At the end of the year, the German Federal Court of Justice (BGH) delivered one of the most significant rulings of 2024 on Art. 82 GDPR. The judges' remarks on "loss of control" were particularly unexpected by some and have already been extensively discussed and criticized in legal circles. While the legal implications for various mass proceedings have already been discussed in several articles (you can find our podcast on the judgment here), the impact on the business model of GDPR mass litigation has been somewhat overlooked. There are chances that this ruling marks the preliminary end of mass proceedings as we have known them in the past. However, this does not mean that the phenomenon of GDPR lawsuits will disappear completely. Instead, it is more likely that the involved actors will adapt their business models. We therefore dare to look into the future and present you with the current business model as well as possible procedural claim designs.

Current Situation: 

Present situation. Until now GDPR mass litigation was mostly initiated by consumer law firms which previously advertised potential compensation claims up to 5000 EUR. But if an affected person really wanted to take action against the company for the alleged violations, in most cases the consumer law firms indicated that a lawsuit could only be pursued with legal protection insurance. Legal protection insurers then provided coverage for the lawsuits of the affected individuals up to 5,000 EUR for damages as well as additional claims (e.g. injunctive relief). 

The Ruling: The ruling has made it clear that compensation claims of 5,000 EUR are highly unrealistic. Consumer law firms would now have to claim amounts ranging from 10 to 200 EUR, and legal protection insurers can reject higher compensation claims.

BUT: A significant feature of legal protection insurance in Germany is that most policies have a deductible of around 100 to 200 EUR. With a potential gain of 100 EUR, the cost-benefit ratio is disproportionate. From a risk perspective, it no longer makes sense for plaintiffs to sue. Additionally, people are less willing to litigate if the potential sum is only 100 EUR and not 5,000 EUR because of course, litigation also means effort and stress for the plaintiffs.

As a result, the previous mass litigation model is practically no longer feasible.

Future: 

However, this is unlikely to be the end of GDPR litigation. Consumer law firms are therefore less likely to abandon their business model than to adapt it. Here are four possible options:

I. Factoring:

Some providers are bundling GDPR claims through factoring. So there are already players in the market who want to take this concept further. In this case a (debt collection) company buys the compensation (Art. 82 GDPR) and possibly data access claims (Art. 15 GDPR) from allegedly affected individuals for a certain amount (e.g. 25 EUR). The factoring providers then bundle these claims and asserts the claims with a consumer law firm in one major lawsuit.

II. Representative Action:

The issue that claiming small amounts is often economically unfeasible due to legal costs has been known for some time in Europe and in Germany. The European legislator has created a new instrument for this through the class action directive. The representative actions ("Abhilfeklage") that are now in force in Germany allow qualified entities to file a lawsuit and directly enforce possible judgments for the claimants.

III. Success Fee:

It is conceivable that consumer law firms could set up their processes so cost-effectively that they agree on a success fee with plaintiffs or that litigation funders cover the litigation costs in exchange for a share of the later compensation. This would allow plaintiffs to sue without risk, and legal protection insurers would not be needed.

IV. Model Declaratory Actions:

Another option could be the model declaratory action ("Musterfeststellungsklage"), which was created to handle the diesel cases. Since GDPR is often referred to as "the new diesel," this would be a like “back to the roots”.

A German consumer protection agency recently filed a model declaratory action for an alleged GDPR violation. 

Challenges:

• A model declaratory action can only provide binding clarification of certain factual or legal issues. For example, it could clarify whether a particular processing was lawful.
• However, unlike a representative action, the judgement cannot be enforced.
• Instead, each individual user would have to prove and claim his or her own damages in a separate lawsuit, but the risk would be significantly reduced by the established violation. 

Conclusion:

As seen above, one thing is certain: the mass proceedings of 2025 will be different from those of recent years. We doubt that the phenomenon of GDPR mass litigation will completely end. It is more likely that the business model will continue to evolve. Ultimately, it will also depend on what the European Court of Justice decides regarding Article 82 GDPR in the coming years.

Moreover, it is only a matter of time before the next legal area, after Diesel, GDPR, or antitrust damages, triggers the next mass litigation area.

Last but not least, our two hot-takes:

1. Companies should look to Luxemburg for the decision C-295/23 on the ban on third-party ownership of law firms. If the ban is lifted, it will be interesting to see how private equity and venture capital providers will influence the market environment, particularly that of consumer law firms or legal tech businesses (at the time of publication, the judgment had not yet been published).
    
2. So far, only platform operators have been involved as defendants in GDPR mass litigation. We consider it quite possible that, due to the constant hunger for data, scrapers themselves or AI companies that use scraped data could become the subject of such proceedings in the future.