GDPR and Mass Claims

31.08.2022 Tilbe Birengel

Introduction

The procedural rules on mass claims[1] within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”).[2] The impact of the Directive is expected to make collective redress in data protection and other fields much easier.

GDPR and Mass Claims
% 0

Timeline

The Directive was passed by the European Parliament on 24 November 2020 and entered into force by the end of 2020. It will be implemented by the EU Member States by 25 December 2022. The measures shall be applicable in each Member State as of 25 June 2023.

The Scope of the Directive

The Directive creates stronger protection for consumer groups than those that existed previously. In case of breach of EU law on subjects including data protection, financial services, energy, telecommunications, health and the environment, the Directive is expected to pave the way for mass claims against businesses. In order to minimize abusive mass claims, the Directive limits standing for bringing collective actions on behalf of consumers to “designated institutions.”

Due to the fact that Member States have diverging procedures regarding mass claims, the Directive was necessary in order to harmonize mass claim litigation within the EU. That being said, each Member State has a level of discretion in implementation of the Directive on some matters. For instance, Member States can decide whether or not to implement an opt-out mechanism for claims. If this mechanism is applied, anyone falling into a class of claimants is automatically added as a party to the claim unless they specifically opt-out. Likewise, Member States have a say in defining the criteria for designated institutions for domestic actions.[3] However, criteria for designated institutions to stand on behalf of customers in EU-wide claims is not at their discretion.

Thus, companies doing business with mass numbers of consumers will need to keep track of nuances in different jurisdictions to monitor risks of mass claims they might face.

Impact of the Directive on General Data Protection Regulation (“GDPR”) Related Mass Claims

By regulating cross-border mass claims, the Directive eases initiation of proceedings in other Member States. Consequently, it is anticipated to trigger a peak in data infringement related mass claims. In fact, the increase in claims has already started.

Recently, a consumer protection association in Germany sought an injunction against Meta Platforms Ireland before a German court. The Federal Court of Justice in Germany referred the matter of the standing of the association on behalf of consumers to the Court of Justice of the European Union (“CJEU”). On 28 April 2022, in Meta Platforms Ireland, the CJEU rendered a decision:

“In the light of all the foregoing considerations, the answer to the question referred is that Article 80(2) of the GDPR[4] must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.” [5]

In sum, the CJEU confirmed that the GDPR does not preclude national provisions allowing standing for such associations on behalf of consumers. Most importantly, the CJEU added that associations enjoy “independent” standing and can act without a mandate from data subjects in such actions.[6] The caselaw in EU is likely to establish a pattern in favor of GDPR related mass claims.

Conclusion

The Collective Redress Directive allows consumer associations to bring EU-wide and cross-border mass claims against businesses on behalf of consumers (data subjects). This legislative trend is supported by CJEU’s recent rulings.

Since consumer associations will enjoy standing in a widened scope of matters, including in GDPR-related cases, companies doing business with high number of consumers are expected to face a flood of data-related mass claims in the near future.

Source
  • In this article mass claims term is preferred to cover mechanism for the protection of the collective interests of consumers via representative/collective/class actions, with no further classification on the action types.
  • The Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC, OJ L 409, 04.12.2020, p. 1–27.
  • Tjon-En-Fa Evelyn, Hurst Bryony, Lanzkron Louise: “In preparation for the new Collective Redress Directive our dispute resolution lawyers have created some tools to help”, Bird & Bird Insight, 23.06.2022, https://www.twobirds.com/en/insights/2022/global/in-preparation-for-the-new-collective-redress-directive (Access date: 24.08.2022).
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119, 04.05.2016, p. 1–88.
  • C-319/20, Meta Platforms Ireland Limited, formerly Facebook Ireland Limited v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V., April 28, 2022, ECLI:EU:C:2022:322.
  • De Cicco Diletta, Downes James, Mallon Leigh, Helleputte Charles-Albert: “European Court Boosts Representative Actions for GDPR Infringements”, Steptoe Client Alert, 05.05.2022.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.

Other Contents

Briefing for the Impact Assessment of the Data Act Has Been Published
Newsletter Articles
Briefing for the Impact Assessment of the Data Act Has Been Published

In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...

Personal Data Protection 31.07.2022
The Regulation on Protection and Processing of Personal Data by the Social Security Institution
Newsletter Articles
The Regulation on Protection and Processing of Personal Data by the Social Security Institution

The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...

Personal Data Protection February 2022
A New Era: The Personal Information Protection Law of the People’s Republic of China
Newsletter Articles
A New Era: The Personal Information Protection Law of the People’s Republic of China

The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...

Personal Data Protection February 2022
All Eyes of the Data Protection Authorities are on Cookies!
Newsletter Articles
All Eyes of the Data Protection Authorities are on Cookies!

In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...

Personal Data Protection January 2022
The Right to Be Forgotten
Newsletter Articles
The Right to Be Forgotten
Personal Data Protection November 2021
A Groundbreaking Whatsapp Decision by the Irish Supervisory Authority
Newsletter Articles
Healthcare Sector Publishes a Guideline on Data Protection
Newsletter Articles
Healthcare Sector Publishes a Guideline on Data Protection
Personal Data Protection September 2019
The General Data Protection Regulation in Force
Newsletter Articles
The General Data Protection Regulation in Force
Personal Data Protection May 2018
Destruction of Personal Data
Newsletter Articles
Destruction of Personal Data
Personal Data Protection November 2017
The EU General Data Protection Regulation and Its Territorial Scope
Newsletter Articles

For creative legal solutions, please contact us.