Data protection litigation, particularly collective private enforcement (CPE), is escalating in the EU. Consumer associations and other interest groups are pursuing legal actions against Tech Giants like Facebook and Uber for GDPR violations. While private enforcement is gaining traction, there is a need to systematically map pathways to CPE and assess its effectiveness in providing strong judicial protection. This protection is perceived both as an independent entitlement under Article 47 ECFR and as an auxiliary means to safeguard other fundamental rights.

The development triggered by CPE shows how procedural and remedial safeguards are co-constitutive of primary rights and duties, requiring us to go beyond the enforcement debate to discuss how litigation influences the shaping of data protection law on the ground.

Additionally, the rise of CPE necessitates contextualizing data protection litigation within a comprehensive framework that includes the fundamental rights of various stakeholders—users, consumers, workers, and citizens, both online and offline. This holistic perspective allows us to analyze the significance of private litigation and collective private enforcement in upholding fundamental rights, preserving public values, and safeguarding general interests.

Against this background, Assessing Collective Private Parties' Litigation in the Economy of Data (APPLIED) has three main objectives:

1. Developing an inclusive overview of CPE application in data protection law across different European nations.
2. Identifying and analyzing obstacles that hinder effective CPE implementation.
3. Exploring CPE's broader implications on data protection rights, obligations, and wider interests.

The APPLIED project explores the role and effectiveness of collective private enforcement (CPE) of the GDPR in providing access to justice and counterbalancing the power of digital corporations. This research combines legal-doctrinal analysis with semi-structured interviews conducted with stakeholders from six jurisdictions: the Netherlands, Italy, Belgium, Austria, Germany, and France.

A) Desk Research

• The APPLIED team conducts a comparative analysis of litigation in six 'case-study' jurisdictions (France, Italy, Germany, Austria, Belgium, and the Netherlands) and the legal frameworks regulating it—both in its European and national dimensions.

  Regarding the national dimension, we look at the grounds and venues of collective action and the available remedies. Of particular importance are Article 80 GDPR on the representation of data subjects for the exercise of their rights under Articles 77-79 and 82, and the Representative Action Directive (2020/1828), which requires member states to have mechanisms allowing qualified entities to seek injunctive and redress measures before national courts or administrative authorities on behalf of groups of consumers, including for GDPR violations.

  On remedies, the right to compensation under Article 82 GDPR is particularly important and is currently the subject of a series of interpretative rulings by the ECJ.

  For the comparative analysis, we examine cases brought in the same member states against data protection law infringements, focusing on the legal framework, procedural venue, representation, type of infringement, requested outcomes, and actual outcomes

B) Interviews

• We identified 5 key stakeholder groups: consumer/data rights organizations, qualified entities, claimant lawyers, defendant lawyers, and funders. From each group, one representative per jurisdiction is invited to participate. Participants receive a summary of our provisional findings and an interview template beforehand, ensuring informed and focused discussions.

  Interviews are conducted online, lasting up to 60 minutes, and are recorded with consent. The interview questions, both closed and open-ended, cover the participant’s role and experience, challenges encountered, the effectiveness of CPE mechanisms, impact on access to justice, future expectations, and recommendations.

  Data from interviews is securely stored and accessed only by project researchers, with deletion scheduled after 10 years. Confidentiality is strictly maintained; personal quotes are used only with explicit consent, and participants are anonymized unless they agree to be identified. The interview data informs our analysis but is not directly published.

  Approved by the Ethics Committee of the Faculty of Law at the University of Amsterdam, the study ensures voluntary participation and the right to withdraw consent at any time. The research avoids the involuntary disclosure of personal or sensitive information.

Country Reports

Click here for the preliminary results of our comparative legal analysis, which focuses on six selected jurisdictions: the Netherlands, Italy, Germany, Austria, Belgium, and France. 

Project Publications

Forthcoming

Project Presentation

1. E-Law Conference Leiden
2. ICON-S Conference 

• Episcopo, F. (2024). "UI v. Österreichische Post – A First Brick in the Wall for a European Interpretation of Art. 82 GDPR." Journal of European Consumer and Market Law: 87-96.

• Van Duin, J.M.L. et al. (2024), “Immateriële schadevergoeding in collectieve acties onder de AVG: terug naar de kern’, Nederlands Tijdschrift voor Burgerlijk Recht 2024/18: 136-146.

• Date and time: Wednesday, 23 October 2023 13:30 – 18:00

• Venue: Amsterdam Law School (Moot Court Room, 3.15)

• Convenors: Francesca Episcopo & Anna van Duin

Central question and themes

The APPLIED project aims to explore the evolving landscape of data protection litigation within the EU, focusing on the effectiveness of collective private enforcement (CPE). The central question is how CPE lives up to its purposes allowing access to justice and effective judicial protection. Which actors/factors are shaping data protection and collective redress systems? To what extent does the existing legal framework enable or constrain the realization of the interests involved? What are the main obstacles, from both a procedural and a substantive point of view to CPE living up to its full potential? Through a combination of desk research and a series of interviews with stakeholders, the project seeks insights into collective data protection litigation experiences, practices, obstacles, and strategies from various perspectives. It evaluates existing frameworks and potential improvements at the EU level and across six jurisdictions: the Netherlands, Italy, Belgium, Austria, Germany, and France.

The project concludes with an expert workshop to discuss four core themes:

I. European collective redress and representation, examining the representation of data subjects under Art. 80 GDPR and (national implementations of) the RAD

II. Strategic litigation and digital rights, highlighting the role of collective action in protecting digital rights more broadly and addressing unlawful data processing by digital corporations

III. Data and platform regulation, analysing the interplay between the GDPR and data law in the context of counter-balancing digital corporations’ economic and normative powers

IV. Remedies and funding in European data protection law, delving into the available remedies and financial mechanisms, including compensation under Art. 82 GDPR and litigation funding

For each theme, three speakers will be asked to comment on the project’s findings. The workshop’s goal is to connect the relevant debates in the field of collective redress and data protection law, as well as explore how they relate to issues of private enforcement in the emerging fields of platform and data law. To achieve this, we will bring together academics working in these fields to reflect on the current state and future of collective data protection litigation in the EU.