The GDPR’s Influence on Class and Collective Proceedings
When thinking about class action lawsuits, most people envision legal proceedings occurring in the United States. However, class and collective proceedings modeled after those in the U.S. are becoming increasingly popular abroad – specifically in the U.K. and European Union (EU). Other countries with rising class and collective proceedings are turning to the U.S. for guidance on how to navigate this lengthy and often complicated process. Since class actions are a well-established proceeding in the States, the logistics around administering cases like these are fully developed and perfected by US-based settlement administration firms and their law firm partners. That expertise is critical to the success of this emerging process in the U.K. and EU. Yet, when considering best practices for these proceedings abroad, it is critical to factor in how the General Data Protection Regulation (GDPR) affects the process. Specifically, law firms and their administrative partners should be aware of EU-specific requirements around collection of data in relation to management of these proceedings.
Keeping Consent at the Forefront
Best practices for lawyers handling proceedings that fall under the GDPR’s purview will revolve around consent. It is critical to take caution when creating a centralized place to disseminate information to a class. In the States, there is generally a dedicated website that provides information about the case, helps increase awareness of a collective claim, and can collect data. In the EU and U.K., creating this website would make the administrator a data processor and the firm for which the data is being collected the data controller. Anyone providing their contact information on the site would be a data subject. Since this would constitute data processing under the GDPR, certain rights, responsibilities, and disclosures come into play.
Another major consideration is what to do when a data subject requests access to their information or withdraws consent, both of which are key rights under the GDPR. If consent is withdrawn, the best practice would be to ensure data is deleted from all locations in which it is stored. The process for this should be clear and memorialized. Additionally, both the processor and controller need to be aware of the process, since both entities will need to comply with the request. Internal policies about data subject access requests should include who responds to them, appropriate timeframes, what mechanisms to implement for data deletion, and any other information pertinent to handling these requests in a manner consistent with GDPR compliance obligations.
Standard Contractual Clauses
Besides the consent factor, a recent development on cross-border data transfers between the U.S. and the U.K. or EU also influences class proceedings. Before July 2020, these countries could transfer data under Privacy Shield frameworks; however, that has now been deemed an unsafe mechanism. As such, a law firm using a US-based administrator on a collective proceeding in the EU or U.K. should now utilize the appropriate standard contractual clause with that vendor to ensure the protection of the data being transferred. The European Commission issues these clauses, which declare that there are sufficient privacy safeguards on data transferred to another country. Without this, there could be GDPR implications that halt or delay the collective proceeding.
Considerations for Avoiding GDPR Violations
For more information on this topic, please view the full article written by Epiq’s Lauren McGeever and Loree Kovach.