With the EU General Data Protection Regulation (GDPR) now in effect, one of the emerging considerations is whether its provisions – specifically Article 80 – open the door to 'class action' style privacy cases. Several European countries have already legislated for varying degrees of collective actions, particularly in the area of consumer protection, and after the GDPR came into effect on 25th May, GDPR privacy class-action suits were commenced in several jurisdictions. A class action in any similar form would be a dramatic departure in this jurisdiction. Given the extension of damages to non-material (as well as material) losses, many businesses are concerned that the financial ramifications of GDPR from data subject claims may be even more severe than the threat from GDPR's well-publicised administrative fines.
Implications of Article 80
Article 80 of the GDPR introduces a collective action mechanism whereby not-for-profit bodies dedicated to personal data protection can initiate claims on behalf of data subjects who allege their rights have been infringed. In theory, this provision should enhance the protections GDPR affords to data subjects by giving authorised associations in each Member State the power to consolidate claims and represent them on a larger scale.
Article 80 has been welcomed by privacy campaigners, most notably Max Schrems, whose recent effort to build a collective action against Facebook was thwarted by the ECJ - see our report on that case here.
Whilst the GDPR provides that data subjects "shall have the right to" initiate actions, it does not actually provide them with any actionable tool or procedural framework to kick-start the process. It has left that particular task up to the individual Member States.
Implementation of Article 80 in Ireland – The Data Protection Act 2018
As an EU Regulation, the GDPR has direct effect, and does not generally require transposition into Irish law. Certain provisions give Member States flexibility, however, and in Ireland, the Data Protection Act 2018 legislates for the Irish position in those areas.
Article 80 is one such provision, the result being that the implementation of the class action mechanism is almost entirely at the discretion of the national legislature. The provision has the following mandatory and discretionary parts:
1. Member States must give effect to the data subject’s right to mandate a non-profit to lodge complaints with a data protection authority and seek a judicial remedy against a controller or processor;
2. Member States may provide that a non-profit can seek damages on behalf of a data subject; and
3. Member States may provide that a non-profit can, of its own accord, lodge a complaint with a data protection authority and seek a judicial remedy against a controller or processor.
The 2018 Act has given effect to (1) and (2) above, the latter of the two being discretionary. It has not given effect to (3). In practice, this means that certain practices will go unchallenged unless the data subject in question is identified and willing to step forward, which is unlikely if, for example, the infringement at issue relates to special categories of personal data.
In practical terms, the Data Protection Commission (DPC) has facilitated the implementation of Article 80 into Irish law by publishing an updated "Raise a Concern" form which provides a mechanism for data subjects to authorise third parties to make a complaint on their behalf.
Has the GDPR introduced class actions in this jurisdiction?
Not exactly, but it does move us closer by enhancing a citizen's opportunity to enforce their data privacy rights. Although the claims consolidation mechanism under GDPR falls short of a US-style 'class action' right, the possible introduction of class action lawsuits has also been put back on the political agenda in recent times in light of the tracker mortgage scandal. 2017 saw the publication of a "Multi-Party Actions Bill" which proposed that proceedings involving multiple parties and which involve common or related issues of fact or law be certified by the Court as "multi-party actions" (see our previous article on this here).
The full impact of Article 80 remains to be seen, but permitting qualified not-for-profit bodies to initiate claims on behalf of data subjects with their mandate should now give ordinary litigants recourse to seek redress in circumstances where they would otherwise not have had the resources to do so.