Menu

Collective action under the GDPR: A civil law perspective from Spain

Javier Fernández-Samaniego, Blas Piñar Guzmán and Manuela Rojas of Samaniego Law report from Madrid.


Since Spain’s first Data Protection Law entered into force almost 25 years ago Spain has been, without exaggeration, the EU Member State with the most stringent system of data protection law enforcement in the EU.




Since Spain’s first Data Protection Law entered into force almost 25 years ago Spain has been, without exaggeration, the EU Member State with the most stringent system of data protection law enforcement in the EU. Its legal system provides for penalties for non-compliance of up to €600,000 and a strict Supervisory Authority (the Agencia Española de Protección de Datos – the “Agencia”-) imposing an average total of €20 million in fines per year to private sector organisations.

In that context, one – particularly if coming from the US - could think that judicial remedies for breaches of Spanish DP Law and compensation for damages suffered as a result of unlawful processing operations [1] were also amounting to millions. But the reality is that claims for compensations in the civil courts were limited to a relatively small number of individual cases mainly based on unlawful inclusion in bad debtor’s data files/credit bureaus.  For the time being, the maximum compensation awarded by Spanish Courts to an individual, due to immaterial damage suffered by unlawful processing, has been circa €10,000 [2].

The influential Spanish consumers association OCU [3] on 30 May this year launched a campaign (“My data is mine” [4]) together with its allied organizations from Portugal, Italy and Belgium (Euro-consumers), announcing a collective action against Facebook to seek compensation of €200 per user due to  the Cambridge Analytica affair. By 16 October, 33,315 people had joined this campaign [5]. Such a campaign is fuelling the idea that the time of personal data class actions has arrived in Europe, but neither the GDPR nor the civil procedure rules of the EU Members States, nor the so-called New deal for European Consumers [6] provides for a US-style class action in Europe for data protection wrongdoings.

Divergence across the EU


The Charter of Fundamental Rights of the EU (“Charter”) and most of the EU States’ Constitutions clearly differentiate:
  • the legal regime for the protection of personal data (Article 8 of the Charter) and,
  • a high level of consumer protection (Article 38 of the Charter).
These areas have a different legal nature, regulatory framework, scope, remedies, liabilities, actions and judicial redress mechanisms. In this regard, several aspects must be highlighted:
  1. Consumer organizations are not per se automatically allowed to represent data subjects for the purposes of Article 80 GDPR, which refers to the not-for-profit body, organization or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data. That means that only what will be regarded as Privacy Not for Profit Organisations (NPOs) - which comply with requirements of Article 80 - have the right to represent data subjects for these purposes.
  2. Article 80 of the GDPR provides Privacy NPOs with rights of action both with a mandate and without a mandate from data subjects. Having said that, it is important to highlight that the actions available to Privacy NPOs without a data subject’s mandate under Article 80.2 GDPR (such as the right to lodge complaints before supervisory authorities and to exercise the rights referred to in Articles 78 and 79 GDPR) do not include the right to receive compensation for damages suffered (Article 82 GDPR) which would always require a data subject’s mandate.
  3. The actions provided by EU Member States to consumer organizations under EU Consumer Directives are not exactly the same as the actions provided to Privacy NPOs by the GDPR. Article 80.1 GDPR refers to the procedural regulations of EU Member States in relation to the possibility of initiating a claim’s consolidation mechanism i.e. to collect mandates of data subjects prior to claiming for compensation on their behalf. So, the key is in the national/Member State rules on mechanisms for collective claims.

Collective actions in Spain

Spain’s current Data Protection Bill does not refer to collective actions so the regulation to take into account the collective claim’s mechanism is Spain’s Civil Procedure Law. The collective redress mechanisms provided in this law aims to protect consumers’ rights and interests and not the protection of data protection rights, which are two different areas of law, as stated above. However, it could be the case that some unlawful processing of personal data could also be deemed an infringement harming the collective interest of consumers. The discussion below refers to these cases.

In accordance with the Injunction Directive for the protection of consumers' interests [7] as implemented in Spain, Spanish Law provides (i) injunctive redress and (ii) compensatory redress in cases where a group/class of affected consumers launch a collective action for compensatory redress if it meets certain requirements.
  1. Collective actions aiming to receive compensation (Compensatory collective redress): As stated above and as per Article 80.1 GDPR, Privacy NPOs are not entitled to start an action without the mandate of data subjects claiming compensation for damages suffered based on Article 82 GDPR. Having said that, in those infringements of GDPR which could also be deemed a consumers’ infringement subject to compensation, Spain’s Procedure Law provides the possibility of a compensatory collective redress with the following aspects to be considered:
 
Entitlement to claim or standing to sue: If the group of consumers harmed is identified or easily identifiable – a classic example is a group victim of a food poisoning by a restaurant - standing to sue is in:
 
  1. the group of harmed people to the extent the claim is sustained by the majority of the harmed group (Articles 6.1.7 and 11.2 Spain’s Procedure Law);
  2. consumers and users’ associations, and
  3. legal entities incorporated for the protection of the harmed identifiable or easily identifiable group - for instance and in the example above, an association of consumers affected by the food poisoning which is incorporated ad hoc for that purposes.
 
If the group of consumers harmed is vague and difficult to identify, the standing to sue is exclusively based on the legally deemed representative consumers’ and users’ associations (Article 11.3 of Spanish Procedure Act).

Procedural mechanisms and publicity measures to allow opt-in: In order to allow the group of harmed people to gain standing to sue and be able to join together as the majority of the harmed consumers, Article 256.1.6 of Spain’s Procedure Law sets out a preparatory measure aimed to identify the harmed consumers, which also allows a limited discovery against the future defendant, so it cooperates in the identification of specific harmed individuals.

