Out-Law Analysis

Risk of data protection mass claims persists for businesses in Europe


The risk that businesses face from class action-style data protection claims has risen since the General Data Protection Regulation (GDPR) took effect five years ago.

Heightened awareness of data protection rights, coupled with a rise in the availability of third-party litigation funding, has emboldened claimants that see an opportunity to derive compensation for data subjects, often by piggy-backing on regulatory findings. News of a mass data protection claim raised against Google in the Netherlands is just the latest in a string of high-profile cases in recent years.

The courts, though, have confirmed the high bar that claimants must meet – first, in respect of grouping together data protection claims for sometimes millions of data subjects in a way which is admissible, and second, around the degree of harm they must be able to evidence to be eligible for damages.

However, the dynamic around data protection mass claims is set to change again with the implementation of the EU Representative Actions Directive, and some campaigners believe it will spur a rise in the number of data protection mass claims in the years ahead.



Andre Walter

Legal Director

Depending on which EU country is in question, the RAD will introduce new provisions or enhance or at least supplement existing provisions on mass claims

Article 80 of the GDPR provides data subjects with the right to mandate a not-for-profit body, organisation or association to lodge data protection complaints and pursue judicial remedies against organisations or data protection authorities on their behalf. Data subjects can further mandate those not-for-profits to receive compensation they are entitled to under article 82 of the GDPR on their behalf too, where they have suffered material or non-material damage as a consequence of an organisation’s breach of the GDPR.

Article 80 further provides EU member states with scope to enable those not-for-profits to lodge complaints or pursue judicial remedies of their own volition if they consider data subjects’ rights under the GDPR have been infringed.

The EU’s highest court, the Court of Justice of the EU (CJEU), considered the latter discretionary ‘opt out’ regime in a ruling last year, confirming that the GDPR does not preclude national legislation being implemented in EU member states that provides consumer protection associations with a right to pursue data protection claims on a representative basis, without a mandate from the individuals they profess to represent, where those associations believe there is a link between data processing practices and alleged non-compliance with consumer protection laws.

The scope for data protection claims in the EU is set to be enhanced under the Representative Actions Directive (RAD). Depending on which EU country is in question, the RAD will introduce new provisions or enhance or at least supplement existing provisions on mass claims. In the Netherlands, for example, the Act on Redress of Mass Damages in Collective Action (WAMCA) already provides interest groups, associations or foundations with rights to claim damages on behalf of groups of people.

By 25 June 2023, each EU member state must have put in place at least one procedural mechanism which meets minimum standards set out in the RAD, for consumers to seek collective redress when they claim to have been harmed by a business through breaches of certain European consumer laws – including the GDPR. 

One group that has pursued data protection claims under the GDPR already, noyb, said recently that it believes the RAD will “allow collective actions by European users for GDPR violations”.

Noyb also said it believes the value of compensation businesses could be liable for under mass GDPR-related claims could “far exceed” the record fine of €1.2 billion issued by data protection authorities under the GDPR. It cited a recent ruling by the CJEU on the interpretation of Article 82 of the GDPR, which concerns the right to compensation, as the basis for that view.

Nienke Kingma

Associate

How the decision in the Austria Post case influences the landscape for mass data protection claims more broadly in future is unclear, though it is clear from noyb’s statement that it feels emboldened by it

On 4 May 2023, the CJEU ruled that the mere infringement of the GDPR is not sufficient to confer a right to compensation but that EU member states are precluded from imposing rules or practices that require claims for compensation based on non-material damage to reach “a certain degree of seriousness”.

The CJEU considered how to interpret article 82 in the context of a dispute that has arisen in Austria where a man has sued the Austria Post over data processing that led the Austria Post to infer the man had a high degree of affinity with a certain Austrian political party. This information was not communicated to third parties, but the man is seeking €1,000 in damages from the Austria Post over the temporary adverse emotional effects he claims to have suffered from the company’s retention of the information.

The CJEU found that it is for member states to decide the rules on compensation for non-material damages, so it will be for the Austrian courts to apply the CJEU’s ruling to determine whether the man does have a right to compensation in this case.

The CJEU’s decision was also received with interest in Germany.

