Privacy Rights Group NOYB Now Qualified To Bring Collective Redress Actions

On December 2, 2024, NOYB – European Center for Digital Rights was approved as a “qualified entity” (QE) to bring representative actions in European courts for data protection breaches. Representative actions are the European equivalent of a U.S. class action. Unlike in the United States, however, collective redress in the European Union (EU) must be brought by non-profit organizations approved to bring enforcement actions.

Under the EU Representative Action Directive ((EU) 2020/1828) (Directive), QEs must have a “non-profit-making character.” QEs approved under the Directive are authorized to bring representative actions before European national courts or administrative authorities on behalf of consumers to seek injunctive measures, redress measures, or both. Injunctive measures cease or prohibit businesses’ unlawful actions (for instance, violations of the General Data Protection Regulation (GDPR)), while redress measures include remedies such as compensation, price reduction, contract termination, or reimbursement of price paid, and could include, for example, compensation claims where a business has unlawfully processed individuals’ personal data. Representative actions may be domestic, initiated by a QE in the same European country where the QE is established, or cross-border and initiated in a different EU Member State to that of the QE.

NOYB is a non-profit organization based in Vienna which was co-founded by privacy activist Max Schrems in 2017. Schrems challenged the U.S.-EU Safe Harbor Framework and the EU-U.S. Privacy Shield Framework, and was successful in having both declared invalid by the Court of Justice of the European Union in 2015 and 2020, respectively. NOYB was approved as a QE in Austria, the country of its main establishment, and Ireland, which is a country of interest given the large number of headquarters of international tech companies in its territory. However, as a QE, NOYB can bring actions in any EU Member State.

NOYB intends to bring injunctions against companies that breach the GDPR in the EU and to bring representative actions where thousands, if not millions, of users can seek damages if their personal data has been used unlawfully. Activities that are likely to be the subject of a representative action for injunctive measures include, for example, “the tracking of users without valid consent, the use of ‘dark patterns’ to unlawfully gain consent, the sale of personal data without a legal basis, absurd wording in privacy policies or the transfer of personal data to a jurisdiction that does not provide adequate protection.” Regarding redress measures, NOYB states that, “[w]hile non-material damages can be rather low and only amount to €100 to €1,000 per user, this can quickly add up if a company has violated the rights of millions of users.” NOYB has stated that it will bring its first representative actions in 2025.

Please contact the author of this post or your principal Arnold & Porter contact if you have any questions about NOYB or EU privacy compliance more generally.

© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.