Furthermore, Article 15 of Spanish Procedure Law requires that in cases of vague groups which are difficult to be identified, once the claim is submitted before the Courts, it must be advertised in the media. The proceedings are then suspended for two months so that any consumers who have suffered harm may opt-in to specify their individual harm. In case of identified or easily identifiable harmed consumers, there is a requirement for the claimant to demonstrate that it has called for or collected mandates from all harmed consumers who may opt-in.

Effects of the Judgment and enforcement: Courts awarding compensatory damages must name individuals who have benefited from the Judgements or the requirements and criteria to be met in order to benefit from the right to compensation granted for those who were not in the proceedings but who wish to benefit from enforcement (Article 221 and 519 Spanish Procedure Law).

Despite not granting an opt-out option for the collective redress group, Spain’s Procedure allows people who have suffered harm, and who do not want to take part in the collective action, to bring individual actions.
 
  1. Collective actions seeking an injunction (Injunctive collective redress): Spain’s Procedure Law has implemented the EU Injunctions Directive and includes a collective injunctive redress mechanism. These injunctions include obtaining Judgements that may order the cessation or prohibition of any infringement (including the use of abusive terms and conditions). Therefore, actions for injunctions seeking the cessation of abusive Privacy Policies cannot be rejected by the court, for instance to the extent it could be deemed a consumer law infringement (Article 53 of the Consumers Statute) which could involve measures such as the publication of the decision (Article 221.2 Spain’s Procedure Law).
 
The qualified entities to bring an action for an injunction are the ones set out above depending on whether the claimants seeking an injunction are identified or easily identifiable. Furthermore, those entitled to bring an action for the protection of so-called “diffused interests” are listed in the Official Gazette of the EU as complying with the European Injunctions Directive (Art. 6.1.8 of the Spanish Procedure Law in relation to Article 54 of the Consumers Statute). Furthermore, the Public Prosecutors and the National Institute for the Protection of Consumers are entitled to bring an action for an injunction, although this is not common in practice.

The way forward

According to public sources and the news, the main campaign for collective action in which a consumer’s organization is collecting mandates in Spain is the so-called “My data is mine” against Facebook brought by OCU. However, it is still early days to predict what the outcome will be as, due to the procedural landscape described, this action may be subject to a number of procedural pitfalls and challenges.

Other consumer associations are focusing on lodging complaints before Spain’s Data Protection Agency targeting alleged breaches of Data Protection regulations with social networks and their data breaches.

Both the EU Data Protection and Consumer Protection authorities have been very clear stating that the representative actions and collective redress in the EU extend to consumers’ protection when they are online and will be distinctly different from US-style class actions. In words of Věra Jourová, Commissioner for Justice, Consumers and Gender Equality: "Representative actions, in the European way, will bring more fairness to consumers, not more business for law firms". One thing is sure, a door has been opened by Article 80 GDPR and all the stakeholders must have eyes wide open to ensure that this right is used properly and not abused.
 

[1] Article 23 of repealed Directive 95/46/EC, implemented in Spain in Article 19 of the repealed Spanish Law 15/1999 on Personal Data Protection (the so-called “LOPD”).
[2] Inter alia Judgement of the Spanish Supreme Court Civil Chamber, of 26th April 2017, confirming a compensation of Euro7,000 for “moral damage”, or Judgement of the Spanish Supreme Court, Social Chamber, of 3rd May 2016, granting a compensation of Euro10,000 for somewhat similar circumstances.
[7] Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers' interests (Codified version).

Original article published on Privacy Laws & Business, International Report, Issue 155, October 2018.

Javier Fernández Samaniego

Director of Samaniego Law.  His international practice focuses mainly in Commercial/IT disputes (international litigation, arbitration, and ADR) and negotiations and major Tech & Privacy projects (new cloud and big data business models, outsourcing transaction, data protection review programs, etc.). Besides Javier has vast experience assisting European clients in their expansion in Latin America and US clients in their European expansion. Before founding Samaniego Law in 2017, for over a decade Javier was managing partner of the Spanish office of Bird & Bird and headed its Commercial, Dispute Resolution and Information Technology teams. Before that he was head of the IT and Communications at Linklaters, and he had previously been the head of Technology and Data Protection team at Spanish firm Cuatrecasas, and a lawyer at the CDTI (Centre for the Development of Industrial Technology). He is an arbitrator at the information and communication technologies department of the Chamber of Commerce of Madrid. He is also a CEDR accredited mediator and member of CPR Panel of Distinguished Neutrals and its European Advisory Board. Member of Fide´s Academic Council. Senior Fellow at Steven J Green School of International and Public Affairs (FIU). -Florida International University.

Blas Piñar Guzmán

Collective action under the GDPR: A civil law perspective from Spain
Lawyer specialized in Community Legal Law and Commercial Law both national and international. Independent lawyer after working at the Commercial and Dispute Resolution Department of Bird & Bird. Degree at ICADE and master degree in Intellectual Property by the Instituto de Postgrad, both at the Universidad Pontificia Comillas.

Manuela Rojas

Collective action under the GDPR: A civil law perspective from Spain
Associated Lawyer at SAMANIEGO Law specializing in IT law with a particular focus of Privacy and Data Protection, IP law and contractual matters relevant to the tech sector. Before joining SAMANIEGO Law she worked at Google’s Commercial & Litigation Legal department in Spain and previously – in the European Patent Office, The Hague. Law Degree from the University of Granada and Master’s degree in Intellectual Property and New Technologies from Universidad Auntónoma of Madrid.