Massive juridical claims following data leak also possible within EU


January 2019

Author: Saida Nhass
Translation from Dutch: Algina Grigragliunaite-Bouman and S. Nhass

Hotel chain Marriott announced last year that, due to a data leak, 500 million records had been compromised and had ended up in the wrong hands. This turned out to be one of the most impactful data leakage incidents to date. After a system hack that went on for at least 4 years, it emerged that the compromised records contained personal data such as passport details and financial records. The reaction to this announcement was swift and powerful: several ‘class actions’ against Marriott were announced.

In some EU countries it is also possible to initiate class actions. The question is not whether there will be a collective action after a data leak, but when.

Class Action within the EU

In the United States it has been possible to start a class action for years. In the Netherlands this has been regulated since 2005 by the “Wet Collectieve Afhandeling Massaclaims” (WCAM). The introduction of this law fits the Dutch ambition to be a pioneer in the field of class actions within the EU. Class actions have already been filed in the Netherlands, for example the much-discussed “woekerpolissen” case. In that case many consumers took out investment-based insurance policies, and it turned out that, due to alleged hidden charges in their investment products, many customers paid more to cover their investments than they earned from them.

In the rest of the EU, member states have been wrestling for years to develop a properly working system for collective actions. In France, for example, a class action can only be initiated in certain areas of the law, such as breaches involving personal data. The same applies in Belgium: class actions are also possible for breaches involving personal data. In Germany, however, the possibility of initiating a class action is still very limited. In this context it is interesting to note that since the GDPR entered into force only 442 data breaches were reported to the Belgian authorities, while in the Netherlands 21,000 data breaches were reported to the Dutch authorities in 2018.

Cross-border scandals such as Dieselgate show how important it is to enable class actions within the EU. The European Commission (EC) has therefore proposed making collective actions easier within the EU, especially when it comes to accountability for safeguarding personal data. The objective of these class actions is to protect the interests of the consumer. The EC stated firmly that the goal is not to harmonize the different national systems.

Organizational resilience and the dynamics around GDPR

The Dutch Data Protection Authority indicated, even before the GDPR took effect, that an organization that does not comply with the new law will not immediately receive the maximum fine of 4% of worldwide revenue. As a result, many organizations no longer feel the pressure to fully comply with the GDPR. Additionally, even eight months after the GDPR came into force, there are still companies that believe they hold little or no personal data, for example simply because they operate only in a business-to-business setting. Because of this false belief, they take none of the actions necessary to become GDPR compliant.

If you focus only on the GDPR, the risk of being non-compliant seems static and calculable. From a risk-impact perspective, however, this is false: new risks have already been introduced to the landscape. In the Netherlands there has not yet been a class action lawsuit following a data leak, but it is only a matter of time before a lawyer is asked to start a collective action on behalf of multiple victims. Another peril is reputational risk. Since the introduction of the Duty to Report Data Leakages, this subject has been in the headlines many times. It is important to take these risks seriously by anticipating them and taking control measures in time to prevent data leaks.

Does your organization already comply with the GDPR, or are additional measures needed? How do you prevent data leaks in the future? And, should it be needed, is a crisis management strategy readily available? We are ready to discuss all these topics with you.