Eye-Watering Damages for GDPR Violations Might be the New Normal

30th Sep 2020

An article in Compliance Week reports that, in the past month “three of the world’s largest tech firms have been hit with legal actions that could lead to billion-dollar damages suits for alleged violations of Europe’s privacy law, the General Data Protection Regulation (GDPR). Unusual for Europe, the complaints are led by a consumer rights group and a UK citizen rather than regulators”.

These massive actions against Google, Salesforce, and Oracle will soon be the norm throughout Europe. In the coming months, the European Union is expected to adopt a Directive on Representative Actions, which will create the first EU-wide class action system. The Directive provides that qualified entities can sue for damages for breaches of consumer rights derived from a list of 66 existing EU laws, including data privacy.  Ali Vaziri, managing associate at the Lewis Silkin law firm, calls representative actions a “’game changer”, especially in data protection claims, where consumers do not need to prove harm.

Kenny Henderson, a partner at global law firm CMS, adds that representation actions “materially increase” litigation risk for corporates. “These mechanisms automatically include affected persons in a claim unless and until they choose to leave the class, making them powerful devices for aggregating large claims”, he says.