On 4 May 2023, the Court of Justice of the European Union (the CJEU) issued its judgment in the Österreichische Post case. In this judgment, the CJEU provided more clarity on the concept of damages in the General Data Protection Regulation (the GDPR): see also the blogpost written on this subject by our colleagues Frederiek Fernhout and Minke Reijneveld. The main question addressed by the CJEU was whether a breach of the GDPR as such is sufficient for awarding damages, without the need to establish that actual damage was suffered. The CJEU found that a breach of the GDPR does not automatically grant an individual a right to claim damages: damage is a prerequisite.
This will be a relief for all companies facing claims for damages under the GDPR, especially in view of the Act on the Settlement of Mass Damages Claims in Collective Actions (the WAMCA, in Dutch: Wet afwikkeling massaschade in collectieve actie). If the CJEU had ruled that a breach of the GDPR automatically gives rise to a right to damages, the threshold for initiating proceedings for damages would have been lowered significantly. It is likely that the number of mass damages claims would then have increased substantially.
Even after Österreichische Post, however, the question remains whether the GDPR is even suitable for such collective actions. It has still not been determined whether a mass claim for damages under the GDPR can be brought on an 'opt-out' basis, i.e. without an instruction to claim damages from the persons whose privacy has been violated. Article 80(1) GDPR provides that organisations may claim compensation for damage suffered by a person due to a GDPR breach, under a mandate and on behalf of that person.
Several class actions have now been filed in the Netherlands based on the WAMCA (Article 3:305a of the Dutch Civil Code), and thus on an opt-out basis. Billions of euros are being claimed for alleged breaches of the GDPR. These proceedings were brought by claim organisations against social media platform TikTok, as well as against software companies Oracle and Salesforce (in March 2023, a claim was also brought against the Dutch State). The competent courts have not yet ruled in any of the aforementioned proceedings on the question whether the GDPR is suitable for mass damages claims under the WAMCA.
In this blogpost, we will therefore outline, with reference to various sources, the extent to which it appears to be possible to initiate mass damages claims for alleged breaches of the GDPR, as provided in the WAMCA, on an 'opt-out' basis.
GDPR mass damages claims: possible without a mandate?
The WAMCA entered into force on 1 January 2020, with the objective of making it possible to seek damages in class action procedures. An organisation does so for the benefit of persons who claim to have suffered damage, but not on their behalf or under a mandate. An instruction or mandate is not required. The question is how this relates to the relevant provision in the GDPR, because Article 80(1) GDPR reads: "The data subject shall have the right to mandate [an] (…) organisation (…) to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law."
This raises the question whether compensation under Article 80(1) GDPR is possible through WAMCA proceedings. Opinions differ on this matter. In a 2021 judgment in proceedings against software companies Oracle and Salesforce, for instance, the Amsterdam District Court highlighted that it is unclear how the WAMCA and the GDPR relate to each other. In paragraph 5.19 of the judgment, the court found: "The parliamentary history of the WAMCA, the [Dutch] GDPR Implementation Act (…) and the literature to date has not addressed the question whether Article 80 GDPR precludes a class action for damages for breach of the GDPR." There are, however, indications that breaches of the GDPR cannot be addressed through WAMCA proceedings. These are set out below.
- First, Article 80(2) GDPR provides that member states may provide that organisations, even when not mandated, may exercise specific rights under the GDPR. However, the right to compensation is not mentioned there. This fuels the idea that the GDPR (intentionally) does not provide a specific basis for instituting proceedings for damages on an opt-out basis.
- In addition, recital 142 of the GDPR may contain a translation error (our colleague Nynke Brouwer wrote an editorial on this in Computer Law 2022/49). The current Dutch text, translated verbatim, reads as follows: "For [such organisations] it may be provided that they are not allowed to claim compensation on a data subject's behalf independently of the data subject's mandate."
However, when the Dutch translation is compared with the text in other languages, it does not seem to be fully in line with, for example, the English text: "[Such organisations] may not be allowed to claim compensation on a data subject's behalf independently of the data subject's mandate."
- Finally, it could be argued that allowing mass damages claims for breaches of the GDPR is contrary to Union law, because the European Council in fact wanted to prevent a commercial claims culture in the context of data protection.
On the other hand, there are concrete indications that it is indeed possible to seek damages on an opt-out basis for alleged breaches of the GDPR.
- First, the goal of the Union legislature has been for the GDPR to provide broad protection of personal data. It therefore makes sense also to keep the possibility of private enforcement broad.
- The Representative Actions Directive is also relevant here. That Directive forces member states to allow for collective actions for damages in the interest of consumers. Annex I to the Directive provides that, among other things, representative actions brought against breaches of the GDPR should be possible. On the basis of the Directive, member states can choose between an opt-in and an opt-out system.
- Moreover, the Dutch Minister for Legal Protection has confirmed in the Explanatory Memorandum to the legislative proposal for implementation of the Representative Actions Directive that WAMCA proceedings involving breaches of the GDPR are possible.
- The most explicit indication can be found in the CJEU's Meta judgment of 2022. In this ruling, the CJEU set the bar quite low for organisations to represent the collective interests of individuals under Article 80(2) GDPR. Not only did the CJEU emphasise that organisations need only 'consider' that the GDPR has been breached (paragraphs 71-72), it also found that it is not necessary to identify in advance which individuals are or may be affected by the breach (paragraph 68). This is in keeping with the trend of the CJEU interpreting personal data protection broadly. Some authors believe that the Meta judgment unambiguously confirms that it is possible to claim damages under the WAMCA for alleged breaches of the GDPR, even in the absence of a mandate. In that context, it has even been argued that, because of the Meta judgment, the representativeness criterion in the WAMCA does not apply to claims based on the GDPR (see D.F. Berkhout (lawyer for one of the claim organisations in the TikTok case) in JBP 2022/90). We believe that representativeness may still be expected of a claim organisation, since the representativeness requirement under the WAMCA also does not require "individual identification" of those persons. Moreover, Article 80(1) GDPR allows collective compensation claims only "where provided for by Member State law", while Dutch law does require representativeness of all claim organisations.
There certainly seems to be room for a narrower interpretation of the Meta judgment. K. Saarloos and L.J. Knap, for instance, argue in NTBR 2023/3 that the Meta judgment merely clarifies that Article 80(2) GDPR does not require an organisation to identify in advance the data subjects on whose behalf it acts. However, this does not answer the question whether it should be possible to bring a mass damages claim based on GDPR breaches on an opt-out basis, since it is a fact that Article 80(2) GDPR does not mention the possibility of claiming damages.
The Meta judgment therefore does not provide a clear answer to the question whether a claim organisation can claim damages on the basis of a GDPR breach without a mandate.
Even after the Österreichische Post ruling, it remains uncertain whether mass damages claims without an explicit mandate are possible under the GDPR.
What does this mean for companies?
For as long as mass damages claims on an opt-out basis remain possible, it is important for companies that process personal data to be aware of the risk of such claims. Although Österreichische Post offers some relief, that risk remains. Not only because of potential fines, but also because of the threat of collective actions, it is therefore important that personal data processing takes place in accordance with the GDPR.
For more information on this topic please contact Branda Katan or Nynke Brouwer.