A few weeks ago, France passed the Digital Republic Act which significantly enhances French citizens’ rights to privacy by offering new avenues to exercise rights and granting new powers to the French data protection authority. A recent amendment to the Data Protection Act, adopted November 18, 2016, goes a mile farther and introduces a new type of class action for privacy-related matters.
Class actions were introduced into the French Consumer Code quite recently, in 2014. Although largely inspired by the U.S.-style class action, class actions in France have a slightly different scope:
Given the procedural restrictions described above, only seven class actions have been introduced in France to date. However, the significant extension in scope under the new law may modify the state of play.
For privacy-related class actions, (i) at least two individuals placed in a similar situation (ii) who suffer from a damage caused by a breach of the French Data Protection Act, (iii) may bring an action before a civil or administrative court, (iv) against a data controller or a data processor, (v) through an approved consumer association, a declared privacy rights association, or an official employee union, (vi) in order to seek an injunction to stop the infringement. Note that, unlike other types of French class actions, individuals may not obtain monetary compensation for damage caused.
It can be expected that the new regime will increase litigation on privacy-related grounds. However, consumer associations have started to litigate in the field of privacy without a class-action mandate. In March 2014, French leading consumer association Que Choisir brought internet giants Twitter, Facebook and Google to court, arguing that modifications of the companies’ respective terms and conditions constituted unfair commercial practices. Associations such as Que Choisir may now directly rely on the French Data Protection Act, thus bringing privacy into the spotlight.
The timing of the new French regime is no mere coincidence. It anticipates the application of the General Data Protection Regulation (“GDPR”) on May 25, 2018. The GDPR expressly sets forth a right for individuals to mandate not-for-profit bodies, organizations or associations, whose statutory objective is data protection in the public interest, to lodge a complaint, exercise the right to an effective judicial remedy, and/or obtain compensation for damages. The new French regime also resembles German provisions that went into force on February 24, 2016.
It is clear, more than ever, that companies should take privacy seriously and get ready for the GDPR by its May 25, 2018 deadline. While class actions for privacy infringements may not result in awards for financial damage in France, they raise other substantial risks for companies, including reputational harm and litigation expense.