Data class actions. The era of mass data litigation

Transcription

1 Data class actions The era of mass data litigation 2018

2 1 Hogan Lovells Data class actions The era of mass data litigation 3 Introduction Contents Class actions are commonplace in the United States but relatively rare in Europe. The European Union wants to change that, by facilitating class actions for mass privacy and data breaches. With the development of big data, the scope and impact of potential data breaches or losses have indeed significantly increased. Every day, somewhere in the world, the media report that data for large numbers of individuals, often millions of people, have been breached. It seems then only natural that public authorities would consider class actions as a potential remedy for these breaches, if not a way to prevent them. At first glance, nothing is more rational: data breaches cause for each individual only a very limited damage, if any. This damage is very often unlikely to be sufficient to motivate the individual to seek compensation for it (or even seek who is actually liable for the breach). Yet, there may be an interest for the entire group affected by the breach to seek compensation for the aggregate damage, hence the idea of allowing class actions. But, what if it were not that simple? Taking a step back and further analysing this topic is the purpose of this Guide which endeavours to: 4 Data class actions in the US 8 The General Data Protection Regulation timidly opens the doors to data class actions in Europe 12 Four key lessons when facing data class actions in Europe 16 A focus on certain Member States 16 French initiatives: "class action" or "collective action" for personal data protection? 18 Create means to an end the German Act and a new bill 22 Italy would the current collective redress mechanisms protect against data breaches? 26 Poland will GDPR breathe some life into the Polish class actions? 28 Spain how class actions would work under the GDPR in Spain 30 The Netherlands will the future collective damages action boost data litigation? 34 United Kingdom the Morrisons' effect the dawn of a new wave of class action for personal data breaches in the UK? put the US experience over the last years into perspective ; look into the choice of the European Union to timidly open the doors to data class actions ; share four key lessons to bear in mind when facing data class actions in Europe; and provide a focus on certain Member States.

3 4 Hogan Lovells Data class actions The era of mass data litigation 5 Data class actions in the US Over the past few years, there has been a surge in class actions challenging companies privacy and data security practices. But, while the number of class actions continues to grow, the suits face several significant challenges, have afforded limited relief to individual consumers, and have provided no coherent privacy standards in the US By comparison, the primary government regulator, the US Federal Trade Commission (FTC), has proven much more effective in enforcing privacy and data security practices. The first hurdle: the requirement of 'standing' or the need for an 'injury in fact' Class action litigation has not proven to be an efficient mechanism for claimants in the US to seek redress for alleged privacy damages. This stems from the difficulty of having a compensable harm arise from a violation of a privacy-related right under US law. This creates an important threshold problem in the US federal courts. Indeed, litigants must demonstrate that they have 'standing' to be able to pursue their claims before a federal court. 'Standing' has in turn been interpreted to require plaintiffs to establish, among other things, that they suffered an 'injury in fact' that is concrete and actual or imminent, not hypothetical or conjectural. Numerous class actions based on the collection, use and disclosure of data have been derailed because plaintiffs have not adequately alleged an 'injury in fact' sufficient to confer 'standing' 1. The challenges plaintiffs face in establishing standing also apply in the context of data breach class actions. There has been a split in decisions among the US courts, with many having dismissed claims arising out of cyberattacks for lack of 'standing', holding that plaintiffs allegations regarding the threat of future harm they face from the potential misuse of their data is not sufficient. These courts hold that what may or may not be done with data collected from the victim of a cyber-attack is too speculative and not a concrete and immediate injury sufficient to confer 'standing' 2. Other courts have found depending on the type of data involved that the mere improper access to that personal data creates an increased 'risk of harm' sufficient for a claim 3. Where plaintiffs can allege that their data has been misused by criminals, courts are more likely to find such allegations of fraudulent activity sufficient to establish 'injury in fact' 4. Nonetheless, the US Constitution s 'injury in fact' standing requirement remains an often insurmountable hurdle for plaintiffs. The US Supreme Court has reminded the lower courts that a plaintiff in data-related cases, who often cannot point to clear financial harm, must allege an injury that is both particularised, meaning that the named plaintiff was personally affected by the defendant s conduct, and concrete, meaning there must be an 'injury in fact'. Simply alleging that a statute is violated is not enough 5.

4 6 Hogan Lovells Data class actions The era of mass data litigation 7 The second hurdle: causes of action Even where consumers are able to overcome the threshold question of whether they have suffered a compensable privacy harm, there is further difficulty in finding viable causes of action through which plaintiffs can seek redress. That challenge is already difficult with respect to federal statutes, as most privacy claims do not fit neatly into the existing federal statutory scheme. No current law provides an express means of redress for individuals who allegedly suffered privacy harms. Plaintiffs have instead tried to press their claims under various other federal statutes, including those designed primarily to protect systems and communications from hackers and eavesdroppers. For instance, the Computer Fraud and Abuse Act targets various computerrelated activities, but, in order to bring an action under its provisions, a plaintiff must allege at least US$5,000 in actual damages. Because they are based on a patchwork of differing state laws, however, these claims rarely afford nationwide relief and do not result in a national standard that companies can follow and consumers can rely upon. The challenges plaintiffs face in establishing standing also apply in the context of data breach class actions. Recent examples of settlements of privacy and security class actions Despite these challenges, attorneys in the US have continued to file a slew of class actions. One of the primary motivations for this deluge of litigation is the attorneys fees plaintiffs counsel hope to recover. Numerous privacy class actions have been resolved by settlement agreements that provide little of value to the consumer while handsomely rewarding the plaintiffs lawyers. For instance, in a data breach class action against Target, Target paid US$10m to a fund for consumers, an amount of less than US$1 per plaintiff, while the plaintiffs counsel received US$6.75m in fees. In a data case against LinkedIn, the named plaintiff was awarded US$5,000 leaving less than US$1 for each additional class member while the plaintiff's attorneys were awarded over US$321,000. A total award of less than US$1 or even 10 cents per class members is arguably generous because some privacy class action settlements require defendants to make only cy pre payments payments to charitable organisations that support work that indirectly benefits the class and the public interest, or to make prospective changes to their data practices. In other instances, data breach settlements have established funds to provide free credit monitoring to victims as well as to reimburse class members for documented damages. Many settlements, however, provide no monetary compensation to class members whose personal information was stolen. FTC's enforcement actions as a better contribution to privacy standards Because many class actions are resolved through settlement or are dismissed, class action litigation has not established comprehensive privacy standards. By contrast, regulatory action through the FTC has been a strong force in enforcing such standards. The FTC has extracted numerous far-reaching consent orders from corporate defendants, which require substantive changes in corporate policy and have established certain privacy norms. The consent orders resolving FTC privacy enforcement actions typically: 1) prohibit the activities that were the subject of the agency s complaint; 2) establish monetary penalties; 3) require that corporations delete or refrain from using any wrongfully collected personal data; 4) require the maintenance of records and compliance reports to facilitate the FTC s enforcement of the order; and 5) require corporations to notify the FTC of any material changes that might affect compliance obligations. FTC regulations have been confirmed by federal courts, notably in a court of appeal's opinion upholding the Commission's authority 6.

