Recent developments suggest that data protection class actions may be gaining traction in the EU, as they already are elsewhere around the globe. Class actions enable groups of individuals or entities to pursue similar legal claims collectively through a single procedure. In the EU, such actions have been relatively rare, especially compared to their prevalence in the United States. However, the fact that the kinds of rights created under data protection law are eminently suited to class litigation, combined with the presence of activist data-rights advocacy groups willing to initiate such actions, could create a perfect storm for undertakings.
In the EU, class actions are referred to as “representative actions”. Their common framework is the Representative Actions Directive (“RAD”). The goal of the RAD is to enable consumers to protect their collective interests through representative actions. However, its scope is relatively limited. Only designated organisations, known as qualified entities, are permitted to bring such actions. Moreover, these organisations can only bring those actions in cases involving alleged contractual breaches or infringements of specific legislation, such as MiFID II or the General Data Protection Regulation (“GDPR”). As a result, the RAD has not so far caused any significant surge in representative actions within the EU, except for jurisdictions where class actions were already becoming relatively common, such as the Netherlands or Portugal. In Belgium, this lack of “success” is commonly attributed to a lack of financial incentives or funding for qualified entities to bring representative actions. Data protection representative actions, however, appear to be emerging as an exception to this general state of affairs.
Data protection advocacy groups are using representative actions to flex their muscles
Shortly after transposition of the RAD in Belgium, in October 2024, a Dutch non-profit organisation, Stichting Onderzoek Marktinformatie (“SOMI”), launched a representative action before the Belgian courts against TikTok, alleging systemic infringements of consumer and data protection law, especially in relation to minors. The Belgian TikTok case is part of a larger initiative by SOMI, which has also launched similar representative actions in the Netherlands and Germany claimed damages totalling tens of billions.
SOMI likely won’t be the only data protection advocacy group to wreak this kind of havoc. Just recently, on 14 May, noyb, an Austrian-based NGO co-founded by data protection activist Max Schrems, announced that it had sent a cease-and-desist letter to Meta, following Meta’s announcement that it would use EU personal data from Instagram and Facebook users to train its new AI systems from 27 May onwards. In its announcement, noyb threatened injunctive and even redress measures under the RAD if Meta did not to cease its practices. The action against Meta is unlikely to be an isolated case, as Schrems has on multiple occasions underlined the added value of representative actions for enforcing data protection rights.
What makes alleged data breaches fertile ground for representative actions?
The recent rise in data protection representative actions appears to stem from their mutually complementary nature. Data protection infringements are particularly well suited to representative actions as they often involve large groups of individuals who have suffered similar harm because of the same unlawful conduct, a key requirement for collective redress to succeed. The class action mechanism enables these individuals to bundle their relatively small claims into a single procedure. This centralising approach significantly reduces procedural risks and costs for claimants. To this comes the fact that the expenses are largely, if not entirely, borne by the qualified entity bringing the action. As a result, claims that might otherwise be abandoned due to disproportionate costs become viable when pursued collectively.
At the same time, data protection suits appear to be less troubled by financial hurdles than other types of representative actions. Since the RAD provides that individual group members do not need to bear any portion of the procedural costs, the financial risk rests entirely with the qualified entity initiating the action. However, data protection advocacy groups, such as SOMI and noyb, are often funded through donations, so that they can bear the costs of proceedings without relying on the outcome to recover their expenses. This unique funding model enables them to pursue claims more aggressively, potentially reshaping the landscape of data protection enforcement in the EU.
The prospects for representative actions
Looking ahead, data protection class actions may gradually become a more common enforcement tool in the EU, though what impact they ultimately will have remains uncertain. One thing is certain: it will be necessary to continue monitoring how qualified entities and courts handle these cases in order to gain a complete understanding of their future role. In the meantime, maintaining strong compliance will be the most effective way for undertakings to minimise the risk of data litigation.
