2 May 2022
The European Court of Justice ("ECJ") today cleared the way for consumer protection associations to pursue infringements of the General Data Protection Regulation ("GDPR") - even without a corresponding mandate from data subjects (C-319/20). According to the ruling, associations can bring collective actions if a respective capacity to sue is provided for in national provisions of the Member States. This is in line with the goal of the GDPR to ensure a high level of protection of personal data.
According to the ECJ, consumer protection associations have capacity to sue if they pursue a breach of provisions of the GDPR that protect the rights of data subjects. So, associations may have the possibility - even without a mandate from the data subject - to bring collective actions to protect the collective interests of consumers. For this purpose, however, the Member States must make use of the discretion granted to them under Article 80 (2) GDPR and provide for the representation of data subjects by consumer protection associations in their national law.
Due to this decision, consumer protection associations will increasingly issue warning letters against data protection violations and pursue them in court. Companies that process personal data will therefore have to deal not only with administrative and fine proceedings initiated by the data protection authorities, but also with warning letters, interim injunctions and actions for injunctions in the future. The risk of such legal actions by consumer protection associations will be highest for companies working in the B2C sector. Therefore, companies should close visible gaps in data protection compliance (e.g. privacy notice) promptly.
The reference for a preliminary ruling was based on a legal dispute between the Federation of German Consumer Organisations e.V. ("VZBV") and Meta Platforms Ireland Ltd. ("Meta"), formerly Facebook Ireland Ltd. By way of an action for injunctive relief, the VZBV complained to the Berlin Regional Court about unfair references in Meta's app centre, non-compliance with the requirements for effective consent under data protection law and unreasonable disadvantaging of users by the general terms and conditions.
The Berlin Regional Court upheld the action. The appeal was rejected by the Berlin Appellate Court. In the appeal proceedings, the Federal Court of Justice (“BGH”) first found that the VZBV's claims were well-founded. However, the BGH doubted the admissibility of the action due to a possible lack of the capacity to sue of the VZBV. According to the BGH, the capacity to sue did not arise from Article 80 (1) GDPR, since the action for an injunction in the original proceedings was not - as required by the wording - brought on behalf of or in the name of a data subject to enforce his or her rights. Nor does the capacity to sue follow expressly from Article 80 (2) GDPR, since an actual violation of the rights of the data subjects would be required. Thus, the VZBV only has capacity to sue under Section 8 (3) No. 3 German Act on Unfair Competition (“UWG”), which could have been superseded by Article 80 GDPR.
The ECJ had to decide whether the GDPR precludes national provisions that provide for a capacity to sue for associations, i.e., whether associations can bring an action against the alleged infringer of the protection of personal data in order to protect consumers' interests.
According to the ECJ, Article 80 GDPR shows a tendency towards the development of representative actions, which are conducted with the aim of defending the general and collective interests of consumers and improving access to justice for the persons affected by the violation of the respective regulations. In the absence of a specific mandate for the VZBV in the present case (cf. Article 80 (1) GDPR), the ECJ focused its comments on a possible capacity to sue under Article 80 (2) GDPR.
The ECJ first referred to its earlier case law on the interpretation of Articles 22 to 24 of Directive 95/46 (EU Data Protection Directive, "DPR"). In the case “Fashion ID” (C-40/17), the ECJ had ruled that the aforementioned provisions did not prevent a national provision allowing consumer protection associations to bring an action against alleged data protection violations. In principle, the DPR did not impose an obligation on Member States to provide for capacity to sue for associations in national law. However, against the backdrop of the full effectiveness of the Directive, a national provision that provides for such a possibility was quite conceivable.
Taking this case law into account, the ECJ specified the question referred for a preliminary ruling as to whether it follows from Article 80 (2) GDPR that the capacity to sue of an association to protect consumers' interests no longer applies. As a result, the ECJ rejected such an interpretation of Article 80 (2) GDPR for the following two reasons:
It must be considered that the GDPR, despite comprehensive harmonisation, gives the Member States leeway in some places. Thus, Article 80 (2) GDPR also grants a margin of discretion. The design of Article 80 (2) GDPR as an “opening clause” also shows a proximity to directives, which always require transposition into national law due to their legal nature.
The ECJ rejects a strict interpretation of the wording of Article 80 (2) GDPR, according to which an association must individualise one or more concretely affected persons in advance in order to achieve capacity to sue. Rather, the capacity to sue was not subject to a case-by-case examination of whether rights of specific individuals had been violated. The association only has to assert that a processing of personal data violates provisions of the GDPR that protect the rights of individuals and is thus likely to violate the rights of identified or identifiable individuals.
Thus, the action had to be based only on the violation of rights that may accrue to a natural person as a result of the processing of his or her personal data. This was the case with the VZBV's action for an injunction against Meta, as there were violations of Art. 12 (1), Art. 13 (1) lit. c), e) GDPR, i.e., provisions that protect the rights of individuals.
With its judgment, the ECJ follows the Advocate General's Opinion of December 2, 2021. The long-awaited judgment is of particular importance in its effects. It sets the procedural course for lawsuits in the area of data protection. With the affirmation of the capacity to sue of consumer protection associations, companies in the B2C sector in particular will have to prepare themselves for warnings and civil proceedings in the future. This may affect, for example, publicly accessible privacy notices and related information (including cookie banners) or communications for marketing purposes. There could be a wave of warning letters, as consumer associations will be increasingly interested in the judicial interpretation and clarification of consumer-protective data protection standards in the future. The ruling should therefore be taken as an opportunity to finally ensure data protection compliance.