The Irish Council for Civil Liberties (‘ICCL’) has been granted liberty by the Irish High Court to initiate class action proceedings against Microsoft. This represents the first class action brought in Ireland under the Collective Redress Directive (EU) 2020/1828 (‘the Directive’), which was transposed in Ireland through the Representative Actions for the Protection of the Collective Interests of Consumers Act 2023 (‘the Act’).

Real-Time Bidding

The claim which the ICCL is bringing relates to ‘Real-Time Bidding’ within Microsoft’s advertising system, which it alleges causes sensitive personal data of users to be shared with third parties. The ICCL has stated it is ‘taking legal action on behalf of all affected people in Ireland under the Directive’, including users of popular Microsoft products and services, such as Windows, Xbox and web-based Office (Word, Excel and Outlook) and aims to force Microsoft to bring its systems into compliance with the EU’s General Data Protection Regulation (GDPR).

The ICCL contends that this system is exposing users to malicious profiling and discrimination, and that it is undermining European security.

ICCL as a Qualified Entity

The Act provides that a representative action may only be brought by a qualified entity (QE) for the protection of the collective interests of consumers. To be considered a QE under the Act, an organisation is required to be able to demonstrate they have 12 months of public activity in the protection of consumer interests, it has legitimate interest in protecting consumer interests, it is a non-profit organisation and is independent and not influenced by persons other than consumers. The ICCL is currently one of two organisations considered to be a QE in Ireland, the second organisation being ‘noyb’.

Under the Act, in order for a representative action to be deemed admissible, a QE will provide to the court information relating to the source of funding of the representative action, the nature of the claim and the class(es) of consumer(s) affected by the alleged infringement. Reliefs which may be sought by a QE include injunctive relief and redress measures. It is understood the main reliefs being sought by ICCL are injunctive, including orders restraining Microsoft from processing certain identified categories of personal data. Individual consumers will not need to ‘opt-in’ for collective redress seeking such injunctive relief however, in circumstances where ICCL are seeking redress measures, consumers will have already ‘opted-in’ prior to the ICCL being granted liberty to issue proceedings by the court.

Conclusion

This landmark decision to grant the ICCL liberty to initiate a class action against Microsoft under the Act demonstrates the first collective redress claim for breaches of the GDPR and Data Protection Act in Ireland. The application by the ICCL, and the granting of leave by the court, signals that systemic privacy breaches which impact a multitude of consumers may face concerted legal challenges under the Act. The outcome of the action taken by ICCL could directly affect a vast number of Microsoft customers and furthermore, could have a considerable, far-reaching impact on the governance of digital privacy rights should they be successful.