As the date of application of the European Union’s (EU’s) General Data Protection Regulation (GDPR)1 quickly approaches, the enforcement authority of the European data protection authorities (DPAs) is rightfully on everyone’s mind. The power to impose administrative fines on non-compliant entities of up to €20 million or four percent of the entity’s total worldwide annual turnover for the preceding financial year, whichever is higher, is one of the GDPR’s most striking provisions.2 But the GDPR also includes a provision that may prove equally important: it gives individuals the right to bring collective legal action against non-compliant entities. If these collective actions become common, understanding who may bring them, on what grounds, and where will be critical in assessing the importance of compliance and the benefits and risks of launching European data initiatives.
Who May Bring a Claim—European Class Actions
On January 25, 2018, the Court of Justice of the European Union (CJEU) ruled that Maximilian Schrems could not rely on the EU consumer forum rule to pursue, in his home country of Austria, a collective action against Facebook Ireland Limited built on claims assigned to him by other users.3 Schrems’s suit alleges that Facebook committed numerous violations of applicable data protection provisions.4 The CJEU held that although Schrems remains a consumer and may sue in Austria on his own claims, the consumer forum rule cannot be invoked for claims assigned to him by other consumers, whether domiciled in Austria, in another member state, or outside the EU, because those assignors are not themselves parties to the contract in question.5
The CJEU’s ruling may be only a temporary setback for Schrems and other plaintiffs seeking to bring privacy-based collective actions, as the GDPR gives individuals unprecedented power to enforce their privacy rights.6 First, and as under Directive 95/46/EC, data subjects may individually bring a claim.7 Second, and more importantly, the GDPR now allows a data subject to mandate a not-for-profit body, organization or association that has statutory objectives in the public interest and is active in the field of data protection to lodge complaints and to exercise the right to a judicial remedy on the data subject’s behalf, and, where member state law so provides, to exercise the right to compensation as well.8 Recital 147 adds that, where the GDPR lays down specific rules on jurisdiction, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 should not prejudice the application of those specific rules.9 The GDPR’s collective redress mechanism comes as European initiatives regarding private rights of action are at an important crossroads.
Unlike the U.S., which has been at the forefront of collective actions with its far-reaching class action regime, European states have traditionally been hesitant to adopt such an expansive and powerful redress mechanism.10 Nonetheless, many member states have begun to adopt some form of collective action as a way of providing access to justice under local laws.11 Additionally, the EU has previously passed directives impacting the availability of collective actions.12 Although these directives sought to make it easier to pursue redress in civil courts (e.g., in relation to intellectual property rights, environmental law, financial services, etc.), the most comprehensive examination of collective redress at the European level came with the European Commission’s 2013 Recommendation on Collective Redress (the Recommendation).13 The Recommendation encouraged all EU member states to include a general system of collective redress, applicable to all areas of law. At the same time, however, the Recommendation encouraged member states to prevent claimants from recovering punitive damages.14 The Recommendation recognized that the potential efficiency of dealing with similar claims at the same time comes with certain risks. Experience in other jurisdictions has certainly shown that the opportunity to aggregate claims does not always lead to efficient outcomes, and in some cases leads to litigation abuse.15 This abuse is particularly likely where there is a financial incentive to file weak or entirely meritless claims. Despite the Recommendation’s suggested ban on punitive damages, the GDPR may have opened the door to frivolous profit-motivated lawsuits by recognizing the right to seek monetary compensation for non-pecuniary damages.
Causes of Action and Monetary Awards
Under the GDPR’s Article 82, any person who has suffered “material or non-material”16 damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor responsible, and a not-for-profit body mandated under Article 80 may exercise that right on the data subject’s behalf where member state law so provides. In this context, the term “non-material” describes non-pecuniary injuries such as distress and emotional suffering.
Hopefully, however, courts in Europe will interpret the right to seek monetary damages for non-material harms narrowly, understanding that collective actions are not government enforcement proceedings and should not be treated as such. For example, a minor violation of one of the more technical requirements of the GDPR should not, without more, establish that a data subject has suffered compensable damage. As the GDPR takes effect, it will be critical for courts to draw a bright line on when monetary damages may be sought. Collective actions should provide fair compensation for actual damage suffered rather than deliver an undeserved windfall to profit-seeking claimants and their attorneys.
In the U.S., this kind of abuse has to some extent been kept in check in privacy and data security class action litigation by the U.S. Supreme Court’s 2016 ruling in Spokeo, Inc. v. Robins.17 In Spokeo, the Supreme Court held that to establish Article III standing a plaintiff must allege an injury that is both concrete and particularized: a “concrete” injury must actually exist, that is, be “real” rather than “abstract,” and a bare procedural violation of a statute, divorced from any concrete harm, does not suffice. Notably, the Court did not require the harm to be tangible; intangible injuries can also be concrete. Because the GDPR expressly recognizes a right to compensation for non-material damage, a comparable guardrail against frivolous suits in Europe may be lacking.
