Media Centre

European Parliament Endorses Collective Actions for Data Protection Violations

26 November 2020


Technology & eCommerce Regulation in the Spotlight

The European Parliament has endorsed legislation that would provide EU consumers with a right to file class action lawsuits with regard to their collective interests.

Currently, collective redress systems only exist in certain EU jurisdictions. This new legislation, titled ‘the Collective Redress Directive‘ (“Directive“), is aimed to revise and harmonize the current legal regime regarding for representative class actions across the EU and to remove financial barriers, which could limit the ability of individuals to file lawsuits in cases of mass harm. As this new legislation is a directive, rather than a regulation, it will not automatically apply across and each member state would have to implement it in national legislation.

The scope of the Directive is broad and covers all infringement of EU law by traders (such as multinational companies), which harm the collective interests of EU consumers. Consequently, this new legislation would also cover data protection violations, including infringements of the General Data Protection Regulation (“GDPR“). Successful lawsuits may lead to legal remedies including, inter alia, declaratory orders or compensations.

Under the Directive, only qualified entities, namely consumer organizations or public bodies (rather than law firms), may represent groups of consumers and bring lawsuits to court. In cases of cross-border actions, such qualified entities will have to comply with the same threshold all across the EU. For example, they will have to demonstrate their public activity, prove a certain degree of stability, and that they are a non-profit organization. In cases of domestic actions, qualified entities would be subject to criteria as set out in the implementing national law.

While the Directive increases the risk of litigation for consumer-facing entities doing business in the EU, it also provides various safeguards with the goal of protection such entities from abusive lawsuits, aside from restricting the bodies that can bring a representative action to certain qualified entities. For example, the Directive implements the “loser pays principle”, which ensures that the defeated party pays the costs of the proceedings of the successful party. In addition, courts or administrative authorities are allowed dismiss manifestly unfounded cases in early stages of the proceedings. Qualified entities must also avoid conflict of interest and external influence.

Member states will have two years to transpose the Directive into their national laws, and an additional six months to apply it.

This regulatory development presents additional significant litigation risks in cases of non-compliance with data protection requirements, which are added to the existing risks of regulatory scrutiny and fines. Feel free to contact us if you have any questions regarding your compliance efforts.


Feel free to contact us with any further question or comments regarding the update and subjects detailed above.

Kind regards,

Ariel Yosefi, Partner

Head of Technology & eCommerce Regulation

Herzog Fox & Neeman


Search by +