5 8 Hogan Lovells Data class actions The era of mass data litigation 9 The General Data Protection Regulation timidly opens the doors to data class actions in Europe More than 15 years after the adoption of the Data Protection Directive 7, the European Commission noticed that the current legislative framework on data protection did not adequately deal with the risks associated with online activity 8. 2) the defendant: controllers and processors can be obliged to pay damages. That means that all companies processing personal data will face increased liability risks. 3) culpable breach of the GDPR: to constitute civil liability under the GDPR, the controller or processor must breach the provisions of the GDPR in a culpable manner. In this respect, the GDPR provides for a shift of the burden of proof: from the moment that a violation is recorded, compensation will be automatic, unless the controller or processor manages to prove that it is not the source of the non-compliance with the Regulation (Articles 82(2) and (3)). The text also sets the principle of full compensation of the plaintiffs which is very protective of the data subjects' rights: when several processors/controllers are involved, they are jointly liable for compensation (Article 82(4)). The GDPR does not expressly provide for class actions but Article 80 enables claims to be brought by third parties on behalf of data subjects and to transform themselves into collective claims under a consolidation mechanism. Acknowledging this, the General Data Protection Regulation (GDPR) 9 was finally adopted by the European Parliament on 14 April 2016, entering into force in May 2016 and becoming directly applicable in all Member States on 25 May The GDPR targets the data controller or its processor and provides a set of standardised rules relating to personal data processing by such entities. It also provides means to enforce these provisions. Specifically, the GDPR introduces, everywhere in Europe, collective actions, which can be initiated by not-for-profit bodies dedicated to personal data protection thanks to consolidation mechanisms. Individual actions An action before national courts against a controller or a processor Without prejudice to any available administrative or non-judicial remedy, the GDPR enables the data subjects to bring a claim against a controller or processor in national courts when they consider that their rights under the GDPR have been infringed as a result of a processing (Article 79). In this respect, the GDPR provides the data subject with a real choice of forum, allowing data subjects to bring their action before different courts (Article 79) as well as a lis pendens system requiring courts to suspend their proceedings or decline jurisdiction where identical proceedings are pending before another court (Article 81). A right to compensation and liability The GDPR enables the data subject to seek compensation from the controller or processor for the material or non-material damage resulting from an infringement of their rights under the GDPR before national courts (Articles 79 and 82). The following overview describes the conditions of liability as required by Article 82(1): 1) claimants: any person who has suffered damage due to a data protection violation has the right to receive compensation for the damages suffered. This primarily applies to data subjects. In addition, other individuals are also entitled to claim damages if certain requirements are met. This might be the case if a family member of the data subject suffers mental impairment or other material or non-material damages due to the data protection breach. The GDPR does not expressly provide for class actions [ ].

6 10 Hogan Lovells Data class actions The era of mass data litigation 11 Claims consolidation mechanism Although the GDPR spreads over 88 pages and almost 100 articles, the long-awaited class-action mechanisms are located in a single short article called "Representation of data subjects" (Article 80). First, this Article defines the type of legal entity which will be entitled to exercise the data subject's rights on their behalf: organisations or associations having statutory objectives which are in the public interest, and are active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data. Secondly, this Article creates three different rights of action: 1) a representative joint action: data subjects shall have the right to mandate an authorised entity to lodge a complaint on their behalf, to exercise the actions defined in Articles 77, 78 and 79 (Article 80(1)). 2) a limited compensatory representative joint action: data subjects shall have the right to mandate an authorised entity to exercise their right to receive compensation only if the law of the Member State enables it (Article 80(1)). 3) a limited class action: authorised entities shall be entitled to act on behalf of data subjects without having obtained a mandate from such data subjects in case of a violation of the rights of a data subject under the Regulation, provided that the Member State provided for such a possibility. Claims for compensation are, however, excluded from this mechanism (Article 80(2)). What are processors/controllers really facing? Nothing new under the sun? The GDPR actually fails to provide a consistent class action or even a procedural framework to launch an efficient representative joint action. In this respect, it brings nothing new and simply formalises a practice already established in the Member States. In France for instance, it has been possible for a long time for a person to collect mandates before starting proceedings, which would consequently result in a collective action. The representative joint action could, however, bring some light on the data protection issues in Europe and eliminate the usual hurdle to the development of representative actions, notably in France, which is the limited exposure and publicity and the difficulty in obtaining a sufficient number of mandates so that the collective action reaches a critical size. Combined with the new methods of disseminating information relating to collective actions through the Internet 11, the GDPR's media impact may put the personal data collective actions at the heart of public awareness. Finally, since the class action mechanism is only optional, its implementation depends on the Member States' position and could, therefore, be limited. A European right to 28 national collective actions? The GDPR does not create a European class action but rather a European right to collective actions. Indeed, the GDPR only states that the data subject "shall have the right to" initiate actions, but does not provide the data subject with an actionable tool, and leaves it to the Member States to provide such a tool. Consequently, there soon could be as many personal data collective action procedures as European countries, which would be contrary to the Regulation's objective of consistency. Are pan-european and global class actions possible? Processors which are processing personal data all around the globe can legitimately wonder whether the GDPR could give rise to multi-jurisdictional collective actions, including European and non- European data subjects. In this respect, the first issue lies with the GDPR's scope: 1) the GDPR does not restrict its application to the European citizens/residents (Article 1); 2) although not limitless, the territorial scope of the GDPR (Article 3) is very broad and could lead to the application of the GDPR beyond EU borders. The combination of potentially broad application of the GDPR and the choice of forum it provides to the data subject could, in theory, give birth to pan-european data The European data protection class action regime remains unclear at this stage. Its procedural framework and its applicability will need to be specified and improved. protection collective actions, which could include non-eu data subjects under certain circumstances. Nevertheless, the European data protection class action regime remains unclear at this stage. Its procedural framework and its application will need to be specified and improved. In this respect, some answers may come from the European Data Protection Board, which has been given the mission to issue guidelines, recommendations and best practice procedures (Recitals nos. 77 and 124 and Article 70). Applicability of the GDPR depending on the origin of the processor / controller and the data subject EU data subject Non-EU data subject EU processor / controller (main establishment in the EU) Non-EU processor / controller (main establishment outside the EU) with an affiliated entity having an activity in the EU Applicable Applicable * Applicable ** Applicable Applicable * Not Applicable Non-EU processor / controller (main establishment outside the EU) with no affiliated entity having an activity in the EU * provided that the processing of personal data was made in the context of the activities of the EU establishment, regardless of whether the processing takes place in the EU ** provided that the processing activity is related to the offering of goods or services or the monitoring of the data subject's behaviour

