Legal action: a new dynamic for class actions?

Legal Watch No. 53 – November 2022

Legal recourse concerning personal data protection issues is still rare in France and Europe.

While the press regularly reports on sanctions against tech giants, these sanctions are mainly the work of the supervisory authorities.

Damages are often difficult to assess in privacy violation cases, particularly when weighed against the costs of legal action.

The situation could change soon, with the transposition at national level of Directive (EU) 2020/1828 on representative actions.

Member states have until December 25 of this year to comply with this directive, which aims to protect the collective interests of consumers.

Class actions already exist in France, introduced by the law of March 17, 2014, on consumer affairs, and their scope has gradually expanded.

The mechanism was gradually extended to other areas, including personal data, by the law of November 18, 2016, which created a new article 43 ter in the Data Protection Act.

The text nevertheless limits the right to bring a class action to approved consumer protection associations, to associations more than five years old whose statutory purpose is the protection of privacy, and to trade union organizations representing employees or civil servants.

This legal framework did not allow the persons concerned to obtain compensation for damages.

This is now possible, since the law of June 20, 2018 which adapts the Data Protection Act to the GDPR.

Class action now allows for the compensation of material and moral damages before the courts.

The GDPR also allows data subjects to obtain such redress by mandating bodies, organisations or associations to lodge a complaint on their behalf with the supervisory authority.

France is therefore not the worst off today in terms of representative actions, as shown, for example, by the actions of organizations such as La Quadrature du Net, which is very active in the field of data protection.

Other countries, however, go further.

Class action in France is based on an "opt-in" model and only involves people who explicitly join the procedure, unlike the "class action" model, which a priori includes everyone matching the profile of the injured parties and gives them the option of withdrawing from the procedure. In that case we speak of "opt-out".

While these two types of procedure are still relatively rare in Europe, class action in the sense of an "opt-out" procedure is even rarer.

The Netherlands allows both types of action.

Over the past two years, several foundations have been set up there with the aim of bringing class actions.

These foundations have, for example, challenged the anti-competitive behavior of Apple and Google, the data collection practices of TikTok, Salesforce and Oracle, as well as Airbus and Airbnb.

The fact that the representative organization can claim damages for an entire class of claimants unless they "opt out" is a significant game changer for data protection class actions, where individual damages awards are generally low.

The economic viability of such actions has made the Netherlands the leading European jurisdiction for class actions, and third-party funding of this type of organization is on the rise.

Today, Twitter is being sued in the Netherlands for tracking its users.

The same is true for other popular apps, including Shazam and Vinted, as well as more sensitive apps such as Grindr and menstrual cycle tracking apps.

The European Directive allows EU countries to choose between the opt-in and opt-out models, except for injunctive actions, which logically provide for an opt-out.

It should be noted that the text gives organisations the possibility of bringing cross-border actions and the choice between several jurisdictions: the action may be brought in the Member State where the defendant company has its registered office, but also in any Member State where it has a branch and in the State of domicile of the injured person.

France will therefore have to prepare to deal with pan-European actions.

It will also have to adapt its legal framework to the "loser pays" principle with regard to attorney's fees and procedural costs, and provide for a discovery procedure, as exists in common law countries, which allows, by reasoned decision of the judge, the production of documents useful to the dispute (such as the identity of the injured parties).

While the coming months will clarify the conditions for applying the directive, it already seems certain that it will have an impact on the number of representative actions in Europe.

It would be good to prepare for it and closely monitor its transposition in France.

And also

France:

The CNIL has fined DISCORD INC. 800,000 euros for failing to comply with several GDPR obligations, particularly with regard to data retention periods and the security of personal data.

The CNIL also highlights a lack of data protection by default: users were not informed that their conversations could still be heard when they thought they had left a voice chat room.

Finally, the company was criticized for not having carried out an impact assessment before implementing the processing operations.

The CNIL also published an action plan on November 24 aimed at supporting the compliance of mobile applications and protecting users' privacy.

It intends to deepen its expertise, support professionals and inform citizens, for example in the form of guides and recommendations.

Finally, it will carry out targeted checks and, if necessary, take enforcement action against organisations that do not meet their obligations.

Following a large number of complaints, the CNIL has clarified the conditions under which supplementary health insurance organisations can collect health data.

It notes that the applicable texts are not sufficiently precise and recommends the adoption of a law.

January 1, 2023 will mark the end of paper receipts.

This "anti-waste" measure raises questions about privacy protection because retailers will be able to identify their entire customer base, including those who do not have a loyalty card.

The CNIL stressed in its white paper that an email address collected for the purpose of sending a receipt or electronic payment cannot be used for commercial prospecting purposes, these two purposes being quite distinct.

It will be important to obtain the consent of the person concerned or, in the case of prospecting for products or services similar to those already provided by the company, to inform them at the time of collection of the purposes and of their right to object.

The Court of Cassation held in its ruling of 7 November that the unlock code of a mobile phone's home screen can constitute a "decryption key".

If the phone is likely to have been used in the preparation or commission of a crime or offence, its holder is required to give investigators the unlock code for the home screen.

If the holder refuses to communicate this code, they commit the offence of "refusal to hand over a secret decryption convention", punishable by a fine and imprisonment.

Europe:

On November 16, 2022, the Digital Services Act (DSA) came into force.

This regulation imposes new obligations on digital platforms in order to limit the dissemination of illegal content and products, increase the protection of minors, and give users more choice and better information.

The European Data Protection Board (EDPB) has published its recommendations on the approval procedure and elements to be included in Binding Corporate Rules (BCRs) for data controllers.

The document is open for public consultation until January 10, 2023.

The European Data Protection Supervisor (EDPS) has published its opinion on the proposed regulation on cybersecurity.

The text aims to define EU-wide cybersecurity requirements for a wide range of hardware and software products such as browsers, operating systems, firewalls, network management systems, smart meters or routers.

The EDPS recommends integrating the principles of data protection into this text by design and by default.

It also stressed that a European cybersecurity certificate could not replace GDPR certification.

The EDPS also commented on the proposal for a regulation establishing a common framework for media services: in its opinion of 14 November, it highlights the inadequacy of the measures envisaged to protect journalists, their sources and media service providers.

It recommends clarifying that any journalist would benefit from this protection, and urges further narrowing the exceptions that allow the interception of communications by spyware or other forms of surveillance.

After two years of negotiations with Microsoft, the joint committee of the German Federal Data Protection Authority and 16 state regulators has issued a statement that is likely to have far-reaching implications: data controllers cannot currently legally use MS365 under the GDPR.

The Dutch data protection authority issued a warning to its government on November 14, dissuading it from using American cloud services. It urges the government to use European alternatives.

The Hungarian DPA has ordered the operator of a weather forecast website to stop transferring data to the United States via Google.

The DPA found that the website operator used Google Analytics without implementing adequate safeguards for data transfers to the United States.

On November 17, the Irish Council for Civil Liberties pointed out in a letter to the European Commission that Meta was in breach of the GDPR and could not comply with the Digital Markets Act (DMA).

The ICCL cites recently unsealed court documents in California that say Meta failed to respond to a request for information about what 149 of its data processing systems do, indicating that the operation of those systems was not understandable to humans.

The Irish Data Protection Commission issued its decision on November 25 in its investigation into the scraping of Facebook data, which concerns the online availability of personal data of more than 530 million users.

The principles at stake concerned data protection by design and by default as provided for by the GDPR.

The decision imposes administrative fines totaling €265 million and corrective measures.

Meta faces three other GDPR infringement proceedings in Europe.

These concern the general conditions of Facebook but also of Instagram and WhatsApp.

The EDPB's findings on the latter are expected to be published on 5 December and are eagerly awaited.

They concern the legal basis for collecting data from social media users.

Meta has changed this legal basis from consent to the necessity of processing under a contract, with legal repercussions that, if approved by data protection authorities, would go far beyond the context of this case.

The Information Commissioner's Office published an update to its guidelines on international transfers on 17 November.

This update includes a new section on Transfer Risk Assessments (TRA) and a tool for controllers.

The UK has concluded an agreement on the transfer of personal data with Korea, which will come into force on 19 December.

It says its agreement is "broader" than the EU's, allowing companies to transfer data relating to credit information.

International:

Google has agreed to pay a record $391.5 million in a settlement over privacy violations in 40 US states.

The case concerns the company's geolocation practices: according to the attorneys general, users were misled about the conditions for deactivating their geolocation in their account settings.

European data protection authorities have warned that the two apps Ehteraz and Hayya imposed by Qatari authorities for entry into the country generate massive privacy violations, by allowing extensive access to user data, including location data and call data.

The CNIL has recommended that people traveling to Qatar use a blank or reset phone.

The Global Privacy Control, created in October 2020, is now seeing its use grow thanks to its adoption by major publishers and online consent management platforms.

The GPC allows users to opt out of the sale of personal information at the browser level with one click, for all or some websites.

Unlike opt-out handlers, which often load content and begin collecting data before the user has a chance to opt out, GPC honors the user's choice before the site loads.
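The "honored before the site loads" property described above comes from the fact that the GPC signal travels with the request itself, as the Sec-GPC request header (value "1"), and is also exposed to scripts as navigator.globalPrivacyControl. The following is an added example, not code from the newsletter or from the GPC project, showing how a server can read the header and leave data-sharing tags out of the page it builds, so an opted-out visitor never downloads them. The tag catalogue, the request objects and the X-GPC-Honored response header are constructed for this example.

```javascript
// Added example (not from the Legal Watch article): honoring the Global Privacy
// Control signal server-side, while the response is being built.
// Assumptions: the Sec-GPC request header (value "1") and
// navigator.globalPrivacyControl are the mechanisms defined by the GPC
// specification; TAG_CATALOGUE, the sample requests and the X-GPC-Honored
// header are constructed for this example.

// Case-insensitive header lookup: Node's http module lowercases header names,
// other front ends may not, so do not rely on a particular casing.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// The specification defines exactly one valid value, "1". Anything else
// (absent, "0", "true") is not an opt-out signal, so it is treated as
// "no signal" rather than guessed at.
function gpcOptOut(headers) {
  const v = headerValue(headers, 'Sec-GPC');
  return typeof v === 'string' && v.trim() === '1';
}

// Constructed catalogue of third-party tags a page might embed, flagged by
// whether loading them amounts to a sale or sharing of personal information.
const TAG_CATALOGUE = [
  { name: 'analytics-first-party', sharesData: false },
  { name: 'ad-network-pixel', sharesData: true },
  { name: 'data-broker-sync', sharesData: true },
];

// Decide which tags to emit in the HTML. Because this runs before the page is
// sent, an opted-out visitor never fetches the data-sharing tags at all, which
// is what distinguishes GPC from a banner that runs after the page has loaded.
function tagsToServe(headers, catalogue = TAG_CATALOGUE) {
  const optedOut = gpcOptOut(headers);
  return catalogue.filter(t => !(optedOut && t.sharesData)).map(t => t.name);
}

// Minimal response builder. Two details matter for a real deployment:
//  - "Vary: Sec-GPC" stops a shared cache from handing the tag-laden version
//    of the page to an opted-out visitor (or vice versa);
//  - echoing the decision in a response header makes the choice visible in
//    server logs and the browser's network panel, which helps when auditing.
function buildResponse(headers) {
  const optedOut = gpcOptOut(headers);
  const names = tagsToServe(headers);
  return {
    status: 200,
    headers: { 'Vary': 'Sec-GPC', 'X-GPC-Honored': optedOut ? '1' : '0' },
    body: names.map(n => `<script src="/tags/${n}.js"></script>`).join('\n'),
  };
}

// Constructed requests: one from a browser sending the GPC signal, one without.
const withGpc = { 'sec-gpc': '1', 'user-agent': 'example-browser' };
const withoutGpc = { 'user-agent': 'example-browser' };
console.log(tagsToServe(withGpc));    // [ 'analytics-first-party' ]
console.log(tagsToServe(withoutGpc)); // all three tag names
console.log(buildResponse(withGpc).headers);
```

On the client side the same decision can be checked with navigator.globalPrivacyControl, but a script-level check necessarily runs after the page has started loading, which is exactly the gap the header-based handling above closes.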

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
