The General Data Protection Regulation (GDPR) brought unprecedented opportunities for civil society’s strategic litigators. Yet, as we discussed during the DFF workshop on unlocking the litigation opportunities of the GDPR, how to infuse it in our litigation practices remains uncharted territory. This is particularly true when it comes to how we can best represent individuals before the courts.

First and foremost, the law. Article 80 of the GDPR is twofold. Article 80(1) makes it possible for a not-for-profit to be mandated by a data subject to lodge a complaint with a supervisory authority, or to exercise the right to a judicial remedy on their behalf. It may even enable the not-for-profit to seek compensation on behalf of the data subject, depending on Member State law. Article 80(2) leaves a discretionary power to Member States to give certain organisations the mandate to lodge complaints and seek judicial remedies independently of individuals when they observe that those individuals’ rights have been infringed. To avoid confusion with North American law, none of these paragraphs are setting up a collective compensation mechanism.

The mandate of Article 80(1) seems to hold the promise of the ability to empower and support data subjects to bring more claims through representative organisations. Yet, in practice, building and maintaining a collaboration for several years with an individual requires a wealth of resources that not-for-profits, particularly NGOs, rarely have. More importantly, a mandate to represent vulnerable data subjects (such as children, elderly people, people with a diminishing condition) would still require numerous legal safeguards to be valid.

Furthermore, members of the public usually engage when they have an issue with a service, not because of long term stakes or because they view their own circumstances as a “test case”. Furthermore, if an individual’s specific case is resolved or they become uneasy facing off against a powerful multinational company, they might decide to step away from it or the cause. Due to these factors, employees of not-for-profits tend to put themselves forward as data subjects in strategic cases, but it can put a considerable strain on their relationship with their employer.

The ramifications of the hurdles touched upon above may lead one to conclude that Article 80(2) is the best route for strategic litigation. Yet, participants at DFF’s meeting observed that given its discretionary terms, implementation is fragmented throughout the European Union. This has stripped entire nations from a robust opportunity for securing data subjects’ redress.

Nonetheless, the GDPR does not exist in a vacuum. On 11 April 2018, the European Commission (EC) published its New Deal for Consumers proposal package, comprising a proposal for a directive on representative actions for the protection of the collective interests of consumers. Interestingly, amendments by the Parliament on 26 March 2019 recommend that the Directive should apply when more than two data subjects’ rights are infringed, as long as they may be qualified as consumers. The Council is now analysing the proposal and next year the trilogue will take place. Civil society will have to make sure the GDPR remains expressly provided for in the text, so that we can ally with consumer organisations or request that independent public bodies bring representative actions to protect digital rights. NGOs may even want to push for the broadening of the criteria for who can bring such claim, as data subjects acting as consumers may be better off if more public interest organisations can bring a claim to defend their rights.

In the meantime, the lesson learned from GDPR litigation so far is it is necessary that, in its formal two-year report of May 2020 on the implementation of the GDPR, the European Commission stresses that the current implementation of Article 80 requires improved harmonisation to meaningfully foster and defend data subjects’ rights across jurisdictions.

About the author: Lori Roussey is a lawyer specialised in European data protection law in the context of intelligence and humanitarian data processing activities.