Could the GDPR give rise to forum shopping, and are there any pre-litigation strategies that should be considered? Here, we review four key elements that should be kept in mind in respect of data class actions in the EU.
In the US, many class actions are dismissed for lack of 'standing', i.e. because the litigants do not demonstrate that they suffered an 'injury in fact' that is concrete and actual or imminent.
Does the US 'injury in fact' standard apply for data class actions in Europe?
Under the GDPR, data subjects have the right to recover both material damages and non-material damages (Article 82).
Hence, in the event of liability, all damages which have been caused by the data protection infringement have to be compensated.
This extended liability is remarkably different to the current legal situation under many Member States' data protection laws.
Quick glance at France: the data class action may be used to put an end to an infringement of the provisions governing the protection of personal data.
The law expressly specifies that this class action cannot give rise to compensation in the form of damages.
It is a purely injunctive form of collective redress.
Yet, this position may evolve in the future, as a bill currently being debated provides for the creation of a compensatory data class action.
Quick glance at Germany: on 24 February 2016, a new German Act entered into force aimed at strengthening consumers' data privacy laws.
Among other things, it adopted the mechanism called “Verbandsklage”.
This is a representative action enabling qualified entities, e.g. consumer protection organisations, to bring an action against companies and individuals violating data privacy laws.
It only enables organisations to claim for cease-and-desist judgments (injunctions).
So, current claims for damages must be brought by individuals.
The existing “Verbandsklage” does not provide for collective compensation, but may be a door-opener for large-scale lawsuits in Germany.
The GDPR does not set forth any criteria for the assessment of the recoverable damage and leaves it to the applicable national laws.
So Member States use their own national standards to determine whether the litigants have 'standing' and whether, for instance, hypothetical, future or even anxiety-related damage may be compensable.
Article 82 of the GDPR is intended to act as a deterrent, making data protection breaches economically unattractive.
Furthermore, the case-law of the Court of Justice of the European Union concerning non-material damages must be taken into account.
According to the case law, the amount awarded should have a deterrent effect.
This goal can only be achieved if the amount of damages awarded reaches a sufficiently significant level.
Burden of proof
Under the GDPR, the controller is responsible for ensuring and demonstrating that its processing activities are compliant with the provisions set out in the GDPR as well as with the laws of the Member States implementing the said Regulation.
The controller must implement appropriate technical and organisational measures to ensure as well as to be able to demonstrate that processing is performed in compliance with the GDPR (Article 24).
The controller must keep records in writing – including in electronic form – of its processing activities and make the records available to the supervisory authority on demand (Article 30).
The controller must record and document all personal data breaches – comprising the facts relating to the personal data breach, its effects and the remedial action taken.
These records must be disclosed to the supervisory authority on demand (Article 33).
The GDPR imposes a strict liability regime on controllers: from the moment that a violation is recorded, compensation will be automatic.
Data subjects can bring an action without having to prove any fault or negligence on the part of the controller.
The burden of proving that it is not responsible for the event giving rise to the harm (i.e. the processing of personal data is performed in accordance with the GDPR and the national laws implementing the GDPR) falls on the defendant controller (Article 82).
Controllers have to meet the new data protection requirements and must be able to demonstrate that the processing of personal data is performed in accordance with the GDPR and the laws of the Member States.
So it is of critical importance for the controller to keep records of all measures, actions and elements likely to evidence compliance with the GDPR.
Controllers must treat the GDPR's accountability mechanisms as a pre-litigation strategy, designed to create documentation showing that the defendant applied appropriate technical and organisational measures.
The broad territorial application of the GDPR, and the choice of forum it provides to the data subject, could give rise to forum shopping and multi-jurisdictional collective actions, including European and non-European data subjects.
The GDPR applies to:
businesses that are established in the EU and process personal data (Article 3(1));
businesses that are established outside the EU if they process the personal data of EU residents when offering them goods or services or when monitoring the behaviour of EU residents (to the extent that such behaviour occurs in the EU) (Article 3(2)).
Businesses not currently subject to the Data Protection Directive may become subject to the GDPR if they offer goods or services to EU residents or monitor their behaviour.
Proceedings against a controller or processor may be brought by the data subject before:
the courts of the Member State where the controller or processor has an establishment; or the courts of the Member State where the data subject resides (Article 79(2)).
This choice of forum may lead data subjects to bring individual and class actions in a specific Member State to benefit from the differences in the national laws (e.g. 'injury in fact' standard, compensatory actions, compensation of material and non-material damages).
Quick glance at Austria: on 1 August 2014, an Austrian law student, Maximilian Schrems, filed a lawsuit against Facebook Ireland Ltd before the Vienna court based on allegations that Facebook's practices would breach privacy laws in numerous ways.
In order to initiate a so-called "class action", Max Schrems created a website to invite any person having suffered the same alleged violations of their rights to join the lawsuit.
On 12 September 2016, the Austrian Supreme Court referred two preliminary rulings to the Court of Justice of the European Union.
On 25 January 2018 (case C-498/16), the CJEU found that Article 16(1) of Regulation 44/2001 could not be read as creating a forum for claims that were assigned to Mr. Schrems.
The CJEU explains that the exclusion from assigned claims is necessary for the attribution of jurisdiction to be predictable, which is one of the objectives of the Regulation.
The GDPR does not create a pre-litigation discovery process.
Yet, it sets forth some provisions requiring controllers to disclose evidence proving compliance with the GDPR.
This may enable data subjects to build their case before filing a claim.
The GDPR provides data subjects with a comprehensive right to access their own personal data through a subject access request (Article 15).
The controller must respond to the subject access request within one month of receipt of the request (Article 12) and provide the data subject with a copy of all personal data which the subject has made available to it.
The GDPR expands the mandatory categories of information which must be supplied in connection with a data subject access request (e.g. information about the purposes of the processing, the categories of data being processed, the period for which the data will be stored) (Article 13).
This allows data subjects to be able to verify the lawfulness of the processing of their personal data.
The controller may refuse to respond to a subject access request if it is manifestly unfounded or excessive.
But the controller bears the burden of proving the request is manifestly unfounded or excessive (Article 12).
Companies should be prepared for data subjects exercising their right to lodge a complaint with a supervisory authority in order to access the findings of the administrative investigation (Article 77).
It is likely that the data subjects will use this information in the course of civil proceedings.
Due to this approach, data subjects can easily create a presumption of a data protection violation, and an even greater administrative burden is placed on controllers.
Companies must be able to demonstrate that processing is performed in accordance with the GDPR (Article 24).
This evidence should refer to the general efforts the company undertakes to implement the GDPR in accordance with the law.
Additionally, the evidence should display the measures the company implemented with regard to the respective claimant.
For this purpose, the companies should establish a system for logging individual processing operations to be able to prove who had access to a given individual's personal data, and what actions were taken with regard to the data.
Given the diversity of procedural rules in European Member States and the GDPR's broad territorial scope, we can expect plaintiffs to conduct forum-shopping to find the best national courts for launching data class actions.
The GDPR's accountability provisions require defendants to affirmatively prove that they deployed "appropriate technical and organisational measures".
Data processing records should be designed with this pre-litigation strategy in mind.
Plaintiffs will use data access requests and complaints to Data Protection Authorities to help build a litigation file.