On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under […]
Class actions are commonplace in the United States but relatively rare in Europe. The European Union wants to change that, by facilitating class actions for mass privacy and data breaches.
The General Data Protection Regulation entered into force on 25 May 2018. In light of the urgency to adapt Law no. 78-17 dated 6 January 1978 to the new European Union law, the French Government has initiated an accelerated procedure. This procedure led to the adoption in final reading by the French National Assembly of the bill on personal data protection on 14 May 2018. However, some French Senators lodged a constitutional complaint against the said law on 16 May 2018.
In a move counter to the trending precedent in data breach litigation, the U. S. Court of Appeals for the Seventh Circuit ruled on July 20 that data breach plaintiffs whose personal information was potentially exposed in a confirmed hacking breach of a major retailer’s network alleged enough risk of harm to meet the standing requirements of Article III of the U.S. Constitution. Plaintiffs’ lawyers will herald this decision, but standing is only the first of many hurdles data breach plaintiffs must cross to proceed to the merits in data breach litigation.
A recent federal court opinion raises concerns that privacy cases alleging violations of a standard user license agreement may be susceptible to class certification. Last week, the U.S. District Court for the Northern District of Illinois certified a class in a consumer privacy lawsuit against comScore, Inc. Plaintiffs allege that comScore exceeded the scope of the […]
The trend towards dismissal for lack of standing in privacy cases where no concrete harm is alleged continues. On a motion to dismiss, a group of consolidated privacy lawsuits against Apple and others in the Northern District of California have been dismissed for lack of standing due to the absence of any allegation of concrete injury. The court rejected attempts to invent new damage theories and while leave to re-file was granted, the court made clear the high standards of pleading required for standing and also highlighted the other pleading defects in the case that would be disabling were the plaintiffs to try again.
The Ninth Circuit recently reversed and remanded a district court denial of class certification in a FACTA case, making it easier for class certification even where there was disproportionality between the potential liability and the actual harm suffered, where the potential damages were huge and where defendant engaged in good faith compliance.
“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?” That is the question a federal district judge in Maine has put to the Maine Supreme Court in the data security breach litigation involiving Hannaford Brothers. “If the Maine Law Court’s answer to the certified question on the cognizable harm issue favors the plaintiffs, the plaintiffs will have both a negligence claim and an implied contract claim.” Such a development could have a profound impact on the vulnerability of companies experiencing data security breaches to civil claims, something they so far largely have avoided.