A few weeks ago, France passed the Digital Republic Act which significantly enhances French citizens’ rights to privacy by offering new avenues to exercise rights and granting new powers to the French data protection authority. A recent amendment to the Data Protection Act, adopted November 18, 2016, goes a mile farther and introduces a new type of class action for privacy-related matters.
Class actions were introduced into the French Consumer Code quite recently, in 2014. Although largely inspired by the U.S.-style class action, class actions in France have a slightly different scope:
- In contrast to the U.S., in France punitive damages are not allowed, and where compensation may be sought, it must correspond to actual damages or loss suffered.
- Only certain matters or industries fall within the scope of the Consumer Code provisions: unfair commercial practices and anti-competitive behavior by professionals in the context of the sale of goods or the provision of a service have been the trigger for class actions since 2014. The November 18 law extends class actions to privacy-related claims, and other matters such as discrimination, damage to the environment, and medical damages arising from treatments and products.
- Only specific, approved associations may bring a class action on behalf of consumers, who must give them a mandate to act in court. Consumers may give such mandates from the start of proceedings or may opt-in to proceedings at a later stage, within a time period established by the court.
- Representative associations may introduce class actions where (i) at least two consumers who are placed in a similar situation, (ii) suffer from a material loss, (iii) as a result of a breach of a legal or contractual obligation by a professional.
Given the procedural restrictions described above, only seven class actions have been introduced in France to date. However, the significant extension in scope under the new law may modify the state of play.
For privacy-related class actions, (i) at least two individuals placed in a similar situation (ii) who suffer from a damage caused by a breach of the French Data Protection Act, (iii) may bring an action before a civil or administrative court, (iv) against a data controller or a data processor, (v) through an approved consumer association, a declared privacy rights association, or an official employee union, (vi) in order to seek an injunction to stop the infringement. Note that, unlike other types of French class actions, individuals may not obtain monetary compensation for damage caused.
It can be expected that the new regime will increase litigation on privacy-related grounds. However, consumer associations have started to litigate in the field of privacy without a class-action mandate. In March 2014, French leading consumer association Que Choisir brought internet giants Twitter, Facebook and Google to court, arguing that modifications of the companies’ respective terms and conditions constituted unfair commercial practices. Associations such as Que Choisir may now directly rely on the French Data Protection Act, thus bringing privacy into the spotlight.
The timing of the new French regime is no mere coincidence. It anticipates the application of the General Data Protection Regulation (“GDPR”) on May 25, 2018. The GDPR expressly sets forth a right for individuals to mandate not-for-profit bodies, organizations or associations, whose statutory objective is data protection in the public interest, to lodge a complaint, exercise the right to an effective judicial remedy, and/or obtain compensation for damages. The new French regime also resembles German provisions that went into force on February 24, 2016.
It is clear, more than ever, that companies should take privacy seriously and get ready for the GDPR by its May 25, 2018 deadline. While class actions for privacy infringements may not result in awards for financial damage in France, they raise other substantial risks for companies, including reputational harm and litigation expense.
For more information about French and European privacy, contact Jim Harvey.