An Austrian privacy advocacy organization gained new powers to bring collective actions against companies in the European Union, threatening to force US digital platforms to reshape how they handle personal data in the bloc.
Noyb—European Center for Digital Rights, led by privacy activist Max Schrems, on Dec. 2 secured “qualified entity” status in Austria and Ireland under a 2020 EU directive that allows approved organizations to represent the collective interests of consumers in court actions against companies violating EU laws, including the landmark General Data Protection Regulation. The directive has yet to spark significant litigation, partly because some countries hadn’t adopted the directive until earlier this year.
But with the rule now approved across nearly all 27 countries, entities like Noyb are free to take Europe into an era of class action litigation.
The designation could further bolster privacy enforcement in the EU, where regulators have already imposed more than $760 million in fines this year against US companies including
What sets it apart is its ability to wield resources most other qualified groups lack, said Stephan Zimprich, partner in Fieldfisher’s Hamburg office where he advises on data protection and competition law.
“Max Schrems’ organization is the first to combine both: They have the funds and they have the reach. They will be able to farm claimants,” said Zimprich. “That makes it actually a game changer.”
Success for Noyb could shape US platforms’ approach to data collection in Europe—especially those the group has already probed, like
“You’ve got an organization that’s extremely committed to privacy rights. They have now been given another sort of arrow that they can put in their quiver—and it’s a big one,” said Philip Yannella, partner at Blank Rome LLP and co-chair of the firm’s privacy, security, and data protection practice.
New Era
Even headline-grabbing fines haven’t deterred companies’ unlawful behavior, prompting criticism about the impact of EU data-privacy regulators’ GDPR enforcement.
The Representative Actions Directive seeks to bridge that gap by allowing qualified organizations to seek injunctive measures, in addition to monetary redress, on behalf of consumers. For Noyb, this means the ability to demand companies halt practices such as tracking users without valid consent, selling personal data without consent or other legal basis, transferring data to jurisdictions without adequate data protections, and using dark patterns—such as manipulative designs—to unlawfully gain consent.
Combining regulatory and private enforcement could have a broader impact on platforms’ data collection practices in the EU. As regulators continue to investigate companies’ wrongdoings, the directive could fuel an uptick in follow-on actions from groups like Noyb.
“You could have that kind of compounding the loss that companies are suffering,” said Michael Byrne, partner in Matheson’s Dublin office. “Not only do they have to pay whatever fine they’ve been ordered to pay by the national regulator, you will then have the possibility of this wave of consumer actions following on after that.”
While collective actions may not generate the same monetary impact as GDPR fines, the threat of injunctions could shape changes to companies’ business models.
Collective redress in the EU is similar to the US concept of class action, and now “needs to be somewhere at the top of companies’ concerns when complying with multiple digital laws in Europe,” said Alice Portnoy, associate in Alston & Bird’s Brussels office and member of the privacy, cyber, and data strategy team.
The directive also applies to the EU Digital Services and Markets Acts, which regulate online platforms operating in the EU to ensure fair business practices, curb targeted advertising, and remove harmful content.
Max Schrems and Noyb didn’t respond to requests for comment.
One-Soldier Army
Noyb has already proven to be an influential force in privacy enforcement. Schrems, its founder, challenged two previous data-transfer agreements between the US and the EU, both of which were thrown out in the resulting decisions by the EU’s highest court.
In 2024 alone, Noyb filed 36 complaints asking EU data protection regulators to investigate or take action. Most of those complaints were against US platforms, including 23 against Meta, Twitter, and Microsoft.
But the EU’s framework for cross-border collective actions remains in its early stages. Whether the effort will be successful, and if more privacy-focused qualified entities will emerge to replicate and support Noyb remains to be seen.
The directive lists more than 60 consumer protection laws available for collective redress, which means consumer groups will be juggling a host of priorities. This is what makes Noyb’s designation significant for consumer data protections, said Carlijn van Rest, partner in the Scott+Scott’s Amsterdam office, where she focuses on collective actions.
“It’s a very positive development, in the sense that Noyb is a really well-known, very well-respected privacy rights organization, so for them also now to be able to start their own collective actions will be a positive development, at least for privacy rights,” said van Rest.
“Will it be groundbreaking? I don’t know,” she added.
Looking ahead, Noyb has already vowed to bring its first actions in 2025.
The organization will likely continue to be “focused on high-risk data processing and larger data breaches” and on “the same kinds of companies that they typically file complaints against with data protection authorities,” Yannella said. “If you’re one of those companies that already faces a lot of risk in the EU, then this is something else to worry about.”
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.