14.11.2023

Collective legal remedies now apply to data protection – are you prepared?

There have recently been several data breaches with a vast number of private persons as victims, both in Finland and abroad. This has highlighted how difficult it has been for private persons in Finland to access justice in data protection matters, also in cases with a large number of injured parties. 

The GDPR does, as such, provide for the data subjects’ right to compensation for material and non-material damage caused by an infringement of the Regulation. However, in Finnish case law, the compensations have been rather modest. As an example, the Personal Injury Advisory Board recommends a compensation of only EUR 200–5,000 for damages related to a data protection or personal privacy violation. This, coupled with the toll taken by trials, has often resulted in private persons having a very limited interest to claim damages in data protection matters.

The legal state of injured parties improved in June 2023 with the entry into force of the new Act on Representative Actions for Injunctive Measures and the Act Amending the Act on Class Actions. These two acts make it possible to bring class actions and representative actions in data protection matters, among others. It remains to be seen whether this legislative reform, aiming to strengthen collective legal protection, has major practical effect; to date, only one consumer organisation has taken advantage of the new possibility to register as a consumer organisation and represent consumers in class action and representative action processes.

From a fully authority-driven class action process towards organisations’ right to bring actions

The legislative amendments follow the national implementation of the EU’s Representative Actions Directive. Before these amendments entered into force, the Consumer Ombudsman had the right to bring class actions in certain matters under its jurisdiction, but this option was never used. An authority-driven class action process has proved challenging due to the authorities’ limited resources, among other reasons. The amendments aim to fix the situation by making bringing class actions possible also for consumer organisations that may be more motivated as well as better equipped to raise funding for pursuing actions, for example.

The amendments make it possible to bring so-called representative actions and class actions in data protection matters. A representative action can seek to prohibit a trader from continuing a certain practice, while a class action can claim compensation for damage suffered by the consumers. A consumer organisation or an authority set out in law can bring an action on behalf of consumers. However, a consumer organisation may only bring actions if the Ministry of Justice has designated it as a ‘qualified entity’. Organisations can apply for this designation in accordance with the Act on the Designation of Organisations Promoting the Collective Interests of Consumers as Qualified Entities. The new possibility to bring actions has not yet gained much popularity, which is reflected by the fact that, at the time of writing, the Ministry of Justice has received only one designation application from a consumer organisation.

It is interesting to note that while the Data Protection Ombudsman is a qualified entity for representative actions for injunctive measures, only a consumer organisation can bring a class action for a redress measure in a data protection matter. The appropriateness of this solution remains unclear, as even before entry into force of the amendments, the Data Protection Ombudsman had the power to prohibit a data controller from acting illegally or from handling personal data in a certain way, reinforced also with a conditional fine. In any case, the consumer organisations’ new possibility to promote the interests of consumers in data protection matters in the form of class and representative actions means a new collective legal remedy, the practical significance of which remains to be seen.

Two-forum model and looming legal costs limit bringing class actions

In Finland, the amendments widened the scope of application of class actions from what it used to be in the era preceding the Representative Actions Directive. Now, in addition to matters concerning consumer transactions, class and representative actions can be brought also in matters concerning data protection, financial services, passenger rights and telecommunications. Class actions will continue to be heard in the Helsinki District Court, but representative actions for injunctive measures will be handled by the Market Court. This model of two separate processes for injunctive measures and redress measures can prove problematic especially for smaller consumer organisations, as they may need to institute matters in different forums.

The legislative decision to have two forums is interesting particularly against the backdrop of the 2013 Market Court reform, in which the injunctive and redress claims under the Unfair Business Practices Act were instead centralised to the Market Court. The goal of this centralisation was to repair the then-current arrangement in which the injunctive matters under the Unfair Business Practices Act were heard by the Market Court, whereas the compensation matters under the same Act were heard by general courts. This arrangement was deemed impractical, and it was abolished in the Market Court reform. It will be interesting to see whether the two-forum model in class actions will be long-lived.

The amendments at hand bring complexity to the terminology concerning different actions: in Finnish legislation, the representative actions referred to in the Representative Actions Directive are divided into edustajakanteet (representative actions) that cover injunctive measures and ryhmäkanteet (class actions) that cover redress measures. Together, these two form the collective remedies required under the Representative Actions Directive. The terminological confusion is reflected in the Swedish-language versions of the Act on Class Actions and Act on Representative Actions for Injunctive Measures, in which both types of action are referred to with the same umbrella term of grupptalan.

