In Spain, it is more appropriate to refer to 'collective actions', so how does this differ from 'class actions' and who can bring proceedings in respect of privacy and data breaches?
The Spanish Procedural Law regulates collective actions (the rough Spanish equivalent of 'class actions') and the impact that a judgment issued in a proceeding of this type may have on third parties who did not participate in it. Under certain circumstances, those third parties might be entitled to request the enforcement in their favour of a ruling that resolves the collective action's petitions and awards compensation to the "class" that has suffered the damage due to the breach of data protection rights.
That said, it should be noted that the term 'class action', frequently used in Anglo-Saxon systems, cannot be literally applied to the Spanish jurisdiction.
It is more appropriate to speak about 'collective actions', since the scope given by the Spanish legislation to 'class action' has been limited to consumers and users.
As a starting point, we have to distinguish between the different types of interests regulated under Spanish law depending on the possibility of identifying the affected parties where:
The right to initiate proceedings on behalf of collective interests is regulated under article 11.2 of the Spanish Procedural Law, under which three different categories are entitled to bring class actions:
1) As regards groups of affected people, in order to act validly and be entitled to bring a lawsuit as a group, they must necessarily be constituted by the majority of the affected parties (as per Article 6.1.7 of the Spanish Procedural Law).
Taking into account that the burden of proving this majority lies with the group of affected people, the Spanish judicial system has made available to them the possibility of starting separate judicial proceedings aimed at carrying out investigations concerning the total number of affected people.
In any case, the practical difficulties of bringing actions under this category are evident because of said requirement.
Legally constituted entities (that is, associations other than consumer and user associations or cooperatives) will also be entitled to bring actions on behalf of collective interests, as long as they have been duly constituted with the corporate purpose of protecting the interests and rights of their members and such rights are the ones that give rise to the claim.
2) As regards the most important category, consumer and user associations, which are governed by the General Law for the Protection of Consumers and Users, are entitled to bring actions regarding the defense of collective interests of consumers and users, as well as diffuse or vague interests.
As regards privacy and data breach cases, the association with legal entitlement to initiate legal actions regarding data protection rights would be one of the associations to which Article 80 of the GDPR refers and which has been authorised to act in Spain.
Once a judgment has been delivered by the court, the parties that did not take part in the proceedings will be able to enforce the judgment so long as they are able to prove to the court they meet the requirements to be deemed an affected party.
Once they are acknowledged by the court as an affected party, they will be able to request the enforcement of the judgment issued in the class action proceeding for their own benefit.
Unlike other jurisdictions, the Spanish legal system does not provide an 'opt out' option for those affected people who prefer not to be bound by the result of the class action, but advertising duties lie with the parties intending to bring class actions, so that other affected people are aware of the proceeding and have the opportunity to join ('opt in').
Even where a collective action has been brought, the affected parties that have not opted in and wish to bring their own lawsuit are entitled to do so separately, or they can wait until the collective action is resolved and then request the enforcement of the ruling for their benefit, provided they meet the criteria set out in the ruling for third parties to do so.
In our case, the criteria would refer to the circumstances in which it will be considered that the data protection rights of a specific individual have been breached. For example, if the medical data of a hospital have been leaked, the ruling would indicate that the people who were patients at the said hospital during a specific period of time would be able to benefit from the compensation established in the ruling, which might be graded according to how sensitive the leaked information was.
To learn more about data class actions in other jurisdictions, you can view our Data class actions: the era of mass data litigation guide, of which this article forms part.