A PYMNTS Company

Tech Companies Face New Legal Challenges in Europe Over GDPR

By  |  July 15, 2025

U.S. and China-based Big Tech companies are facing new legal pressure in Europe over GDPR violations from consumer groups wielding the European Union’s Collective Redress Directive, Politico is reporting. Enacted in 2020 in the wake of the Volkswagen emission’s scandal, the directive allows for lawsuits similar to class actions in the U.S. The consumer groups have recently seized on the tactic out of frustration with slow and uncertain enforcement of GDPR by national data privacy authorities.

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    The Dutch non-profit SOMI has brought separate actions against Meta and TikTok, while the Irish Council on Civil Liberties has brought one against Microsoft. Per Politico, the Austrian privacy group Noyb is also preparing one against the credit rating agency CRIF.

    Under the GDPR, enforcement is left to individual country’s privacy regulator. As practical matter, that has meant most enforcement actions have been taken by the Irish Data Protection Commission because many U.S. tech companies have based the European headquarters there. In 2023 it leveled a €1.2 billion ($1.4 billion) fine against Meta over data transfers to the U.S. and earlier this year fined TikTok €530 million ($615 million) over transfers to China, the two largest GDPR penalties to date.

    But privacy groups have complained of slow and lax enforcement by the Irish regulator. The investigations that led to the Meta and TikTok fines took years, and a 2023 report by the Irish Data Protection Commission estimated that 67% of the actions taken by the IDPC had been overturned by its counterparts in other countries as too lenient.

    Read more: Align Technology Settles Antitrust Lawsuit Over SmileDirectClub Deal for $31.75 Million

    Privacy groups see “a lot of potential” in collective redress actions as a new avenue for enforcement of GDPR breaches, Noyb chief Ursula Pachtl told Politico.

    “Enforcement has always been the Achilles heel of the European Union, particularly in regards to consumer protection,” Pachl said. The GDPR lends itself well to collective action because “everybody in Europe probably suffers from the same illegal behavior if there is a Big Tech company who does something which doesn’t respect the GDPR.”

    In January, the EU’s General Court in Luxembourg awarded Thomas Bindl €400 ($464) in a case he brought after clicking a “sign in with Facebook” button on a website. That judgment was widely seen in Europe as setting the benchmark for a single GDPR violation. Where tens of millions of consumers are potentially affected by a breach the total judgment against a tech company could be substantial.

    Some EU legal expects, however, warn that the collective redress tool is limited, according to the Politico report. Authority to bring such cases is provided only to not-for-profit, consumer-focused organizations unaffiliated with any for-profit entity. It also requires member countries to put in place “appropriate safeguards to avoid abusive litigation.”

    Ireland raised new barriers to collective actions in implementing the directive, based on centuries-old statutes, which were upheld by the Irish Supreme Court. It also limited damages in collective actions to €25 per person.