Large companies risk a lot if they don't comply with the RGPD

The use of class actions in Europe to sue large companies for non-compliance with the RGPD has begun and this bodes well for very large fines

Article 80 of the GDPR clearly provides for collective actions, leaving the modalities and procedures to the Member States on the basis of national law. But today the possibility of bringing a collective action, i.e. several citizens or consumers joining together or entrusting a legal action to a body that represents them, is not provided for in the legislative arsenal of all Member States. 

But it is only a matter of time because a draft European directive is in preparation that will allow this kind of action throughout Europe, and therefore the risk for large groups such as GAFA to be attacked by groups of European citizens will increase.

In a few months, three multinationals have been taken to court for non-compliance with the RGPD, with the risk of fines that could reach hundreds of millions of dollars, as the RGPD provides for fines of up to 4% of global turnover.

• Salesforce attacked in Holland for its use of cookies
• Oracle attacked in Holland for the same reason
• Youtube attacked in England for targeting children

Decisions are expected in the coming months and some other legal actions are expected soon. And let's not forget that these American companies are now facing the abolition of the Privacy Shield, the agreement that allowed data transfers between the US and Europe, so GAFA and other American companies are facing potential complaints as well as the European users of their services.

In the majority of European countries, each party pays its own legal fees, which may be partially reimbursed or compensated by damages. Cost can therefore be a barrier. But the distribution of costs among a large number of plaintiffs may make it more likely that collective actions will be organized, for example, by a consumer protection organization.

Large organizations, multinationals, but let's not forget all companies, and even NPOs and self-employed people are facing two types of risk:

• A complaint to the data protection authority that can be made in a few minutes and at no cost by completing an online form
• Lawsuits and damages are all the more likely as class actions will remove the cost barrier by spreading it among many plaintiffs.