Landmark Microsoft class action marks ‘pivotal moment’ for Ireland

The case, which has now been formally admitted to the Irish Commercial Court, is an action by the Irish Council for Civil Liberties (ICCL) against Microsoft for alleged breaches of the GDPR in the country’s first case under the Collective Interests of Consumers Act 2023 – also known as the Representative Actions Act.

Commenting on the development, Zara West, a Dublin-based commercial litigation expert at Pinsent Masons, said: “The admission of the case into the Commercial Court marks a pivotal moment for consumer mass actions in Ireland. This has set a precedent for future collective actions.”

Since the new regime, which came into force on 30 April 2024, the ICCL is one of two recognised qualified entities registered in Ireland that are permitted to bring representative actions on behalf of consumers for breaches of consumer protection laws.

The ICCL alleges that Microsoft’s ‘real time’ bidding process in its Xandr advertising platform is not GDPR compliant because it fails to effectively monitor or control what happens to personal data once it has been broadcast to potential advertisers. The ICCL alleges that this has resulted in major data breaches and left “a black hole of data open to any malicious actor”. The ICCL also claims that this data includes sensitive personal data which is protected under Article 9 of the GDPR.

During the hearing, two critical issues were raised which could have significant implications for how the case progresses. Firstly, it was put to the court that Xandr, a Microsoft subsidiary, should be identified as the correct defendant, as opposed to Microsoft. The court directed Microsoft to contact the ICCL within one week and indicate which entity it believed should be the defendant.

Secondly, Microsoft questioned the ICCL’s source of funding, asserting its view that the ICCL must provide additional details of the sources of funding of the representative action to comply with section 19 (10) (a) of the Representative Actions Act. As third-party litigation funding for representative actions is generally prohibited under Irish law, this provision allows the courts to prevent conflicts of interest and protect the collective interests of consumers.

As the first mass action lawsuit under Ireland’s new representative actions regime, the case has attracted considerable interest. West said it also serves as a reminder to other companies to ensure they fully understand their obligations of managing data under GDPR and maintain compliance, to ensure they minimise the risk of mass claims.