GDPR and Mass Claims
Introduction
The procedural rules on mass claims[1] within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”).[2] The impact of the Directive is expected to make collective redress in data protection and other fields much easier.
Timeline
The Directive was passed by the European Parliament on 24 November 2020 and entered into force by the end of 2020. It will be implemented by the EU Member States by 25 December 2022. The measures shall be applicable in each Member State as of 25 June 2023.
The Scope of the Directive
The Directive creates stronger protection for consumer groups than those that existed previously. In case of breach of EU law on subjects including data protection, financial services, energy, telecommunications, health and the environment, the Directive is expected to pave the way for mass claims against businesses. In order to minimize abusive mass claims, the Directive limits standing for bringing collective actions on behalf of consumers to “designated institutions.”
Due to the fact that Member States have diverging procedures regarding mass claims, the Directive was necessary in order to harmonize mass claim litigation within the EU. That being said, each Member State has a level of discretion in implementation of the Directive on some matters. For instance, Member States can decide whether or not to implement an opt-out mechanism for claims. If this mechanism is applied, anyone falling into a class of claimants is automatically added as a party to the claim unless they specifically opt-out. Likewise, Member States have a say in defining the criteria for designated institutions for domestic actions.[3] However, criteria for designated institutions to stand on behalf of customers in EU-wide claims is not at their discretion.
Thus, companies doing business with mass numbers of consumers will need to keep track of nuances in different jurisdictions to monitor risks of mass claims they might face.
Impact of the Directive on General Data Protection Regulation (“GDPR”) Related Mass Claims
By regulating cross-border mass claims, the Directive eases initiation of proceedings in other Member States. Consequently, it is anticipated to trigger a peak in data infringement related mass claims. In fact, the increase in claims has already started.
Recently, a consumer protection association in Germany sought an injunction against Meta Platforms Ireland before a German court. The Federal Court of Justice in Germany referred the matter of the standing of the association on behalf of consumers to the Court of Justice of the European Union (“CJEU”). On 28 April 2022, in Meta Platforms Ireland, the CJEU rendered a decision:
“In the light of all the foregoing considerations, the answer to the question referred is that Article 80(2) of the GDPR[4] must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.” [5]
In sum, the CJEU confirmed that the GDPR does not preclude national provisions allowing standing for such associations on behalf of consumers. Most importantly, the CJEU added that associations enjoy “independent” standing and can act without a mandate from data subjects in such actions.[6] The caselaw in EU is likely to establish a pattern in favor of GDPR related mass claims.
Conclusion
The Collective Redress Directive allows consumer associations to bring EU-wide and cross-border mass claims against businesses on behalf of consumers (data subjects). This legislative trend is supported by CJEU’s recent rulings.
Since consumer associations will enjoy standing in a widened scope of matters, including in GDPR-related cases, companies doing business with high number of consumers are expected to face a flood of data-related mass claims in the near future.
- In this article mass claims term is preferred to cover mechanism for the protection of the collective interests of consumers via representative/collective/class actions, with no further classification on the action types.
- The Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC, OJ L 409, 04.12.2020, p. 1–27.
- Tjon-En-Fa Evelyn, Hurst Bryony, Lanzkron Louise: “In preparation for the new Collective Redress Directive our dispute resolution lawyers have created some tools to help”, Bird & Bird Insight, 23.06.2022, https://www.twobirds.com/en/insights/2022/global/in-preparation-for-the-new-collective-redress-directive (Access date: 24.08.2022).
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119, 04.05.2016, p. 1–88.
- C-319/20, Meta Platforms Ireland Limited, formerly Facebook Ireland Limited v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V., April 28, 2022, ECLI:EU:C:2022:322.
- De Cicco Diletta, Downes James, Mallon Leigh, Helleputte Charles-Albert: “European Court Boosts Representative Actions for GDPR Infringements”, Steptoe Client Alert, 05.05.2022.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
On September 2025, the Court of Justice of the European Union (“CJEU”) delivered its judgment in Single Resolution Board (SRB) v. European Data Protection Supervisor (EDPS), providing some clarification on the identifiability of data under the EU data protection regime. The case examined whether information that...
In Türkiye, it has recently become increasingly common, especially in retail stores, to send verification codes to data subjects by SMS during the provision of goods and services and to process personal data in this way. In the complaints submitted to the Personal Data Protection Board (“Board”), it has been...
In contemporary workplaces, employers frequently implement surveillance systems for reasons such as ensuring occupational health and safety, maintaining workplace order, operating internal control mechanisms, and preventing potential misconduct. However, such monitoring practices often raise significant...
Although the Turkish Personal Data Protection Law No. 6698 (KVKK) stipulates certain rules on cross-border personal data transfer, the effective functioning of the transfer rules was limited over time due to some difficulties in practice. In particular, until late 2024, the application process for permission to transfer...
Personal Data Protection Law numbered 6698 (“PDPL”) was first drafted based on the Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals about the processing of personal data and on the free movement of such data, and entered into force in 2016...
Typically, when an employee departs, their corporate email account remains active and accessible to the employer for a period of time. During this time, the email archive and new incoming messages are forwarded to the employee's manager or another colleague...
In today's world, we now have the opportunity to purchase many products and services through e-commerce platforms with a single click from wherever we are. During these purchases, our personal data are collected and used through the websites or mobile applications of e-commerce platforms for various...
The processing of genetic data has the potential to affect not only the data subjects but also the persons with whom the data subject is genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”) published by the Personal Data Protection Authority...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...
