Collective action now a credible litigation risk in the EU

The news which I expect to become increasingly significant in the EU for both companies and consumers is the announcement on 2 December that noyb, the consumer advocacy organisation, can now bring collective actions in any EU Member State.

This is a clear achievement for noyb, whose chairperson is Max Schrems, the EU’s most famous litigant for consumer rights in the EU.

The approval by the Austrian Bundeskartellanwalt was issued on 2 December and the approval by the Irish Ministry for Justice was issued on 10 October this year. Noyb’s new status as a Qualified Entity under the Representative Actions Directive (EU) 2020/1828 means that while it has been approved in Ireland and Austria, it can bring actions for injunctive or redress measures in any EU Member State.

The rationale for Austria is because noyb is based there, and the rationale for Ireland is that this is the country where many US-based companies, such as Meta and Apple, have their EU headquarters. In fact, the American Chamber of Commerce in Ireland has a membership of 950+ companies, many of which will be very aware of the risks of such class actions in the US.

Differences between US and EU collective actions

There are major differences between the US and EU forms of collective action. In the US, any law firm can initiate a claim (often on a no-win, no-fee basis) on the understanding that the law firm usually takes 25-35% of the judges’ awards if the claims are successful.

In the EU, by contrast, the system is designed to remove financial incentives for plaintiffs so Art. 80.1 GDPR allows only not-for-profit organisations, such as noyb to bring cases to court. The right to compensation specifically covers “material or non-material damage as a result of infringement” of the GDPR (Art. 82.1).
This Qualified Entity status means that noyb can now bring representative actions before national courts on behalf of groups of consumers to seek both injunctive stop orders and other types of redress measures.

Injunctive measures: Noyb explains injunctive measures as allowing a Qualified Entity to request a company to stop a certain illegal practice. “In the case of noyb, this could be the tracking of users without valid consent, the use of ‘dark patterns’ to unlawfully gain consent, the sale of personal data without a legal basis, absurd wording in privacy policies or the transfer of personal data to a jurisdiction that does not provide adequate protection. Generally, many other patterns of non-compliance, such as incomplete or delayed responses to access or deletion requests under the GDPR could be enforced via this new instrument.”

Redress measures: Noyb explains that redress cases can relate to past and ongoing unlawful data processing. “Typically, such cases would include damages claims, or claims for the return of any unlawful profits made from illegal processing. While non-material damages can be rather low and only amount to €100 to €1,000 per user, this can quickly add up if a company has violated the rights of millions of users. In most EU Member States, each user has to ask a not-for-profit to represent them ("opt-in" system). However in some jurisdictions, like in the Netherland or Portugal, a Qualified Entity can represent any user that has not objected to be represented ("opt-out" system).”

For consumers, such collective action enables them to supplement enforcement efforts of DPAs with this type of direct action in cases where a national DPA may not have the resources or wish to pursue an enforcement action against well-financed multinational companies. Some issues may not be on a DPA’s priority list but they may be important for the interests of specific types (classes) of individuals.

Noyb is now the best known organisation qualified to bring representative actions in the EU and has brought, represented or assisted more than 800 GDPR complaints and dozens of cases before national courts, the European General Court and the Court of Justice of the EU in Luxembourg.

Other organisations qualified to bring representative actions

There are currently 43 other organisations which have become Qualifying Entities across the EU.(1) Some of them cover data protection issues, such as the Irish Council for Civil Liberties and Finland’s Data Protection Ombudsman, the current Chair of the European Data Protection Board.

I think it is significant that Romain Robert, who until April this year was Program Director at noyb in Austria, is now a Legal Officer at the European Data Protection Supervisor and a member of the litigation chamber of the Belgian DPA. This means that a person with experience of preparing collective action cases, is now at the centre of the EU data protection eco-system. This compares with most DPAs in EU Member States who usually do not have this experience, even if they are qualified lawyers.

Other Qualified Entities in the EU have a wider consumer issues remit, such as the Danish Consumer Council and The Foundation for Market Information Research in the Netherlands.

For an organisation to pass the test to become a Qualified Entity, it has to be well prepared. Schrems explained that noyb has prepared for this step for several years and went through a rigid process to get this approval, where the independence and also the organisational stability of the organisation was reviewed.(2)

Should companies be worried?

Schrems has announced “We are planning to bring the first actions in 2025.” So with Schrems’ successful track record, companies should certainly pay attention to this type of liability and litigation risk resulting from claims for both material and non-material damage.

The legal position is different across the EU. For example, litigation funding is not currently permitted in Ireland and this is considered to be a barrier to Qualified Entities taking representative actions. But noyb is largely financed by individual donations, likely to be increased if it brings a case to court which resonates with the public. So companies should take seriously this litigation risk from mass claims by noyb and other Qualified Entities.

Data opportunities in Ireland is the conference on 6 February in Dublin organised by Privacy Laws & Business in cooperation with leading law firm McCann FitzGerald.

The conference includes:

  • A presentation by the Data Protection Commissioner, Dr Des Hogan
  • A session on Claims for non-material damage with a leading barrister and solicitor.

PL&B Report subscribers can register for free.

We look forward to meeting you there or online.

Regards

Stewart Dresner
Publisher, Privacy Laws & Business

REFERENCES
  1. Cross-border Qualified Entities
  2. noyb - Information in accordance with Directive (EU) 2020/1828 on Collective Redress

December 2024

News & Blogs

December 2024 Report Contents

Next