In the U.S., it is quite common to sign a waiver at everything from your local gym, the tanning salon (you aren't still tanning, are you?) or the kids' playplace indicating that you assume the risk of the activity and agree not to sue the company facilitating it in the case of injury. That's because companies are well aware of Americans' proclivities to sue, in some cases, as part of a class action, when an injury occurs. To date, much of Europe hasn't experienced the same court clogs that American courts have. But that seems to be changing. 

The EU General Data Protection Regulation ushered in an enhanced private right of action for violations of the law, for both material and non-material damage. Plaintiffs can sue for compensation based on the damage suffered. Attorneys say there's now a significant uptick in cases brought alleging such a grievance has occurred, often as a "follow-on" to data protection authorities' investigations. And depending on any given judge's sympathy for plaintiffs alleging data misuse, as well as how sizable the class is, the cost to organizations could be significant.

Tim Wybitul, CIPP/E, an attorney at Latham & Watkins in Germany, says Article 82 of the GDPR has been a "game-changer" for civil litigation. 

"Normally, under German law, you just don’t compensate for immaterial, emotional damages except for under extreme circumstances, and even then we’re just talking about peanuts," he said. "So the situation is that whenever a plaintiff argues or used to argue, 'My data was processed in an unlawful manner,' a judge would look at you and say, 'So what, what’s the damage?' But the change we have here is that the GDPR pretty much says you need to compensate for immaterial damages. And as you can imagine, that’s quite a feast for litigation funders and consumer protection lawyers." 

That's because when there has been a case of unlawful data processing — say, a data breach has occurred, for example — there are typically thousands or even millions of individuals potentially involved. And that makes it very easy for an on-the-rise enterprise, litigation "funders," to assemble a class of people to file a case. In some instances, litigation funders hear about a breach and then advertise on websites for individuals who think they could be part of the affected group and want to get in on a cashout. 

In addition, Wybitul noted, Article 5, Paragraph 2 of the GDPR states the controller must be in a position to document and prove it processed personal data in a manner that is compliant with the GDPR, which essentially shifts the burden of proof from the plaintiff to the defendant.

Wybitul has successfully defended a number of clients in such cases by alleging to German judges that the case isn't about how the data was processed but simply about money. 

"And then obviously you argue that the GDPR actually doesn't mean or doesn't intend to shift the burden of proof in procedures," he said. 

In the U.K., Orrick's Keily Blair, CIPP/E, and James Lloyd are seeing a similar trend.  

“What we’re seeing now on the ground in the U.K. is, I would say, about five years behind the American market," Blair said. "The interesting thing in the U.K. is we’re seeing an emergence of group actions in this space either through group litigation orders — which are opt-in class litigations, essentially — but also the possibility of opt-out actions or representative actions."

She said such actions are relatively new in the U.K. because it has been reticent to let class actions take hold "for fear it would open the floodgates." But changes to the U.K.'s Civil Procedure Rule made space for such claims. 

"Folks have been trying to use group actions for about a decade now, if not more," Lloyd said. "The difficulty has been identifying the class. The courts have always struggled to figure out where certain claimants have had a specific loss. Everyone is alleging ‘distress,’ now there is a push to try and rely on misuse of data and user damages, which means that the differences fall away.”

But there's another trend seen by Wybitul in Germany and Blair and Lloyd in the U.K.: "follow-on" claims — claims brought based mainly on a regulatory finding and seeking private damages. That has changed both the organization's risk appetite in its decision to accept or appeal a DPA's fine, as well as the relationship between organization and DPA in talks leading up to a fine. 

“In the past, pre-GDPR, when the fine was low, organizations may have been willing to take (a fine) as a slap on the wrist and move on. And what we’re seeing now is organizations are looking in detail at the text of regulatory findings that could give rise to civil litigation, and we’re seeing them appealing the fines even if comparatively low, because of the level of damages they could end up paying there.”

That's because a DPA's findings are being used in such follow-on claims, often verbatim. 

Lloyd said a regulator’s decision for a potential claimant is so key now because it "bears your liability ready-baked. All of your work you’d normally have to do to be bringing a case — investigating, getting together disclosure and discovery, interviewing witnesses and getting the evidence to producing ultimately will back up what you’re saying — is already done for you. The regulator has taken all the trouble."

He said the text of the decision is critical because if the organization involved believes the case might incite follow-on claims, it's going to want to push back on any perceived hyperbole or unsupported statements before they hit the public domain. 

Blair said the changing landscape has in turn changed the way she and her colleagues advise clients on how to deal with the regulator. Whereas the phrase they used to use was "whole cooperation," where the client might go in for sandwiches and a chat, that's now shifted to "considered cooperation," mindful of the outcome. 

"Certainly in Europe, we’re immature in terms of treating privacy regulators with the respect they deserve, but also with the caution they deserve, too," she said. "The change in risk really changes that dynamic, and I think companies have been a little bit slow to recognize that."

Lloyd said the GDPR and subsequent U.K. Data Protection Act 2018 have "completely changed the dynamic of these discussions because just the risk for companies now even entering into those discussions is so much greater. ... The risk is potentially even greater than the fine in terms of the total amount of damages claimed by a potential class-action. It’s all very well the regulators are saying ‘We want nice fireside chats,’ but companies ought to be thinking, 'This is a regulator, much like any other regulator. It has serious powers to investigate, to fine, and we’re at risk of having a decision that goes against us in any potential litigation.'”

And that's being facilitated by a rising number of "ambulance chasers," in a sense — groups looking for potential claims to file on behalf of a class, the only real job being to assemble the class itself.

Given the trend of seeking claims for immaterial damages, Wybitul predicts a future in which firms are facing litigation for things like not presenting a privacy notice to a plaintiff — technically, a GDPR violation, but was there damage done? Does anyone actually read a privacy notice? And that will probably happen via the DPA, to start. 

"Whenever a plaintiff’s attorney wants to pursue a company, it makes a lot of sense to issue a complaint to a DPA on behalf of their client, and then that forces the DPA to investigate the case, and then after a while, using the Freedom of Information Act, you request the file and the decision. And then it is all black and white. If you have a case where the DPA ruled this type of data protection is unlawful, that’s a pretty easy case for a plaintiff’s lawyer."

Said Lloyd, “If I was a betting man, I’d say in five years' time the landscape is going to look very different, and those interactions with the regulator are going to be much more similar to the types of interactions folks have with financial regulators.”

Time will tell if judges lose their appetite for these kinds of claims, but it seems only the beginning of a winning proposition for claims groups and potentially a losing one for companies. 
