GDPR’s latest gift? Class action privacy cases

Europeans will in future be able to bring US-style class actions for (alleged) privacy violations, instead of having to sue individually and expensively. It’s thanks to a little-known clause of the EU’s GDPR, which comes into force in May.

Rich and arrogant organisations have long relied on delaying tactics to evade certain of their responsibilities to individuals and small businesses. Who among us has the time and money needed to seek redress at law, when our opponent has a full-time legal staff with nothing better to do than dispute and obstruct? Especially if our reward might only be a few hundred pounds or euro.

A solution used (and yes, some would say abused) in the US is the class action. This allows a single party to lodge a claim on behalf of a group, such as all the shareholders or customers of a company. Add the ability of lawyers to work on a contingency basis, meaning they get nothing if they lose but a percentage of the total – which can be considerable, for a large group – if they win, and infringing organisations can no longer afford to be quite so arrogant.

True, the GDPR does not use the words ‘class’ or ‘group’. But it’s a logical extension of Article 80, which includes the following:

Representation of data subjects

The data subject shall have the right to mandate a not-for-profit body, organisation or association …. to lodge the complaint on his or her behalf

I say it’s a logical extension because several European countries already allow representative or collective actions in a range of cases. Typically these have been restricted to the area of consumer protection, but they demonstrate that the potential advantages to the judicial process – e.g. cost, clarity, equal treatment for claimants – are already understood.

My privacy – none of your business?

One of the first to take up the challenge, if not the first, is Max Schrems, the Austrian lawyer and privacy campaigner whose case against Facebook has been winding its way through the Austrian and European courts for almost four years (a final decision is expected soon). Schrems claims that Facebook Ireland (the company’s EU arm) has spent considerable time and legal effort simply trying to get the case thrown out on procedural grounds, such as the validity of class actions.

So he and others have formed just such an Article 80 body, called None Of Your Business, to take on class action privacy cases in the future. As well as empowering individuals to defend their GDPR rights, NOYB says it wants to support businesses that seek to comply with the law, for example by publishing guidelines and best practices, and by making it harder for cheats to gain competitive advantage.

It’s just one more incentive, if any were needed, for organisations to come to terms with the GDPR and with privacy more generally. Get it right, and you could see profitable spin-offs in areas such as data governance and customer trust; get it wrong, and you could be in the legal – and financial – firing line.