Last week, the British journalist Martin Bryant revealed through his blog that he has brought a class action before the High Court of England and Wales on behalf of seven million guests residing in England and Wales. The purpose is to obtain compensation for the loss of control over personal data suffered as a result of a data breach which took place between 2014 and 2018, during which there was unauthorised access to the reservation database of the Starwood Group (since acquired by the Marriott Group), containing, inter alia, passport numbers, dates of birth and possibly credit card details.
This class action was brought based on an opt-out, in other words, all the guests residing in England and Wales who made reservations with Starwood Group hotels up to September 2018 were automatically included as plaintiffs, unless they had opted to exclude themselves.
Oracle and Salesforce were also made subject to a class action filed in the Netherlands on August 14 this year by The Privacy Collective, a not-for-profit association, over the alleged improper use of personal data through the third-party cookies 'Bluekai' and 'Krux', with the objective of obtaining compensation for the damage suffered. This is the largest class action ever brought in that country: the plaintiff estimates, based on the envisaged number of users affected, that the total damage could exceed €10 billion.
And what if this happened in Portugal?
Let us first see what the General Data Protection Regulation (GDPR) says about collective protection mechanisms available to the data subjects in order to safeguard their rights.
Article 80 of the GDPR states the following: “[…] the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, […] to exercise the right to receive compensation […], where provided for by Member State law”.
It also states that “Member States may provide that any body, organisation or association […], independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent […] and to exercise the rights referred to in Articles 78 and 79 (of the GDPR), if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing”.
We therefore see that the GDPR leaves to national legislators the decision on the type of procedural representation and the extent of the mandate (in particular, whether or not it includes the right to claim compensation) within the scope of collective protection mechanisms.
Let us now see what Portuguese legislation says.
The right to class action is established under article 53 of the Constitution of the Portuguese Republic, point 3 of which states that “Everyone has, personally or through associations defending the interests in question, the right to a class action in the cases and under the terms established by law, particularly the right to request the prevention, cessation or judicial prosecution of infringements against public health, damage to the environment and the quality of life or damage to cultural assets, and to request the corresponding compensation for the damaged party or parties”. As stated by Gomes Canotilho and Vital Moreira (Constituição da República Portuguesa Anotada, 3rd edition), “class actions do not have to be limited to the individual cases of point 3 (of article 53), but rather this provision is by way of example, as seen from its actual wording ‘particularly’”. The Class Action Act (Lei da Ação Popular, Act nº 83/95, dated August 31, hereinafter LAP) subsequently regulated the right to class action in Portuguese legislation.
According to the ruling of the Supreme Court of Justice in Proceedings 97B503, article 1 of the LAP covers not only diffuse interests (interests of a whole community) but also individual homogeneous interests (which are polarised in identified groups of holders juxtaposed in parallel), which seems to us to be the case of certain infringements of personal data protection legislation.
In fact, the Supreme Court stated that “The possibility of the defendant in a class action invoking various defenses against various parties can be used […] as a practical criterion for verifying whether they are holders of the same individual homogeneous interest”.
As regards procedural representation, the LAP establishes that “in class action proceedings, the plaintiff, at their own initiative, dispensing with any mandate or express authorisation, represents all the other holders of the rights or interests in question who have not exercised the right to self-exclusion established in the following article, with the consequences described in this act”. The opt-out model is therefore also enshrined for procedural representation.
As an aside, according to the Report from the Commission to the European Parliament, the Council and the European Economic and Social Committee on the implementation of the Commission Recommendation of 11 June 2013 (on common principles for injunctive and compensatory collective redress mechanisms in the Member States concerning violations of rights granted under Union law (2013/396/EU)), of those EU Member States where collective redress mechanisms exist, only the Netherlands and Portugal apply the opt-out (self-exclusion) principle exclusively.
As regards the right of the damaged parties to compensation, the LAP establishes liability for any damage caused through a deliberate or negligent breach of the interests it protects.
Law no. 58/2019, dated August 8 (implementing the GDPR in Portugal), stipulates in its article 35 that data subjects may mandate a body, organisation or not-for-profit association with a certain statutory purpose to exercise the right to compensation on their behalf, under the terms of article 82 of the GDPR. We should recall that, under that article, it is not up to the plaintiff to prove the liability of the defendant; rather, the defendant must prove that it was not in any way responsible for the event giving rise to the damage, in particular because it complied with the obligations imposed by the GDPR (reversal of the burden of proof). The concept of “damage” is, moreover, to be interpreted broadly in the light of the case law of the Court of Justice, in the terms of Recital 146 of the GDPR.
Therefore, although Law no. 58/2019, dated August 8, established the possibility of a “class action” based on the affected parties opting in, we see that the LAP already conferred on all the holders of diffuse interests or individual homogeneous interests a right to a class action based on an opt-out.
The answer to the question that brought us here is therefore that, in the absence of any doctrine or case law to the contrary, and in view of the legislation described above, it is conceivable that Portuguese courts will uphold a class action brought on behalf of data subjects who have suffered material or non-material damage, without any mandate or opt-in being required.
From what we saw this August, class actions are starting to proliferate in Europe (in particular in countries adopting an opt-out system). It is only a question of time until the Portuguese judicial system is faced with a class action of the type described above, the outcome of which we are unable to foresee, and companies should therefore be prepared for when this happens.
In order to obtain evidence of the facts giving rise to an infringement, particularly after a data breach, the class action’s plaintiff may file, on behalf of one or more of the affected parties, a complaint with the competent supervisory authority, so as to make use of the investigation that authority will carry out and to benefit from its findings. In addition, under the GDPR, the plaintiffs may exercise their right of access in order to gather indications of potential infringements of data protection legislation that they may subsequently use in a class action.
Companies (data controllers and data processors) should design a suitable pre-litigation strategy, ranging from compliance with the principle of accountability with a possible class action in mind, to control of the information made available to the supervisory authority and mitigation of risk through the management of the communication of a data breach to the affected data subjects. It may also be relevant to rethink the voluntary payment of fines at a reduced amount, in view of what such a payment may imply as an admission of liability in a subsequent class action.