The GDPR should have strong and effective enforcement mechanisms. However, in practice, these mechanisms are lacking, as Data Protection Authorities (DPAs) are underfunded and undermanned. Collective claims could be a solution. By pooling resources, individually insignificant damages (scattered damages) can be claimed in an economically sensible way. To facilitate collective claims, in December 2020 the European Union (EU) adopted a new directive containing a union-wide framework for collective claims. This paper explores whether collective claims are a feasible enforcement mechanism for data protection violations given the concept of damages under article 82 GDPR. So, it will be explained what types of damages can be claimed collectively. The current concept of damages under article 82 GDPR is analysed at the EU level, taking into account the principle of autonomy, case law, and literature. This will show the boundaries within which Member States must operate when awarding damages under the GDPR. The paper explores the Dutch jurisdiction, to illustrate the interchange between EU law and Member state law. The Dutch jurisdiction is of special interest here, first, because Dutch courts have recently been applying the GDPR to award damages of up to € 2,500 per case. Second, because the Dutch framework for collective damages was renewed in 2020, which contains many similarities with the Collective Claim Directive. Currently, several collective GDPR claims have been filed in the Netherlands under the new framework, with a collective worth of several billion euros. A 'perfect storm' is forming due to the combination of stronger collective claims frameworks and a tentative trend to award non-pecuniary GDPR damages on an individual level. GDPR non-compliance can thus lead to multi-billion claims that scale with the number of victims. Such claims can dwarf even the heftiest GDPR fines DPAs can impose. Collective GDPR claims have the potential to become a bright scenario for data subjects and daring legal entrepreneurs, and to result in a daunting future for data controllers and processors, who face scalable liability in a world of scalable business models. However, all hinges on the concept of damages.
Keywords: GDPR | Enforcement Deficit | The Netherlands | Collective Claim Directive