14.11.2023

Collective legal remedies now apply to data protection – are you prepared?

There have recently been several data breaches with a vast number of private persons as victims, both in Finland and abroad. This has highlighted how difficult it has been for private persons in Finland to access justice in data protection matters, also in cases with a large number of injured parties. 

The GDPR does, as such, provide for the data subjects’ right to compensation for material and non-material damage caused by an infringement of the Regulation. However, in Finnish case law, the compensations have been rather modest. As an example, the Personal Injury Advisory Board recommends a compensation of only EUR 200–5,000 for damages related to a data protection or personal privacy violation. This, coupled with the toll taken by trials, has often resulted in private persons having a very limited interest to claim damages in data protection matters.

The legal state of injured parties improved in June 2023 with the entry into force of the new Act on Representative Actions for Injunctive Measures and the Act Amending the Act on Class Actions. These two acts make it possible to bring class actions and representative actions in data protection matters, among others. It remains to be seen whether this legislative reform, aiming to strengthen collective legal protection, has major practical effect; to date, only one consumer organisation has taken advantage of the new possibility to register as a consumer organisation and represent consumers in class action and representative action processes.

From a fully authority-driven class action process towards organisations’ right to bring actions

The legislative amendments follow the national implementation of the EU’s Representative Actions Directive. Before these amendments entered into force, the Consumer Ombudsman had the right to bring class actions in certain matters under its jurisdiction, but this option was never used. An authority-driven class action process has proved challenging due to the authorities’ limited resources, among other reasons. The amendments aim to fix the situation by making bringing class actions possible also for consumer organisations that may be more motivated as well as better equipped to raise funding for pursuing actions, for example.

The amendments make it possible to bring so-called representative actions and class actions in data protection matters. A representative action can seek to prohibit a trader from continuing a certain practice, while a class action can claim compensation for damage suffered by the consumers. A consumer organisation or an authority set out in law can bring an action on behalf of consumers. However, a consumer organisation may only bring actions if the Ministry of Justice has designated it as a ‘qualified entity’. Organisations can apply for this designation in accordance with the Act on the Designation of Organisations Promoting the Collective Interests of Consumers as Qualified Entities. The new possibility to bring actions has not yet gained much popularity, which is reflected by the fact that, at the time of writing, the Ministry of Justice has received only one designation application from a consumer organisation.

It is interesting to note that while the Data Protection Ombudsman is a qualified entity for representative actions for injunctive measures, only a consumer organisation can bring a class action for a redress measure in a data protection matter. The appropriateness of this solution remains unclear, as even before entry into force of the amendments, the Data Protection Ombudsman had the power to prohibit a data controller from acting illegally or from handling personal data in a certain way, reinforced also with a conditional fine. In any case, the consumer organisations’ new possibility to promote the interests of consumers in data protection matters in the form of class and representative actions means a new collective legal remedy, the practical significance of which remains to be seen.

Two-forum model and looming legal costs limit bringing class actions

In Finland, the amendments widened the scope of application of class actions from what it used to be in the era preceding the Representative Actions Directive. Now, in addition to matters concerning consumer transactions, class and representative actions can be brought also in matters concerning data protection, financial services, passenger rights and telecommunications. Class actions will continue to be heard in the Helsinki District Court, but representative actions for injunctive measures will be handled by the Market Court. This model of two separate processes for injunctive measures and redress measures can prove problematic especially for smaller consumer organisations, as they may need to institute matters in different forums.

The legislative decision to have two forums is interesting particularly against the backdrop of the 2013 Market Court reform, in which the injunctive and redress claims under the Unfair Business Practices Act were instead centralised to the Market Court. The goal of this centralisation was to repair the then-current arrangement in which the injunctive matters under the Unfair Business Practices Act were heard by the Market Court, whereas the compensation matters under the same Act were heard by general courts. This arrangement was deemed impractical, and it was abolished in the Market Court reform. It will be interesting to see whether the two-forum model in class actions will be long-lived.

The amendments at hand bring complexity to the terminology concerning different actions: in Finnish legislation, the representative actions referred to in the Representative Actions Directive are divided into edustajakanteet (representative actions) that cover injunctive measures and ryhmäkanteet (class actions) that cover redress measures. Together, these two form the collective remedies required under the Representative Actions Directive. The terminological confusion is reflected in the Swedish-language versions of the Act on Class Actions and Act on Representative Actions for Injunctive Measures, in which both types of action are referred to with the same umbrella term of grupptalan.

