• Romain Robert

    noyb

    Q: Hello Nathalie ! This kind of damage claims already exist in competition law, and the question of the nuances ins each individuals circumanstances has already be solved. Where do you see a difference here ? (to Nathalie Laneret)

  • Stef Elliott

    Q: The discussion resolves about how Accountability is made concrete. Is an alternative a Mediation concept i.e. for DPA's to use defered Article 58-2(f) "impose a temporary or definitive limitation including a ban on processing" more effectively on Data Controllers. This would mitigate against the risk of commercialisation (Ambulance chasing) through claims but will encourage Data Controllers to quickly resolve any issues / concerns that Data Subjects or DPA's raise. It could encourage Data Controllers to be more transparent - rather than rely upon seeking foregiveness they will be encouraged to seek permission. (to Sophie in 't Veld)

  • Romain Robert

    noyb

    Q: Would you agree that the Netherlands is the place to be for collective claims related to the violation of the GDPR ? - open to "ad hoc" organisations (no need to be registered, or established during 3 years) - case -law on level of damages - access to the jurisdiction of the Netherlands for foreign NGOs - possibility to include non Dutch residents (to Geert Potjewijd)

  • Romain Robert

    noyb

    Q: Google has been fined 50 millions. I am not sure the CNIL decision was so harmful for their reputation .... (to Nathalie Laneret)

  • Michalina Nadolna Peeters

    LSTS/ BPH (VUB)

    Q: Do you think the differences in GDPR "implementation" in national laws (e.g, minors consent, art. 23 but also art. 80(2)) will pose conflict of laws issues in cross-border private enforcement (also collective)? If so, how do you think they could be addressed? How does this huge leeway left to MS square with the nature of the instrument (GDPR is a regulation)? (to Jeroen Chorus)

  • Romain Robert

    noyb

    Q: Would you support (via a EU legislation e.g.) the idea of public funding of consumer organisations for collective redress ? Without that I am afraid we will not be able to fund a case (considering the current rules on funding in some Member States) (to Sophie in 't Veld)

  • Romain Robert

    noyb

    Q: You mention the one stop shop mechanism as being effective.... very concretely, in our experience: - in the SCHREMS cases it took us 7 years to have a simple draft measure by the DPC ? - we are still waiting for an update from the Dutch DPA on a simple access request filed 2 years ago and going via the one stop shop mechanism. We never heard anything from them yet. - it has been more than one year that we are still waiting for starting an investigation in half of our cases which have not even been shared with the other DPAs ... and it takes 2 years in average in Belgium to have a final decision before the courts against a multinational. Apparently similar in the Netherlands. But maybe have you other figures in mind when considering that the one stop shop is "efficient" ? Sorry for the long question ;-) (to Geert Potjewijd)

  • Vincent Böhre

    Privacy First

    Q: What are the pros and cons for privacy NGOs to start a mass damage claim through a newly established 'special purpose vehicle' (instead of filing such a claim themselves)? (to Maarten van Luyn)

  • Kim Smouter

    ESOMAR

    Q: Observation/Question for anyone on the panel really. A huge concern, and maybe the speakers can speak to this. Is there a risk of seeing US-style mass damage claims that would target whole sleuth of organisations, large or small without any regard to context, to the actual risk versus perceived risk? Mass damage claims feel like quite blunt instruments. I think there's definetely a need for instruments that enable individuals to seek redress in light of the mass usage of data particularly for economic gains. One thing we do see is that Courts are less able to offer contextual flexibility in a way that Data Protection Authorities can offer. Echoing Nathalie's comments, GDPR in practice has proven to be far more complex for many organisations commercial and non-commercial even the most well-meaning ones, there really is a continued need for pragmatic not dogmatic enforcement. (to Nathalie Laneret)

  • Stef Elliott

    Q: There are two areas here 1) Protecting leaks of data by organisations of data they lawfully have - this gets highlighted by hacks and the Public enforcement swings into place 2) Protecting Data Subjects from data that is being held by organisations that they do not have a lawful basis for. Public enforcement without a proactive investigation team here is not working. People such a noyb, Privacy international etc are filling this void. However the DPA's lack the skill to do this & appear to be preferring to kick these concerns into the long grass - If the DPA's have "opted out" is this not the natural next best solution? (to Sophie in 't Veld)

  • Romain Robert

    noyb

    Q: - Hello Nathalie ! I agree with Sophie : in our experience at noyb, sometimes companies are simply deliberately ignoring a clear GDPR rule and still the DPAs do not act (or take more than 2 years to "assess the risk for the citizens"). Don't you think that in these cases the courts are not the appropriate areas to discuss the violation of the GDPR and seek redress ? (to Nathalie Laneret)

  • Romain Robert

    noyb

    Q: - Do you think that courts are better equipped to investigate data protection violation ? - Do you think that the Collective redress is clear enough / detailed enough regarding the rules about funding by third parties ? (to Maarten van Luyn)

  • Romain Robert

    noyb

    Q: - What are you thought about overcoming the difficult question of assessment of the damage in case of GDPR violation ? That makes the claims in certain jurisdictions (NL being an exception) sometimes difficult - Do not you think that not providing explicitly (or even precluding) that consumer organisations from another member state can act is contrary to EU law ? (whereas Google and Facebook move from one country to another one as they see fit) (to Jeroen Chorus)

  • Romain Robert

    noyb

    Q: - What is the litigation is not funded by litigation investors (public funding, members, users,...). Would it make it (more) acceptable ? Fighting against big tech companies requires a lot of money that NGO can afford. - Article 80.2 does not open collective redress but only representative actions. Plus, no Member State implemented this solution so far. Therefore, I am afraid that this is not the solution. But maybe you heard about Member States implementing this possibility ? (to Geert Potjewijd)

  • Ad van Loon

    Qiy Foundation

    Q: Would you support the ecosystem that is currently being developed, in which data subjects control their own data, which they can then upload to an online platform in order to initiate a processing activity of their choice? This would give individuals more control over their data, break down data silos and promote competition (as individual will be able to upload their data to any platform of their choice). (to Sophie in 't Veld)