With regulators faltering, privacy activists are turning to the courts to get the rules enforced.
8/30/20, 5:00 PM CET
Updated 9/1/20, 7:29 PM CET
The shift toward lawsuits hints at growing disappointment with a hydra-headed privacy system that counts dozens of EU regulators | Stephane de Sakutin/AFP via Getty Images
Forget regulators. Consumer groups and campaigners who want to see their GDPR complaints wrapped up in a timely manner are increasingly turning to Europe’s court system for results.
A nonprofit group is planning to sue Chinese-owned app TikTok in a Dutch court as EU regulators squabble over who has jurisdiction over the company. Oracle and Salesforce face legal complaints over privacy in the U.K. and the Netherlands. And while the U.K. data regulator has spent more than a year grappling over a planned £99 million fine against hotel chain Marriott, a complainant has now sued the company over the same privacy breach.
The shift toward lawsuits hints at growing disappointment with a hydra-headed privacy system that counts dozens of EU regulators, but is still struggling to finalize a single major investigation more than two years after the GDPR came online.
While France’s regulator hit Google with a €50 million fine in 2019, the grouping of European privacy watchdogs — which is meant to sign off on major regulatory action — has yet to do so for any major tech company despite dozens of open probes.
Much of the criticism lands on the doorstep of Ireland’s Data Protection Commission, which is in charge of overseeing many of the biggest Silicon Valley companies. The watchdog finalized its first cross-border investigation of the GDPR era, targeting Twitter, in May. But the terms of that decision, which have not been made public, have triggered a formal dispute between regulators, delaying a final outcome by many more months.
“Given the delays, this is certainly worth a go” — Michael Veale, British computer scientist and privacy campaigner
“Data protection law is primarily enforced by regulators, who have investigative powers, but in theory can be enforced directly by citizens in courts. Given the delays, this is certainly worth a go,” said British computer scientist and privacy campaigner Michael Veale.
Taking back control
Rebecca Rumbul, a U.K. researcher and representative for a data protection claim against tech companies Oracle and Salesforce, pointed to a range of weaknesses among regulators as the reason she decided to bring her complaint to the courts.
“They [regulators] don’t have the resources to investigate an individual complaint and take on a massive organization like Oracle,” she said.
It’s not just the promise of a speedier resolution that is pushing complainants to shun regulators. Going to court gives them much more control over a case, as well as the ability to set a legal precedent once a verdict is rendered.
Filing a complaint with EU privacy regulators leads to years of wrangling that can end up with cases being bounced to the Court of Justice of the European Union. Regulators can also decide to settle complaints with the companies directly, cutting out the complainants.
“If you go straight to the court, you skip the first step [of going to a regulator], and you retain control over whether or not you settle,” said Veale.
Another enticement is the fact that courts, unlike the regulatory process, offer the promise of compensation for victorious parties.
“Regulatory fines do not provide recompense to individuals who had their data stolen,” said Martin Bryant, who recently launched a data breach claim against the Marriott hotel chain. He added that his claim was meant to “complement” regulatory enforcement and act as a “deterrent.”
Next up: Class actions
Collective legal claims — called class actions — have historically been far less common in Europe than in the United States, where the threshold for launching them tends to be lower. But that could be changing, including for privacy-focused cases.
“The right to claim immaterial damages in combination with mass action mechanisms may well lead to something very similar to a U.S.-style class action culture in Europe,” said German data protection lawyer Tim Wybitul.
He noted that a German court had recently awarded a claimant €5,000 because their former employer, a private company, allegedly failed to properly respond to an access to data request.
Before 2018, many EU jurisdictions did not allow people to claim compensation for data protection violations that did not harm them financially. The GDPR changed that.
The EU is also finalizing a new law called the Collective Redress Directive, which will boost the ability of consumers to bring data protection claims to court.
“EU collective redress rights may give this already explosive situation an additional boost. But in most countries there already are mechanisms in place to bundle claims for immaterial GDPR damages,” Wybitul said.
The threshold for launching class action lawsuits tends to be lower in the U.S. | Tasos Katopodis/Getty Images
Data breach class actions have also become de rigueur in the U.K., where a London court last year ruled that a case against Google tracking iPhone users could proceed, overturning a lower court’s decision and potentially widening the scope of claims that can be brought under the GDPR.
An April ruling in an English court also left the door open to companies being held liable for data breaches they aren’t directly responsible for.
Going directly to court opens up a new front in the fight against data protection abusers, but is not necessarily straightforward.
Courts might not yet be savvy enough to deal with technical data protection questions in the same way as regulators. Companies may choose to throw money at claimants in court rather than follow regulator orders to fix underlying issues with their practices.
Launching a court case also doesn’t come cheap. Rumbul’s case was only made possible by a litigation funder, for instance. And the influx of for-profit companies also raises questions about the motivation behind claims.
Class actions are a big business in the U.S., and according to Wybitul, European consumer lawyers and litigation funders seem to be waking up to the opportunities offered by claiming immaterial damages under the GDPR.