Senior Associate, Mathilde Gérot and Trainee, Simon Fitzpatrick discuss the surge of class actions against tech companies regarding their data security practices, in Fintech Direct.
Mathilde and Simon’s article was published in Fintech Direct, 11 February 2020, and can be found here.
Just recently, The New York Times reported that Facebook settled a class action regarding its facial recognition technology for $550 million (Natasha Singer & Mike Isaac, “Facebook to Pay $550 Million to Settle Facial Recognition Suit”, The New York Times, 29 January 2020). Yahoo has recently announced a $117.5 million settlement for data breaches related to their email services (Lily Hay Newman, “How to Get Your Yahoo Breach Settlement Money,” Wired, 8 February 2020).
Should we expect the next wave to begin in Europe? 20 months after GDPR’s entry into force, European class actions on personal data have yet to really take off. But in 2018, the French data protection authority recorded 1,170 personal data violation notices and 11,077 complaints from the public, a 32% increase over 2017’s figures (Commission nationale de l’informatique et des libertés (CNIL), rapport d’activité 2018, p. 2). While class action figures may be low at present, the number of cases is expected to rise.
GDPR’s Article 80 (2) granted Member States the choice to allow class actions that claim monetary damages. Some countries, such as France, Austria, and Belgium, decided to allow damage claims (Alexia Pato, The national adaptation of Article 80 GDPR: towards the effective private enforcement of collective data protection rights, in National adaptations of the GDPR, p. 106 (Karen McCullagh et al. eds., 2019)). For France, the last piece of legislation came into force in mid-2019. Presently, members of the legal community and the general public have moved on from trying to understand the new provisions and are beginning to think about bringing a claim.
French law on class actions seems to have played a role in limiting personal data class actions. Class actions were introduced into French law starting in 2014 with consumer protection claims. More and more grounds were progressively added, including personal data class actions in 2016. But at the time, data subjects could only bring suit to stop personal data violations or force data controllers to change their data practices. With GDPR’s entry into force and France’s complementary legislation, French data subjects may now seek damages. Since there is now a financial incentive for data subjects, more than likely we will see an increase in personal data class actions. We are already starting to see proof of this with two forthcoming class actions by French groups: Internet Society France commenced pretrial procedures against Facebook relating to various shortcomings regarding data security, cookies, use of sensitive data, and consent (Internet Society France Chapter, “Action de groupe Internet Society France VS Facebook : Facebook s’estime au-dessus des lois”, 26 March 2019), and the consumer protection group UFC-Que Choisir is considering bringing a class action against Google based on its geolocation practices (UFC-Que Choisir, “Vie privée/données personnelles : Action de groupe contre Google”, 26 June 2019).
The low number of personal data class actions in France may also be explained by France’s choices on class action procedures. France chose the “opt-in” procedure rather than the “opt-out” procedure, common in the US. The “opt-out” procedure is what most people think of when considering class actions. In an “opt-in” procedure, data subjects have to “opt-in” to the class rather than automatically being a part of it. In France, they would have to give consent by joining the case brought by an approved non-profit group. These groups must be either a government-approved consumer protection group (Institut national de la consommation, “Les associations de consommateurs”, 18 September 2019), a trade union, or another non-profit group that has existed for five years and has a statutory object that includes protection of personal data (Laurence Neuer, “Données personnelles : ‘L’action de groupe est amenée à se développer’”, Le Point, 19 June 2019). The non-profit group effectively takes charge of the individual claims, organises them and hires a lawyer to bring the claim before the courts. If damages are awarded, the non-profit group will also handle disbursement of the individual awards. The system presents an advantage to individuals who may not be able to act on their own, and class actions provide much more visibility on these issues.
Depending on how cases progress in French courts, the government could decide to switch to an “opt-out” procedure common in the US. Considering all existing class action claims (consumer protection, data protection, discrimination, health & safety), fewer than 20 cases have been brought to French courts. Of all those claims, only one class action has reached the merits of the case. Two were settled and most of the others are pending procedural challenges.
Nevertheless, personal data class actions may have an important place in mass litigation over the next few years. All aspects of GDPR and France’s data protection law may provide grounds to bring class actions. Data security breaches will remain the driving force of personal data class actions, but other compliance-related suits may appear from time to time. The French legal community is also observing the changes coming from American counterparts, where lawyers are starting to specialise in data protection issues and develop class actions on data subjects’ behalf. In France and the EU, we are starting to see the same developments. Currently, these practices are not prevalent, but there is room for growth in France and across Europe. Opening a data protection practice is strategic, especially for firms that specialise in litigation and alternative dispute resolution.