
Personal data breached? Group action for redress


In the digital age, our personal data has become a bargaining chip, a coveted resource, but also a potential source of vulnerability. Every day, we entrust information about ourselves to companies, administrations and online platforms. While most organisations do their utmost to comply with the rules, incidents do occur: massive data leaks exposing millions of users, misuse of information for non-consensual commercial purposes, breaches of security obligations, etc.

When a breach of data protection rules affects a large number of people in a similar way, the consequences can be manifold: increased risk of identity theft, financial loss, loss of control over one's information, but also moral damage linked to the feeling of intrusion or powerlessness. Faced with such failings, acting alone can seem an insurmountable task. It is in this context that group action specifically for the protection of personal data comes into play. Created by the law on the modernisation of justice in the 21st century (J21 law) in 2016, then amended in 2018 to fully incorporate compensation for harm, this action offers a means of collective redress.

This article explores the contours of this group action: who can use it, what types of data breaches are covered, what losses can be compensated, and how does the procedure work?

Who can use this group action?

As with other group actions, the legislator has precisely defined the parties who can initiate or benefit from this procedure.

Victims: individuals concerned

Article 37 of Law no. 78-17 of 6 January 1978 (known as the "Loi Informatique et Libertés", amended to incorporate the RGPD and the group action) specifies that the action may be brought when "several natural persons in a similar situation suffer damage" linked to a breach of data protection law.

Only natural persons whose personal data has been processed unlawfully can therefore be part of the group of victims. Companies or other legal entities, even if their data (which is generally not considered "personal" in the strict sense of the term, with some exceptions) was affected by processing, cannot benefit from this specific group action. Once again, the victims must be in a "similar situation" as a result of the breach.

The person responsible: controller or processor

The action must be brought against the person or persons responsible for the breach. Article 37 explicitly refers to "a personal data controller or processor". These concepts are defined by the General Data Protection Regulation (GDPR):

  • The data controller is the entity (natural or legal person, public authority, etc.) that determines the purposes and means of data processing.
  • The processor is the person who processes the data on behalf of the data controller.

The text uses the singular ("a controller... or processor"), which, interpreted strictly, could prevent action being taken against several controllers or processors jointly in the same group action, even if they have all contributed to the damage. This potential limitation is regrettable, as data processing often involves several players.

Applicants: a trio of authorised players

Who can take legal action? Article 37, IV of the Data Protection Act designates three categories of actors:

  1. Associations that have been duly registered for at least five years and have as one of their statutory purposes the protection of privacy or the protection of personal data. These are associations specialising in this field. No specific approval is required, but the length of time the association has been in existence and the appropriateness of its objects are checked.
  2. The nationally representative and approved consumer protection associations (the same 15 associations as for the consumer action), but only "where the processing of personal data affects consumers". Their intervention is therefore conditional on the victims having the status of consumers.
  3. Trade unions (of employees or representative civil servants) or the representative unions of magistrates, but only "when the processing affects the interests of persons whom the statutes of these organisations require them to defend". An employee trade union could therefore take action if a company's employees' data has been unlawfully processed by the employer.

This openness to several types of players (specialist associations, consumer associations, trade unions) is interesting, but each is restricted to acting within the framework of its own object or target audience.

What breaches of personal data law are covered?

The triggering event for this group action is very precisely defined. Article 37 of the French Data Protection Act refers to damage having as its common cause "a breach of the same nature of the provisions of Regulation (EU) 2016/679 of 27 April 2016 [RGPD] or of this Law [Informatique et Libertés]".

Only breaches of the RGPD and the Data Protection Act

The action can therefore only be based on a breach of one or more of the rules contained in these two fundamental texts on the protection of personal data. This covers a very wide range of possible breaches:

  • Collection of data without an appropriate legal basis (absence of valid consent, failure to comply with legitimate interest, etc.).
  • Failure to inform data subjects.
  • Failure to respect individuals' rights (right of access, rectification, opposition, deletion, etc.).
  • Violation of the principles of data minimisation, purpose limitation or retention period.
  • Breach of security obligations resulting in a data leak.
  • Illegal transfer of data outside the European Union.
  • Non-compliance with rules specific to sensitive data.
  • And so on.

On the other hand, the wording seems to exclude breaches of other obligations, even if they relate to personal data. For example, the breach of a contractual confidentiality clause not directly linked to a GDPR/LIL obligation, or the breach of a rule resulting from a simple implementing decree (such as decree no. 2019-536) could, according to a strict interpretation, not give rise to a right to the specific "personal data" group action, even if they cause harm. Other courses of action would then have to be considered.

