Collective Damages for GDPR Breaches: A Feasible solution for the GDPR Enforcement Deficit?

Stephen Mulders*

*Corresponding author for this work

Research output: Contribution to journal › Article › Academic › peer-review

Abstract

The GDPR should have strong and effective enforcement mechanisms. However, in practice, these mechanisms are lacking, as Data Protection Authorities (DPAs) are underfunded and undermanned. Collective claims could be a solution. By pooling resources, individually insignificant damages (scattered damages) can be claimed in an economically sensible way. To facilitate collective claims, in December 2020 the European Union (EU) adopted a new directive containing a union-wide framework for collective claims. This paper explores whether collective claims are a feasible enforcement mechanism for data protection violations given the concept of damages under article 82 GDPR. So, it will be explained what types of damages can be claimed collectively. The current concept of damages under article 82 GDPR is analysed at the EU level, taking into account the principle of autonomy, case law, and literature. This will show the boundaries within which Member States must operate when awarding damages under the GDPR. The paper explores the Dutch jurisdiction, to illustrate the interchange between EU law and Member state law. The Dutch jurisdiction is of special interest here, first, because Dutch courts have recently been applying the GDPR to award damages of up to € 2,500 per case. Second, because the Dutch framework for collective damages was renewed in 2020, which contains many similarities with the Collective Claim Directive. Currently, several collective GDPR claims have been filed in the Netherlands under the new framework, with a collective worth of several billion euros. A 'perfect storm' is forming due to the combination of stronger collective claims frameworks and a tentative trend to award non-pecuniary GDPR damages on an individual level. GDPR non-compliance can thus lead to multi-billion claims that scale with the number of victims. Such claims can dwarf even the heftiest GDPR fines DPAs can impose.
Collective GDPR claims have the potential to become a bright scenario for data subjects and daring legal entrepreneurs, and to result in a daunting future for data controllers and processors, who face scalable liability in a world of scalable business models. However, all hinges on the concept of damages.
Original language: English
Pages (from-to): 493-506
Number of pages: 14
Journal: European Data Protection Law Review
Volume: 8
Issue number: 4
Publication status: Published - 1 Jan 2022

Keywords

  • Collective Claim Directive
  • enforcement deficit
  • GDPR
  • The Netherlands
