This article is the first in a three-part series on collective claims and class actions in the EU and the US. As collective claims become more prevalent in the EU, companies offering platforms, products, and services in both jurisdictions will benefit from implementing and maintaining a coordinated global class action defense strategy.
In this inaugural post, we introduce the new legal regime on collective claims (Collective Redress Directive), which companies offering services in the EU need to be mindful of. From a business perspective, collective claims can be advantageous: A collective claim is often preferable to facing several thousand individual claims simultaneously.1
Emergence of collective GDPR claims in the EU?
Recent EU case law opens door for sweeping creative damages claims
In the past year, the European Court of Justice (ECJ) issued five important judgments on individual compensation claims for nonmaterial damages due to a General Data Protection Regulation (GDPR) violation:
- 4 May 2023, Österreichische Post AG, C-300/21.
- 14 December 2023, Natsionalna agentsia za prihodite, C-340/21.
- 14 December 2023, Gemeinde Ummendorf, C-456/22.
- 21 December 2023, Krankenversicherung Nordrhein, C-667/21.
- 25 January 2024, MediaMarktSaturn,C-687/21.
These five judgements will impact future damages claims under the GDPR.2 In Krankenversicherung Nordrhein, the court held that compensation under Article 82 of the GDPR requires three cumulative conditions:
- The existence of damage.
- An infringement of the GDPR.
- A causal relationship between the infringement and the damage.
The concept of ‘damage’ is not defined in the GDPR, but the latest judgments from the ECJ show that the court is interpreting the term broadly – and there is no ‘seriousness degree’ for when damage can be awarded.3
Compensation claims for nonmaterial damages under the GDPR
Considering the latest judgments on compensation for nonmaterial damages under the GDPR, a question arises: How can individuals enforce these claims? Even if an individual successfully establishes a claim for compensation under Article 82, the amount of damages awarded is determined by each member state. Most individuals will not pursue damage claims when the time and financial cost of litigation is significantly larger than, and disproportionate to, the actual compensation.
To assist individuals in such circumstances, EU legislators passed the Collective Redress Directive (CRD), which allows certain organizations to represent multiple individuals across EU member states in collective claims for damages. Below, we describe the key aspects of the CRD that companies processing personal data under the GDPR should consider.
Why was the CRD enacted?
Minimum procedural standard for certain collective claims
The CRD is designed to ensure that all European consumers can sue for infringement of certain EU consumer rights by having a ‘qualified entity’ represent them in a collective claim. To achieve this purpose, the CRD imposes a requirement on all member states to adopt procedural legislation allowing for consumer collective claims. These collective claims need to be based on specific EU consumer legislation listed in Annex 1 to the CRD, covering a broad range of economic activity, such as financial services, travel and tourism.
Under the CRD, member states have significant discretion to determine the conditions necessary for collective claims. They may either rely on their existing general civil procedural rules or establish specific regulations governing collective claims. While this post is focused on claims brought by and for consumers under the GDPR, the CRD also permits member states to grant businesses a right to pursue collective claims.
CRD implementation deadline
The CRD was scheduled to be implemented by all EU member states by 25 December 2022, and the national procedural rules should apply from 25 June 2023. While the European Commission noted in a January 2023 press release that only three out of the 27 EU member states had properly implemented the CRD into their national legislation, at least nine member states had enacted national implementing legislation by May 2024.
Who can represent consumers?
Only a ‘qualified entity’ can bring collective claims
The collective claim can only be brought by a ‘qualified entity’, which is defined under the CRD as an organization or public body representing consumers’ interests and designated by a member state as qualified to bring representative actions in accordance with the CRD.
Requirements to be appointed as a qualified entity
- The qualified entity must be an independent nonprofit organization whose purpose reflects a legitimate interest in protecting consumer interests.
- The qualified entity must demonstrate 12 months of actual public activity in consumer protection prior to the request for designation, and it cannot be subject to insolvency proceedings or declared insolvent.
- The qualified entity must only act in the interests of consumers, and it must establish procedures to prevent conflicts of interest between itself, consumers and any third-party funders.
To ensure transparency, the qualified entity must make publicly available, in clear language, information showing compliance with the criteria listed above, as well as information about sources of funding, organizational management, membership structure, statutory purposes, and activities.
The CRD imposes different requirements if the qualified entities are representing a ‘domestic’ claim or a ‘cross-border’ claim:
Rights granted to qualified entities
Qualified entities have the rights and obligations of the claimant party. As individuals are not part of the proceedings, they cannot interfere with the procedural decisions taken by the qualified entities or may not individually request evidence within the proceedings.
Member states will publish a publicly available list of all qualified entities designated for cross-border representative actions and include information about their name and their statutory purposes. Germany and the Netherlands have already created websites informing consumers about pending collective claims. The CRD also envisions that information about collective claims can be published on social media and local and national newspapers.
Opt-in versus opt-out mechanisms
The two fundamental mechanisms in collective claims are opt-in and opt-out mechanisms. Under the opt-in mechanism, consumers must take active steps to become part of the collective claim, while under the opt-out mechanism, consumers must take active steps not to be part of the collective claim. Most EU member states adopted procedural rules based on the opt-in mechanism (e.g., Denmark and France). A notable exception is the Dutch opt-out mechanism, which is mentioned below. Belgium implemented a combination of the opt-out and opt-in mechanism.
For cross-border collective claims, the opt-in mechanism will always apply for consumers not domiciled in the same country as the court or the administrative authority in which the representative action is brought.
Which claims can be brought by qualified entities?
Injunctive measures
Injunctive measures – such as stopping a business from processing personal information or transferring personal data to a certain jurisdiction – may be sought irrespective of any loss or damage suffered by individual consumers.
Redress measures
Redress can be in the form of compensation, price reduction or contract termination, as appropriate and available under EU or national law, depending on the circumstances of each case. The CRD does not define which types of harm which it covers. One complicating factor is that a GDPR violation can impact individuals very differently. For example, whether an individual has suffered a nonmaterial harm due to a data breach usually depends on that individual’s specific and unique circumstances. It remains to be seen how such claims will be handled under the CRD.
On punitive damages, the CRD notes that punitive damage awards should be avoided, which underlines that EU legislators did not want a mechanism based on the US ‘class action’ claims, in which punitive and exemplary damages can be sought.
CRD will result in forum shopping
The CRD does not regulate where collective claims can be initiated. Instead, it the Brussels I Regulation will regulate which member state(s) have jurisdiction for a collective claim. As the CRD is a minimum directive, we expect that collective claims will be initiated in the EU jurisdictions with the most favorable terms for the qualified entities, such as:
- Average time for a case to be settled (e.g., by settlement or a final decision).
- Access to discovery under national procedural rules.
- Lenient rules allowing for third-party funding.
- Lenient procedural rules for opt-out claims.
- Favorable national rules allowing for the damages for nonmaterial claims under the GDPR.
Based on these listed factors, we note that the Dutch rules on collective claims4 have opt-out mechanisms and lenient rules for third-party funding.
To maximize their readiness and minimize their risk, businesses operating in the EU should continue to follow the evolving landscape on collective claims. Our next installment in this series will look at US class actions from an EU and global perspective, including what lessons businesses should draw from recent developments in US class actions, and how those lessons can be integrated into a comprehensive and coordinated global class action/collective claim strategy.
[View source.]