7 12 Hogan Lovells 13 Four key lessons when facing data class actions in Europe It is of critical importance for the controller to keep records of all measures, actions and elements likely to evidence compliance with the GDPR. Damages In the US, many class actions are dismissed for lack of 'standing', i.e. because the litigants do not demonstrate that they suffered an 'injury in fact' that is concrete and actual or imminent. Does the US 'injury in fact' standard apply for data class actions in Europe? Under the GDPR, data subjects have the right to recover both material damages and non-material damages (Article 82). Hence, in the event of liability, all damages which have been caused by the data protection infringement have to be compensated. This extended liability is remarkably different to the current legal situation under many Member States' data protection laws. Quick glance at France: the data class action 12 may be used to put an end to an infringement of the provisions governing the protection of personal data. The law expressly specifies that this class action cannot give rise to compensation in the form of damages. It is a purely injunctive form of collective redress. Yet, this position may evolve in the future as a bill is currently being debated and provides for the creation of a compensatory data class action 13. Quick glance at Germany: on 24 February 2016, a new German Act entered into force aimed at strengthening consumers' data privacy laws 14. Among other things, it adopted the mechanism called Verbandsklage. This is a representative action enabling qualified entities, e.g. consumer protection organisations, to bring an action against companies and individuals violating data privacy laws. It only enables organisations to claim for cease-and-desist judgments (injunctions). So, current claims for damages must be brought by individuals. The existing Verbandsklage does not provide for collective compensation, but may be a dooropener for large-scale lawsuits in Germany. The GDPR does not set forth any criteria for the assessment of the recoverable damage and leaves it to the applicable national laws. So Member States use their own national standards to determine whether the litigants have 'standing' and whether hypothetical, future or even anxiety damage may be compensable for instance. Article 82 of the GDPR is intended to act as a deterrent, making data protection breaches economically unattractive. Furthermore, the case-law of the Court of Justice of the European Union concerning non-material damages must be taken into account. According to the case law, the amount awarded should have a deterrent effect. This goal can only be achieved if the amount of damages awarded reaches a sufficiently significant level. Burden of proof Under the GDPR, the controller is responsible for ensuring and demonstrating that its processing activities are compliant with the provisions set out in the GDPR as well as with the laws of the Member States implementing the said Regulation. The controller must implement appropriate technical and organisational measures to ensure as well as to be able to demonstrate that processing is performed in compliance with the GDPR (Article 24).

8 14 Hogan Lovells Data class actions The era of mass data litigation 15 The broad territorial application of the GDPR and the choice of forum it provides to the data subject could give rise to forum shopping and multijurisdictional collective actions. The controller must keep records in writing including in electronic form of its processing activities and make the records available to the supervisory authority on demand (Article 30). The controller must record and document all personal data breaches comprising the facts relating to the personal data breach, its effects and the remedial action taken. These records must be disclosed to the supervisory authority on demand (Article 33). The GDPR imposes a strict liability regime on controllers: from the moment that a violation is recorded, compensation will be automatic. Data subjects can bring an action without having to prove any fault or negligence on the part of the controller. The burden of proving that it is not responsible for the event giving rise to the harm (i.e. the processing of personal data is performed in accordance with the GDPR and the national laws implementing the GDPR) falls on the defendant controller (Article 82). Controllers have to meet the new data protection requirements and must be able to demonstrate that the processing of personal data is performed in accordance with the GDPR and the laws of the Member States. So it is of critical importance for the controller to keep records of all measures, actions and elements likely to evidence compliance with the GDPR. Controllers must treat the GDPR's accountability mechanisms as pre-litigation strategy, designed to create documentation to show that the defendant applied appropriate technical and organisational measures. Territoriality The broad territorial application of the GDPR, and the choice of forum it provides to the data subject, could give rise to forum shopping and multi-jurisdictional collective actions, including European and non-european data subjects. The GDPR applies to: businesses that are established in the EU and process personal data (Article 3(1)); businesses that are established outside the EU if they process the personal data of EU residents when offering them goods or services or when monitoring the behaviour of EU residents (to the extent that such behaviour occurs in the EU) (Article 3(2)). Businesses not currently subject to the Data Protection Directive may become subject to the GDPR if they offer goods or services to EU residents or monitor their behaviour. Proceedings against a controller or processor may be brought by the data subject before: the courts of the Member State where the controller or processor has an establishment; or the courts of the Member State where the data subject resides (Article 79(2)). This choice of forum may lead data subjects to bring individual and class actions in a specific Member State to benefit from the differences in the national laws (e.g. 'injury in fact' standard, compensatory actions, compensation of material and nonmaterial damages). Quick glance at Austria: on 1 August 2014, an Austrian law student, Maximilian Schrems, filed a lawsuit against Facebook Ireland Ltd before the Vienna court based on allegations that Facebook's practices would breach privacy laws in numerous ways. In order to initiate a so-called "class action", Max Schrems created a website to invite any person having suffered the same alleged violations of their rights to join the lawsuit. On 12 September 2016, the Austrian Supreme Court referred two preliminary rulings to the Court of Justice of the European Union. On 25 January 2018 (case C-498/16), the CJEU found that Article 16(1) of Regulation 44/2001 could not be read as creating forum for claims that are assigned to Mr. Schrems. The CJEU explains that the exclusion from assigned claims is necessary for the attribution of jurisdiction to be predictable, which is one of the objectives of the Regulation. Discovery The GDPR does not create a pre-litigation discovery process. Yet, it sets forth some provisions requiring controllers to disclose evidence proving compliance with the GDPR. This may enable data subjects to build their case before filing a claim. The GDPR provides data subjects with a comprehensive right to access their own personal data through a subject access request (Article 15). The controller must respond to the subject access request within one month of receipt of the request (Article 12) and provide the data subject with a copy of all personal data which the subject has made available to it. The GDPR expands the mandatory categories of information which must be supplied in connection with a data subject access request (e.g. information about the purposes of the processing, the categories of data being processed, the period for which the data will be stored) (Article 13). This allows data subjects to be able to verify the lawfulness of the processing of their personal data. The controller may refuse to respond to a subject access request if it is manifestly unfounded or excessive. But the controller bears the burden of proving the request is manifestly unfounded or excessive (Article 12). Companies should be prepared that data subjects will exercise their right to lodge a complaint with a supervisory authority to access the findings of the administrative investigation (Article 77). It is likely that the data subjects will use this information in the course of civil proceedings. Due to this approach, data subjects can easily create a presumption of a data protection violation, and an even greater administrative burden is placed on controllers. Companies must be able to demonstrate that processing is performed in accordance with the GDPR (Article 24). This evidence should refer to the general efforts the company undertakes to implement the GDPR in accordance with the law. Additionally, the evidence should display the measures the company implemented with regard to the respective claimant. For this purpose, the companies should establish a system for logging individual processing operations to be able to prove who had access to a given individual's personal data, and what actions were taken with regard to the data. Conclusion Given the diversity of procedural rules in European Member States and the GDPR's broad territorial scope, we can expect plaintiffs to conduct forum-shopping to find the best national courts for launching data class actions. The GDPR's accountability provisions require defendants to affirmatively prove that they deployed "appropriate technical and organisational measures". Data processing records should be designed with this pre-litigation strategy in mind. Plaintiffs will use data access requests and complaints to Data Protection Authorities to help build a litigation file.

