Countries like the Netherlands and Belgium have long traditions of collective action for consumers, while in other EU countries legal routes have been limited or don’t exist. But before the directive, legal avenues to take consumer group actions were “quite patchy” across the EU, said Florence Danis, also a lawyer at Linklaters.
The first article of the EU directive on collective redress says it will put in place “appropriate safeguards to avoid abusive litigation.” The power to take up cases is granted only to not-for-profit, independent, consumer-focused organizations, while EU countries are required to create a legal route for these “qualified entities.”
According to Karen Shin, a California-based privacy lawyer at law firm Blank Rome, non-profits might be less inclined to take genuine cases due to the costs they could trigger. In many EU countries as well as in the United Kingdom, the losing side of a court case pays for attorney’s fees and costs, which “may limit the usage of class actions in the EU,” she said.
New privacy battlegrounds
Enforcement of the GDPR was designed to be the domain of national data protection authorities across the EU. Because the principle of a “one-stop shop” regulator was built into the law, most of the landmark privacy cases have fallen into the hands of Ireland’s chief regulator, the Irish Data Protection Commission.
Charged with regulating the many Big Tech companies headquartered in the country, the Irish regulator has handed down most of the biggest fines in the history of the GDPR, including the €1.2 billion against Meta over data transfers to the U.S. and the €530 million against TikTok relating to Chinese data transfers.
But those fines took years to decide. For years, civil society and other data protection regulators were left frustrated over perceived inaction by the Irish DPC. Noyb has repeatedly criticized the Irish regulator over what it describes as tardy or lenient enforcement against Big Tech.
