Consumer protection associations’ capacity to sue for data protection infringements

On 28 April 2022, the Court of Justice of the European Union (“CJEU”), in delivering a ruling in the case of Meta Platforms Ireland Ltd. (“Meta“) vs Federation of German Consumer Organisations e.V. (“VZBV“) (Case C-319/20), cleared the way for consumer protection associations to pursue infringements of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR“), irrespective of whether or not it obtained the corresponding mandate from data subjects.

Background to the case and judicial proceedings before the German Courts

Meta supplies free games from third parties, which are available on a space called “App-Zentrum” on Facebook. When accessing these games, the user is informed, by virtue of a notice, that the use of the application allows the gaming company to:

  1. obtain certain personal data;
  2. publish, on behalf of the user, his/her scores; and
  3. post photos and other information on his or her behalf, in the case of a specific game.

In addition, this use means that the user accepts the general conditions of the application and its data protection policy without having adequate information about the data collected.

The VZBV, a body regulated under German law, considered that these games breached legal requirements of obtaining valid user consent since it failed to explain its data-sharing practices to its users. It successfully filed for an injunction before the Berlin Regional Court on behalf of the data subjects whose rights had allegedly been violated.  Meta appealed this decision before the Higher Regional Court, Berlin, which upheld the action, and then took the case before the Federal Court of Justice, Germany.

Although the Federal Court of Justice initially considered VZBV’s claims as well-founded, it questioned the admissibility of the action due to a possible lack of the locus standi of the VZBV. The German Federal Court of Justice was of the opinion that the information provided by Meta was insufficient, owing to the fact that the scope and purpose of the data processing was not made sufficiently clear to its users. As a result, no effective, informed consent under the applicable data protection law could be obtained from users. However, according to the Federal Court of Justice, the capacity of VZBV to sue did not arise from Article 80 (1) GDPR, since the action for an injunction in the original proceedings was not, as required by law, brought on behalf of or in the name of a data subject to enforce his or her rights. Nor does the capacity to sue follow expressly from Article 80 (2) GDPR, since an actual violation of the rights of the data subjects would be required. Thus, the German Federal Court of Justice considered that the VZBV may have been empowered to sue according to the German Act on Unfair Competition, which could have been superseded by Article 80 GDPR.

Request for preliminary ruling

The Federal Court of Justice, having doubts as to the admissibility of the action,  subsequently referred the matter to the CJEU.  It sought clarity as to whether a consumer association can bring proceedings before civil courts for violations of the GDPR independently of a specific infringement of rights of data subjects, and without being mandated by them, in order to protect the rights and interests of consumers.

CJEU’s legal considerations and ruling

The CJEU held that, although the GDPR is aimed at a comprehensive harmonisation of data protection legislation at an EU level, Member States are allowed a margin of discretion to provide for specific national rules in relation to certain provisions of the GDPR.

The CJEU referred to the case “Fashion ID” (C40/17) on the interpretation of Directive 95/46 (EU Data Protection Directive, “DPR”), whereby the CJEU had ruled that the provisions of DPR did not prevent Member States from implementing a national provision which allows consumer protection associations to bring an action against the alleged data protection violations. Similarly to the GDPR, the DPR did not impose an obligation on Member States to provide for the capacity of consumer protection associations to sue under national law. However, the possibility of a Member State to implement measures in their national law which allow for the possibility of consumer associations to commence legal proceedings against violators of the laws protecting personal data in no way undermines the objectives of that protection and, in fact, contributes to the realisation of those objectives. Therefore, against the backdrop of the full effectiveness of the GDPR, a national provision that supports such possibility was quite conceivable.

Following the reasoning in the Fashion ID case, the CJEU ruled that Article 80(2) of the GDPR, does not preclude Member States’ national legislation from allowing consumer protection associations, such as the VZBV, which pursues a public interest objective consisting in safeguarding the rights and freedoms of data subjects in their capacity as consumers, to bring legal proceedings against persons liable for the infringements of data protection rules. This should be possible even in the absence of a mandate conferred by data subjects for that purpose and independently of the infringement of specific data subject rights.

Furthermore, the CJEU found that the bringing of a representative action neither requires the entity to identify the person specifically concerned by the data processing that is allegedly in violation of the GDPR, nor for there to be a specific infringement of the rights under the GDPR. Rather, the CJEU clarified that it is sufficient to claim that the data processing concerned is liable to affect the rights of identified or identifiable natural persons under the GDPR, without it being necessary to prove actual harm suffered by the data subject, in a given situation, by the infringement of his or her rights. This implies that consumer protection associations such as the Federal Union are able to bring representative actions.

Such an interpretation is consistent with the requirements arising from Article 16 TFEU and Article 8 of the Charter of Fundamental Rights of the European Union and thus with the objective pursued by the GDPR of ensuring the effective protection of the fundamental rights and freedoms of natural persons. This consequently affords a high level of protection of persons’ rights to the protection of personal data concerning them.

The article was first published in The Malta Independent (22 March 2023).