Class actions are commonplace in the United States but relatively rare in Europe.

The European Union wants to change that, by facilitating class actions for mass privacy and data breaches.

With the development of big data, the scope and impact of potential data breaches or losses and of other privacy violations have indeed significantly increased. In the EU, the GDPR comes into effect. Due to its extraterritorial applicability, it will affect business globally. Every day, somewhere in the world, the media report that data for large numbers of individuals, often millions of people, have been breached. It seems then only natural that public authorities would consider class actions as a potential remedy for these breaches, if not a way to prevent them.

At first glance, nothing is more rational: a data breach causes each individual only very limited damage, if any. This damage is very often unlikely to be sufficient to motivate the individual to seek compensation for it (or even to find out who is actually liable for the breach). Yet the entire group affected by the breach may have an interest in seeking compensation for the aggregate damage, hence the idea of allowing class actions.

But what if it were not that simple? In this guide, we take a step back and analyse this topic further by endeavouring to:

— put the U.S. experience over the last years into perspective;

— look into the choice of the European Union to timidly open the doors to data class actions;

— share four key lessons to bear in mind when facing data class actions in Europe; and

— provide a focus on certain Member States.