GDPR and Mass Claims

31.08.2022 Tilbe Birengel

Introduction

The procedural rules on mass claims[1] within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”).[2] The impact of the Directive is expected to make collective redress in data protection and other fields much easier.

GDPR and Mass Claims
% 0

Timeline

The Directive was passed by the European Parliament on 24 November 2020 and entered into force by the end of 2020. It will be implemented by the EU Member States by 25 December 2022. The measures shall be applicable in each Member State as of 25 June 2023.

The Scope of the Directive

The Directive creates stronger protection for consumer groups than those that existed previously. In case of breach of EU law on subjects including data protection, financial services, energy, telecommunications, health and the environment, the Directive is expected to pave the way for mass claims against businesses. In order to minimize abusive mass claims, the Directive limits standing for bringing collective actions on behalf of consumers to “designated institutions.”

Due to the fact that Member States have diverging procedures regarding mass claims, the Directive was necessary in order to harmonize mass claim litigation within the EU. That being said, each Member State has a level of discretion in implementation of the Directive on some matters. For instance, Member States can decide whether or not to implement an opt-out mechanism for claims. If this mechanism is applied, anyone falling into a class of claimants is automatically added as a party to the claim unless they specifically opt-out. Likewise, Member States have a say in defining the criteria for designated institutions for domestic actions.[3] However, criteria for designated institutions to stand on behalf of customers in EU-wide claims is not at their discretion.

Thus, companies doing business with mass numbers of consumers will need to keep track of nuances in different jurisdictions to monitor risks of mass claims they might face.

Impact of the Directive on General Data Protection Regulation (“GDPR”) Related Mass Claims

By regulating cross-border mass claims, the Directive eases initiation of proceedings in other Member States. Consequently, it is anticipated to trigger a peak in data infringement related mass claims. In fact, the increase in claims has already started.

Recently, a consumer protection association in Germany sought an injunction against Meta Platforms Ireland before a German court. The Federal Court of Justice in Germany referred the matter of the standing of the association on behalf of consumers to the Court of Justice of the European Union (“CJEU”). On 28 April 2022, in Meta Platforms Ireland, the CJEU rendered a decision:

“In the light of all the foregoing considerations, the answer to the question referred is that Article 80(2) of the GDPR[4] must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.” [5]

In sum, the CJEU confirmed that the GDPR does not preclude national provisions allowing standing for such associations on behalf of consumers. Most importantly, the CJEU added that associations enjoy “independent” standing and can act without a mandate from data subjects in such actions.[6] The caselaw in EU is likely to establish a pattern in favor of GDPR related mass claims.

Conclusion

The Collective Redress Directive allows consumer associations to bring EU-wide and cross-border mass claims against businesses on behalf of consumers (data subjects). This legislative trend is supported by CJEU’s recent rulings.

Since consumer associations will enjoy standing in a widened scope of matters, including in GDPR-related cases, companies doing business with high number of consumers are expected to face a flood of data-related mass claims in the near future.

References
  • In this article mass claims term is preferred to cover mechanism for the protection of the collective interests of consumers via representative/collective/class actions, with no further classification on the action types.
  • The Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC, OJ L 409, 04.12.2020, p. 1–27.
  • Tjon-En-Fa Evelyn, Hurst Bryony, Lanzkron Louise: “In preparation for the new Collective Redress Directive our dispute resolution lawyers have created some tools to help”, Bird & Bird Insight, 23.06.2022, https://www.twobirds.com/en/insights/2022/global/in-preparation-for-the-new-collective-redress-directive (Access date: 24.08.2022).
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119, 04.05.2016, p. 1–88.
  • C-319/20, Meta Platforms Ireland Limited, formerly Facebook Ireland Limited v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V., April 28, 2022, ECLI:EU:C:2022:322.
  • De Cicco Diletta, Downes James, Mallon Leigh, Helleputte Charles-Albert: “European Court Boosts Representative Actions for GDPR Infringements”, Steptoe Client Alert, 05.05.2022.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.

Other Contents

Artificial Intelligence Act Adopted by the European Parliament
Newsletter Articles
Artificial Intelligence Act Adopted by the European Parliament

The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...

Personal Data Protection 31.07.2023
CJEU Decides That A Mere Infringement of the GDPR Is Not Sufficient for Non-Material Compensation
Newsletter Articles
CJEU Decides That A Mere Infringement of the GDPR Is Not Sufficient for Non-Material Compensation

In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...

Personal Data Protection 31.05.2023
ChatGPT: A Grey Zone Between Privacy, Cybersecurity, Human Rights and Innovation
Newsletter Articles
ChatGPT: A Grey Zone Between Privacy, Cybersecurity, Human Rights and Innovation

ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...

Personal Data Protection 30.04.2023
A Comparative Approach to Joint Controllers
Newsletter Articles
A Comparative Approach to Joint Controllers

The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...

Personal Data Protection 31.03.2023
The EU’s Digital Operational Resilience Act for Financial Services Industry Actors Entered into Force
Newsletter Articles
The EU’s Digital Operational Resilience Act for Financial Services Industry Actors Entered into Force

The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...

Personal Data Protection 31.01.2023
Smartwatch Privacy: A Beginner’s Guide
Newsletter Articles
Smartwatch Privacy: A Beginner’s Guide

Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...

Personal Data Protection 31.01.2023
An Examination of Loyalty Programs Under Personal Data Protection Legislation
Newsletter Articles
An Examination of Loyalty Programs Under Personal Data Protection Legislation

The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...

Personal Data Protection 30.11.2022
Is the Missing Piece of the Puzzle Found in the Intersection Between GDPR and Antitrust Law?
Newsletter Articles
Is the Missing Piece of the Puzzle Found in the Intersection Between GDPR and Antitrust Law?

The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...

Personal Data Protection 31.10.2022
Guidelines on Personal Data Protection in the Banking Sector Published by the Turkish Personal Data Protection Authority
Newsletter Articles
Guidelines on Personal Data Protection in the Banking Sector Published by the Turkish Personal Data Protection Authority

Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...

Personal Data Protection 30.09.2022
Briefing for the Impact Assessment of the Data Act Has Been Published
Newsletter Articles
Briefing for the Impact Assessment of the Data Act Has Been Published

In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...

Personal Data Protection 31.07.2022
The Regulation on Protection and Processing of Personal Data by the Social Security Institution
Newsletter Articles
The Regulation on Protection and Processing of Personal Data by the Social Security Institution

The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...

Personal Data Protection February 2022
A New Era: The Personal Information Protection Law of the People’s Republic of China
Newsletter Articles
A New Era: The Personal Information Protection Law of the People’s Republic of China

The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...

Personal Data Protection February 2022
All Eyes of the Data Protection Authorities are on Cookies!
Newsletter Articles
All Eyes of the Data Protection Authorities are on Cookies!

In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...

Personal Data Protection January 2022
The Right to Be Forgotten
Newsletter Articles
The Right to Be Forgotten
Personal Data Protection November 2021
A Groundbreaking Whatsapp Decision by the Irish Supervisory Authority
Newsletter Articles
Healthcare Sector Publishes a Guideline on Data Protection
Newsletter Articles
Healthcare Sector Publishes a Guideline on Data Protection
Personal Data Protection September 2019
The General Data Protection Regulation in Force
Newsletter Articles
The General Data Protection Regulation in Force
Personal Data Protection May 2018
Destruction of Personal Data
Newsletter Articles
Destruction of Personal Data
Personal Data Protection November 2017
The EU General Data Protection Regulation and Its Territorial Scope
Newsletter Articles

For creative legal solutions, please contact us.