9 16 Hogan Lovells Data class actions The era of mass data litigation 17 A focus on certain Member States French initiatives: "class action" or "collective action" for personal data protection? Both the French Council of State in its annual report for 2014 as well as the National Digital Council (hereinafter, "CNNum") in its "Digital Ambition" report voiced support for the creation of an action enabling consumers to collectively seek redress for violations of regulations protecting personal data. However, their recommendations are different regarding the goal of this action. After some hesitation and numerous debates, the collective action for data protection finally became a reality in November 2016 thanks to the adoption of the law on the modernisation of 21 st century justice. Creation of a general framework applicable to class actions in France In the scope of the adoption of the Law on 21 st century justice, the French lawmaker intended to create a common general set of rules which would be applicable to various specific class actions. The ambition was, therefore, to create what could be described as a "class action common law", composed of a corpus of general rules which would be applicable to specific class actions, unless otherwise provided. Article 60 of the Law on 21 st century justice lists five specific class actions to which the common set of rules relates and is applicable and relating to: the fight against discrimination; discrimination in the workplace; environmental claims; health issues; and computer technology, data and freedoms (see below). Regarding the persons having the capacity to bring such a class action, only registered associations and associations which have been duly declared for at least five years, the statutory purpose of which includes defending interests that have been harmed will be able to initiate a claim 15. As to the goal of the class action, the Law on 21 st century justice specifies that the newly created action aims to either put an end to violations, compensate the damages, or both 16. Creation of a collective action for personal data protection A new Article 43 ter was created in Law no of 6 January 1978 relating to computer technology, data and freedoms (the "French Data Protection Law"). This Article provides a "class action" for "individuals" (hence excluding legal persons) who sustain a loss resulting from a breach of similar nature of the French Data Protection Law by a data controller or data processor. Article 43 ter of the French Data Protection Law expressly specifies that the action may only aim at putting an end to the infringement. Therefore, it cannot give rise to compensation of the damage suffered by the individuals. During the debates, the Rapporteur of the Law Commission of the Senate underlined the paradox consisting in requiring a proof of damage to bring this class action whereas this action does not enable the compensation of such damage 17. Lastly, Article 43 ter of the French Data Protection Law provides a list of the people entitled to pursue this action: mainly, authorised consumers or privacy protection associations and employees or civil servants' trade unions. A "class action" for "Individuals" [which] may only aim at putting an end to the infringement.

10 18 Hogan Lovells Data class actions The era of mass data litigation 19 Create means to an end the German Act and a new bill On 24 February 2016, a new German Act entered into force aiming at strengthening consumers' data privacy laws 18. Among other things, it adopted the mechanism called Verbandsklage. This is a representative action enabling qualified entities, e.g. consumer protection organisations, to bring action against companies and individuals violating data privacy laws. The downside of this action for claimants, however, is that it only enables the organisations to claim for cease-and-desist judgments (injunctions) that are not binding for further actions for damages. This problem could be tackled by the outcome of political initiatives seeking to introduce a means of collective action for declaratory judgments in consumer matters into German law. While the necessity to act is consensus among the political stakeholders in Germany, there is still discussion about the procedural means to be adopted. In particular, it remains unclear whether the action is going to be a representative action or a type of group action. Neither the injunction mechanism nor the planned collective action provide for compensation to victims and cannot be considered to be proper class actions. Having said that, we expect professional claimants, legal service providers, litigation funders and plaintiff lawyers to offer their services to the victims or "buy" claims from victims and thus bundle many fairly little claims into big claims worth pursuing. Another accelerating factor for future data privacy litigation could be the fact that German courts often rule that evidence which has been gathered in violation of data privacy rules needs to be excluded from civil litigation. Where courts rule that GDPR violations or infringements of other data protection laws result in the exclusion of evidence, there is also a high likelihood of financial compensation for immaterial data privacy damages. Representative action for injunctions an old mechanism extended to a new area The 2016 Act extends the scope of the socalled "Verbandsklage" limited to actions for injunctions in cases of violations of consumer protection laws to the data privacy field. This already existing mechanism of representative actions is a well-used instrument in cases of violations of consumer protection laws. The Federal Supreme Court, for example, declared some general terms and conditions of banks regarding high processing fees for loans void after the consumer association had brought an action 19. In such actions, qualified entities such as consumer protection organisations are entitled to sue without a special mandate by a victim. Before suing, the organisation is supposed to send a warning to the party liable and ask it to deliver a declaration of discontinuance. If the other party declines, the association can file a complaint with the court. In the proceedings, there are two special procedural changes: (1) before taking a decision, the court has to hear the competent data protection authority; and (2) if the action is successful, the claimant has the right, upon application to the court, to publish the judgment, including the name or designation of the defendant, in the German Federal Gazette, provided this would allow to inform defendants' customers that might be affected by the judgment. Collective actions for compensation in Germany not by a long shot The German Federal Ministry for Justice and Consumer Protection published a socalled "draft for discussion" concerning the introduction of a "Musterfeststellungsklage" (engl: "exemplary declaratory action") in the summer of According to the draft, proceedings have to be brought by a qualified entity. Consumers are not party to the proceedings but may benefit from the proceedings by registering with the action in the litigation register. By registering their claims, consumers can avoid the claim becoming time-barred. Goal of the action is a declaratory judgment on existence or non-existence of elements that are prerequisites for claims or legal relationships between consumers and entrepreneurs. The coalition agreement of the recently formed government takes up the plan to introduce the "Musterfeststellungsklage" and calls for a minimum quorum of 10 individual parties to register for bringing the action and an additional 50 applicants to join within two months before proceedings are initiated. The breach of the GDPR rules could be a typical subject matter for such an action. Consumers that registered can invoke the declaratory judgment in their own follow-on against the entrepreneur. The proceedings between the qualified entity and the entrepreneur can also end by a settlement option which includes the registered consumers.

