When thinking about class action lawsuits, most people envision legal proceedings occurring in the United States. However, class and collective proceedings modeled after those in the U.S. are becoming increasingly popular abroad – specifically in the U.K. and European Union (EU). Other countries with rising class and collective proceedings are turning to the U.S. for guidance on how to navigate this lengthy and often complicated process. Since class actions are a well-established proceeding in the States, the logistics around administering cases like these are fully developed and perfected by US-based settlement administration firms and their law firm partners. That expertise is critical to the success of this emerging process in the U.K. and EU. Yet, when considering best practices for these proceedings abroad, it is critical to factor in how the General Data Protection Regulation (GDPR) affects the process. Specifically, law firms and their administrative partners should be aware of EU-specific requirements around collection of data in relation to management of these proceedings.

The GDPR is groundbreaking legislation that heavily promotes consumer privacy. The law invokes several things businesses must do to protect the personal data and privacy of EU citizens. Class proceedings will undoubtedly require consideration of the stricter privacy regulations around data subject to the GDPR. Because of this, developing a GDPR-compliant privacy policy and compliant data collection practices for collective proceedings involves extra steps not necessary in U.S. cases. Lawyers in these countries should be mindful of these considerations before moving forward with a case to ensure compliance at every level. For the time being, the U.K. will continue to follow the GDPR, even during their Brexit transition period, as EU law continues to remain in effect until the transition is complete.

Keeping Consent at the Forefront

Best practices for lawyers handling these proceedings falling under the GDPR’s purview will revolve around consent. It is critical to take caution when creating a centralized place to disseminate information to a class. In the states there is generally a dedicated website that provides information about the case, helps increase awareness of a collective claim, and can collect data. In the EU and U.K., creating this website would make an administrator a data processor and the firm for which the data is being collected is the data controller. Anyone providing their contact information on the sites would be data subjects. Since this would constitute data processing under the GDPR certain rights, responsibilities, and disclosures come into play.

When gathering data for a collective action from a website, consent will be necessary. Under the GDPR, consent needs to be freely given, specific, informed, unambiguous, and the data subject must provide the consent by a clear affirmative action. Consent could be in the form of a privacy policy disclosure that requires the person to read it and check a box expressing agreement to the data collection and use for purposes related to the proceedings. The privacy policy should include what the data controller and processor plan to do with the collected information – like send out communication about the claim, use for reporting purposes to the court, or analyze class demographics. Additionally, if the data will be processed outside the EU for any reason, this should be clearly articulated in the policy.

Another major consideration includes what to do when a data subject requests access to their information or consent withdrawal, which are key rights under the GDPR. If there is withdrawn consent, the best practice would be to ensure data is deleted from all locations in which it is stored. The process for this should be clear and memorialized. Additionally, both the processor and controller need to be aware of the process since both entities will need to comply with the request. Internal policies about data subject access requests should include who responds to them, appropriate timeframes, what mechanisms to implement for data deletion, and any other information pertinent to handling these requests in a manner consistent with GDPR compliance obligations.

Standard Contractual Clauses

Besides the consent factor, a recent development on cross-border data transfers between the U.S. and the U.K. or EU also influences class proceedings. Before July 2020, these countries could transfer data under privacy shield frameworks, however, now that has been deemed an unsafe mechanism. As such, a law firm using a US-based administrator on a collective proceeding in the EU or U.K. should now utilize the appropriate standard contractual clause with that vendor to ensure the protection of the data being transferred. The European Commission issues these clauses, which declare that there are sufficient privacy safeguards on data transferred to another country. Without this, there could be GDPR implications that halt or delay the collective proceeding.

Considerations for Avoiding GDPR Violations

These are just a few of the key considerations that lawyers and administrators need to make when dealing with a class or collective proceeding subject to the GDPR. Given the increasingly global nature of these proceedings, the development of a single privacy policy and data collection practice that comply with the requirements in the most restrictive jurisdiction is a practical approach that avoids inadvertent missteps. It is better to be safe than sorry, especially since the European Commission has been vigorously cracking down on GDPR violations. Regarding the U.K., it is important to monitor what happens with Brexit. If the European Commission does not issue an adequacy finding about the U.K.’s privacy safeguards, prior to the end of the transition period, then data transfers from EU countries to the U.K. would be treated in a similar fashion to those from the EU to the U.S., even if the GDPR is ultimately converted into U.K. law. As a precaution and method to avoiding GDPR roadblocks, US-based administrators storing class or collective data in the U.K. should consider moving non-U.K. data to another EU location for storage purposes.

For more information on this topic, please view the full article written by Epiq’s Lauren McGeever and Loree Kovach.