In this fourth alert in our series regarding the European Parliament’s formal endorsement of a new collective actions legislation titled the Directive of the European Parliament and of the Council on Representative Actions for the Protection of the Collective Interests of Consumers, we analyze the interplay between this new Directive and EU General Data Protection 2016/679, also known as GDPR.
Alleged Infringements Related to Data Privacy and Protection
The Collective Redress Directive applies to all infringements of EU law by traders that harm collective consumer interest, including those interests related to data privacy and protection. According to the Directive, “[s]ince consumers now operate in a wider and increasingly digitalised marketplace, achieving a high level of consumer protection requires that areas such as data protection, financial services, travel and tourism, energy, and telecommunications be covered by the Directive, in addition to general consumer law.” The Directive not only expressly anticipates an overlap between collective redress actions and data privacy issues, but also specifies that “[t]he consumer market has . . . evolved in the area of digital services, and there is an increased need for more efficient enforcement of consumer law, including as regards data protection.”
In some ways, the Collective Redress Directive is less revolutionary in the privacy context. The EU has already adopted a sweeping data privacy regime in the form of EU General Data Protection, or GDPR, the EU legal scheme governing data protection and privacy in the EU and European Economic Area. The Directive is to be “without prejudice” to GDPR and “should not change or extend the definitions laid down” in that regulation “or replace any enforcement mechanisms that” GDPR “might contain.” The Directive expressly provides that “the enforcement mechanisms provided for in or based on Regulation (EU) 2016/679 . . . could, where applicable, still be used for the protection of the collective interests of consumers.”
GDPR in Action
As a starting point, consider how GDPR has been used recently. Recent complaints issued pursuant to GDPR have focused on cookies and consent, as well as use of consumer data in targeted advertising. For example, earlier this year, privacy group NOYB (“None of Your Business,” also known as the European Center for Digital Rights) issued nearly 600 complaints against companies in 33 countries alleging use of noncompliant cookie banners. NYOB developed software that can identify cookie banners that do not meet GDPR’s standard for consent and auto-generates such complaints. NYOB gave companies one month to cure the alleged violations before filing formal complaints with the applicator regulators.
Similar cookie notice and consent issues were recently the focus of the Commission Nationale de l’Informatique et des Libertés (“CNIL”), France’s data protection authority. In June 2021, the CNIL issued formal notices to more than 20 companies and public organizations for not permitting internet users to reject cookies as easily as they could accept them. The companies and organizations were given 30 days to address the alleged violations, and within the month, every organization targeted had modified its practices to comply with the law.
In July 2021, Luxembourg’s National Commission for Data Protection (“CNPD”) issued Amazon a €746 million ($887 million) fine for the way Amazon uses consumer data for purposes of targeted advertising. The fine resulted from a complaint filed by French privacy group La Quadrature du Net in 2018, and dwarfed the first GDPR fine issued by France’s CNIL to Google and Facebook in 2019 for €50 million ($57 million) – which was previously viewed as a large sum — in relation to how new Android users set up a new phone and followed Android’s onboarding process.
Representative Actions Under GDPR
GDPR already requires Member States to provide for collective redress actions for claims arising under the regulation by ensuring their laws permit data subjects to allow nonprofit organizations (which must satisfy certain criteria) to assert data privacy claims for breaches of GDPR by controllers and processors which resulted in material or immaterial damage to the data subjects. Some Member States permit opt-in representative actions pursuant to Article 80(1) of Regulation (EU) 2016/679, but Article 80(2) of Regulation (EU) 2016/679 also permits Member States to allow for collective redress actions on an opt-out basis. Article 80(2) does not expressly refer to compensatory redress. However, Recital 142 GDPR states that a nonprofit organization “may not be allowed to claim compensation on a data subject’s behalf independently of the data subject’s mandate.”
The Collective Redress Directive and GDPR
The Collective Redress Directive permits Member States to elect either an opt-in or opt-out regime for collective redress actions, with the caveat that consumers must always opt-in when they do not reside in the Member State in which a representative action is filed by a qualified entity. Overall, this provides a stronger legal basis for actions than GDPR, which gives discretion to the Member States regarding whether to allow compensatory redress actions.
From the face of the Directive and GDPR, the schemes are intended to be complementary. Whether Member States will be able to adopt uniform laws for collective redress actions that encompass those arising under the Directive and GDPR is unclear. Although complementary, there are differences between the two schemes. Two examples highlight some of these differences.
Requirements for Entities Bringing Representative Actions
For example, the definitions and requirements for entities imbued with the ability to institute representative actions under each scheme are similar but not identical.
The Collective Redress Directive imposes more stringent requirements for qualified entities instituting representative actions. Both schemes impose requirements that these organizations be a nonprofit organized under a Member State’s laws with objectives in the public interest and a certain level of activity, but the Directive imposes greater requirements with regard to the entity’s solvency, degree of independence and the kinds of information the organization must make publicly available.
On the other hand, the Directive’s requirements are somewhat broader than GDPR’s, because while an organization instituting representative actions under GDPR must be active in the field of personal data protection, a qualified entity under the Directive may maintain a level of public activity in broader categories of consumer interest protection — any of those implicated by the Union Laws listed in Annex I of the Directive. Thus, while the Directive imposes greater requirements on qualified entities, it permits more than just those organizations focused on personal data protection to potentially bring representative actions.
Each scheme’s approach to cross-border matters is worthy of note. For matters across borders within the EU, Chapter VII of GDPR provides extensive rules related to cooperation and consistency among EU data protection authorities. Specifically, Article 61 provides that supervisory authorities are to provide each other with relevant information and mutual assistance in order to implement and apply GDPR in a consistent manner, and are to put in place measures for effective cooperation with one another. Article 77 GDPR, which cross-references Articles 80(1) and 80(2), addresses where data subjects may bring complaints, including “the Member State of his or her habitual residence, place of work or place of the alleged infringement.” The Collective Redress Directive, on the other hand, briefly outlines procedures for bringing cross-border representative actions across EU Member States in Article 16 of the Directive, as we previously explored. Article 4 of the Directive also specifically anticipates that representative actions, including those involving data protection rights, may be launched across borders, requiring Member States to permit representative actions for alleged infringements that impact consumers residing in different Member States.
Ultimately, the interplay between the Collective Redress Directive and GDPR will be defined by how each Member State implements the Directive into national law. However the Member States implement the Directive, it will be possible, if not likely, that companies doing business in the EU may see an increase in consumer litigation, including litigation alleging data protection and privacy-based claims, once these laws take effect in 2023. Considering your business’s approach to data privacy and protection relative to customers today may help to anticipate or avoid potential collective actions in the years to come.