Large group claims following data protection infringements are an increasing feature of commercial life internationally – although the shape of these actions and the experience for businesses differ between jurisdictions in Europe. What then is happening on the ground across Europe in relation to mass data protection claims and what non-financial losses can claimants currently claim?
Osborne Clarke's international data protection litigation team recently addressed these questions in a discussion of the state of data protection litigation and developments on the horizon in Europe. Charlie Wedin from the UK, Dr Flemming Moos and Anne Wittmann from Germany, Samuel Martinez from Spain, and Laurens Dauwe, covering both Belgium and the Netherlands, addressed these questions – and offered some practical tips on how businesses can handle these claims.
Of all the European jurisdictions, mass data claims have arguably advanced most in the UK; if a business suffers a public data breach or other public data protection infringement, it is now quite likely to face claims. Many of these claims are still highly speculative and often spurious, though.
We await a Supreme Court judgment that is set to determine (among other things) how easy or otherwise it will be in the UK to bring US class action-style opt-out data protection claims, and whether individuals can recover damages even for mere loss of control over their data. In the meantime, individuals whose data rights have been infringed in a manner which causes them distress can theoretically seek to recover damages for that, although they need to prove their case and any damages awarded tend to be very low.
Germany has seen certain mass damage claims, usually arising from hacks and data leaks. However, there is no longstanding tradition of class actions, and there are only limited options to pursue mass claims in court.
Options for claimants are to: pursue a joinder of parties (which is complex); assign claims (though this is a disputed approach); bring many identical claims (which is time-consuming and costly); or undertake a model declaratory action, which is an opt-in procedure introduced in 2018. However, take-up of this last option has been limited because damages are not awarded directly to claimants, and consequential proceedings have to be commenced.
The implementation of the EU Representative Actions Directive in Germany is likely to result in an increase in mass data claims. There have been approximately 40 German court decisions on whether non-material damage should be compensated for in damages, and in what amount.
The question is still unsettled; some courts find that a mere loss of control over data should give rise to damages; others find that some damage is too minor (for example, because just one unsolicited email has been received). In a decision from February 2021, Germany's Federal Constitutional Court requested that the question of a materiality threshold be referred to the Court of Justice of the EU (CJEU); until the CJEU determines the issue, the national courts cannot deny a claimant damages on the argument that the breach is too minor. Courts have awarded damages of between €400 and €4,000, and in one case awarded €5,000.
In many cases, who has the burden of proof is controversial; usually it is the claimant, but there are some courts that have forced the data controller to prove its compliance with the General Data Protection Regulation (GDPR).
Spain does not have a tradition of mass claims; those that do arise tend to relate to consumer law, rather than data protection. There is, however, some recent data privacy litigation; for example, the claims brought by a consumer association in relation to the Cambridge Analytica case.
Claimants in Spain most commonly seek "moral damages" in connection with a breach of the GDPR. Claimants file a complaint with the data protection authority (DPA) and obtain a decision in their favour, and then file a claim at court to seek moral damages that cannot be awarded by the Spanish DPA.
Moral damages are awarded on a case-by-case basis. Benchmarking of damages is not subject to specific thresholds, unlike, for example, in relation to road traffic accidents. Moral damages are usually very low by comparison with the time and legal costs of making a claim. Where compensation containing high amounts corresponding to moral damages is awarded in data breach claims, this is usually because the court is compensating for the data breach and another cause of action.
In Belgium, again, class actions are not common. There have been a few, mainly since the economic crisis of 2008, but the complexities of Belgian law limit the scope for such claims. The Belgian Procedural Code was amended in 2014, and class actions can now be brought by a limited number of organisations. The actions are opt-in, and the body bringing the claim needs to demonstrate that it has a specific mandate from each individual it purports to represent. Claims were also brought in Brussels in relation to the Cambridge Analytica incident.
Under Belgian law individuals can also claim moral damages, but these are symbolic, and often only €1. Judges are usually very conservative in ordering moral damages. The DPA can impose fines on a data controller or processor, but cannot award damages to data subjects. A claimant can file a complaint with the DPA but to recover its damages it needs to file a claim at court – this is onerous for claimants.
The trend is different in the Netherlands where there has been an increase in class actions. Dutch law provides for a framework to bring class actions on behalf of a group of persons. On the basis of the Class Actions (Settlement of Large-scale Losses or Damage) Act, an organisation can bring a class action before the Dutch courts and ask, for example, for a declaration that the defendant is liable and is obliged to compensate the damages of the individuals in the group. There is also an option that a settlement is concluded by the claim organisation, which is declared binding by the Dutch court.
Dutch law provides a basis for compensation of non-financial loss (article 6:106 Dutch Civil Code). In cases regarding data protection, the amounts awarded to individuals are generally limited (on average EUR 500). However, in a class action, this may lead (in aggregate) to a considerable amount of compensation to be paid.
What practical steps can businesses in the UK, Germany, Spain, Belgium and the Netherlands consider when there has been a data breach or other data protection infringement?
In the UK, if a business does experience a data breach or other data protection infringement, the reporting strategy needs to factor in litigation risk as well as regulatory risk. Further, when a business receives claims, it should take a strategic approach from the outset – is this a one-off claim or could more follow? Be aware that different claimant firms have different modus operandi – understanding how they operate is key. Another consideration in the UK is the timetable of the claim and the speed at which it is progressed. Strategic thought is needed as to whether large numbers of claims should be case managed separately or together (and, if together, whether a group litigation order is appropriate).
In Germany, businesses should consider whether there has actually been an infringement of the GDPR. Cases are not heard by expert (administrative) courts but by civil courts – the claims could end up in a court that has never handled a GDPR case before.
Businesses should consider the use of legal tech and, in particular, a case management platform to manage group claims (and this applies to group claims in any jurisdiction, not just Germany). OC has built platforms to deal with group claims and this is a far more efficient and effective tool than the old-fashioned route of using email and Excel.
For businesses in Spain, it is worth considering the external messaging following a data breach, which may have an impact on the perception of a judge. For those that are likely to face mass damage claims in Spain, it is valuable to appoint a third-party forensic IT expert to explain what has happened in a clear, simple manner.
In Belgium, it is important for businesses to think about prevention – the best protection is for companies to create a paper trail of decision-making, to demonstrate the logic of the approach to data security and data protection compliance more generally. This will make it more difficult for a claimant to prove their case.
In the Netherlands, in general, if preventive measures have not worked and if a company is faced with potential claims, it is important first to assess the likelihood that a claim is awarded. If this is likely, a company should consider entering into settlement discussions with a claim organisation and discuss a settlement. This may limit the (reputational) damage.
Osborne Clarke's webinar on data protection litigation was held on 1 July 2021.