The procedural rules governing legal costs remain unchanged, and the general rule for collective actions is that the losing party bears the legal costs of both parties. This practice that potentially burdens the consumer organisation with the legal costs of both parties is likely to further raise the bar for bringing class and representative actions. Class and representative actions can be financed with third-party funding, but the law lays down relatively strict conditions for such funding in order to prevent abusive litigation. In any case, the incentives for bringing actions in Finland remain rather moderate compared to, for example, the United States, where each party often bears its own legal costs in class action lawsuits.

The future remains open

It is, without question, important that the rights of private persons suffering from infringements are realised efficiently also in data protection matters. At the same time, we must be careful as to avoid overreactions. In the United States, for example, class actions are very common, and while they may contribute to companies taking regulatory matters seriously, it can also be claimed that the Finnish authority-driven tradition results in decisions that are more appropriate for the overall situation.

The future will show how the European class and representative action landscape will develop as a result of the amendments. It will be interesting to see whether the number of actions will truly increase or whether the possibility of being faced with a class action will remain merely a theoretical risk as it has been until now.

Latest references

We are acting as the lead counsel to Fortum in a cross-border transaction in which Fortum is selling its recycling and waste business. The business is sold to thematic impact investing firm Summa Equity through its portfolio company NG Group. The debt-free purchase price is approximately EUR 800 million. The transaction is subject to authority approval and customary closing conditions. Fortum’s recycling and waste business to be sold comprises municipal and industrial waste management and end-to-end plastics, metals, ash, slag and hazardous waste treatment and recycling services. These businesses are located in Finland, Sweden, Denmark and Norway and currently employ approximately 900 employees.
Case published 18.7.2024
We advised Andritz Oy, a part of ANDRITZ group, with their acquisition of all the shares in Procemex Oy. The acquisition further strengthens ANDRITZ’s automation and digitalisation portfolio. Procemex is a global leader in integrated web monitoring and web inspection solutions for the pulp and paper industry. It has a team of more than 100 vision systems experts and has subsidiaries in Germany, Japan and the US. ANDRITZ offers a broad portfolio of innovative plants, equipment, systems, services and digital solutions for a wide range of industries and end markets. ANDRITZ is a global market leader in all four of its business areas – Pulp & Paper, Metals, Hydropower and Environment & Energy. The publicly listed group has around 30,000 employees and over 280 locations in more than 80 countries.
Case published 18.7.2024
We successfully acted as the lead external counsel for Citycon Plc in an arrangement whereby Citycon outsourced its Nordic Accounting and Lease Administration operations and related workforce in Finland, Sweden, Norway, Denmark and Estonia to Staria Plc. The outsourcing is expected to take place as of 1 August 2024. With this outsourcing arrangement, Citycon aims to align the size and capabilities of the company’s finance organisation with its future development, ensuring it can adapt to meet the company’s needs at any given time. During the assignment, we assisted Citycon in drafting the necessary contract documentation and planning the contract negotiations and timetable. We led the outsourcing agreement negotiations and advised Citycon on employee transfer and data privacy related matters. We also coordinated legal advice for other in-scope countries. Citycon is the leading owner and developer of urban hubs in the Nordics and Baltics. Citycon’s 33 mixed-use, necessity-based centres are located in the major cities in Finland, Sweden, Norway, Denmark and Estonia. Citycon transforms unique locations into sustainable communities and cities full of life, serving 140 million people each year and delivering long-term share value. Citycon brings value to communities by developing urban hubs for living, working, socialising and shopping. Citycon has extensive experience as an urban developer and uses its expertise in creating mixed-use centres that include retail, offices, hotels, housing, food & beverage as well as healthcare, culture and leisure services.
Case published 13.5.2024
We acted as Zendesk, Inc.’s Finnish legal counsel in its acquisition of Ultimate Enterprises Oy, an industry leading provider of service automation using AI technology. The cross-border acquisition was completed in cooperation with the transaction’s lead counsel Allen & Overy. Zendesk is a leading global technology company that provides software-as-a-service and customer experience (CX) products based in the US. The acquisition of Ultimate expands Zendesk’s AI-powered CX offerings.
Case published 26.3.2024