In principle, immaterial damage claims within the meaning of section 253 (1) of the German Civil Code are conceivable in any amount. However, it is usually assumed that there is a limit for minor cases in which no compensation can be claimed. This must be seen against the background of German legal history and the long-held view that immaterial damages should be the absolute exception.

As a result, many German courts had advocated a threshold of significance for claims for data protection violations. At the same time, however, there are also some German courts that have set low requirements for such claims and have allowed the violation of a data protection provision to be sufficient without the claimant having to provide further demonstration of immaterial damage. For example, a company was ordered to pay €10,000 in damages to an employee who requested information after the company failed to comply with that request.

In a January 2021 decision, the Federal Constitutional Court stated that it is up to the CJEU to decide on the interpretation of the GDPR and thus on a threshold of significance.

Following the implementation of the Representative Actions Directive, which is currently taking place, it will still be up to the courts in Germany to determine whether there is any damage at all and how it should be quantified in a given situation. For the latter, there is a relaxation of the burden of proof in section 287 (1) of the German Code of Civil Procedure, which claimants are likely to take advantage of.

How the decision in the Austria Post case influences the landscape for mass data protection claims more broadly in future is unclear, though it is clear from noyb’s statement that it feels emboldened by it. The threshold of seriousness was only imposed previously in Germany and Austria, so the decision’s impact on the interpretation of domestic rules elsewhere is less obvious.

There are several references making their way through the CJEU on compensation and non-material damages. In a recent non-binding opinion on a reference from Bulgaria around unauthorised access to the Bulgarian National Revenue Agency’s systems, the view of an advocate general to the CJEU was that fear of a possible misuse of the data in the future can constitute non-material damage which gives rise to a right to compensation but only if it is actual and certain emotional damage and not simply trouble or inconvenience. It remains to be seen whether the court will take a different view in the ruling, and we may see further references to answer the outstanding questions on compensation for non-material damages in the EU.

In the UK, the Supreme Court, in the case of Lloyd v Google in which Pinsent Masons acted, rejected the notion that data subjects affected by a non-trivial data breach are entitled to an award of compensation for the mere “loss of control” of their personal data. Rather, the court confirmed that an award of compensation for a non-trivial breach of data protection laws can be made only if the data subject has suffered some form of material damage, i.e. tangible financial loss, or if they have suffered non-material damage in the form of distress.

The ruling concerned claims for compensation made under the Data Protection Act 1998 which was replaced when the GDPR took effect, but even if a different approach to damages was taken under the UK GDPR, it is not clear that it would have any practical effect.  

As the Lloyd v Google case also showed, there are procedural and practical hurdles to overcome in bringing mass data protection claims. In its ruling, for example, the Supreme Court deemed it impermissible for the claimant to seek to disavow the individual circumstances of each of the millions of individuals who he said formed part of the class he sought to represent. Lord Leggatt said that in most cases there will need to be an individualised assessment of what has happened to each individual class member in order to establish the damage they have suffered, and that a representative action is an unsuitable vehicle for this because individual class members do not participate in the action.

Since the Lloyd v Google ruling, we have seen claimants change tack in bringing data-related claims. The challenges associated with bringing a representative action for breach of data protection law have spurred claimants to look to bring claims under other civil torts. In a recent example of this, the High Court in London summarily dismissed a representative claim brought against Google and DeepMind Technologies – Google’s AI arm – over alleged misuse of private patient information.

Among other things, the High Court considered that there was no realistic prospect of the claims succeeding, citing issues the claimants had in meeting core thresholds for bringing a successful representative action for misuse of private information. Pinsent Masons acted for Google in the case.

As EU member states seek to implement RAD, the ruling in the Lloyd v Google case is a reminder that there are procedural hurdles, not just evidential hurdles, that those bringing mass data protection claims must overcome. With member states having some flexibility under RAD to determine procedural matters – such as whether their domestic collective redress regime should operate on an opt-in or opt-out basis, what certification process and criteria should apply for a mass action to proceed, and which bodies are eligible to bring such proceedings – it seems likely that claimants may seek to engage in ‘forum shopping’ in future to bring mass GDPR claims in Europe.