11 20 Hogan Lovells Data class actions The era of mass data litigation 21 Now that a new government has been formed, this initiative might get some further traction. It remains unclear what a draft bill would look like, in particular whether it will incorporate amendments. As mentioned above, the concept does not aim at collective compensation. This might change in a future draft bill. The scope of the "draft for discussion" is not limited to a specific area of civil law. The only limitation is that the subject matter must involve a relationship between a consumer and an entrepreneur. It is, therefore, possible that a future collective action will be applicable to claims for damages under the GDPR. Claims for damages increased risk of bundling of claims Currently, claims for damages must be brought by the individual. Neither the existing Verbandsklage nor the potential Musterfeststellungsklage provide for collective compensation. There are three main scenarios for damage claims against entrepreneurs under German law: Option 1: damages are claimed and proven by each consumer individually. As long as damages are low, victims are not very likely to pursue their damages claims at their own as the cost of pursuing their claims is relatively high ("rational lack of interest"). Option 2: damages are claimed by not-for-profit bodies. We rather expect not-for-profit organisations to couple up with specialised lawyers to overcome this problem of a rational lack of interest as soon as the GDPR comes into force. Especially after a Verbandsklage, they may use the respective cease-and-desist judgment to actively promote mass claims for damages (e.g. on the internet). In contrast to the "Verbandsklage" and similar to the Musterfeststellungsklage the consumer organisation needs a concrete mandate by a victim to claim damages. In practice, it is therefore conceivable that if the breach of privacy laws affects a great number of victims, the not-for-profit organisations will actively call for the victims to mandate them and then bring mass claims. Option 3: similarly, we also expect professional claimants and plaintiff lawyers as we see them in product liability and antitrust cases offering to bundle damage claims for victims after data privacy breaches. As the GDPR explicitly provides for standing in order to sue on behalf of individuals by not-for-profit organisations we expect a rise in their numbers. The bundling of individual claims is often structured through special purpose vehicles ("SPV"), i.e. companies or foundations set up specifically to collect and pursue these claims. These SPVs use fully automated interactive web services and social media to collect or "buy" claims and thus keep their costs to a minimum. This approach enables them to build big cases with small claims. However, under current German case law, this option seems to work only for material damages, whereas non-material damages can be claimed only by the damaged persons themselves. This seems to be in conflict with the intention of the GDPR, though. This is why it is likely that nonmaterial damages will also be claimable by professional claimants in the future. In a nutshell, it seems very likely that Germany will see considerable GDPR-related data privacy litigation moving forward. Germany will very likely see considerable GDPR-related data privacy litigation moving forward.

12 22 Hogan Lovells Data class actions The era of mass data litigation 23 Italy would the current collective redress mechanisms protect against data breaches? Italian law provides for two different collective redress mechanisms: injunctive redress and compensatory redress (class action). Both mechanisms are open for the protection of the consumers' rights and interests set forth by the Italian Consumer Code, which consolidates provisions implementing inter alia several consumer-oriented EU Directives. Although data protection rights are not listed among those fundamental consumer rights that the Consumer Code protects, certain data breaches and violations of the GDPR could amount to unfair commercial practices and, as such, fall within the scope of application of the collective redress mechanisms described below. Injunctive collective redress Consumer associations that are considered to adequately represent consumers on a national scale and are duly enrolled in the relevant national register may act for the protection of consumers' collective interests by requesting the court to take the following actions: 1) prohibit conduct that may harm consumers' and users' interests; 2) take any appropriate action capable of correcting or eliminating the damage caused by the ascertained violations; and 3) order that the decision be made public on local and national newspapers, should this be helpful to correct or eliminate the damage caused. In cases of justified reasons for urgency, this type of claim may be heard by the court with the same summary procedure as that provided by the Italian Code of Civil Procedure for interim measures. When declaring the proceedings closed, the court sets a deadline for the losing defendant to comply and can also order the payment of a fixed amount for each day s delay in complying with it. Only authorised consumer protection entities listed in the above central registry have standing to sue in these proceedings. The single consumer or user lacks an autonomous standing to sue with reference to injunctive redress for collective consumer interests, albeit retaining their standing to sue in a parallel action in their own individual interest. The Italian Consumer Code makes no reference to the availability of such a mechanism for data breaches. Consequently, it might be inferred that no collective injunctive redress mechanism would be available to consumers who suffered violation of collective interests under the Italian data protection law currently in force or under the GDPR with, possibly, the exception of repeated and unsolicited offers via telephone, fax, or other means of communication, which could be considered as aggressive commercial practices. This conduct could fall within the scope of an injunction only if considered to be an unfair practice. Compensatory collective redress By means of a class action, claimants can seek compensation or merely seek a declaratory judgment that the defendant is liable without seeking compensation. The causes of action for a class action claim are the enforcement of "individual homogeneous rights of consumers and users" and "collective interests" with reference to the following rights: 1) contractual rights of a group of consumers/users in similar or the same circumstances vis-à-vis the same company (such as in case of standard agreements); 2) similar or the same rights of end consumers and final users of a product vis-à-vis the manufacturer (irrespective of whether or not there is a direct contractual relationship between them and the producer); 3) similar or the same rights of consumers in respect of unfair business practices or anti-competitive conduct. Standing to sue only lies with the individual member of a class. However, consumer associations can be mandated by consumers by means of powers of attorney to file class action claims before the court. Although the Italian Consumer Code does not provide any mandatory indication to this purpose, generally consumer associations bringing class actions are selected from among certain registered consumer associations (i.e. those consumer associations entitled to file injunctive actions). The individual class member may also bring the action via an association of which they are part of. In Italy, the procedure requires a preliminary admissibility check to be carried out by the court in order to assess whether requirements for a collective action are met. Only once the admissibility stage is positively cleared, may the court hear (and rule on) the merits of the case. For the case to be admissible, the relevant requirements are the following: 1) non-manifest groundlessness of the claim; 2) no conflict of interests (e.g. between class members or between the consumer association bringing the action and the complainant); 3) homogeneity of the individual rights claimed; 4) lead claimant's prima facie ability to adequately pursue the interest of the class (e.g. sufficient economic means to pursue the litigation). The court evaluates whether the above requirements are met and rules on the admissibility of the collective action after the first hearing. Further because of the limited criteria under which a class action may be declared admissible, the Italian class action mechanism has not proven to be appealing nor very successful. Italian law sets forth an opt-in system. By the order admitting the class action, the court defines, among other things, the eligibility criteria for the applicants to be included in the relevant class of consumers bringing the action. Once the class action is declared admissible, the claim is publicly circulated and class members may opt in within a peremptory deadline set by the court. No appointment of an attorney is required in order to opt in. By opting in, the subject joining to the class action (applicant) waives their rights to bring any individual claim for compensation or redress based on the same cause of action.