"Common cause" and "breaches of the same kind"

As in the case of the environmental group action, the text requires that the damage have a "common cause" resulting from a "breach of the same kind". This means that all the victims in the group must have suffered harm as a result of the same type of violation of data protection rules by the same controller or processor. For example, all the victims of the same data leak due to a specific security flaw, or all the people whose data has been used for a non-consensual purpose as part of the same marketing campaign.

This does not necessarily preclude the breach from being repeated over time, but it must be of "the same nature" for all the victims included in the group defined by the judge.

What losses can be compensated?

Initially, when it was created in 2016, this group action only made it possible to request the cessation of the breach. The Personal Data Protection Act of 2018 corrected this and paved the way for compensation for damage.

Article 37, III of the French Data Protection Act specifies that the action may aim "to hold the person who caused the damage liable in order to obtain compensation for the material and moral damage suffered".

  • Material AND moral damage: This is a significant difference from the consumer action (limited to material damage) and the health action (limited to bodily injury). Here, the two main categories of loss are explicitly covered:
    • Material: These may be direct financial losses resulting from the breach (for example, bank charges following identity theft made possible by a data leak, the cost of changing telephone numbers if necessary, etc.).
    • Moral: This is often the main loss when it comes to personal data. It covers invasion of privacy, the feeling of intrusion, anxiety generated by the loss of control over one's data or the risk of malicious use, damage to reputation, etc. The RGPD itself (Article 82) recognises the right to compensation for any material or non-material damage suffered as a result of a breach of the regulation.
  • Probable exclusion of personal injury: The wording ("material and moral") suggests, in contrast to other texts, that bodily injury that might result (very indirectly) from a data breach is not covered by this specific action. One would then have to turn to other grounds (the health action if a product is involved, or a traditional liability action).
  • Individual damages: Even if the text does not specify this as clearly as it does for consumer actions, the aim is still to compensate the losses suffered individually by each member of the group.

How does the procedure work?

The "personal data" group action follows the common procedural framework defined by the J21 Act and the Code of Civil Procedure, but with a few important points:

  • Action for injunction possible: As was the case originally, the action may still seek an order from the court requiring the controller or processor to cease the breach of data protection rules (Article 37, III of the French Data Protection Act).
  • Prior formal notice MANDATORY: Before going to court to seek compensation or an injunction, the plaintiff association or trade union must give formal notice to the controller or processor to cease the breach and/or compensate the damage. Legal action may only be taken after the expiry of a period of 4 months from receipt of this formal notice (Article 64 of the J21 law). Failure to comply with this stage will result in the action being inadmissible.
  • Legal proceedings: The action is brought before the Court of First Instance with jurisdiction (that of the place where the defendant resides).
  • Individual assessment of damages: The ordinary J21 regime applies, but Article 37 of the Data Protection Act explicitly refers to the individual compensation procedure (Articles 69 to 71 of the J21 law). This means that the "collective" liquidation procedure (global negotiation by the association) does not apply here. Each victim will have to submit his or her claim for compensation individually to the party responsible, and then take the case to court if the compensation is refused or contested (potentially via the mandated association).
  • Deferred application in time: A very important point: while the action for cessation of the breach has been available since the J21 Act (for breaches after 20 November 2016), the action for compensation is only available in respect of damage whose operative event (the breach) occurred after 24 May 2018 (Article 37, III of the French Data Protection Act). This date corresponds to the effective entry into force of the RGPD. Damage caused by earlier breaches cannot therefore be compensated via this group action.

The protection of your personal data is a fundamental right enshrined in the RGPD and the Loi Informatique et Libertés. If you suspect that a company or organisation has breached your rights and those of many others (for example, following a communication from the CNIL or the revelation of a data leak), group action may be a remedy to stop the illegality and obtain compensation. Contact our firm to discuss your situation.

Sources

  • Law no. 78-17 of 6 January 1978 on data processing, data files and individual liberties (amended, in particular Article 37)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (RGPD)
  • Law no. 2016-1547 of 18 November 2016 on the modernisation of the justice system for the 21st century (Articles 60, 62 et seq.)
  • Law no. 2018-493 of 20 June 2018 on the protection of personal data
  • Code of Civil Procedure (Articles 849 et seq.)
