Among many other things, the GDPR introduces, everywhere in the EU, collective actions, which can be initiated by not-for-profit bodies dedicated to personal data protection thanks to consolidation mechanisms
More than 15 years after the adoption of the Data Protection Directive [1], the European Commission noticed that the current legislative framework on data protection did not adequately deal with the risks associated with online activity [2].
Acknowledging this, the General Data Protection Regulation (GDPR) [3] was finally adopted by the European Parliament on 14 April 2016, entering into force in May 2016 and becoming directly applicable in all Member States on 25 May 2018 [4].
The GDPR targets the data controller or its processor and provides a set of standardised rules relating to personal data processing by such entities.
It also provides means to enforce these provisions.
Specifically, the GDPR introduces, everywhere in Europe, collective actions, which can be initiated by not-for-profit bodies dedicated to personal data protection thanks to consolidation mechanisms.
An action before national courts against a controller or a processor
Without prejudice to any available administrative or non-judicial remedy, the GDPR enables data subjects to bring a claim against a controller or processor in national courts when they consider that their rights under the GDPR have been infringed as a result of processing (Article 79).
In this respect, the GDPR provides the data subject with a real choice of forum, allowing data subjects to bring their action before different courts (Article 79) as well as a lis pendens system requiring courts to suspend their proceedings or decline jurisdiction where identical proceedings are pending before another court (Article 81).
A right to compensation and liability
The GDPR enables the data subject to seek compensation from the controller or processor for the material or non-material damage resulting from an infringement of their rights under the GDPR before national courts (Articles 79 and 82).
The following overview describes the conditions of liability as required by Article 82(1):
The text also sets the principle of full compensation of the plaintiffs, which is very protective of the data subjects' rights: when several processors/controllers are involved, they are jointly liable for compensation (Article 82(4)).
The GDPR does not expressly provide for class actions, but Article 80 enables claims to be brought by third parties on behalf of data subjects and to be turned into collective claims under a consolidation mechanism.
Although the GDPR spreads over 88 pages and almost 100 articles, the long-awaited class-action mechanisms are located in a single short article called "Representation of data subjects" (Article 80).
First, this Article defines the type of legal entity which will be entitled to exercise the data subject's rights on their behalf: organisations or associations having statutory objectives which are in the public interest, and are active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data.
Second, this Article creates three different rights of action:
Nothing new under the sun?
The GDPR actually fails to provide a consistent class action or even a procedural framework to launch an efficient representative joint action.
In this respect, it brings nothing new and simply formalises a practice already established in the Member States.
In France for instance, it has been possible for a long time for a person to collect mandates before starting proceedings, which would consequently result in a collective action.
The representative joint action could, however, shed some light on data protection issues in Europe and eliminate the usual hurdle to the development of representative actions, notably in France: limited exposure and publicity, and the difficulty of obtaining enough mandates for the collective action to reach a critical size.
Combined with the new methods of disseminating information relating to collective actions through the Internet [5], the GDPR's media impact may put personal data collective actions at the heart of public awareness.
Finally, since the class action mechanism is only optional, its implementation depends on the Member States' position and could, therefore, be limited.
A European right to 28 national collective actions?
The GDPR does not create a European class action but rather a European right to collective actions. Indeed, the GDPR only states that the data subject "shall have the right to" initiate actions, but does not provide the data subject with an actionable tool, and leaves it to the Member States to provide such a tool.
Consequently, there soon could be as many personal data collective action procedures as European countries, which would be contrary to the Regulation's objective of consistency.
Are pan-European and global class actions possible?
Processors which are processing personal data all around the globe can legitimately wonder whether the GDPR could give rise to multi-jurisdictional collective actions, including European and non-European data subjects.
In this respect, the first issue lies with the GDPR's scope:
The combination of potentially broad application of the GDPR and the choice of forum it provides to the data subject could, in theory, give birth to pan-European data protection collective actions, which could include non-EU data subjects under certain circumstances.
Nevertheless, the European data protection class action regime remains unclear at this stage. Its procedural framework and its application will need to be specified and improved. In this respect, some answers may come from the European Data Protection Board, which has been given the mission to issue guidelines, recommendations and best practice procedures (Recitals nos. 77 and 124 and Article 70).
| | EU processor / controller (main establishment in the EU) | Non-EU processor / controller (main establishment outside the EU) with an affiliated entity having an activity in the EU | Non-EU processor / controller (main establishment outside the EU) with no affiliated entity having an activity in the EU |
| --- | --- | --- | --- |
| EU data subject | Applicable | Applicable* | Applicable** |
| Non-EU data subject | Applicable | Applicable* | Not applicable |
* provided that the processing of personal data was made in the context of the activities of the EU establishment, regardless of whether the processing takes place in the EU
** provided that the processing activity is related to the offering of goods or services or the monitoring of the data subject's behaviour
This article forms part of our Data class actions: the era of mass data litigation guide which can be downloaded below.
Authored by Christine Gateau and Eduardo Ustaran.