The entry into force of the European General Data Protection Regulation (GDPR) – and, in particular, of its Article 80 – created a new playing field where collective redress actions may take place. Still, the present post shows that the intertwinement of collective redress and the data protection field generates several legal difficulties, which need to be addressed. The recent class actions started in France offer a striking illustration.
It takes two to tango: the intertwinement of collective redress & data protection in the EU
Collective redress is perceived as a serious procedural instrument to improve access to justice. The European Union (EU) has thus carried out several initiatives aiming to ensure the implementation of collective redress in all Member States. In 2018, as part of its “New Deal for Consumers” package, the Commission published a Proposal for a Directive on representative actions (see here for more information). Additionally, the recently adopted Article 80 GDPR enables representative entities to exercise certain rights of data subjects on their behalf (for an in-depth analysis of this provision, see here and here (p. 102 and ff)), thereby stimulating the private enforcement of collective rights.
Despite its direct applicability, many legislatures have adopted procedural rules on representative actions based on Article 80 GDPR. This has resulted in important differences between the European text and national laws. For example, the French law on data protection adds more stringent criteria regarding standing to sue. Yet, it is not clear whether the GDPR offers such room for manoeuvre. Because of those variances, representative entities may face important procedural hurdles if they start proceedings abroad.
The Proposal for a Directive on representative actions partially solves that problem by imposing the mutual recognition of standing to sue. However, since the exact scope of mutual recognition under the Directive will eventually be shaped by Member States (e.g., they may define which entities have a “legitimate interest” to sue (Article 4(1)(b)) and they may restrict the right to bring certain actions by virtue of Article 4(4)), representative entities, which have standing under the GDPR, will not automatically benefit from the Directive’s regime.
On Sirtaki tempos: data protection class actions in France
Sirtaki, the traditional Greek dance, starts at a slow tempo accompanied by smooth movements, and then gradually evolves into faster and more vivid ones, often concluding with leaps and hops. In France, data protection class actions have followed a similar rhythm.
Their first steps have been slow and hesitant. In November 2016, the possibility to initiate class actions (initially limited to consumer protection and competition law) was introduced in the field of data protection, but only actions for injunctive relief were available. In 2018, the possibility to start class actions for compensatory purposes was introduced, following an amendment proposed by the National Assembly.
In a nutshell, data protection class actions – now enshrined in Art. 37 of the amended French Data Protection Act (FDPA) – work as follows: a representative entity that fulfills the requirements of Article 37(IV) FDPA can start a class action when similarly-situated individuals suffer material or moral loss(es) resulting from a violation of the GDPR or the FDPA committed by a controller/processor. The action follows a tripartite procedure.
- The representative entity first sends a formal notice to the defendant indicating the nature of the alleged infringement(s). The defendant then has four months to respond. The French Data Protection Agency (Commission Nationale de l’Informatique et des Libertés – “CNIL”) must be informed about the action, and may present observations to the court or provide information as regards the context in which the alleged breach occurred.
- In a second phase, the court rules on the liability of the alleged wrongdoer. The ruling contains information regarding the nature and scope of the damage, the requirements to opt in (this system is peculiar since claimants may only opt in after the court’s decision on liability), the method to advertise the case, etc.
- Once the group is constituted, the final phase, that of compensation, starts. Based on experiences collected after 5 years (2014-2019), French class actions tend to remain rather lengthy and complex.
Subsequent developments have, however, been faster, with two potentially very influential class action cases currently pending. In November 2018, the organisation Internet Society France started a class action against Facebook in the context of its “E-Bastille initiative” launched in late 2017, and aimed at “encourag(ing) European citizens to take charge of their digital destiny”. In its formal notice to the company, the organisation listed 7 grievances, including the failure to secure the personal data of Facebook’s users, the unauthorized collection of users’ information, and security breaches. Facebook replied to this notice in March 2019. Proceedings are ongoing, and the organisation claimed €1,000 per plaintiff, which corresponds to a total amount of approximately €100 million.
In June 2019, the consumer association UFC-Que Choisir started an action against Google alleging several breaches of EU data protection rules, as regards, in particular, the exploitation of users’ personal data through Android devices. The association asked for €1,000 per plaintiff, and several thousands of plaintiffs may potentially be involved in the case. The class action was initiated in the aftermath of a CNIL decision of January 2019. Acting upon four complaints of associations, the CNIL then imposed a €50 million fine on Google for several breaches of the GDPR, in particular ‘lack of transparency, inadequate information and valid consent regarding the ads personalization’.
Slowly getting into a groove: compensating plaintiffs
In France, the two filing organisations claimed €1,000 per plaintiff. According to UFC-Que Choisir, this amount is a “fair compensation in view of the massive and continuous nature of the violation” and respects the privacy of users. However, the association added that the amount does not correspond to the value of the data irregularly collected, but is mostly aimed at repairing the privacy violation.
Understanding the value to be assigned to personal data nowadays has become a key issue for all stakeholders potentially involved in these class action proceedings. An experiment conducted in the US by a team of researchers in 2013 pointed out “the sensitivity of privacy valuations to contextual, non-normative factors”. Another recent study shows that American users would be willing to pay “just $5 dollar per month to maintain data privacy, but would demand $80 to allow access to personal data”. The California Consumer Privacy Act (CCPA), which will enter into force next year, limits the recoverable amount for certain data breaches: between $100 and $750 per consumer per incident or actual damages, whichever is greater. Additionally, the law lists some elements that the court shall consider in order to quantify the damage, including “the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth” (see section 1798.150(a)(2) CCPA).
It is unclear whether Europeans value their personal data in the same way Americans do. In a 2016 Eurobarometer study surveying 27,000 Europeans, 78% of respondents considered it very important that personal information can only be accessed with their permission. In TLT & Ors v The Secretary of State for the Home Department & Anor, the England and Wales High Court awarded damages ranging from £2,500 to £12,500 to 3 data subjects, after the accidental disclosure of raw, personal data (including names) pertaining to the claimants by the Home Office. The Court found that the claimants had suffered distress, which entitled them to ask for compensation.
To sum up, the allocation of damages in case of violation of data protection laws varies from state to state – not to say from case to case – and tends to remain low. Article 82 GDPR, which implements the right to full and effective compensation, does not improve the current landscape, as no quantitative threshold or assessing criteria have been adopted.
The entry into force of the GDPR is a significant step towards the effective enforcement of collective rights in the data protection field. The several class actions started in France prove that point. Still, the intertwinement of data protection and collective redress has created some issues that need to be addressed. Those issues include the overlap between Article 80 GDPR and national laws, procedural hurdles in cross-border proceedings and the quantification of the damage.