Data protection rights are not listed among those fundamental consumer rights that the Consumer Code protects, but certain data breaches of the GDPR could amount to unfair commercial practices and, as such, fall within the scope of application of the collective redress mechanisms.
Italian law provides for two different collective redress mechanisms: injunctive redress and compensatory redress (class action).
Both mechanisms are open for the protection of the consumers' rights and interests set forth by the Italian Consumer Code, which consolidates provisions implementing inter alia several consumer-oriented EU Directives.
Although data protection rights are not listed among those fundamental consumer rights that the Consumer Code protects, certain data breaches and violations of the GDPR could amount to unfair commercial practices and, as such, fall within the scope of application of the collective redress mechanisms described below.
Consumer associations that are considered to adequately represent consumers on a national scale and are duly enrolled in the relevant national register may act for the protection of consumers' collective interests by requesting the court to take the following actions:
In cases of justified reasons for urgency, this type of claim may be heard by the court with the same summary procedure as that provided by the Italian Code of Civil Procedure for interim measures.
When declaring the proceedings closed, the court sets a deadline for the losing defendant to comply and can also order the payment of a fixed amount for each day’s delay in complying with it.
Only authorised consumer protection entities listed in the above central registry have standing to sue in these proceedings.
The single consumer or user lacks an autonomous standing to sue with reference to injunctive redress for collective consumer interests, albeit retaining their standing to sue in a parallel action in their own individual interest.
The Italian Consumer Code makes no reference to the availability of such a mechanism for data breaches.
Consequently, it might be inferred that no collective injunctive redress mechanism would be available to consumers who suffered a violation of collective interests under the Italian data protection law currently in force or under the GDPR. The possible exception is repeated and unsolicited offers via telephone, fax, email or other means of communication, which could be considered aggressive commercial practices.
This conduct could fall within the scope of an injunction only if considered to be an unfair practice.
By means of a class action, claimants can seek compensation or merely seek a declaratory judgment that the defendant is liable without seeking compensation.
The causes of action for a class action claim are the enforcement of "individual homogeneous rights of consumers and users" and "collective interests" with reference to the following rights:
Standing to sue only lies with the individual member of a class.
However, consumer associations can be mandated by consumers – by means of powers of attorney – to file class action claims before the court.
Although the Italian Consumer Code does not provide any mandatory indication in this respect, consumer associations bringing class actions are generally selected from among certain registered consumer associations (i.e. those consumer associations entitled to file injunctive actions).
The individual class member may also bring the action via an association of which they are part.
In Italy, the procedure requires a preliminary admissibility check to be carried out by the court in order to assess whether requirements for a collective action are met.
Only once the admissibility stage has been cleared may the court hear (and rule on) the merits of the case.
For the case to be admissible, the relevant requirements are the following:
The court evaluates whether the above requirements are met and rules on the admissibility of the collective action after the first hearing.
Further, because of the limited criteria under which a class action may be declared admissible, the Italian class action mechanism has proven neither appealing nor very successful.
Italian law sets forth an opt-in system.
By the order admitting the class action, the court defines, among other things, the eligibility criteria for the applicants to be included in the relevant class of consumers bringing the action.
Once the class action is declared admissible, the claim is publicly circulated and class members may opt in within a peremptory deadline set by the court. No appointment of an attorney is required in order to opt in.
By opting in, the subject joining the class action (applicant) waives their rights to bring any individual claim for compensation or redress based on the same cause of action.
The court's judgment is binding on both the plaintiff and the class, irrespective of its content.
Any settlement between the parties is not binding on any of the applicants who have opted in, unless the latter have expressly declared themselves willing to settle.
If the claim is deemed well-grounded by the court, an order is issued awarding damages to those who joined the class action suit.
Alternatively, the court may simply establish the homogeneous criterion for the liquidated damages so that the parties will have a three-month period to reach an agreement on liquidated damages.
For the same reasons outlined for the collective injunctive redress, it may be inferred that class action is available only to those consumers who suffered a violation of homogeneous rights under the Italian data protection law currently in force or under the GDPR.
Moreover, class action is also available if those data breaches can be deemed to amount to unfair commercial practices.
How to prevent a possible class action?
Being fully compliant with the GDPR provisions and adopting a suitable and efficient privacy business model based on the following principles:
With particular respect to the accountability obligation, the data controller (i.e. the entity which decides the purposes and modalities of the processing of personal data) shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
Among those measures, which need to be reviewed and updated, where necessary, are:
To learn more about data class actions in other jurisdictions, you can view our Data class actions: the era of mass data litigation guide, of which this article forms part.