This paper analyses the potential of group actions as an instrument for data protection law enforcement in Europe. The first part investigates whether art. 80 GDPR may provide a legal basis for aggregate litigation in data protection law. The second part of the essay explores the relationship between directive (EU) 2020/1828 and the GDPR, and evaluates the potential of the new European representative action to enforce data protection rights and deter Big Tech’s unfair practices. Lastly, this essay outlines a private enforcement framework to ensure data protection and consumer rights in Europe, one that is able to balance the freedom of data, market needs and the protection of individuals.