Clifford Chance

According to the Court of Justice of the European Union (CJEU) decision of 28 April 2022 in Case C 319/20, consumer protection associations may now bring representative actions (Verbandsklagen) against data protection violations. This ruling will have a particular impact on companies operating in the B2C sector since their compliance with the General Data Protection Regulation (GDPR) will now be closely monitored by consumer protection associations. The decision may also have ramifications for other EU Member States, to the extent that their domestic regulations allow consumer protection associations to bring legal actions. Against this background, companies need to keep a close eye on further developments.

Background

In 2014, the Federation of German Consumer Organisations brought a civil action before the Regional Court of Berlin against Meta Platforms Ireland (formerly Facebook Ireland) with regards to the App Center service available on Facebook German website, whereby users can access free games provided by third parties. The Federation criticized the data protection notice displayed on the App Center: by clicking on a "Play now" button, users were consenting to the processing of their personal data by third-party gaming providers, notably for the purpose of publishing posts and other information on their behalf.

According to the Federation, such practice constituted:

• an infringement of data protection rules,
•  a violation of consumer law,
• an unfair business practice, and
• a violation of the prohibition of the use of ineffective general terms and conditions pursuant to applicable German laws.

The case reached the German Federal Court of Justice, which was of the opinion that the information provided by Facebook on the App Center was insufficient, as the scope and purpose of the data processing was not made sufficiently clear to users. As a result, no effective, informed consent under the applicable data protection law could be obtained from users.

The Federal Court observed that the action brought by the Federation was well founded but was doubtful as to whether the Federation’s action was admissible, given Article 80(2) GDPR does not expressly provide for the possibility to bring "objective" proceedings to secure the application of the GDPR and appears to require an actual violation of data subject's rights in order for associations to bring actions on that ground.

In May 2020, the Federal Court referred the case to the CJEU, seeking clarity on whether a consumer association has standing to bring proceedings before civil courts for violations of the GDPR independently of a specific infringement of rights of data subjects, and without being mandated by them, in order to protect the rights and interests of consumers^[1].

Decision of the CJEU

On 28 April 2022, the CJEU issued its decision on the question referred for a preliminary ruling, finding that Article 80(2) GDPR does not preclude Member States' national legislation from allowing consumer protection associations to bring legal proceedings against persons liable for the infringements of data protection rules, in the absence of a mandate conferred by data subjects for that purpose and independently of the infringement of specific data subject rights.

The CJEU first noted that, although the GDPR notably aims at harmonising data protection legislation at an EU level, Member States have the faculty to provide for specific national rules in relation to certain provisions of the GDPR. This is the case with Article 80(2) GDPR.

Article 80(2) GDPR provides for a representative action mechanism in respect of infringements of the GDPR, conferred to not-for-profit bodies, organisations or associations that have been constituted in accordance with Member State law, that have a statutory objective in the public interest and that are active in the protection of individuals with regard to the processing of personal data concerning them.

In that respect, the CJEU provides a liberal analysis of both the personal and the material scopes of the representative action mechanism set out in Article 80 GDPR, to determine that consumer protection associations have standing to bring such actions against persons allegedly responsible for infringing the data protection rules.

Personal Scope

On the issue of 'personal scope', the CJEU ruled that consumer associations are bodies that have standing to bring proceedings: the Court finds that such associations pursue a public interest objective consisting in safeguarding the rights and freedoms of data subjects who are also consumers. In that respect, the Court underlines that an infringement of data protection rules may constitute at the same time an unfair business practice and a violation of consumer law, and that protecting consumers against such practices is "likely to be related to the protection of personal data of those consumers".

Material Scope

On the issue of 'material scope', the Court stated that the bringing of a representative action by an association that has standing as per the personal scope, merely presupposes that such an association, independently of any mandate conferred on it by individual consumers, 'considers' that the rights of data subjects laid down in the GDPR have been infringed as a result of a processing of their personal data.

The main arguments for the CJEU's decision were the following:

• The entity bringing the representative action cannot be required to carry out a prior individual identification of the person specifically affected by the data processing that is allegedly contrary to the provisions of the GDPR. A data subject within the meaning of Article 4 para. 1 of the GDPR may be not only an identified natural person, but also an identifiable natural person. It is therefore sufficient that the consumer protection association can name a category or group of persons affected by the data processing complained of (para. 68 of the decision).
• The wording of Article 80(2) of the GDPR does not require a specific violation of a person's rights. To bring a representative action, it is sufficient that the affected entity "considers" that the rights of a data subject as set out in that regulation have been infringed as a result of the processing of his or her personal data and therefore alleges the existence of data processing that is contrary to the provisions of the regulation (para. 71 of the decision).
• Such an interpretation is consistent with the requirements stemming from Article 16 TFEU and Article 8 of the Charter of Fundamental Rights of the European Union and thus with the objective pursued by the GDPR of ensuring the effective protection of the fundamental rights and freedoms of natural persons (and, in particular, a high level of protection of the right of every person to the protection of personal data concerning him or her) (para. 73 of the decision).
• A representative action, independent of an infringement with regard to a specific person, enables the preventive protection of consumer interests and the prevention of numerous infringements of rights more effectively than by way of isolated actions brought by single individuals affected by an infringement of their rights against the organisation responsible for that infringement, and without the need for an infringement with regard to a specific person to first occur (para. 75 of the decision).

