Consumer protection associations may bring actions for data protection infringements in EU
Published on 24th May 2022
Court of Justice of the European Union decision demonstrates the high level of consumer protection granted by European institutions and will have a particular impact on companies operating in the business-to-consumer sector.
The Court of Justice of the European Union ("CJEU") has clarified in its judgment of April 28 that the General Data Protection Regulation ("GDPR") does not preclude national legislation from allowing consumer associations to bring actions against infringements of the protection of personal data. These actions may be brought without a mandate to that effect and irrespective of the specific infringement of a data subject's right.
The dispute giving rise to this decision of the CJEU occurred in Germany in 2014, when a consumer protection association brought an action for an injunction against a social media platform before the Regional Court of Civil and Criminal Law. The association considered that the method used by the platform to obtain consent from users accessing free games provided by third parties through its app centre was invalid and that it had therefore infringed data protection regulations, unfair competition law, consumer protection regulations and the prohibition of the use of invalid general terms and conditions under German law.
Preliminary ruling on standing
Following the dismissal of the appeal, the platform brought an appeal on a point of law (Revision) before the Federal Court of Justice, which doubted the standing of the association to bring proceedings and decided to refer the question to the CJEU for a preliminary ruling. The question was whether the association had standing, under German law, to bring legal actions against the platform, without a mandate to that effect and irrespective of the specific infringement of rights of individual data subjects, contrary to the provisions of Articles 80 and 84 of the GDPR.
In order to answer this preliminary ruling, the CJEU recalled that, although the GDPR has, in general, direct effect in the national legal systems of the Member States, some provisions require for their implementation the adoption of measures of application in the legislation of those states. This is the case for Article 80.2 on which the CJEU focused the analysis of its preliminary ruling: it empowers Member States to recognise in their national legislation the possibility of exercising representative actions without a mandate in terms of data protection, provided that the entities exercising them comply with a series of requirements relating to the personal and material scope of application. In this regard, in the Fashion ID judgment, which we have analysed in this insight "CJEU Judgment C-40/17: what are the implications of the "like" button in terms of data protection? ", the CJEU ruled that German legislation – which is also the subject of this litigation – that enables consumer protection associations to bring actions against data protection infringers was not contrary to Directive 95/46 (replaced by the GDPR).
Regarding the personal scope of application, the CJEU considered that the requirements of Article 80.1 of the GDPR are met insofar as the association pursues a public interest objective consisting in guaranteeing the rights and freedoms of data subjects as consumers and that the pursuit of that objective may be linked to the protection of personal data.
With regard to the material scope, the CJEU interpreted Article 80.2 of the GDPR in the sense that in order to bring such representative actions it is not necessary (i) for the entity representing the data subjects to identify in advance and individually the person who specifically has the status of data subject affected by the data processing contrary to the provisions of the GDPR, it being sufficient to designate a category or group of data subjects, nor (ii) to allege a specific infringement of the rights conferred by the data protection legislation nor the existence of actual harm suffered by the data subject as a result of the infringement of his or her rights.
On this basis, the CJEU concluded that Article 80.2 of the GDPR does not preclude national legislation allowing consumer protection associations to bring legal proceedings without the affected individual having expressly granted a mandate to the association for that purpose. This is regardless of the infringement of specific rights of data subjects, it being possible to invoke the breach of regulations related to the protection of personal data such as consumer protection legislation, unfair commercial practices or the prohibition of the use of invalid general conditions insofar as personal data of the concerned individuals are processed contrary to the GDPR.
Osborne Clarke comment
This decision shows once again the high level of consumer protection granted by European institutions and will have a particular impact on companies operating in the B2C (business-to-consumer) sector, since compliance with the GDPR will be in the spotlight of consumer protection associations who will undoubtedly pursue breaches of this regulation in a proactive manner without any specific mandate to that effect.