The enhanced private right of action under the EU General Data Protection Regulation has seen a recent uptick, and that trend might continue. 

A development in Belgium this week could catalyze increased efforts for civil litigation in that member state. Belgium's Ministry of Employment, Economy and Consumer Affairs granted NOYB, a nonprofit group created by Max Schrems, status as a "qualified entity," allowing it to bring collective-action suits under the Belgian Code of Economic Law. Belgium requires an approval procedure for any out-of-country nonprofit consumer organizations seeking to bring class suits to its courts.

In a public release, NOYB Senior Lawyer Robert Romain applauded the news, saying, "Some member states do not even have a procedure close to a class action or a collective redress mechanism. … In Belgium, not only do class actions exist, but they are open to non-Belgian non-profit organizations."

Fieldfisher Partner Tim Van Canneyt, CIPP/E, said that, to his recollection, NOYB is the first data-protection-focused nonprofit that has achieved qualified entity status in Belgium.

NOYB said the decision will pave the way for it to represent users against companies in suits over GDPR violations. The new legal capabilities could place additional pressure on multinationals in the EU — or at least that's NOYB's hope.

"Consumer organizations can have real leverage with representative actions," Romain said. "It is likely that companies will finally comply with the law to avoid big financial claims. Going to court may also be more efficient since the case does not have to go through the (GDPR's) one-stop-shop mechanism."

This avenue offered by the Belgian regime is relatively new, according to Van Canneyt, who noted it only just came into effect in 2014. Only groups of consumers or small- and medium-sized enterprises represented by nonprofit groups or public bodies can bring a case.

"The action is only admissible if it appears that it is more effective than an individual action," Van Canneyt said. "Both an opt-in and opt-out approach are possible, and — interestingly — it is the judge who will decide which option shall be retained for a particular case at the time when he renders the decision on the admissibility. In some cases, the opt-in system is mandatory."

Van Canneyt added NOYB's new status and future actions could be "a game-changer" due largely to the fact that many organizations' EU operations are headquartered in Belgium. He added if the nonprofit "starts initiating data-protection-related actions for collective redress on a regular basis, companies that do not comply with the GDPR will now also need to factor in the risk of having to pay substantial amounts of compensation to data subjects." 

However, NOYB will not have free rein over the actions it chooses to bring before the Belgian courts. Steptoe & Johnson Partner Charles-Albert Helleputte, CIPP/E, indicated any company seeking to bring an action will have to square it up the Code of Economic Law.

"While allowing those actions for a number of instruments, including the GDPR, their admissibility should pass a form of 'efficiency test,'" Helleputte said. "The procedure has, however, the benefit of including the opportunity for settlement in due course.

"Whether or not you agree that collective redresses should prevail on (data protection authority) investigations, this is just a new reality that both companies and the Belgian Data Protection Authority will need to embrace."

Van Canneyt surmised it is possible "that the risk of class action becomes the main driver for GDPR compliance throughout the EU." 

Photo by Yannis Papanastasopoulos on Unsplash