Data protection and consumer law increasingly powerful allies

Norway’s significance in the data protection environment lies in at least two areas (p.1).

First, it holds an influential position outside but alongside the European Union in the European Economic Area (EEA). Norway’s Data Protection Commissioner, Bjørn Erik Thon and his team, take an active part in the work of the European Data Protection Board, and Norway was recently elected to be the rapporteur for the Board’s guidelines on Privacy by Design and by Default (p.4). Norway has an active Binding Corporate Rules programme and works with other countries as co-reviewers.

With the United Kingdom seeking a way to leave the European Union, but still work harmoniously in association with it, the EEA looks a reasonable place to reside from the data protection law perspective.

The second area of significance is that Norway shows the potential for the synergy of data protection and consumer law to stop the distribution of Internet-connected products and services, which interfere with people’s data protection rights by taking their personal data without their knowledge or consent. In Norway, consumer advocates are well resourced and influential and can use the civil procedure law to provide a remedy. Such a civil procedure law model also applies in Spain (p.14) and Romania (p.13).

In France, a collective action case was fought and won this summer by consumer association, UFC-Que Choisir, against Twitter. The Tribunal de Grande Instance in Paris published its judgement on 7 August that 256 of Twitter’s terms and conditions were unfair or unlawful, levying a €30,000 fine for “moral damage to the collective interest.” UFC-Que Choisir is still in legal combat with Google and Facebook.

Collective action against Facebook was launched on 30 May by Euroconsumers, a group of consumer organisations in Spain, Portugal, Italy and Belgium with more people opting in to join this legal action every day.

European level

At European level, the New Deal for European Consumers, published in April this year by Margrethe Vestager, European Commissioner for Competition, provides for collective (class) action remedies not only in data protection cases but also in other areas such as financial services and travel. It is no coincidence that Vestager will be addressing the 40th International Conference of Privacy and Data Protection Commissioners next week.

On 8 October, Giovanni Buttarelli, European Data Protection Supervisor, organiser of this conference, published his Opinion on the need for coordination between consumer and data protection authorities. He wrote: “… the EDPS recommends that the proposal on collective redress be adjusted to complement the provisions in the GDPR for the representation of data subjects in exercising their rights …The EDPS … calls for closer cooperation between consumer and data protection authorities, through initiatives such as the Digital Clearinghouse and the joint meetings of the European Data Protection Board and the Consumer Protection Cooperation Network.”

Recognising this trend, on Tuesday next week, Privacy Laws & Business has organised a workshop: The future for collective action under the GDPR. On the official programme, this side event to the 40th International Conference of Data Protection and Privacy Commissioners will assess the future prospects for collective action in data protection cases with presentations by lawyers, consumer organisations and academics from several countries. Will European collective action cases avoid the excesses of US class actions? In Europe, such cases are led by determined groups of consumers and privacy advocates. We have organised this event together with the privacy advocacy organisation, the Brussels Privacy Hub, to ensure that the participants benefit from views representing all sides.

Collective action in data protection cases is not going away. Facebook may be the current favourite target but will not be the only one in the future.

Laura Linkomies, Editor, and I will be in Brussels next week to bring you the highlights, not only of our workshop but also the 40th International Conference.


Stewart Dresner, Publisher

International Report 155

Lead story:

Norway takes active role on the European stage

Norway adopted a GDPR-compliant national data protection law sooner than several EU countries. Its DPA actively participates in the EU mainstream. Stewart and Merrill Dresner report from Oslo.

Contents also include:

  • Comment: A whirlwind of privacy developments
  • Ireland: One Stop Shop’s front line
  • EU Adequacy discounted: The draft Japan decision
  • Collective action under GDPR: A civil law perspective from Spain
  • Genetics goes online – privacy in the world of personal genomics
  • Is data ethics the new competitive advantage?
  • US CLOUD Act creates global data access framework
  • Brazil enacts Data Privacy Law
  • Romania’s GDPR implementation law: A few national specifics
  • Turkey requires explicit consent for export of personal data
  • India’s draft DP Bill includes many GDPR-style protections
  • First significant GDPR fines in the pipeline
  • EDPB issues opinions on DPIAs
  • Bahrain adopts DP law
  • Germany: Bavaria’s DPA conducts GDPR audits
  • Finland issues an important RTBF decision
  • France’s DPA publishes review of the GDPR’s first four months
  • EDPS consultation on data ethics
  • FTC proposes EU-US Privacy Shield settlements