New Privacy Directive puts collective action right under pressure

Today, Privacy First Foundation sent the letter below to the House of Representatives:

Honourable MPs,

Under the General Consultation on 7 March on review of EU personal data protection legislation Privacy First hereby draws your attention to an important aspect that as yet does not seem to have received public attention: the proposed remedies for the protection of personal data in a collective sense. We are referring to the current draft Privacydirective, art. 53(1) juncto art. 50(2), last sentence: "The organisation or association must be duly mandated by the data subject(s)."[1] This condition is missing in parallel provisions of the draft Privacyregulation and will therefore only apply in the sphere of police in justice. The underlying motivation of the European Commission is as yet unknown to Privacy First.

In the Dutch translation of the draft guideline the relevant provision reads as follows: "The organisation or association must be duly authorised to do so by the person(s) concerned." This provision constitutes a blocking of access to justice for foundations and associations which under current Dutch law are in the public interest privacy lawsuits against the government (including the police and judiciary) without being authorised to do so by individual citizens in advance. In this sense, the provision raises an illegal barrier against taking so-called 'public interest actions' to protect everyone's privacy.

Even if this provision were to be read 'merely' as a so-called 'representativeness requirement', it is contrary to collective action law as it has applied in the Netherlands since 1994; see Art. 3:305a BW and Art. 1:2(3) Awb (general interest action) plus related legislative history and case law. When these Dutch articles of law were drafted, no representativeness requirement was expressly imposed on the foundation or association in question. In early 2010, the Supreme Court confirmed this as follows:

"As can be seen from the legislative history (...) the legislator deliberately refrained from including representativeness of the claimant legal entity as a condition in the law, so that it cannot be a requirement that the collective action can count on the support of a substantial part of the eligible stakeholders."[2]

In this context, Privacy First also refers to the current bill on collective settlement of mass damages: a representativeness requirement previously included in this bill was recently removed following justified criticism by the Council of State and the Dutch Association for the Judiciary.[3]

During the General discussion on 15 September 2011 State Secretary Teeven additionally stated the following:

"To the question of whether we will regulate a collective complaint right for those involved, I can answer that there is already a possibility of bundling complaints. Article 3:305a of the Civil Code has that possibility. A specific possibility for privacy complaints would be better regulated at European level. Initiatives are being taken to that end. We will discuss this at a future meeting of the European Council and I still want to take those developments on board. Currently, such a possibility already exists, but you may wonder whether it is sufficiently effective.”[4]

However, the proposed provision in the draft directive actually makes the collective action right less effective, because depending on prior authorisation by individual citizens. General-interest actions for the protection of everyone's right to privacy would (could) become a thing of the past as a result.

Finally, it should be noted here that the collective action right previously existed in (inter alia) Section 10 of the former Personal Records Act (Wpr):

"On this important point for practice, enforcement of the law has not been left exclusively to the individual registrant. According to Section 10, legal entities which, by virtue of their objectives and according to their actual activities, represent the interests of registrants are also entitled to bring an action before the civil courts. This may also include a legal entity that ideally represents the interest of privacy protection. The field of social forces can thus influence the enforcement of the law."[5]

With the introduction of Art. 3:305a of the Civil Code, this provision was dropped from the Wpr. A similar provision was subsequently not included in the Personal Data Protection Act (Wbp), as it was considered superfluous due to the generally effective Art 3:305a BW and Art 1:2 paragraph 3 Awb.

How does State Secretary Teeven reconcile the above observations? And was the relevant passage in Article 50(2) draft Directive 'inserted' by the Netherlands or ended up there on the initiative of the European Commission or other EU Member States? If so, which Member States? Does the Dutch government recognise that this aspect of the draft Directive is out of step with Dutch law and causes a deterioration in collective legal protection (perhaps also in other EU Member States)? If so, is the Dutch government willing to make this a negotiating point in Brussels and have this passage deleted or revised?
(…)
Sincerely,

Privacy First Foundation

———————————
[1] Proposal for an EU Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, COM(2012) 10 (25 January 2012), Article 50(2).

[2] Supreme Court 26 February 2010, LJN: BK5756, para 4.2; JBPr 2010/30, m.nt. Wijers; NJ 2011/473, cf. Snijders.

[3] See Parliamentary Papers II 2011/12, 33126, no. 3, p. 6.

[4] Parliamentary Papers II 2011/12, 32761, no. 2, p. 20 (emphasis SPF).

[5] Parliamentary Papers II 1984/85, 19095, no. 3 (MoT Wpr), p. 32. See also ibid., p. 39.