Many organisations tend to look at the activity of the supervisory authorities to assess enforcement risk related to their data processing activities. Although still a meaningful indicator, data breaches, unlawful data sharing activities as well as any other data protection infringements can also trigger an alternate enforcement track which might potentially leave organisations exposed to massive collective compensation claims. In Belgium, especially, where a tangible risk now exists for collective redress actions as Belgian law contains a comprehensive – and from a European perspective – unique class action scheme in its Code of Economic Law. Since NOYB – the non-profit organisation of activist Max Schrems – has been granted the status of ‘group representative’ by a Ministerial Decree last September 2020, this new type of private privacy watchdogs should be factored into your enforcement risk assessment.
The Belgian collective redress scheme allows a group of consumers (or SMEs) to claim, in their personal capacity, damages suffered as a result of a common cause. The causes that may be invoked concern breaches by a company of its contractual obligations or infringements of (among others) the GDPR and the Belgian cookie rules.
The group of claimants needs to be represented by an entity that qualifies as a ‘group representative’ as defined by the Code of Economic Law. One way to become a representative is to seek approval from the Minister of Economy and Consumer Affairs. Belgium, as one of the only EU countries, allows consumer organisations not established in its territory, to apply for such approval. That is why NOYB – as an Austrian organisation – could acquire legal standing equivalent to Belgian organisations such as Test Achats, Gezinsbond and the Federation of Enterprises in Belgium (FEB), to take collective legal action before the Courts of Brussels, who have exclusive jurisdiction to administer these cases.
Apart from conditions relating to the type of infringement (conditions 1) and to the initiating party (condition 2), Belgian law contains – as a third admissibility condition – an effectiveness criterion. The action for collective redress must “appear more effective” than an individual action. Individual claims and circumstances need to be sufficiently similar and related. For example, in the collective claim of Test Achats against Facebook, the Brussels Court agreed that massive unlawful data sharing could satisfy this requirement.
Under the Belgian scheme, group representatives will need to collect mandates from consumers who – where infringements of the GDPR are at stake – qualify as data subjects. When an action would be declared admissible, an interval will be set during which consumers can opt-in or opt-out, depending on what the Court finds appropriate in a particular case. Interestingly, these consumers do not need to be Belgian consumers. Consumers who do not reside in Belgium will have the opportunity to opt-in to a particular claim. As a result, an organisation like NOYB – which recently received much international attention – may be able to collect a large number of mandates way beyond the Belgian consumer market.
A high number of mandates may result in substantial claims for compensation. In absence of any legal cap, these claims may, at least theoretically, even surpass the maximum for administrative fines by DPA’s (4% of the annual worldwide turnover or 20 million euros) set by the GDPR. However, the greatest burden for the group representative will likely be the damage assessment. As in any case, it might be hard to prove any pecuniary damage caused by unlawful processing activities that is common to all the individual group members.
Although the collective redress scheme of the Code of Economic Law has been used for data protection claims before, the granting of the status of group representative to NOYB might serve as a prelude to a next stage of data protection enforcement in Belgium.
Private enforcement through collective redress claims contains more incentives for data subjects to (participate to) file a claim as they might receive some financial compensation where the claim is successful, in contrast to claims before the data protection authorities where data subjects cannot be granted financial compensation caused by an infringement.
It seems that companies and organisations will be subject to additional scrutiny of their GDPR compliance in Belgium. In the future, the possibility of private collective redress actions might become an important factor in assessing enforcement risks as is already the case in other areas of the law.