A UK High Court judge has granted permission for a class-action style privacy lawsuit to proceed against TikTok over its handling of children’s data. The lawsuit was filed by a then 12-year-old girl who has been granted anonymity by the court to bring the claim that the social networking site is processing children’s data unlawfully.
The suit is seeking damages on behalf of millions of children for alleged abuse of their information — and if the legal action succeeds TikTok could be on the hook to pay billions of euros in compensation.
A similar compensation-seeking children’s data suit has also been filed against TikTok in the Netherlands.
Both class action lawsuits are depending on GDPR’s article 80.
The privacy officers of many larger companies and e-commerce platforms have had some sleepless nights thinking about the possible consequences of article 80 GDPR. Article 80 GDPR contains rules on the powers of non-profit entities active around the protection of data subjects’ rights and freedoms with regard to GDPR.
In the first place, article 80(1) GDPR gives those non-profits the right to act when they are directly mandated by a specific data subject. So a non-profit can lodge a complaint or file a court case concerning GDPR in the name of and on behalf of a specific person, when they can provide proof (e.g. a signed mandate) that the specific person asked the non-profit to do so. This, of course, is not what keeps privacy officers awake at night.
It is the next part that causes their concern. Article 80(2) GDPR contains an opening clause: Where provided for by Member State law, a non-profit has the right to lodge complaints or to file judicial remedies under GDPR independently of a data subject’s mandate, if the NPO considers that the rights of a data subject under the GDPR have been infringed as a result of the processing.
This, of course, opens the door for the dreaded class action lawsuits, and that is exactly what recently happened: two Courts from 2 different EU Member States granted permission for a GDPR related Class Action.
In a decision of 26.05.2021 The Commercial Court of Vienna ruled that legal actions by an Austrian consumer protection institution under the Austrian Consumer Protection Act may also be based on violations of the GDPR. And in its decision of 12.07.2021 the District Court of Amsterdam held that the Data Privacy Foundation, a non-profit organization in the Netherlands, could litigate in a Dutch court against Facebook on behalf of Dutch Facebook users, on the question of whether Facebook has a valid legal basis for its processing activities.
Both decisions made direct reference to article 80(2) and allowed the non-profits to act independent of a direct mandate and thus, hold class action proceedings.
Since then, we have seen class actions against Facebook, Tik Tok, Salesforce, Youtube… There is no doubt more will follow suit.
Let’s consider the fact that according to the EDPB all participants on an e-commerce platform are joint controllers. So if a retailer on the platform is in breach with GDPR, the platform operator can also be liable for the breach by this retailer.
If we combine this knowledge with the fact that GDPR related class actions are possible, it is easy to see why privacy officers are having sleepless nights.