The procedural rules governing legal costs remain unchanged, and the general rule for collective actions is that the losing party bears the legal costs of both parties. This practice that potentially burdens the consumer organisation with the legal costs of both parties is likely to further raise the bar for bringing class and representative actions. Class and representative actions can be financed with third-party funding, but the law lays down relatively strict conditions for such funding in order to prevent abusive litigation. In any case, the incentives for bringing actions in Finland remain rather moderate compared to, for example, the United States, where each party often bears its own legal costs in class action lawsuits.

The future remains open

It is, without question, important that the rights of private persons suffering from infringements are realised efficiently also in data protection matters. At the same time, we must be careful as to avoid overreactions. In the United States, for example, class actions are very common, and while they may contribute to companies taking regulatory matters seriously, it can also be claimed that the Finnish authority-driven tradition results in decisions that are more appropriate for the overall situation.

The future will show how the European class and representative action landscape will develop as a result of the amendments. It will be interesting to see whether the number of actions will truly increase or whether the possibility of being faced with a class action will remain merely a theoretical risk as it has been until now.

Latest references

We advised WithSecure Corporation in the sale of its cybersecurity consulting business to Neqst. WithSecure is a global cyber security company (listed on NASDAQ OMX Helsinki). Neqst is a Swedish investment firm, focusing on technology companies. The closing of the transaction remains subject to customary conditions and regulatory approvals.
Case published 24.1.2025
We assisted Smarter Contracts Ltd in the process where the Finnish Transport and Communications Agency Traficom confirmed it to be an EU-recognised data intermediation service. Non-EU companies must have a legal representative in some EU country so that they can offer data intermediation services in accordance with the Data Governance Act. Smarter Contracts is based in Great Britain and selected Finland for the task. Smarter Contracts is the first non-EU data intermediation service registered by Traficom. Wayne Lloyd, Founder & CEO of Smarter Contracts, remarked:  The support from the Castrén team was exceptional from start to finish. Pioneering new territory is never without its challenges, and as the first non-EU data intermediation service provider, we faced significant legal uncertainties. Despite these complexities, the Castrén team expertly guided us through each step with remarkable efficiency, providing the certainty we needed. Smarter Contracts leverages its proprietary Pulse Permissions Protocol® to deliver advanced consent and access rights management services. This milestone highlights Castrén & Snellman’s proficiency in navigating intricate regulatory landscapes, whilst recognising the relevance of Smarter Contracts’ innovative approach to secure, compliant data management.
Case published 11.12.2024
We assisted Pharmaca Health Intelligence in its acquisition of Mediaattori Ltd’s PODIUM Connect® and PODIUM Visits businesses. Through the acquisition, Pharmaca Health Intelligence strengthens its extensive service offerings in medical information, data-driven management, and education for both healthcare and pharmaceutical companies. Pharmaca Health Intelligence is a pioneer in digital medical information and a reliable partner for wellbeing services counties, the private healthcare sector and pharmacies. The company invests in the development of technology and service solutions related to pharmaceutical information, also on an international scale.
Case published 5.12.2024
The Finnish Supreme Administrative Court has handed down decision KHO 2024:115 on balancing data protection and national security interests in cyber security incidents. We acted for the Finnish Ministry of Foreign Affairs in this precedent setting case, in which the Supreme Administrative Court agreed with our client’ core submissions and decided to overturn key parts of a data protection authority decision against our client. The court held that the Ministry had acted lawfully when taking a bit of time between discovering information about a cyber incident concerning certain diplomats and notifying all potentially affected people. The key point of principle for our client was the extent to which Article 34 of the GDPR requires such (essentially public) notifications when foreign policy and national security might require a more discrete initial approach. The court’s reasoning is important: since Finland has voluntarily, but not unreservedly, extended the scope of the GDPR to also cover foreign policy and national security, the primacy of EU law does not apply in that extended context. Thus, more specific local Finnish rules on freedom of information/confidentiality in these areas override the general Article 34 notification obligation (under the classic lex specialis derogat legi generali rule), even absent express statutory carve-outs to Article 34. Had Article 34 applied as a matter of EU law, the outcome could have been different, since the GDPR, under primacy, would override all local Finnish rules, irrespective of whether they are lex specialis or not. It’s important to understand why, and on what basis, an EU law applies to any given situation, since this could affect the principles of interpretation so much that the outcome changes significantly. The court did, however, hold that the Ministry will need to notify the DPA itself within the customary deadlines, since the DPA under Finnish law has the right to receive information confidentiality rules notwithstanding. We hope this outcome will contribute to authorities dealing with foreign policy and national security being able to balance all relevant interests going forward. Read the decision in Finnish or in Swedish .
Case published 15.11.2024