring claims on behalf of other persons who have “the same interest” in the claim.
In Lloyd v Google, which concerns allegations of a lack of transparency around Google’s ‘Safari Workaround’, the High Court determined that the “same interest” threshold had not been met because a) claimants would have suffered different types of damage and b) it was not possible to identify every member of the class.
The case has since been heard by the Court of Appeal, which disagreed and upheld the action. The primary reason for this appears to be the creative way in which Lloyd structured the claim: he disavowed any claim for damages to compensate specific pecuniary or other losses, and claimed only a relatively low, uniform amount for each claimant in respect of the damage they all had in common, which he asserted was a loss of control over their personal data. This appeared to impress the Court of Appeal; if the appeal judgment is upheld by the Supreme Court, it may provide a novel way for claimant groups and representatives to engineer an opt-out damages claim using the representative action mechanism.
This could act as a real boon for collective actions in the UK which previously have been funnelled down an alternative route known as Group Litigation Orders (GLOs). GLOs are not true class actions, but are simply a procedural mechanism by which courts can more efficiently manage and hear a large number of claims concurrently. They are difficult to commence (requiring a large administrative effort to sign claimants up to a court register) and to handle (often involving multiple claimant law firms all vying for influence over the case), and entail high costs risks for claimants, unless litigation funding and insurance are obtained.
Italy
In April 2019, Italy passed a new law which significantly amended its collective action regime. It extended the availability of class actions (for compensation as well as declaratory relief) from just consumers to any group of individuals who have “homogenous rights” (ie rights generated by the same fact or event). It also created a right for not-for-profit associations and consumer organisations to bring claims on behalf of individuals, and extended the causes of action from a limited number of specific torts to virtually any and all breaches of tort law.
The system is opt-in, but claimants have two bites of the cherry in this regard: they can sign up to the action after it has been declared admissible by the court, or after judgment on liability has been entered.
The new regime is rather unfriendly for defendants in respect of costs. A loser-pays principle has been introduced, and the defendant also has to cover the costs of technical and quantum experts appointed in the proceedings to assist the court with aspects of the case and calculation of damages. An additional “reward” fee is paid by the defendant to the claimants’ lawyer – this is likely to act as an additional incentive for class action lawyers in Italy to identify easy-win cases (for example, egregious data breaches).
France
France introduced legislation in 2016 which provided for an opt-in class action regime in certain areas of law, including data protection. To qualify, the group members must have been in “a similar situation” and suffered material or moral harm as a result.
Groups of litigants can bring such an action, but the law also allows “authorised associations” to bring representative actions on behalf of individuals. The French Data Protection Act defines which entities fall within this class.
France also decided, in implementing Article 82 of the GDPR, to permit authorised associations to seek compensation on behalf of data subjects for any infringement that occurred after 24 May 2018, not just declaratory relief.
One problem representative associations face in France is a prohibition on advertising the collective action anywhere other than newspapers. The litigation funding market is also less developed in France than in certain other member states, which can be an additional hurdle to getting an action off the ground.
Spain
Spain has a collective action regime (which permits claims for compensation) available to protect “consumer rights”, but it does not explicitly cover data protection actions, and Spain’s data protection legislation does not provide for collective actions.
That said, a case is currently making its way through the Madrid Commercial Court which is likely to test the boundaries both of Article 80 of the GDPR and the definition of “consumer rights” and establish, much in the same way as Lloyd v Google in the UK, whether representative actions can in fact proceed in the courts despite the absence of a legislative mandate. The case has been brought by a consumer organisation (OCU) against Facebook in relation to data protection breaches arising out of, among other things, the Cambridge Analytica scandal.
If OCU succeeds with its action, it is foreseeable that Spain may become another hotspot for collective action in the data protection sphere. The Spanish data protection authority is very active in its investigations and enforcement and has issued some relatively large fines in recent times. That said, it has not pursued Big Tech to the near exclusion of all other organisations in the way certain other data protection authorities have, and the Spanish courts have to date issued only low damages awards for data protection infringement. For claimant law firms going after the obvious targets (Big Tech) and looking for a strong return on investment, this jurisdiction may require further testing before it becomes a firm favourite.
A version of this article first appeared in Global Data Review.