Collective legal remedies now apply to data protection – are you prepared?

There have recently been several data breaches with a vast number of private persons as victims, both in Finland and abroad. This has highlighted how difficult it has been for private persons in Finland to access justice in data protection matters, also in cases with a large number of injured parties. 

The GDPR does, as such, provide for the data subjects’ right to compensation for material and non-material damage caused by an infringement of the Regulation. However, in Finnish case law, the compensations have been rather modest. As an example, the Personal Injury Advisory Board recommends a compensation of only EUR 200–5,000 for damages related to a data protection or personal privacy violation. This, coupled with the toll taken by trials, has often resulted in private persons having a very limited interest to claim damages in data protection matters.

The legal state of injured parties improved in June 2023 with the entry into force of the new Act on Representative Actions for Injunctive Measures and the Act Amending the Act on Class Actions. These two acts make it possible to bring class actions and representative actions in data protection matters, among others. It remains to be seen whether this legislative reform, aiming to strengthen collective legal protection, has major practical effect; to date, only one consumer organisation has taken advantage of the new possibility to register as a consumer organisation and represent consumers in class action and representative action processes.

From a fully authority-driven class action process towards organisations’ right to bring actions

The legislative amendments follow the national implementation of the EU’s Representative Actions Directive. Before these amendments entered into force, the Consumer Ombudsman had the right to bring class actions in certain matters under its jurisdiction, but this option was never used. An authority-driven class action process has proved challenging due to the authorities’ limited resources, among other reasons. The amendments aim to fix the situation by making bringing class actions possible also for consumer organisations that may be more motivated as well as better equipped to raise funding for pursuing actions, for example.

The amendments make it possible to bring so-called representative actions and class actions in data protection matters. A representative action can seek to prohibit a trader from continuing a certain practice, while a class action can claim compensation for damage suffered by the consumers. A consumer organisation or an authority set out in law can bring an action on behalf of consumers. However, a consumer organisation may only bring actions if the Ministry of Justice has designated it as a ‘qualified entity’. Organisations can apply for this designation in accordance with the Act on the Designation of Organisations Promoting the Collective Interests of Consumers as Qualified Entities. The new possibility to bring actions has not yet gained much popularity, which is reflected by the fact that, at the time of writing, the Ministry of Justice has received only one designation application from a consumer organisation.

It is interesting to note that while the Data Protection Ombudsman is a qualified entity for representative actions for injunctive measures, only a consumer organisation can bring a class action for a redress measure in a data protection matter. The appropriateness of this solution remains unclear, as even before entry into force of the amendments, the Data Protection Ombudsman had the power to prohibit a data controller from acting illegally or from handling personal data in a certain way, reinforced also with a conditional fine. In any case, the consumer organisations’ new possibility to promote the interests of consumers in data protection matters in the form of class and representative actions means a new collective legal remedy, the practical significance of which remains to be seen.

Two-forum model and looming legal costs limit bringing class actions

In Finland, the amendments widened the scope of application of class actions from what it used to be in the era preceding the Representative Actions Directive. Now, in addition to matters concerning consumer transactions, class and representative actions can be brought also in matters concerning data protection, financial services, passenger rights and telecommunications. Class actions will continue to be heard in the Helsinki District Court, but representative actions for injunctive measures will be handled by the Market Court. This model of two separate processes for injunctive measures and redress measures can prove problematic especially for smaller consumer organisations, as they may need to institute matters in different forums.

The legislative decision to have two forums is interesting particularly against the backdrop of the 2013 Market Court reform, in which the injunctive and redress claims under the Unfair Business Practices Act were instead centralised to the Market Court. The goal of this centralisation was to repair the then-current arrangement in which the injunctive matters under the Unfair Business Practices Act were heard by the Market Court, whereas the compensation matters under the same Act were heard by general courts. This arrangement was deemed impractical, and it was abolished in the Market Court reform. It will be interesting to see whether the two-forum model in class actions will be long-lived.

The amendments at hand bring complexity to the terminology concerning different actions: in Finnish legislation, the representative actions referred to in the Representative Actions Directive are divided into edustajakanteet (representative actions) that cover injunctive measures and ryhmäkanteet (class actions) that cover redress measures. Together, these two form the collective remedies required under the Representative Actions Directive. The terminological confusion is reflected in the Swedish-language versions of the Act on Class Actions and Act on Representative Actions for Injunctive Measures, in which both types of action are referred to with the same umbrella term of grupptalan.

The procedural rules governing legal costs remain unchanged, and the general rule for collective actions is that the losing party bears the legal costs of both parties. This practice that potentially burdens the consumer organisation with the legal costs of both parties is likely to further raise the bar for bringing class and representative actions. Class and representative actions can be financed with third-party funding, but the law lays down relatively strict conditions for such funding in order to prevent abusive litigation. In any case, the incentives for bringing actions in Finland remain rather moderate compared to, for example, the United States, where each party often bears its own legal costs in class action lawsuits.

The future remains open

It is, without question, important that the rights of private persons suffering from infringements are realised efficiently also in data protection matters. At the same time, we must be careful as to avoid overreactions. In the United States, for example, class actions are very common, and while they may contribute to companies taking regulatory matters seriously, it can also be claimed that the Finnish authority-driven tradition results in decisions that are more appropriate for the overall situation.

The future will show how the European class and representative action landscape will develop as a result of the amendments. It will be interesting to see whether the number of actions will truly increase or whether the possibility of being faced with a class action will remain merely a theoretical risk as it has been until now.