13 24 Hogan Lovells Data class actions The era of mass data litigation 25 The Italian class action mechanism has not proven to be appealing nor very successful. The court's judgment is binding on both the plaintiff and the class, irrespective of its content. Any settlement between the parties is not binding on any of the applicants who have opted in, unless the latter expressly declared itself to be willing to settle. If the claim is deemed well-grounded by the court, an order is issued awarding damages to those who joined the class action suit. Alternatively, the court may simply establish the homogenous criterion for the liquidated damages so that the parties will have a threemonth period to reach an agreement on liquidated damages. For the same reasons outlined for the collective injunctive redress, it may be inferred that class action is available only to those consumers who suffered violation of homogenous rights under the Italian data protection law currently in force or under the GDPR. Moreover, class action is also available if those data breaches can be deemed as amounting to unfair commercial practices. How to prevent and protect from class action? How to prevent a possible class action? Being fully compliant with the GDPR provisions and adopting a suitable and efficient privacy business model based on the following principles: 1) Transparency and lawfulness of the data processing. 2) Purpose limitation. 3) Data minimisation. 4) Accuracy. 5) Storage limitation. 6) Accountability. 7) Privacy by design and by default. 8) Security. With particular respect to the accountability obligation, the data controller (i.e. the entity which decides the purposes and modalities of the processing of personal data) shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. Among those measures, which need to be reviewed and updated, where necessary, are: 1) Data protection policies. 2) Record-keeping obligations. 3) Co-operation with Privacy Authority requests. 4) Security and notification of breaches. 5) Privacy impact assessments (risk assessment). 6) Prior consultation with Privacy Authority in high-risk cases. 7) Appointment of a Data Protection Officer when required by the GDPR. How to prevent a possible class action? Being fully compliant with the GDPR provisions and adopting a suitable and efficient privacy business model.

14 26 Hogan Lovells Data class actions The era of mass data litigation 27 Poland will the GDPR breathe some life into the Polish class actions? At present Currently, class action regulations in Poland are contained in the Act of 17 December 2009 on pursuing claims in group proceedings. Under the Act, a class may be formed by individuals whose civil law claims belong to the same category and are based on the same or analogous circumstances. Proceedings may be initiated by a minimum of 10 persons. The claims can be based on the following legal bases: 1) product liability; 2) tort; 3) non-performance or breach of contract; or 4) obtaining undue benefits. as well as other specific circumstances, but only with respect to consumers (e.g. claims resulting from the sale agreement, lease, etc.). Claims for infringement of moral rights cannot be pursued in group proceedings (unless they result from bodily harm). In the majority of cases, the infringement of rights protecting personal data amounts from the civil law perspective to the infringement of moral rights, thus cannot be the subject of group proceedings. However, there are cases when the infringement of personal data is a different form of tort. In these cases, class action is available. It should be noted, however, that group proceedings are not popular in Poland, as they are very time consuming and formalistic. Recent changes in the class action regulations aimed at making the proceedings quicker and easier have not as yet been tested in practice. After the GDPR Currently, there are two acts being drafted, which are aimed at ensuring appropriate application of the GDPR in Poland. One of these acts expressly gives the data subjects the possibility of pursuing civil law claims in connection with infringement of their personal data. The claims available, however, are limited to requesting cessation of infringing actions and restitution of the legal status to that which existed before the infringement happened.

15 28 Hogan Lovells Data class actions The era of mass data litigation 29 Spain how class actions would work under the GDPR in Spain The Spanish Procedural Law regulates collective actions (the Spanish rough equivalent to 'class actions') and the impact that a judgment issued in a proceeding of this type may have on third parties who did not participate in the proceeding but who under certain circumstances might be entitled to request the enforcement in their favour of a ruling resolving the collective action's petitions and awarding a compensation to the "class" that has suffered the damage due to the breach of data protection rights. This said, it should be noted that the term 'class action', frequently used in Anglo-Saxon systems cannot be literally applied to the Spanish jurisdiction. It is more appropriate to speak about 'collective actions', since the scope given by the Spanish legislation to 'class action' has been limited to consumers and users. Different types of collective actions As a starting point, we have to distinguish between the different types of interests regulated under Spanish law depending on the possibility of identifying the affected parties where: 1) the affected parties are determined or can be easily determined, for instance, the victims of a coach accident, Spanish law refers to collective interests; 2) those affected parties cannot be easily determined, for instance, consumers affected by a misleading advertising campaign, Spanish law refers to vague interests or "diffused" interests (intereses difusos) The right to initiate proceedings on behalf of collective interests is regulated under article 11.2 of the Spanish Procedural Law, under which three different categories are entitled to bring class actions: (1) groups of affected people; (2) entities legally constituted to defend such interests; and (3) consumer and user associations. 1) As regards the groups of affected people, in order to act validly and be entitled to bring a lawsuit as a group they must be necessarily constituted by the majority of the affected parties in order to bring a lawsuit (as per Article of the Spanish Procedural Law). Taking into account that the burden of proof of proving this majority relies on the group of affected people, the Spanish judicial system has made available to them the possibility of starting a separate judicial proceedings aimed at carry out investigations concerning the total number of affected people. In any case, the practical difficulties of bringing actions under this category are evident because of said requirement. In relation to entities legally constituted (that is, associations different from consumer and user associations or cooperatives); they will also be entitled to bring actions on behalf of collective interests as long as they have been duly constituted with the corporate purpose of protecting the interests and rights of its members and such rights are the ones that give rise to the claim. 2) As per the most important category, consumer and user associations, which are governed by the General Law for the Protection of Consumers and Users, are entitled to bring actions regarding defense of collective interests of consumers and users, as well as diffused or vague interests. Collective actions in privacy and data breaches cases As per privacy and data breach cases, the association with legal entitlement to initiate legal actions regarding data protection rights would be one of the associations to which Article 80 of the GDPR refers and which has been authorised to act in Spain. Once a judgment has been delivered by the court, the parties that did not take part in the proceedings will be able to enforce the judgment so long as they are able to prove to the court they meet the requirements to be deemed an affected party. Once they are acknowledged by the court as an affected party, they will be able to request the enforcement of the judgment issued in the class action proceeding for their own benefit. Unlike other jurisdictions, the Spanish legal system does not provide an 'opt out' option for those affected people who prefer not to be bound by the result of the class action but advertising duties rely on the parties intending to bring class actions so that other affected people are aware of the proceeding and have the opportunity to join ('opt in'). In spite of a collective action having being brought, the affected parties that have not opted in and wish to bring their own lawsuit are entitled to do so separately or they can wait until the collective action is resolved and then request the enforcement of the ruling for their benefit provided they meet the criteria set out in the ruling for third parties to do so. In our case, the criteria would refer to the circumstances in which it will be considered that the data protection rights of a specific individual have been breached, for example if the medical data of a hospital have been leaked the ruling would indicate that the people who were patients at the said hospital during a specific period of time would be able to benefit from the compensation established in the ruling, which might be graded according to how sensitive the information leaked was. The right to initiate a proceeding on behalf of collective interests is regulated under article 11.2 of the Spanish Procedural Law, under which three different categories are entitled to bring class actions: (1) groups of affected people; (2) entities legally constituted to defend such interests; and (3) consumer and user associations.

