BRUSSELS — Europe’s powerful privacy activists are wielding a sharp new legal tool that, if successful, could see the cost of privacy breaches balloon into the billions for Big Tech.
European consumers in recent years have seen a law take effect that allows them to club together to look for compensation for damages caused by companies. Armed with Europe’s blockbuster privacy law, the General Data Protection Regulation, internet users — often represented by savvy digital rights groups — are now gunning for big payouts.
The European Union has had a Collective Redress Directive in force since 2020, designed in the wake of the Volkswagen emissions scandal to better protect large groups of consumers from suffering the same harm, and to let them collectively seek compensation. One of the laws the directive can help enforce is the GDPR.
Already, Dutch non-profit SOMI has launched collective redress actions against TikTok and Meta; the Irish Council for Civil Liberties has lodged one against Microsoft; and Austrian privacy group Noyb is preparing to launch its first action against credit ratings agency CRIF.
Privacy groups see “a lot of potential” in collective redress as a new avenue, especially for GDPR breaches by Big Tech, said Ursula Pachl, who last year took on the role of spearheading collective redress actions at Noyb — one of Europe’s most prolific privacy watchdogs — after more than a decade working at powerful Brussels consumer lobby association BEUC.
“Enforcement has always been the Achilles heel of the European Union, particularly in regards to consumer protection,” Pachl said.
The GDPR in particular lends itself well to collective action because “everybody in Europe probably suffers from the same illegal behavior if there is a Big Tech company who does something which doesn’t respect the GDPR,” she said.
Guillaume Couneson, a data protection lawyer with the firm Linklaters, said that when a breach is confirmed by a data protection authority, collective redress actions could “immediately [pop] up like mushrooms.”
Multiplying fines
A recent landmark court case highlighted just how much collective redress actions could sting tech firms and others alike.
A judge at the EU’s General Court ruled in January that a complainant, Thomas Bindl, was entitled to damages when he was faced with “some uncertainty” about what happened to his data. Bindl’s case rested on his having clicked a “Sign in with Facebook” hyperlink displayed on a European Commission webpage.
The judge ruled Bindl was owed €400 in damages — a judgement that was quickly seen as setting the bar for compensation for a single breach of the GDPR.
Couneson said the case “surprised many by the height of the damages” and had raised immediate concerns for businesses about the multiplier effect of what happens if “it’s a million people claiming €400.”
That’s a daunting prospect for Big Tech firms, especially if such class action cases take off in Europe, where the tech sector has faced much heavier regulatory scrutiny and court losses than in the United States.
Class actions are predominantly a phenomenon of the U.S. legal system, where they are seen as a way to relieve courts of many similar cases and for consumers to get compensation in a more cost-effective way.
But the U.S. system has also led to court cases driven by opportunistic litigation, with lawyers actively rallying plaintiffs to bring forward a case in order to take a cut of the winnings.
Countries like the Netherlands and Belgium have long traditions of collective action for consumers, while in other EU countries legal routes have been limited or don’t exist. But before the directive, legal avenues to take consumer group actions were “quite patchy” across the EU, said Florence Danis, also a lawyer at Linklaters.
The first article of the EU directive on collective redress says it will put in place “appropriate safeguards to avoid abusive litigation.” The power to take up cases is granted only to not-for-profit, independent, consumer-focused organizations, while EU countries are required to create a legal route for these “qualified entities.”
According to Karen Shin, a California-based privacy lawyer at law firm Blank Rome, non-profits might be less inclined to take genuine cases due to the costs they could trigger. In many EU countries as well as in the United Kingdom, the losing side of a court case pays for attorney’s fees and costs, which “may limit the usage of class actions in the EU,” she said.
New privacy battlegrounds
Enforcement of the GDPR was designed to be the domain of national data protection authorities across the EU. Because the principle of a “one-stop shop” regulator was built into the law, most of the landmark privacy cases have fallen into the hands of Ireland’s chief regulator, the Irish Data Protection Commission.
Charged with regulating the many Big Tech companies headquartered in the country, the Irish regulator has handed down most of the biggest fines in the history of the GDPR, including the €1.2 billion against Meta over data transfers to the U.S. and the €530 million against TikTok relating to Chinese data transfers.
But those fines took years to decide. For years, civil society and other data protection regulators were left frustrated over perceived inaction by the Irish DPC. Noyb has repeatedly criticized the Irish regulator over what it describes as tardy or lenient enforcement against Big Tech.
A 2023 report from the Irish Council for Civil Liberties estimated that 67 percent of the Irish DPC’s EU-level investigations had been overruled by a majority of its European counterparts demanding tougher enforcement action.
Ireland has also thrown up barriers to the use of collective action, through both centuries-old laws and its implementation of the new directive.
The country’s legal system prohibits third-party funding of collective actions, harking back to old laws from as early as the 14th century that were reaffirmed by the Irish Supreme Court in 2017. Ireland has also capped contributions from consumers to collective cases at €25 per person.
This is something that Noyb, a familiar presence in Irish courts, has raised as a concern with the European Commission, arguing it infringes on the EU directive. EU countries “[have] a positive obligation to make sure that financially it’s not an obstacle” to start collective action cases, Pachl said.
Ireland will still be an “obvious forum” for GDPR collective redress actions, given that many Big Tech defendants are based there, said Linklaters’ Danis.
But, she added, consumers are not geographically bound by the directive: “Even if you’re an Irish plaintiff or representative, you could go before the French court to claim damages to the benefit of French consumers, for instance.”
The post Europe’s privacy groups take on Big Tech with class action cases appeared first on Politico.