Senior Associate Mathilde Gérot and Trainee Simon Fitzpatrick, discuss the differences between Europe and the United States on class actions and data security practices, in Thomson Reuters and Law360.
A breach of financial data, even a criminal one, may cost a financial institution dear, as the 2017 Equifax data breach demonstrated.
On February 10, 2020, the U.S. Department of Justice announced that it was charging four members of China’s armed forces for crimes related to the data breach. In January 2020, Equifax’s class action settlement received final approval from the Federal District Court. Equifax will compensate affected data subjects up to $425 million and pay $77.5 million in fees for the plaintiffs’ attorneys.
The Equifax case is just one example of the surge in data protection litigation in the United States. Twenty-one months after the General Data Protection Regulation’s (GDPR) entry into force, however, Europe has yet to see major class actions relating to data security practices. There are some practical challenges to the European class action system, but the number of data protection class actions is expected to rise.
Class actions in the United States
In the United States, class actions are much more common than in Europe and part of this relates to court procedures. Most U.S. states and the federal court system only require one person to represent the class, and that the case meets four conditions:
the class is so numerous that it is impractical for them to be feasibly joined;
there are questions of law or fact that are common to the class;
the class representative’s claims are common to those of the class; and
the class representative will fairly and adequately protect the class’ interest.
Once the class is certified, the court will order notice to all class members, including that all affected persons are considered to be a part of the class until they take an affirmative step to remove themselves. Hence, they “opt out” of the class.
EU Collective Redress Directive
In the European Union, many member states have decided to go further than existing EU requirements and have created their own class action systems. At present, the European Union is preparing the Collective Redress Directive, which will greatly expand class actions into different sectors, including data protection. The new directive also plans to allow for cross-border claims, where class members from multiple member states may form a class in another member state’s courts.
Class actions in France
Most member states’ class action procedures will remain unchanged by the Collective Redress Directive, however, and member states will continue to determine their own procedures. For data protection issues, although France’s Data Protection Act does allow for class actions, individuals are not allowed to act as class representatives. To bring a class action in France, the data subjects would need to turn to a government-approved consumer protection group, a trade union, or a non-profit group which has existed for at least five years with a relevant statutory purpose. If the group agrees to take the case, it will represent the class in court and would distribute damages if they were granted. To be a part of the class, the data subject would have to request affirmatively to join. Hence, they “opt in”.
Of the fewer than 20 French class actions, only two relate to data protection issues, and neither of those has been formally brought to court. Internet Society France is attempting to bring a claim against Facebook relating to various alleged shortcomings regarding data security, cookies, the use of sensitive data and consent. Meanwhile, the French consumer group UFC-Que Choisir is attempting to bring a claim against Google for its geolocation policies. Due to the relatively low number of claims, it seems possible that the French legislator may intervene and decide to create an opt-out-based system.
Another reason why data protection class actions have yet really to take off could be explained by the legislation itself. Unlike in the United States, where there is no comprehensive national data protection law, the GDPR does provide comprehensive data protection policies across the European Union. To allow for class action-type claims, some member states, such as France, needed to adjust their existing legislation to be GDPR-compliant. France’s last legislative modification came into force in mid-2019. Under French law, data subjects may seek both injunctive relief and monetary damages not only for data security violations but also for all potential claims under the GDPR and France’s Data Protection Act.
U.S. federal legislation
No claim to original U.S. Government Works. -2- Despite multiple bills pending in the U.S. Congress, it remains to be seen whether a bill will be passed before the upcoming elections and the new Congress in 2021. Especially for financial services, however, there is federal legislation that does cover data security issues, such as the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. Individual states have also introduced bills in their state legislatures that intend to cover data protection issues. On February 14, 2020, the Washington state senate passed its own legislation that is purported to be the most comprehensive data protection legislation. The California Consumer Privacy Act (CCPA), however, which entered into force on January 1, 2020, was largely inspired by the GDPR. The CCPA allows data subjects to seek monetary damages or injunctive relief for data security violations, so long as it is not pre-empted by federal legislation. Most other claims relating to the CCPA requirements are reserved for the California attorney general. While the financial services industry must consider the CCPA’s requirements, it seems likely that most class actions would be brought under the existing federal provisions.
GDPR class actions set to become more prevalent
In Europe, personal data class actions under the GDPR are expected to become more prevalent in the next few years. Data security breaches will be the main focus of class actions, but all aspects of the GDPR and France’s Data Protection Act may be used to support a claim. Legal practitioners in Europe are also observing the changes coming from their U.S. counterparts. Law practices and lawyers are starting to specialise in data protection litigation as a strategy to prepare for the next wave of mass litigation.