As a result, consumer protection associations can bring civil actions on the basis of alleged infringements of data protection rules and it is not necessary for them to provide evidence of the existence of a specific infringement (i.e., actual harm suffered by individuals in a given situation). As a response to the question referred for a preliminary ruling, the Court considered that Article 80(2) GDPR does not prevent application of Member State laws which allow legal actions from consumer associations (i) in the absence of a specific mandate from data subjects and (ii) independently of the actual infringement of data subjects rights, where the relevant data processing may affect such data subjects' rights.

Legal basis under German law

Under German law, the representative action (Verbandsklage) is regulated by section 8 para. 3 no. 2 of the German Law against Unfair Competition (UWG) in conjunction with section 4 of the German Law on Injunctions (UklaG). According to the decision of the CJEU, the GDPR does not preclude the application of such action. Based on this ruling, German consumer protection associations can - and without doubt will - continue to bring representative actions before German courts on the basis of sections 8 para. 3 no. 3 UWG, 4a UklaG, without a corresponding mandate and independently of effective infringements of the rights of affected consumers or categories of consumers.

It remains to be seen, however, how consumer protection associations in other EU Member States will deal with the confirmed possibility of bringing representative actions without a corresponding mandate and independently of the effective infringement of the rights of affected consumers. To the extent the domestic regulations of Member States already permit legal actions to be brought by consumer protection associations, such proceedings may occur more frequently in the future. However, for Member States regulations that are silent on this point, the new Representative Action Directive will impose a substantial change as it requires that Member States domestic regulations allow for such representative actions (see below).

Key takeaways

• Bridges between data protection and consumer law: This decision provides yet another example of how much data protection is intertwined with numerous other disciplines, and in particular other rules also aiming at the protection of individuals' rights and freedoms, as is the case for consumer law and competition rules.
• Increased litigation risk: From a litigation point of view, this decision is likely to lead to an increasing number of GDPR-related claims before civil courts whereas such claims have historically been mainly addressed to data supervisory authorities across Member States.
• Increased Options for Consumer Protection Bodies: It is reasonable to consider that the CJEU, in line with a previous similar ruling regarding Directive 95/46^[2], wanted to facilitate the enforcement of data protection rules under the GDPR by Member State courts, and not only by data protection supervisory authorities, in the wider goal of ensuring the effectiveness of individuals' rights and freedoms throughout the EU. In the present decision, the CJEU thus provides consumer associations with an alternative mechanism to regulatory enforcement, and the possibility to uphold data protection related arguments even in cases where other set of consumer protection and/or competition rules have been infringed by organisations.
• Representative Actions Directive: This decision is in line with the upcoming Directive 2020/1828 on representative actions for the protection of the collective interests of consumers (Representative Actions Directive), which shall be transposed and implemented by Member States no later than 25 June 2023 and which significantly strengthens the right of consumer associations to bring proceedings in relation to infringements of EU laws, including data protection rules. The Representative Actions Directive will enable consumers associations in all EU countries, to launch injunctions or redress claims against companies that breach the law, including the GDPR, as long as they meet the criteria of "qualified entities" designated by Member States, under that Directive. In particular, consumer organisations are expressly referred to as eligible to be designated as "qualified entities" for the purpose of brining domestic and/or cross-border representative action.
• Forum Shopping: As it stands, this ruling, combined with the upcoming Representative Actions Directive, is likely to lead to an influx of complaints against Big Tech companies in the months to come. That said, until full transposition of the Representative Actions Directive by each Member State, the effect of the ruling is to some extent limited, because it depends on national legislation allowing for such representative actions by consumer protection associations in their capacity as qualified bodies. Indeed, not all national legislations in the EU currently allow for such empowerment of consumer protection associations. As a consequence, this decision is likely to lead to "forum shopping" from EU-wide consumer protection associations acting against organisations operating in several EU Member States.

References

[1] Accordingly, the Federal Court of Justice referred the following question to the CJEU for a preliminary ruling: "Do the rules in Chapter VIII, in particular in Article 80(1) and (2) and Article 84(1), of [the GDPR] preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the options for legal redress for data subjects – empower, on the one hand, competitors and, on the other, associations, entities and chambers entitled under national law, to bring proceedings for breaches of [the GDPR], independently of the infringement of specific rights of individual data subjects and without being mandated to do so by a data subject, against [the person responsible for that infringement] before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions?"

[2] The CJEU adopted a similar decision in relation to Directive 95/46 (repealed by the GDPR) in the Fashion ID ruling (Case C-40/17), whereby the CJEU decided that that Directive 95/46 did not preclude national legislation which allowed consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data (para. 47 to 63).