US, UK, and EU collective actions in the privacy and cybersecurity space

Trends in class and collective actions.

Unlike the United States, the United Kingdom and, so far, the EU Member States do not all have domestic class action regimes or a cross-border class action regime (as detailed below), and instead have collective actions. While there are some similarities, there are some fundamental differences.

Whereas the United States is typically opt-out, with members being in the class unless they actively decline, it’s often the opposite for the UK and EU, where plaintiffs typically must opt in. Below we take a look at trends in class and collective actions with a focus on the privacy and cybersecurity space.

United States

The modern class action is arguably a US invention and only a little more than 50 years old. In short, this is a device that allows one or more individuals to bring a case on behalf of a larger group of individuals who are similarly situated and have similar claims.

There can be a lot of efficiency for all involved when cases are brought and resolved this way. It can also protect the defendant from inconsistent obligations, and can protect the interest of absentees who are not actually directly joined and participating.

Perhaps most significant in the US is the economic incentive that can derive from, say, a typical privacy case in which the claims on an individual basis might be limited. For example, the statutory penalties available for an individual in a data breach case in California might be $150, but when multiplied by a large group of people who are impacted by a data breach throughout the state, maybe hundreds of thousands of people, the numbers can increase dramatically.

Importantly, under the Federal Rules of Civil Procedure, plaintiffs cannot simply declare a case as a class action; they must demonstrate that the class represents a sufficient number of individuals who have been impacted. Typically, in the United States, the threshold is between 40 and 50. But there also must be common questions of law, and the claims of the class representatives must be typical of those across the rest of the class.

A recent article from Forbes showed that in 2022 class actions resulted in recovery of $63bn. Of that total, 15 of the class actions saw settlements of $1 billion or more.

Substantively, privacy and cyber claims are becoming a big part of the class action landscape. Class actions can happen anytime there’s a major data breach in the US. We have also seen a wave of class actions alleging that the collection of information online violates statutes that are traditionally targeted at wiretapping or designed to counter espionage. Biometrics is another area that has seen significant settlements. Meanwhile, the Video Privacy Protection Act and the Telephone Consumer Protection Act have driven increased activity.

It is worth noting that the US does not have a comprehensive consumer privacy law such as those found in the UK and EU. Rather, it operates within a patchwork that depends on the sector and the nature of the data involved. Some breaches are only enforced by government agencies, while others allow for class actions.

Notwithstanding federal uniformity, many issues are common, such as what constitutes a protectable privacy interest, what is required for consent, and whether injury/damages can be shown through classwide proof. On this last point, treatment as a class can break down under scrutiny of the actual injury and damages and how they might be awarded to individuals across a large class.

United Kingdom

Somewhat in contrast, and somewhat similar, the UK has recently seen claims under two themes, one of which governs breaches under the data protection framework laws. These are currently covered by the Data Protection Act of 2018 (DPA) and the General Data Protection Regulation (GDPR).

As noted, the UK operates under an opt-in system, though with two exceptions:

  • competition (antitrust), where matters go before the competition appeals tribunal; and
  • representative actions, a category similar to the United States in terms of bringing actions on the basis that people have the same interest.

The first case heard under the DPA established in the UK that compensation for distress for privacy breaches is allowed and does not require a pecuniary loss. Various cases have since tested the threshold for representative groups in being able to successfully seek damages, and uncertainty still looms about whether a General Litigation Order (GLO) is an efficacious way to bring a large number of small-value claims arising from the same fact pattern. As such, this is a wait-and-see environment.

As to the more recently enacted GDPR, important cases have provided clarity, but the landscape is unsettled. That said, we can see the general scope for class actions under that regulation. Given the broad reach of GDPR and ease with which potential claims can be brought to the attention of consumers, we can expect robust future activity.

European Union

On November 24, 2020, the EU adopted a directive to implement a consumer class action in each Member State. The directive has two objectives:

  1. Establishing a domestic class action regime enabling the defense of consumer interests: each Member State is free to define procedures, consistent with their domestic law, and choose between an opt-in or opt-out mechanism.
  2. Enabling a group of consumers to file a class action in any EU Member State, called a cross-border class action, aimed at obtaining injunction measures and protecting the collective interests of consumers.

The class is to be represented by a qualified entity that is registered in the Member State. The qualified entity must be nonprofit, independent, engaged in the protection of consumers’ interests for at least 12 months, and financially solvent and transparent. (To date, only three Member States have complied.)

While some jurisdictions already have fairly well-developed collective action procedures, some others have very little. As such, during this phase of inconsistent implementation, risk assessment is quite uncertain. Adding to the unpredictability are customs and rules governing the funding of class actions, the details of which should be carefully assessed by defendants in shaping strategy.

France

Class actions were implemented in France starting in 2014. They were initially limited to consumer law, until 2016 when officials extended this to a category of general class actions, addressing health product liability, environmental liability, personal data protection, and discrimination.

Thirty-two class actions have been filed since 2014, including 20 consumer class actions. Of those, six enabled the victims to obtain compensation (three through a declaration of liability and three through an out-of-court settlement).

Although still not in compliance with the EU directive, France nevertheless requires that a class action be filed by an accredited association. Likewise, there is an opt-in mechanism to join a class action. These matters are adjudicated in a two-step process: first, a liability judgment, and, second, a ruling on compensation.

Although consumer class actions do not require formal notice, general actions require four-month formal notice except in cases related to health product liability. Each category includes important differences as to cause, scope, compensation, and claimant qualification.

The parties always have the option to settle the action outside of the court through mediation or amicable settlement. Class actions are time-barred after five years from the date on which the victim knew or should have known of the facts enabling them to exercise this right. The competent court is the one of the defendant’s domicile, unless the defendant is located abroad, in which case the court of Paris presides. Last, it is important to note that class actions in France are treated at a very confidential level.

Eventually, these regimes will be merged when the EU directive takes hold – and that will likely prove true across the continent, where continuity is rising.

For more detail on recent trends in UK and EU collective actions as they relate to privacy and cybersecurity for US companies, see the presentation Collective Action: A UK and EU Perspective for US Companies, part of the Morgan Lewis Technology Marathon webinar series.

Pulina Whitaker is a partner and co-head of the global privacy and cybersecurity practice. Chris Warren-Smith is a partner and represents clients in a broad range of corporate investigation and dispute matters. Alexandre Bailly is a partner and works with clients at every phase of their disputes, from prelitigation to expertise proceedings stage. Ezra D. Church is a partner and leader of the firm’s privacy and cybersecurity litigation practice and co-chair of the firm’s Class Action Working Group. Morgan Lewis