Fashion & Luxury Law Academy
Collective actions following IT incidents: GDPR compensation in light of the new EU collective redress
In this session of our Fashion & Luxury Law Academy, our legal experts Lene Kohl, Tobias Rothkegel and Paul Brouwer will share insights on and discuss collective actions following IT incidents.
IT incidents have almost become a daily occurrence. Companies are either hacked and blackmailed by illicit actors or suffer internal breaches, e.g. through an individual employee's error. Such incidents usually affect the personal data processed by the respective company. If a GDPR breach is caused by sub-par IT security measures implemented by the company, the company could be held liable by the data subjects for damages. In practice, however, such enforcement by data subjects has not amounted to a relevant risk in the aftermath of IT incidents. There are, however, two recent major developments that are changing the risk landscape of post-breach litigation:
- Firstly, the CJEU has recently ruled (C-340/21) that not only do companies carry the burden of proof that their IT security level was appropriate (i.e. in line with the GDPR), but also that the mere fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties is in itself capable of constituting non-material damage. Therefore, it may generally be sufficient that personal data has merely been affected by an IT incident (without any actual misuse or other detriment suffered) to warrant damages.
- Secondly, the recently implemented EU Collective Redress Directive allows collective actions for compensation of damages. So-called qualified entities, in particular consumer protection associations, can now enforce claims for damages against companies on their own initiative for a large number of consumers at the same time across the EU. Thus, even with low individual damage amounts, companies can be endangered if a large number of consumers is affected.
In this webinar, you will learn about the new collective action in Germany as well as the class actions available in the Netherlands, which has a deep history of collective redress mechanisms preceding the EU regulation. Further, we will provide insights into the requirements for receiving damages under the GDPR and how companies can protect themselves against such claims proactively and reactively.