Ireland Sees Initial Class-Action Lawsuit as Think Tank Warns of Negative Effects
Ireland's first mass-litigation case could have major implications for tech companies that process data under the General Data Protection Regulation, Pinsent Masons commercial litigation attorney Zara West blogged Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The European Centre for International Political Economy (ECIPE), a think tank, also said in a June podcast that all European businesses should be concerned about the rise of such lawsuits. Mass litigation is the European term for what's known as class action in the U.S.
In the first case under Ireland's Collective Interests of Consumers Act 2023, the Irish Council for Civil Liberties (ICCL) sued Microsoft in the Irish High Court in May for alleged GDPR breaches. The case marks a "pivotal moment for consumer mass actions in Ireland" and sets a precedent for future collective actions, according to West.
Under the act, which went into effect in April 2024, the ICCL is one of two recognized qualified entities in Ireland authorized to bring representative actions on behalf of consumers for breaches of consumer protection laws, West noted.
The ICCL said Microsoft's "real-time" bidding process in its Xandr advertising platform violates the GDPR because it fails to effectively monitor or control what happens to personal data once it's been broadcast to potential advertisers, West wrote. That has resulted in major data breaches and misuse of sensitive personal data, the ICCL alleged.
Among the issues raised at the High Court hearing, Microsoft questioned who paid for ICCL's collective action, since third-party funding is generally barred under Irish law, West noted.
Oscar Guinea, a senior economist for ECIPE who co-authored its report, similarly said European companies generally should worry about the growing popularity of these lawsuits.
Although consumer protection is the main reason for mass litigation, as the rules that govern such lawsuits become more flexible, there are more cases involving data, technology and the environment, Guinea said, adding that GDPR's adoption has sparked increased court action.
Mass-litigation settlements, insurance and uncertainty impose additional costs on private companies, in particular hurting innovative businesses that produce products in areas where regulations aren't yet settled, said Guinea.
The number of European collective actions rose sharply in 2021-23, the latest data available, with particularly high activity in the Netherlands, Portugal, Germany, France and Poland, he noted.
The ECIPE study found that several factors are driving increased mass litigation in some European countries, Guinea said. These include the ease of filing, the presence of lawyers with the necessary expertise to handle such cases, and the availability of money from companies known as third-party funders.
The ECIPE study, which examined 373 cases, argued that private enforcement actions, like mass litigation, are becoming a financial product as funders seek cases with the highest returns. This is a problem because it doesn't compensate people for damages in cases where they deserve it, lawyers and finders receive most of the money, and the litigation becomes a financial risk for companies, Guinea said.
ECIPE estimated conservatively that the costs of mass litigation in Europe would be around 10% of class-action litigation in the U.S., ranging from 28.3 billion euros ($33 billion) under a low-growth scenario to 84.8 billion euros ($98 billion) under a high-growth scenario, he said.
This could deter innovative companies from developing products and services on the theory of better safe than sorry, Guinea said. The report urged Europe not to go down the same "false economy-false justice" path as the U.S.
The European Consumer Organisation, whose priorities include GDPR enforcement and consumer data protection rights, emailed us that while it hasn't brought mass-litigation cases, it's looking to do so. It was granted qualified entity status under the EU Collective Redress Directive in April.
Last December, Austrian privacy nonprofit Noyb also won approval as a qualified entity under the directive. Asked for comment on the ECIPE report, Noyb founder Max Schrems told us in an email: "This report was paid for by the 'European Justice [Forum]' -- a group of large companies that lobbied against [the directive]. Do we really have to respond to paid propaganda camouflaged as a report?!"
The European Justice Forum describes itself in the report as a coalition of businesses, individuals and organizations working to build "fair, balanced, transparent and efficient civil justice laws and systems for both consumers and businesses in Europe."