16 30 Hogan Lovells Data class actions The era of mass data litigation 31 The Netherlands will the future collective damages action boost data litigation? The Netherlands has a long-standing practice of collective redress with two statutory collective redress mechanisms. The first is a representative collective action which can be used by a foundation or association on behalf of interested parties to obtain a declaratory judgment against a third party. The second statutory mechanism enables a collective settlement of mass damages claims on an opt-out basis with a potential worldwide class (the class is not limited to Dutch members). Key development in the Netherlands is a legislative proposal submitted to parliament in November 2016 aimed at introducing a US-style 'class action' in the Netherlands (the "Legislative Proposal"). The Legislative Proposal introduces the option to claim monetary damages in a collective action on an opt-out basis (a collective damages action). What makes all (existing and proposed) collective redress mechanisms in the Netherlands unique within Europe is that the use is not restricted to a certain type of damages. All mechanisms can therefore be used to claim damages suffered as a result of violation of privacy laws. Although privacy litigation is not yet booming in the Netherlands, this may change with the future arrival of the GDPR and the collective damages action. Dutch Collective Settlements Act (WCAM) Dutch law firstly provides for a system based on a collective settlement on an opt-out basis. The rules governing this collective settlement can be found in the Wet Collectieve Afwikkkeling Massaschade, hereinafter, the "WCAM". The WCAM enables the collective settlement of mass damages claims. Pursuant to the WCAM, the collective settlement has to be concluded between, on the one hand, one or more associations or foundations representing the interests of a group of injured parties who suffered alleged damage and, on the other hand, the party or parties allegedly causing the damage. Once such settlement is reached, the parties can submit a joint application to the Amsterdam Court of Appeal (that has sole jurisdiction), requesting it to declare the collective settlement binding. If the Amsterdam Court of Appeal declares the collective settlement binding 20, the settlement agreement will, in principle, bind all injured parties falling within the scope of the settlement agreement, whether known or unknown and whether residing in the Netherlands or abroad. Those injured parties who do not want to be bound by the settlement agreement have the option to opt out, but they must do so within a specified limited period of time. Collective action Secondly, Dutch law provides for a collective action which can be instituted by a foundation or association whose statutory goal is to represent the interests of groups of injured parties having similar damage claims and having a similar interest in holding a third party liable for the damage suffered by such group of injured parties. The foundation or association initiating the collective action must also have full legal capacity. However, a foundation or association shall have no course of action if, in the circumstances, it has not made a sufficient attempt to achieve the objective of the collective action through consultation. The collective action can (only) be used to seek a declaratory judgment against the third party that the third party acted wrongfully. Thus, current Dutch law does not provide for a collective damages action (which is about to change). Despite the fact that currently no damages can be claimed through an action, such collective actions have been employed successfully to obtain declaratory judgments in which it is confirmed that one or more defendants acted wrongfully and are liable to pay damages. Although individual victims still need to file follow-on suits to obtain damages (or enter into a (collective) settlement with the former defendant), they can rely on the findings of the court that heard the collective action on common issues such as wrongfulness and duty of care. The future: collective damages actions The Legislative Proposal introducing a 'US style' class action may form a boost for privacy litigation in the Netherlands. The Legislative Proposal is intended to facilitate claims for monetary damages in such The new collective damages action can potentially have an international scope in privacy litigation cases.

17 32 Hogan Lovells Data class actions The era of mass data litigation 33 collective actions on the basis of an opt-out system. The class will in principle be limited to Dutch class members only, giving foreign class members the opportunity to opt in. No rule without an exception: upon request by one of the parties, the court may also apply the opt-out regime to those foreign class members who are 'easily identifiable'. In view of the fact that victims of violation of privacy law can be often be identified without too much trouble, the new collective damages action can potentially have an international scope in privacy litigation cases. The Legislative Proposal still requires approval from both chambers of Parliament. Should the Legislative Proposal be adopted (without any major amendments), it is expected that this will change the current Dutch landscape with respect to collective redress significantly. In practice no successful class actions on privacy matters yet Privacy Litigation is still scarcely out of the egg in the Netherlands, despite there being a long-standing, full-grown collective redress practice. Dutch case law shows one reportable (unsuccessful) collective action in the privacy field 21. The case concerns an action brought forward by a Dutch foundation called Privacy Claim against Precent Ltd, which used sensitive personal data (health information) without a legal basis. In this case, the Dutch District Court ruled that the privacy claim did not meet the criteria for filing a collective action, among others as the interests of the affected data subjects were not sufficiently protected, the claim was not supported by the affected data subjects and the articles of association of the foundation did not contain securities that granted damages would be paid to the affected data subjects. With the future arrival of the GDPR and a collective damages action, privacy litigation is expected to expand in the coming years.

18 34 Hogan Lovells Data class actions The era of mass data litigation 35 United Kingdom the Morrisons' effect the dawn of a new wave of class action for personal data breaches in the UK? In the UK, there are a number of ways in which litigation can involve multiple claimants. These include: (1) Claims by more than one claimant managed together under the courts' case management powers under the Civil Procedural Rules. (2) Group litigation orders (GLOs) where more than one claimant has a cause of action raising common or related issues of fact or law to be grouped and managed together. (3) Claims by representative claimants where more than one person has the same interest in a claim. Historical use of collective action mechanisms in the UK Historically, the types of claims brought under these collective action mechanisms were competition claims, personal injury or product liability claims and pensions disputes. First use of collective action in data privacy case The end of 2017 saw the first data privacy dispute to be heard by the English courts using a collective action mechanism. In Various claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB), the High Court considered whether an employer should be vicariously liable for an employee's deliberate disclosure of his co-workers' personal information. The judgment, handed down in December 2017, related to liability only (as is common in English cases). Once liability is established, damages are assessed at a separate hearing (or agreed if the case settles following the judgment on liability). In the Morrisons case, Mr Skelton was employed by Morrisons as a senior IT auditor. In his role, he had access to personal data about employees, including their payroll information. As well as his job at Morrisons, Mr Skelton sold a legal slimming drug on ebay. One day, a package he had sent through the company post room split revealing a white powder. The police were called and Mr Skelton was arrested as there was a concern that the powder was an illegal substance. When he returned to work, Mr Skelton was subjected to a disciplinary procedure for the powder incident. He lost the disciplinary action but remained at the company. Later that year, Mr Skelton

