Italy – would the current collective redress mechanisms protect against data breaches?

Data protection rights are not listed among those fundamental consumer rights that the Consumer Code protects, but certain data breaches and violations of the GDPR could amount to unfair commercial practices and, as such, fall within the scope of application of the collective redress mechanisms.

Italian law provides for two different collective redress mechanisms: injunctive redress and compensatory redress (class action).

Both mechanisms are open for the protection of the consumers' rights and interests set forth by the Italian Consumer Code, which consolidates provisions implementing, inter alia, several consumer-oriented EU Directives.

Although data protection rights are not listed among those fundamental consumer rights that the Consumer Code protects, certain data breaches and violations of the GDPR could amount to unfair commercial practices and, as such, fall within the scope of application of the collective redress mechanisms described below.

Injunctive collective redress

Consumer associations that are considered to adequately represent consumers on a national scale and are duly enrolled in the relevant national register may act for the protection of consumers' collective interests by requesting the court to take the following actions:

  1. prohibit conduct that may harm consumers' and users' interests;
  2. take any appropriate action capable of correcting or eliminating the damage caused by the ascertained violations; and
  3. order that the decision be published in local and national newspapers, should this be helpful to correct or eliminate the damage caused.

In cases of justified reasons for urgency, this type of claim may be heard by the court with the same summary procedure as that provided by the Italian Code of Civil Procedure for interim measures.

When declaring the proceedings closed, the court sets a deadline for the losing defendant to comply with the decision and can also order the payment of a fixed amount for each day's delay in complying.

Only authorised consumer protection entities listed in the above central registry have standing to sue in these proceedings.

The single consumer or user lacks autonomous standing to sue for injunctive redress of collective consumer interests, while retaining standing to sue in a parallel action in their own individual interest.

The Italian Consumer Code makes no reference to the availability of such a mechanism for data breaches.

Consequently, it might be inferred that no collective injunctive redress mechanism would be available to consumers who suffered violation of collective interests under the Italian data protection law currently in force or under the GDPR with, possibly, the exception of repeated and unsolicited offers via telephone, fax, email or other means of communication, which could be considered as aggressive commercial practices.

This conduct could fall within the scope of an injunction only if considered to be an unfair practice.

Compensatory collective redress

By means of a class action, claimants can seek compensation or merely seek a declaratory judgment that the defendant is liable without seeking compensation.

The causes of action for a class action claim are the enforcement of "individual homogeneous rights of consumers and users" and "collective interests" with reference to the following rights:

  1. contractual rights of a group of consumers/users in similar or the same circumstances vis-à-vis the same company (such as in case of standard agreements);
  2. similar or the same rights of end consumers and final users of a product vis-à-vis the manufacturer (irrespective of whether or not there is a direct contractual relationship between them and the producer);
  3. similar or the same rights of consumers in respect of unfair business practices or anti-competitive conduct.

Standing to sue lies only with the individual member of a class.

However, consumer associations can be mandated by consumers – by means of powers of attorney – to file class action claims before the court.

Although the Italian Consumer Code does not provide any mandatory indication in this respect, consumer associations bringing class actions are generally selected from among certain registered consumer associations (i.e. those consumer associations entitled to file injunctive actions).

The individual class member may also bring the action via an association of which they are a member.

In Italy, the procedure requires a preliminary admissibility check to be carried out by the court in order to assess whether requirements for a collective action are met.

Only once the admissibility stage has been cleared may the court hear (and rule on) the merits of the case.

For the case to be admissible, the relevant requirements are the following:

  1. non-manifest groundlessness of the claim;
  2. no conflict of interests (e.g. between class members or between the consumer association bringing the action and the complainant);
  3. homogeneity of the individual rights claimed;
  4. lead claimant's prima facie ability to adequately pursue the interest of the class (e.g. sufficient economic means to pursue the litigation).

The court evaluates whether the above requirements are met and rules on the admissibility of the collective action after the first hearing.

Furthermore, because of the limited criteria under which a class action may be declared admissible, the Italian class action mechanism has proven neither appealing nor very successful.

Italian law sets forth an opt-in system.

By the order admitting the class action, the court defines, among other things, the eligibility criteria for the applicants to be included in the relevant class of consumers bringing the action.

Once the class action is declared admissible, the claim is publicly circulated and class members may opt in within a peremptory deadline set by the court. No appointment of an attorney is required in order to opt in.

By opting in, the person joining the class action (applicant) waives their right to bring any individual claim for compensation or redress based on the same cause of action.

The court's judgment is binding on both the plaintiff and the class, irrespective of its content.

Any settlement between the parties is not binding on any of the applicants who have opted in, unless they have expressly declared their willingness to settle.

If the claim is deemed well-grounded by the court, an order is issued awarding damages to those who joined the class action suit.

Alternatively, the court may simply establish the homogeneous criterion for the liquidated damages so that the parties will have a three-month period to reach an agreement on liquidated damages.

For the same reasons outlined for the collective injunctive redress, it may be inferred that class action is available only to those consumers who suffered violation of homogeneous rights under the Italian data protection law currently in force or under the GDPR.

Moreover, class action is also available if those data breaches can be deemed as amounting to unfair commercial practices.

How to prevent and protect against class actions?

How to prevent a possible class action?

By being fully compliant with the GDPR provisions and adopting a suitable and efficient privacy business model based on the following principles:

  1. Transparency and lawfulness of the data processing.
  2. Purpose limitation.
  3. Data minimisation.
  4. Accuracy.
  5. Storage limitation.
  6. Accountability.
  7. Privacy by design and by default.
  8. Security.

With particular respect to the accountability obligation, the data controller (i.e. the entity which decides the purposes and modalities of the processing of personal data) shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

Those measures, which need to be reviewed and updated where necessary, include:

  1. Data protection policies.
  2. Record-keeping obligations.
  3. Co-operation with Privacy Authority requests.
  4. Security and notification of breaches.
  5. Privacy impact assessments (risk assessment).
  6. Prior consultation with Privacy Authority in high-risk cases.
  7. Appointment of a Data Protection Officer when required by the GDPR.

Next steps

To learn more about data class actions in other jurisdictions, you can view our Data class actions: the era of mass data litigation guide, of which this article forms part.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.