France’s Law on the “Modernization of the judiciary in the 21st century”, adopted on November 18, 2016, creates a new general framework for class actions in France and a specific class action right for violations of the French data protection law.
Although the introduction of a data protection class action represents a ground-breaking development in French data protection law, the conditions for bringing a class action are restrictive, and the permissible remedies are limited.
After the introduction in 2014 of consumer class actions by the so-called “Hamon law”, and health class actions earlier this year by the so-called “Touraine law”, the new law on the “Modernization of the judiciary in the 21st century” (the “Law”) expands the scope of the class action mechanism to data protection violations (as well as discrimination and environmental law violations).
The Law lays down the legal and procedural framework for all class actions in France (except for consumer class actions, which remain subject to the Hamon law), and creates a new Article 43 ter in the French data protection law, with specific provisions regarding data protection class actions.
Who can file a class action? Data protection class actions may only be brought by:
- Associations that have been duly registered for at least 5 years and whose statutory purpose is the protection of privacy and personal data;
- Consumer protection associations recognized at national level and approved in accordance with Article L. 811-1 of the French Consumer Code, when the personal data processing affects consumers; and
- Trade unions representing employees, civil servants or judges, when the processing affects the interests of those persons.
In what circumstances can a class action be filed? When several individuals who are in a similar situation suffer a loss resulting from a violation of the French data protection law committed by a data controller or a data processor, a class action may be filed before a civil or administrative court having jurisdiction.
The substantive scope of the class action is very broad as it concerns any violation of the French data protection law.
It is also interesting to note that French data protection law places nearly all data protection obligations on the controller; but under the Law, class actions may also be filed against the processor. Direct processor liability is however consistent with Article 28 of the GDPR, which enshrines a principle of data processor liability in specific circumstances.
Finally, the Law is ambiguous as to whether the plaintiff must have received / collected complaints from several victims in order to launch a class action. Indeed, whereas the new Article 43 ter of the data protection law remains silent on this issue, Article 62 of the Law, which applies subject to Article 43 ter, provides that a class action may be exercised “in view of the individual cases presented by the plaintiff”.
For what purpose? Unlike other class actions, data protection class actions can only seek injunctive relief; the class action cannot be used to claim damages. While this restriction could conceivably be explained by the fact that it may be difficult to prove individual damages, it should be noted that Article 80 of the GDPR allows Member States to provide that certain bodies, organizations and associations have the right to exercise a data subject’s rights to an effective judicial remedy, including financial compensation.
The fact that class action litigants cannot claim damages will undoubtedly limit the impact of the Law, although unwelcome publicity and harm to the defendant’s reputation can certainly still ensue from the filing of a class action, let alone an injunctive order.
How? The action must be filed in accordance with the rules set forth in the French Civil Procedure Code or the French Administrative Justice Code, as applicable. Pursuant to Article 64 of the Law, the plaintiff must, prior to introducing a class action, send a formal notice to the defendant. The class action cannot be filed before the expiration of a 4 month period after the receipt of the formal notice, and in such case the judge may automatically declare the action inadmissible. We note that this notice period is longer than the ones usually given by the French data protection authority (the “CNIL”) when issuing cease and desists (see e.g., recent cease and desists against companies like Facebook, Microsoft or CDiscount granting three months to comply; other cease and desists, such as the one against W.M.G (Gossip app), have given controllers only one month to comply).
 Decision No. 2016-007 of January 26, 2016
 Decision No. 2016-058 of June 30, 2016
 Decision No. 2016-083 of September 2016
 Decision No. 2016-079 of September 26, 2016