Where—The Potential for Forum Shopping
Under the GDPR, proceedings against a controller or processor may be brought before the courts of the member state where: (a) the controller or processor has an establishment, or (b) the data subject has his or her habitual residence, unless the controller or processor is a public authority of a member state acting in the exercise of its public powers.18 The GDPR does not define the term establishment, but Recital 22 gives the term broad meaning: “[e]stablishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”19 This broad interpretation is consistent with the CJEU’s and the Article 29 Working Party’s interpretation of the term.20
In Weltimmo v. NAIH, the CJEU considered the meaning of the term “establishment” as used under the Directive. In that case, the CJEU decided whether Weltimmo, a Slovak company that ran a website advertising Hungarian properties in Hungarian, was established in Hungary and thus subject to Hungarian data protection law and the authority of Hungary’s DPA. Weltimmo argued that, as a Slovak company, it was not subject to Hungarian law. In deciding that Hungarian law did apply to Weltimmo, the CJEU confirmed that “establishment” is a broad and flexible concept and that an organization may be established wherever it exercises “through stable arrangements in the territory of that Member State, a real and effective activity even a minimal one.” The relevant factors taken into account by the CJEU in the Weltimmo decision were: (i) the website’s targeting of Hungarian consumers, as evidenced by the listing of Hungarian properties and the use of the Hungarian language; (ii) Weltimmo’s use of a representative in Hungary who represented Weltimmo in administrative and judicial proceedings; and (iii) Weltimmo’s Hungarian bank account and letter box.
To the extent the term “establishment” is afforded a similarly broad meaning under the GDPR, it is possible that technology companies will find themselves parties to privacy litigation in member states whose local laws favor consumer-initiated legal action. Although Article 81 allows a court to suspend its proceedings, or decline jurisdiction in favour of the court first seised, when parallel proceedings in another member state concern the same processing, the ability of aggrieved data subjects to bring claims in member states where neither they are domiciled nor the defendant is incorporated presents a risk of forum shopping. First, because the GDPR links the collective action right to national laws on collective action, individuals in one member state may try to join a collective action in another member state that offers more advantageous collective action rules.21 In addition, to the extent courts in a particular member state adopt a particularly expansive interpretation of the types of non-material harm that warrant monetary compensation, it is likely that data subjects and their attorneys will flock to those jurisdictions.
Like most facets of the GDPR, the ultimate impact of the collective action right will in large part depend on how the rights and obligations laid out in the GDPR are interpreted. There is little doubt, however, that Maximilian Schrems will utilize these new rights to advance his cause. In fact, Schrems has already established a non-profit body in Austria, noyb (None of Your Business), that, “[t]ogether with the many new enforcement possibilities under [GDPR], [ ] will be able to bring privacy cases in a much more effective way than before.”22 Interpretation of the GDPR in these private suits will be conducted not by DPAs with years of privacy and data protection experience, but by the courts. Hopefully these courts will take a pragmatic approach and recognize the dangers of awarding undeserved windfalls to profit-seeking claimants and their attorneys.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) [hereinafter GDPR].
2 GDPR at Article 83.
3 Case C-498/16, Maximilian Schrems v. Facebook Ireland Limited, judgment of 25 January 2018, http://curia.europa.eu/juris/document/document.jsf?text=&docid=198764&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=248410.
4 Id. at ¶ 14.
5 Id. at ¶ 48.
6 See GDPR at Articles 79 – 84.
7 GDPR at Article 79; see Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) [hereinafter the Directive], art. 23.
8 GDPR at Article 80.
9 GDPR at Recital 147.
10 See C. Hodges, The Reform of Class and Representative Actions in European Legal Systems, Oxford, UK.
11 See id.
12 See e.g., Directive 2004/48 of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights O.J. (L 195/16), Article 4; Directive 2005/35/EC of the European Parliament and of the Council of 7 September 2005 on ship-source pollution and on the introduction of penalties for infringements O.J. (L 255/11); Directive 2004/35/EC of the European Parliament and of the Council of 21 April 2004 on environmental liability with regard to the prevention and remedying of environmental damage O.J. (L 143/56).
13 Commission Recommendation 2013/396/EU of 11 June 2013 on common principles for injunctive and compensatory collective redress mechanisms in the Member States concerning violations of rights granted under Union Law, O.J. (L 201/60).
15 See e.g., Amy Korte, Illinois Employers Flooded with Class Action Lawsuits Stemming from Biometric Privacy Law, Illinois Policy, (March 5, 2018, 10:54 AM), https://www.illinoispolicy.org/illinois-employers-flooded-with-class-action-lawsuits-stemming-from-biometric-privacy-law/.
16 GDPR at Article 82.
17 Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
18 GDPR at Article 79.
19 GDPR at Recital 22.
20 See Case C-230/14, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, judgment of 1 October 2015, ECLI:EU:C:2015:426; Article 29 Working Party Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain, WP 179 Update.
21 GDPR at Article 80.
22 See None of Your Business, Our Detailed Concept (March 12, 2018, 10:51 AM), https://noyb.eu/concept.