More than 15 years after the adoption of the Data Protection Directive1, the European Commission noticed that the current legislative framework on data protection did not adequately deal with the risks associated with online activity2.
Acknowledging this, the General Data Protection Regulation (GDPR)3 was finally adopted by the European Parliament on 14 April 2016, entering into force in May 2016 and becoming directly applicable in all Member States on 25 May 20184.
The GDPR targets the data controller or its processor and provides a set of standardised rules relating to personal data processing by such entities.
It also provides means to enforce these provisions.
Specifically, the GDPR introduces, everywhere in Europe, collective actions, which can be initiated by not-for-profit bodies dedicated to personal data protection thanks to consolidation mechanisms.
An action before national courts against a controller or a processor
Without prejudice to any available administrative or non-judicial remedy, the GDPR enables the data subjects to bring a claim against a controller or processor in national courts when they consider that their rights under the GDPR have been infringed as a result of a processing (Article 79).
In this respect, the GDPR provides the data subject with a real choice of forum, allowing data subjects to bring their action before different courts (Article 79) as well as a lis pendens system requiring courts to suspend their proceedings or decline jurisdiction where identical proceedings are pending before another court (Article 81).
A right to compensation and liability
The GDPR enables the data subject to seek compensation from the controller or processor for the material or non-material damage resulting from an infringement of their rights under the GDPR before national courts (Articles 79 and 82).
The following overview describes the conditions of liability as required by Article 82(1):
- claimants: any person who has suffered damage due to a data protection violation has the right to receive compensation for the damages suffered. This primarily applies to data subjects. In addition, other individuals are also entitled to claim damages if certain requirements are met. This might be the case if a family member of the data subject suffers mental impairment or other material or non-material damages due to the data protection breach.
- the defendant: controllers and processors can be obliged to pay damages. That means that all companies processing personal data will face increased liability risks.
- culpable breach of the GDPR: to constitute civil liability under the GDPR, the controller or processor must breach the provisions of the GDPR in a culpable manner. In this respect, the GDPR provides for a shift of the burden of proof: from the moment that a violation is recorded, compensation will be automatic, unless the controller or processor manages to prove that it is not the source of the non-compliance with the Regulation (Articles 82(2) and (3)).
The text also sets the principle of full compensation of the plaintiffs which is very protective of the data subjects’ rights: when several processors/controllers are involved, they are jointly liable for compensation (Article 82(4)).
The GDPR does not expressly provide for class actions but Article 80 enables claims to be brought by third parties on behalf of data subjects and to transform themselves into collective claims under a consolidation mechanism.
Claims consolidation mechanism
Although the GDPR spreads over 88 pages and almost 100 articles, the long-awaited class-action mechanisms are located in a single short article called “Representation of data subjects” (Article 80).
First, this Article defines the type of legal entity which will be entitled to exercise the data subject’s rights on their behalf: organisations or associations having statutory objectives which are in the public interest, and are active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data.
Second, this Article creates three different rights of action:
- a representative joint action: data subjects shall have the right to mandate an authorised entity to lodge a complaint on their behalf, to exercise the actions defined in Articles 77, 78 and 79 (Article 80(1)).
- a limited compensatory representative joint action: data subjects shall have the right to mandate an authorised entity to exercise their right to receive compensation only if the law of the Member State enables it (Article 80(1)).
- a limited class action: authorised entities shall be entitled to act on behalf of data subjects without having obtained a mandate from such data subjects in case of a violation of the rights of a data subject under the Regulation, provided that the Member State provided for such a possibility. Claims for compensation are, however, excluded from this mechanism (Article 80(2)).
What are processors/controllers really facing?
Nothing new under the sun?
The GDPR actually fails to provide a consistent class action or even a procedural framework to launch an efficient representative joint action.
In this respect, it brings nothing new and simply formalises a practice already established in the Member States.
In France for instance, it has been possible for a long time for a person to collect mandates before starting proceedings, which would consequently result in a collective action.
The representative joint action could, however, bring some light on the data protection issues in Europe and eliminate the usual hurdle to the development of representative actions, notably in France, which is the limited exposure and publicity and the difficulty in obtaining a sufficient number of mandates so that the collective action reaches a critical size.
Combined with the new methods of disseminating information relating to collective actions through the Internet5, the GDPR’s media impact may put the personal data collective actions at the heart of public awareness.
Finally, since the class action mechanism is only optional, its implementation depends on the Member States’ position and could, therefore, be limited.
A European right to 28 national collective actions?
The GDPR does not create a European class action but rather a European right to collective actions. Indeed, the GDPR only states that the data subject “shall have the right to” initiate actions, but does not provide the data subject with an actionable tool, and leaves it to the Member States to provide such a tool.
Consequently, there soon could be as many personal data collective action procedures as European countries, which would be contrary to the Regulation’s objective of consistency.
Are pan-European and global class actions possible?
Processors which are processing personal data all around the globe can legitimately wonder whether the GDPR could give rise to multi-jurisdictional collective actions, including European and non- European data subjects.
In this respect, the first issue lies with the GDPR’s scope:
- the GDPR does not restrict its application to the European citizens/residents (Article 1);
- although not limitless, the territorial scope of the GDPR (Article 3) is very broad and could lead to the application of the GDPR beyond EU borders.
The combination of potentially broad application of the GDPR and the choice of forum it provides to the data subject could, in theory, give birth to pan-European data protection collective actions, which could include non-EU data subjects under certain circumstances.
Nevertheless, the European data protection class action regime remains unclear at this stage. Its procedural framework and its application will need to be specified and improved. In this respect, some answers may come from the European Data Protection Board, which has been given the mission to issue guidelines, recommendations and best practice procedures (Recitals nos. 77 and 124 and Article 70).
Applicability of the GDPR depending on the origin of the processor / controller and the data subject
|EU processor / controller (main establishment in the EU)||Non-EU processor / controller (main establishment outside the EU) with an affiliated entity having an activity in the EU||Non-EU processor / controller (main establishment outside the EU) with no affiliated entity having an activity in the EU|
|EU data subject||Applicable||Applicable*||Applicable**|
|Non-EU data subject||Applicable||Applicable*||Not applicable|
* provided that the processing of personal data was made in the context of the activities of the EU establishment, regardless of whether the processing takes place in the EU
** provided that the processing activity is related to the offering of goods or services or the monitoring of the data subject’s behaviour
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and of the free movement of such data (the “Data Protection Directive”).
- Explanatory Memorandum of the Regulation Proposal 2012/0011 on the protection of individuals with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation) published by the European Commission on 25 January 2012.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- C.f. https://www.eugdpr.org.
- Such as in Austria with Max Schrem’s case and the website fbclaim.com.
This article forms part of our Data class actions: the era of mass data litigation guide.
Take advantage of the far-reaching changes brought about by the GDPR with our European Privacy Tool, which offers realistic, practical and workable insights as well as templates, helping to ensure that you are successful in meeting the applicable regulatory requirements.
For more news and analysis that is tailored to you, as well as access to Hogan Lovells’ cutting-edge interactive Lawtech tools, register for free on Engage.
You can also keep track of all the Engage content by following our LinkedIn page.