In the past month three of the world’s largest tech firms have been hit with legal actions that could lead to billion-dollar damages suits for alleged violations of Europe’s privacy law, the General Data Protection Regulation (GDPR). Unusual for Europe, the complaints are led by a consumer rights group and a U.K. citizen rather than regulators.

The Privacy Collective launched a class-action lawsuit in a Dutch court in August against U.S. tech firms Oracle and Salesforce for alleged GDPR violations over their use of “cookies”—the bits of code that mark an internet user visiting a Website—to harvest personal data. The data rights group is preparing to file a similar lawsuit in England and Wales.

On Sept. 14, Duncan McCann, a U.K.-based father of three, launched a representative action in the U.K.’s High Court against Google-owned video streaming service YouTube over claims the platform routinely breaks U.K. and European data protection laws by unlawfully targeting up to five million children—who cannot legally consent to their data being processed—with addictive programming and then harvesting their data for advertisers.

If the complainants win their cases, the companies involved could face eye-watering damages awards: The Privacy Collective estimates damages could exceed €10 billion (U.S. $11.7 billion), while Google could owe affected children and parents more than £2 billion (U.S. $2.5 billion).

The rights for EU citizens to take legal redress over data privacy infringements is enshrined in Articles 77-82 of the GDPR. When the privacy regulation came into force in May 2018, there were expectations in some quarters that the floodgates would open for U.S.-style class-action lawsuits to finally hit Europe.

So far, that hasn’t happened.

The problem, says Matthew Dando, a partner at law firm Wiggin, is that “while the GDPR speaks of data subjects being able to bring claims on a collective basis, it doesn’t specify a procedure for doing that, so prospective claimants have to fall back on the processes available to them under national procedural laws”—if they exist.

According to research by European consumer rights group BEUC, only 19 of the EU’s current 28 member states (including the United Kingdom) allow for collective compensatory redress, and of those about half relate to specific sectors only. Nine EU states (Cyprus, Czech Republic, Estonia, Greece, Hungary, Ireland, Latvia, Luxembourg, and Slovakia) do not allow for collective compensatory actions at all and, according to the EU’s own research, only six have a fully functioning, efficient collective redress system (Belgium, France, Italy, Portugal, Spain, and Sweden).

But this may not be the case for much longer. On June 22, EU institutions agreed on a new directive—probably due to come into force in a couple of years’ time following approval by the European Parliament and Council of Ministers—that will grant consumers in the bloc the right to sue collectively in cases of mass harm, ranging from air and passenger rights and financial services to tourism, energy, and telecommunications. Notably, data protection is also included. The planned legislation allows compensation to be paid not only in relation to a breach, but also for cross-border actions (subject to various conditions).

In the meantime, consumers and consumer groups are left with limited legal options to bring mass claims in most EU countries, and—even in those countries where it is technically possible—it is not cheap. Lawyers warn legal costs can quickly get into the hundreds of thousands of pounds, if not millions—especially in England and Wales, where losers pay winners’ legal costs. Individual claimants are therefore often understandably reluctant to take the risk, especially where the claim value may be relatively low.

According to Ali Vaziri, managing associate at law firm Lewis Silkin, there are two principle mechanisms that allow claimants to bring class actions: group litigation orders, where large numbers of individual claimants “opt in” to having their claims brought under the same case management framework; and representative actions, where a lead claimant acts as the representative of other individuals (unless they opt out) who have the same interest as the lead claimant.

Vaziri describes the latter as a “game changer”—particularly in regard to data protection claims—because damages can be awarded to compensate for an individual’s loss of control of personal data without the need to establish financial loss or distress. Kenny Henderson, a partner at global law firm CMS, adds that representation actions “materially increase” litigation risk for corporates. “These mechanisms automatically include affected persons in a claim unless and until they choose to leave the class, making them powerful devices for aggregating large claims,” he says.

While such mechanisms may enable class actions to be brought more easily, they do not guarantee their success or a quick turnaround. Vaziri says the ideal situation for claimants is to bring a claim off the back of an adverse finding by a regulator, “because the taxpayer has already paid for much of the grunt work in working out whether the defendant is at fault and so reduces the risk of bringing a claim.”

Indeed, the U.K. Information Commissioner’s Office’s intention to hit airline British Airways and hotel group Marriott with 9-figure GDPR fines have since formed the groundwork for a group litigation order and a representative action, respectively.

“An adverse finding by the regulator could have devastating effects for a company’s liability to data subjects and be a real boost for affected individuals looking to get a class action up and running to claim compensation directly,” warns Dando.