ARTICLE
13 December 2024

Privacy Rights Group NOYB Now Qualified To Bring Collective Redress Actions

AP
Arnold & Porter

Contributor

Arnold & Porter  logo
Arnold & Porter is a firm of more than 1,000 lawyers, providing sophisticated litigation and transactional capabilities, renowned regulatory experience and market-leading multidisciplinary practices in the life sciences and financial services industries. Our global reach, experience and deep knowledge allow us to work across geographic, cultural, technological and ideological borders.
On December 2, 2024, NOYB – European Center for Digital Rights was approved as a "qualified entity" (QE) to bring representative actions in European courts for data protection breaches.
United States Privacy

On December 2, 2024, NOYB–European Center for Digital Rights wasapprovedas a "qualified entity" (QE) to bring representative actions in European courts for data protection breaches. Representative actions are the European equivalent of a U.S. class action. Unlike in the United States, however, collective redress in the European Union (EU) must be brought by non-profit organizations approved to bring enforcement actions.

Under theEU Representative Action Directive((EU) 2020/1828) (Directive), QEs must have a "non-profit-making character." QEs approved under the Directive are authorized to bring representative actions before European national courts or administrative authorities on behalf of consumers to seek injunctive measures, redress measures, or both. Injunctive measures cease or prohibit businesses' unlawful actions (for instance, violations of the General Data Protection Regulation (GDPR)), while redress measures include remedies such as compensation, price reduction, contract termination, or reimbursement of price paid, and could include, for example, compensation claims where a business has unlawfully processed individuals' personal data. Representative actions may be domestic, initiated by a QE in the same European country where the QE is established, or cross-border and initiated in a different EU Member State to that of the QE.

NOYB is a non-profit organization based in Vienna which was co-founded by privacy activist Max Schrems in 2017. Schrems challenged theU.S.-EU Safe Harbor Frameworkand theEU-U.S. Privacy Shield Framework, and was successful in having both declared invalid by the Court of Justice of the European Union in 2015 and 2020, respectively. NOYB was approved as a QE in Austria, the country of its main establishment, and Ireland, which is a country of interest given the large number of headquarters of international tech companies in its territory. However, as a QE, NOYB can bring actions in any EU Member State.

NOYB intends to bring injunctions against companies that breach the GDPR in the EU and to bring representative actions where thousands, if not millions, of users can seek damages if their personal data has been used unlawfully. Activities that are likely to be the subject of a representative action for injunctive measures include, for example, "the tracking of users without valid consent, the use of 'dark patterns' to unlawfully gain consent, the sale of personal data without a legal basis, absurd wording in privacy policies or the transfer of personal data to a jurisdiction that does not provide adequate protection." Regarding redress measures, NOYB states that, "[w]hile non-material damages can be rather low and only amount to €100 to €1,000 per user, this can quickly add up if a company has violated the rights of millions of users." NOYB has stated that it will bring its first representative actions in 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More