19 36 Hogan Lovells Data class actions The era of mass data litigation 37 was tasked with sending payroll data to Morrisons' external auditors. He copied this data onto a personal USB stick and then posted a file containing the personal details of almost 100,000 employees on a file-sharing website and sent it to several newspapers. Mr Skelton was arrested and charged with fraud, an offence under the Computer Misuse Act 1990 and under section 55 of the Data Protection Act 1998 (DPA). He was sentenced to eight years in prison. Over 5,500 employees whose data had been disclosed made a group civil claim against Morrisons for: 1) breach of duty under section 4(4) of the DPA, particularly non-compliance with data protection principles 1, 2, 3, 5 and 7; 2) misuse of private information; and 3) breach of confidence. The claims were typical for a breach of this nature. What made the case unusual was the fact that this was a group civil claim. The claimants argued that Morrisons had primary liability for its own acts and vicarious liability for Mr Skelton's actions. The claims for primary liability were dismissed. The court also dismissed all the claims of noncompliance with data protection principles 1, 2, 3 and 5 as it concluded that Morrisons was not a data controller for these purposes and as such did not owe a duty of care to the claimants. However, the court ruled that Morrisons had not taken appropriate technical and organisational measures under DPP7. DPP7 stands apart from the other principles as Morrisons was undoubtedly the data controller of the information at the time the duty fell to be discharged. Morrisons should have taken steps to ensure that the data stored on Mr Skelton's laptop for the legitimate purpose of transferring it to Morrisons' auditors was then deleted from his laptop. It should have had in place an organised system for the deletion of data. As far as vicarious liability was concerned, the court held that where an employee misused his position with an employer to harm others, it was only fair that the employer that had entrusted the employee with that position should be held responsible. The conclusion that Morrisons was vicariously liable was the same for the claims under the DPA, misuse of private information and breach of confidence because the actions constituting the legal wrong were the same in each case. Morrisons has been granted leave to appeal. If it is unsuccessful, even if the damages awards for each affected employee are individually small, given the number of employees involved, the financial implications for the business are potentially huge. Increased use of collective actions likely when the GDPR comes into effect With the entry into force of the GDPR, we are likely to see a greater number of similar collective actions for data privacy breaches in the UK, in particular combined with claims for breach of confidence and misuse of private information. Whether we will see a slew of class actions as in the US remains to be seen but we would expect to see more claims along the lines of the Morrisons' model, particularly where there has been a widespread cyber breach. What can organisations do now to protect themselves? Organisations must ensure that they have put in place appropriate technical and organisational measures to protect as best they can the personal data they process or control to guard against the wrongful actions of their own staff and hackers. This will become even more important after 25 May 2018 since then organisations not only risk significant damages awards under civil collective actions but also significant fines from the regulators if they lose or misuse personal data.

20 38 Hogan Lovells Data class actions The era of mass data litigation 39 Christine Gateau Partner, Paris T christine.gateau@hoganlovells.com Detlef Hass Partner, Munich T detlef.hass@hoganlovells.com References Winston Maxwell Partner, Paris T winston.maxwell@hoganlovells.com Christelle Coslin Counsel, Paris T christelle.coslin@hoganlovells.com Pauline Faron Senior Associate, Paris T pauline.faron@hoganlovells.com Eduardo Ustaran Partner, London T eduardo.ustaran@hoganlovells.com Valerie Kenyon Partner, London T valerie.kenyon@hoganlovells.com Matthew Felwick Partner, London T matthew.felwick@hoganlovells.com Marek Wroniak Partner, Warsaw T marek.wroniak@hoganlovells.com Ewa Kacperek Counsel, Warsaw T ewa.kacperek@hoganlovells.com Matthias Schweiger Partner, Munich T matthias.schweiger@hoganlovells.com Tim Wybitul Partner, Frankfurt T tim.wybitul@hoganlovells.com Martin Strauch Senior Associate, Munich T martin.strauch@hoganlovells.com Manon Cordewener Partner, Amsterdam T manon.cordewener@hoganlovells.com Joke Bodewits Counsel, Amsterdam T joke.bodewits@hoganlovells.com Sanne Bouwers Associate, Amsterdam T sanne.bouwers@hoganlovells.com Marco Berliri Partner, Rome T marco.berliri@hoganlovells.com Christian Di Mauro Partner, Milan T christian.dimauro@hoganlovells.com 1) See In re Facebook Internet Tracking Litig., No. 5:12-md EJD, 2015 WL (N.D. Cal. Oct. 23, 2015). ; LaCourt v. Specific Media, Inc., No. SACV GW(JCGx), 2011 WL (C.D. Cal. Apr. 28, 2011). 2) See, e.g., Reilly v. Ceridian Corp., 664 F.3d 28 (3d Cir. 2011); Whalen v. Michael Stores Inc., 689 Fed.Appx. 89 (2d Cir. 2017); In re SuperValu, Inc. Customer Data Breach Litig., 870 F.3d 763 (8th Cir. 2017). 3) See, e.g., In re Zappos.com Inc.. Customer Data Security Breach Litig., -- F.3d --, No , 2018 WL (9th Cir. Apr. 20, 2018); Remijas v. Neiman Marcus Grp., Inc., 794 F.3d 688 (7th Cir. 2015). 4) See, e.g., Remijas., 794 F.3d 688 (7th Cir. 2015). 5) Spokeo, Inc. v. Robbins, 136 S.Ct (2016) 6) See Federal Trade Comm n v. Wyndham Worldwide Corp., No , 2015 WL (3d Cir. 24 August 2015). 7) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and of the free movement of such data (the "Data Protection Directive"). 8) Explanatory Memorandum of the Regulation Proposal 2012/0011 on the protection of individuals with regard to the processing of personal data and the free movement of such data (General Data Protection Regulation) published by the European Commission on 25 January ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. 10) C.f. 11) Such as in Austria with Max Schrem's case and the website fbclaim.com. 12) Article 43 ter III. of the Law no of 6 January 1978 relating to computer technology, data and freedoms (the "French Data Protection Law"). 13) Bill no. 490 on personal data privacy, adopted by the French National Assembly on 13 February ) Act for improvement of civil law enforcement of consumer protecting provisions of data privacy law of February 17, 2016, BGBl I 2016, ) Law on 21st century justice, Article 63 16) Law on 21st century justice, Article 62, 2 17) Report no. 839 ( ) of Mr. Yves Détraigne on behalf of the Law Commission of the Senate, filed on 21 September 2016, p ) Act for improvement of civil law enforcement of consumer protecting provisions of data privacy law of 17 February 2016, BGBl I 2016, ) E.g. German Federal Supreme Court, judgment of 27 January 2015, file no. XI ZR 174/13 and judgment of 13 May 2014, file no. XI ZR 405/12. 20) In order to decide whether or not the collective settlement can be declared binding, the Court of Appeal has to determine whether the settlement meets the statutory requirements and whether the interests of the injured parties are sufficiently protected. In this respect, the Court of Appeal should determine, amongst other things, whether the statutory goal of the foundation or association requesting the Court of Appeal to declare the settlement binding on all injured parties, is to represent the interests of the injured parties and whether the amount of the compensation to be paid to the injured parties is reasonable (thereby taking into account the extent of the damage, the ease and speed with which the compensation may be obtained and the possible causes of the damages). 21) District Court Oost-Brabant 20 July 2016, ECLI:NL:RBOBR:2016:3892 (Privacy Claim/ Precent B.V.) Gonzalo Gállego Partner, Madrid T gonzalo.gallego@hoganlovells.com Massimiliano Masnada Counsel, Rome T massimiliano.masnada@hoganlovells.com Jose Luis Huerta Partner, Madrid T joseluis.huerta@hoganlovells.com Michelle Kisloff Partner, Washington, D.C. T michelle.kisloff@hoganlovells.com