Ticket to ride: class actions and the GDPR

When John Lennon wrote “you may say I’m a dreamer, but I’m not the only one; I hope one day you’ll join us”, he (probably) didn’t have the GDPR’s class action mechanism in mind.  

Collective redress is a relatively new phenomenon in Europe, particularly for data protection.  Art. 80(1) of the GDPR allows data subjects to mandate a not-for-profit or similar organisation to come together and bring actions on their behalf, in what is known as the opt-in model.  The opt-out model in Art. 80(2) allows those organisations (if permitted by member state law) to bring actions on behalf of data subjects without having obtained a mandate to do so – albeit claims for money aren’t allowed under this limb.      

Some folks in Europe worried (and still do) that the inclusion of these provisions would enable the worst excesses of US litigation culture.  You can’t do that, they said.  Don’t let me down, they’d say. That hasn’t happened yet, and those excesses are likely to be at the end of a long and winding road, if they develop any time at all.  Rather, things have moved slowly – but something is now starting to change.

In the past couple of months, big class actions have been launched in the UK and Belgium because of corporate data breaches and cookie non-compliance, respectively.  And this week:

·      On Tuesday, the App Drivers & Couriers Union launched a crowed-funded lawsuit against Uber, alleging that the rideshare firm uses automated algorithms to deactivate drivers.  The GDPR provision in question (Article 22, which regulates automated decision-making, including profiling) is a fascinating one.  Many of us are slaves to the (algo)rhythm in some way, and how organisations use these tools – including being transparent about how they’re used and when users challenge the robot’s decision – will often involve difficult, and novel, issues for businesses to grapple with. 

·      On Monday, the European Court of Justice approved a request for a preliminary ruling from the German supreme court to clarify whether competitors and not-for-profit organisations are entitled to bring proceedings (i) irrespective of the infringement of data subjects’ rights, and (ii) without receiving a mandate from the data subjects.  In other words, could the App Drivers & Couriers Union – or another entity set up for the purpose of litigating consumer rights cases – bring a separate action for no one other than on its own account?        

What does this all mean? Well, tomorrow never knows, and there’s not a revolution (1 or 9) in data protection class actions in Europe just yet.  But this week’s developments are further evidence that the landscape is increasingly taking shape and it’s unlikely to slow down.  GDPR collective redress: it’s more than a beginning – and it’s certainly not the end.