Mass litigation for GDPR compensation claims have become a common legal challenge for many companies in Germany in recent years. You might think that only large platforms, especially those that operate globally, are at risk of facing mass litigation. But in fact, almost any company that processes personal data can be sued by a large number of individuals. This blog post will give you a brief overview of the phenomenon of GDPR mass litigation:

How it works

Mass claims are typically initiated by legal tech companies and consumer law firms. In the past, driven by lucrative business models (e.g. the diesel scandal), these companies were able to develop a digital infrastructure that makes it easy for claimants to join mass litigation cases. These firms use online platforms and social media campaigns to attract and register potential claimants who have been affected by a data breach or data scraping incident involving a company. They then use various legal strategies and business models to finance and conduct the litigation, such as legal expenses insurance, litigation funding or contingency fees. The companies use their infrastructure to send out their ‘model statement of claim’ for each acquired claimant.

What triggers mass litigation

A GDPR mass litigation always starts with the (alleged) processing of personal data in breach of the GDPR. In our practice, we have seen that the following scenarios, among others, can trigger mass litigation.

• Data breaches and leaks: Data breaches and leaks are arguably one of the most feared and well-known issues for any organization. For example, they could be caused by a simple API bug, a faulty update or an external cyber attack. When major incidents become public, companies can quickly become the target of mass litigation, with people whose data has been affected taking legal action against the company. As most companies typically hold large amounts of data, this can involve lawsuits from many thousands of affected individuals. 
• Scraping: Scraping has been the central focus of the GDPR mass litigation over the past three years. Unlike hacks, scraping does not involve third parties gaining unauthorized access by bypassing security measures. Rather, publicly available data is literally scraped from websites. In high-profile scraping cases, those allegedly affected by scraping have filed claims for damages against the website operator. Scraping is also particularly popular when it comes to collecting AI training data. It can therefore be expected that the importance of scraping in GDPR mass litigation will increase, rather than decrease. 
• Unlawful email marketing:  Unlawful email marketing and newsletter distribution is an ongoing issue for companies of all sizes. The GDPR and German competition law both contain provisions against which email marketing must be measured. German courts tend to be very strict in applying these legal principles. As marketing emails and newsletters always reach a large number of people, there is also the potential for mass damages claims. 
• Unlawful data processing:  Last but not least, unlawful data processing, in particular unlawful data transfers, is of course also a gateway to mass litigation. This is demonstrated by the current development of mass litigation, in which the legal basis has become the focus of judicial assessment.

Challenges

The main challenge for companies facing these mass proceedings is to defend themselves against a large number of similar claims, which may vary in terms of factual and legal basis, amount of damages sought and jurisdiction. Companies have to deal with complex and costly litigation processes that may involve multiple instances and appeals, as well as potential reputational damage and public scrutiny. In addition, companies have to deal with the evolving and inconsistent case law on GDPR compensation claims, which can affect the outcome and risk assessment of litigation. 

How to react to the recent developments of mass litigation? 

Ideally, companies should not wait until the first statement of claim is served before dealing with potential mass litigation. Instead, an initial assessment of the risk should be made earlier and prophylactically. Companies should review their internal processes for this purpose.

• Compliance.  Are your company's internal processes compliant with legal requirements, particularly GDPR?
• Security Measures.  What are the company's security measures against unauthorized external access? 
• Incident response.  Is there a strategy for dealing with cyber security incidents from a legal and PR perspective? Are employees trained on potential threats?
• Technical assistance: Should mass litigation actually occur, it should be examined whether technical support could be used to deal with the incoming complaints and enquiries.

Conclusion

GDPR mass proceedings are a growing phenomenon in Germany that poses significant legal and practical challenges for companies that process personal data. The legal framework and the case law on this topic are still developing and uncertain, and may change in the light of new legislation or jurisprudence. Therefore, companies should be aware of the potential risks and costs of these claims, and take appropriate measures to prevent and respond to them, such as ensuring compliance with the GDPR, monitoring the legal developments, and seeking expert advice.

Over the next few weeks and months, we will also be looking more closely at the legal requirements of Art. 82 GDPR. Stay tuned!

                                                                               *****

Takeaways:

• Mass litigation is a common legal challenge for companies that process personal data in Germany, especially in the context of GDPR violations. 
• Mass litigation is usually initiated and conducted by legal tech companies and consumer law firms that use online platforms and social media campaigns to attract and register potential plaintiffs. 
• Mass litigation poses significant legal and practical challenges for companies, such as complex and costly litigation processes, inconsistent and evolving case law, and potential reputational damage and public scrutiny. 
• Companies should take proactive measures to prevent and respond to mass litigation, such as ensuring compliance with the GDPR, monitoring the legal developments, and seeking expert advice and technical support.