noyb is now qualified to bring collective redress actions

02 December 2024

noyb is now approved as a so-called "Qualified Entity" to bring collective redress actions in courts throughout the European Union. Such action under Directive (EU) 2020/1828 can either be an "injunction" or a "redress" measure. "Injunctions" generally prohibit a company from engaging in illegal practices, including any GDPR violations. "Redress" measures allow a European version of a "Class Action", where thousands or millions of users could be represented by noyb and for example ask for non-material damages when their personal data was unlawfully processed. Contrary to US Class Actions, EU law requires that such actions are brought on a purely non-profit basis.

A large group of people in different shades of magenta form the shape of an arrow pointing to the right.

Approval in Austria and Ireland - valid throughout the EU. The EU's system for collective redress is based on non-profit organisations that must be approved as "Qualified Entities" (QE) to actually bring enforcement action. Other than the "wild west" approach under US law, where any law firm can bring so-called "Class Actions" (often also for their own benefit), the EU system is meant to remove financial incentives for plaintiffs and only allows non-profits, such as noyb, to bring cases. While the Directive should have been fully implemented by 25 June 2023, many Member States were delayed and approval processes for qualified entities were not yet available or opened. noyb sought an approval as qualified entity in two Member States: Ireland and Austria. Austria being the main establishment of noyb and Ireland being a specific country of interest, given the large number of headquarters of international tech companies in Ireland. Both approvals were now granted and are valid within these two Member States, but also throughout the EU. Qualified Entities in one Member State can bring actions in any EU Member State.

Max Schrems, Chair of noyb: "noyb prepared for this step for the past years and went through a rigid process to get this approval, where the independence but also the organisational stability of the organisation was reviewed. This will now allow us to bring injunctions against any company that violates the GDPR on the EU market. In addition, we can also form EU 'class actions' where thousands or millions of users can seek damages if their personal data was abused. We are planning to bring the first actions in 2025. So far, collective redress is not really on the radar of many - but it has the potential to be a game changer."

The approval by the Austrian Bundeskartellanwalt was issued on 2 December 2024, the approval by the Irish Ministry for Justice was issued on 10 October 2024.

Injunctive measures. Injunctive measures under Article 8 of the EU Directive allow a Qualified Entity to request a company to stop a certain illegal practice. In the case of noyb, this could be the tracking of users without valid consent, the use of "dark patterns" to unlawfully gain consent, the sale of personal data without a legal basis, absurd wording in privacy policies or the transfer of personal data to a jurisdiction that does not provide adequate protection. Generally, many other patterns of non-compliance, such as incomplete or delayed responses to access or deletion requests under the GDPR could be enforced via this new instrument.

Ursula Pachl, Head of Collective Redress at noyb: "Injunctions are successfully used by consumer organisations for decades when it comes to unfair contract terms or commercial practices. The new EU law now allows noyb to also use such injunctions when it comes to GDPR violations or other consumer protection infringements - and we all know there are thousands of them."

Typically, a non-profit would first reach out to a company directly, demanding the stop of an unlawful activity and sign a so-called "cease and desist" agreement. If the company refuses to sign such an agreement to stop the infringement, the non-profit can file a case in any EU Member State the company is active or at its headquarter in the EU.

Redress measures. The new law also allows "redress" cases for past and ongoing violation for any unlawful data processing. Typically, such cases would include damages claims, or claims for the return of any unlawful profits made from illegal processing. While non-material damages can be rather low and only amount to € 100 to € 1,000 per user, this can quickly add up if a company has violated the rights of millions of users. In most EU Member States, each user has to ask a non-profit to represent them ("opt-in" system), however in some jurisdictions, like in the Netherland or Portugal, a Qualified Entity can represent any user that has not objected to be represented ("opt-out" system).

Ursula Pachl: "For an individual consumer, it is usually too difficult and not worth it to bring a lawsuit over € 200 against some Big Tech company. However, if millions of affected users group together, the dynamics quickly turn and the costs and risks for every individual user become manageable. This is exactly the power of 'collective redress' actions."

Next steps. noyb has in the past years prepared the organisational and technical means to bring collective redress actions and expects the first cases to be brought in 2025. While injunctive measures can quickly be implemented and there is a lot of experience in this field under the Unfair Terms Directive 93/13/EEA, redress measures require longer preparation and there is less experience. So far, collective redress actions were limited to specific Member States, such as Portugal, the Netherlands, Germany or Austria with vastly different approaches than the new EU Directive.