DATA PROTECTION
EU Court of Justice: Consumer protection associations may bring representative actions against infringements of personal data protection.
Meta Platforms Ireland, formerly Facebook Ireland Limited, is the controller of the personal data of users of the online social network Facebook in the European Union.
The Federal Union of Consumer Organisations and Associations (Germany) brought an action for an injunction against Meta Platforms Ireland, alleging that it had infringed, in the context of making available to users free games provided by third parties, rules on the protection of personal data, the combat of unfair commercial practices and consumer protection.
The Federal Court of Justice (Germany) observes that the Federal Union’s action is well founded, but it has doubts as to its admissibility. That court asks whether, following the entry into force of the General Data Protection Regulation (GDPR), a consumer protection association, such as the Federal Union, still has standing to bring proceedings in the civil courts against infringements of that regulation, independently of the specific infringement of rights of individual data subjects and without being mandated to do so by those data subjects. Moreover, it observes that it can be inferred from the GDPR that it is principally for the supervisory authorities to verify the application of the provisions of that regulation.
By today’s judgment, the Court finds that the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.
As a preliminary point, the Court notes that the GDPR brings about harmonisation of national legislation on the protection of personal data which is, in principle, full. However, certain provisions of the GDPR make it possible for Member States to lay down additional rules which leave them a margin of discretion as to the manner in which those provisions may be implemented, provided that the national rules adopted do not undermine the content and objectives of that regulation. In that regard, the Member States also have the option to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, while setting out a number of requirements which must be complied with.
The Court notes first that a consumer protection association, such as the Federal Union, falls within the scope of the concept of a “body that has standing to bring proceedings” for the purposes of the GDPR in that it pursues a public interest objective consisting in safeguarding the rights of consumers. The infringement of the rules on consumer protection and unfair commercial practices may be related to the infringement of a rule on the protection of personal data.
Next, the Court states that the bringing of a representative action presupposes that such an association, independently of any mandate conferred on it, ‘considers’ that the rights of a data subject laid down in the GDPR have been infringed as a result of the processing of his or her personal data, without it being necessary to identify, individually and beforehand, the person specifically concerned by that processing and to allege the existence of a specific infringement of the rights deriving from the data protection rules. Such an interpretation is consistent with the objective pursued by the GDPR consisting in, in particular, ensuring a high level of protection of personal data.
Finally, according to the Court, the GDPR does not preclude national provisions which provide for the bringing of representative actions against infringements of the rights conferred by that regulation through, as the case may be, rules intended to protect consumers or combat unfair commercial practices.
(Source: Press Release 68/2022 of the EU Court of Justice - Ownership of contents: EU Court of Justice).
The Federal Union of Consumer Organisations and Associations (Germany) brought an action for an injunction against Meta Platforms Ireland, alleging that it had infringed, in the context of making available to users free games provided by third parties, rules on the protection of personal data, the combat of unfair commercial practices and consumer protection.
The Federal Court of Justice (Germany) observes that the Federal Union’s action is well founded, but it has doubts as to its admissibility. That court asks whether, following the entry into force of the General Data Protection Regulation (GDPR), a consumer protection association, such as the Federal Union, still has standing to bring proceedings in the civil courts against infringements of that regulation, independently of the specific infringement of rights of individual data subjects and without being mandated to do so by those data subjects. Moreover, it observes that it can be inferred from the GDPR that it is principally for the supervisory authorities to verify the application of the provisions of that regulation.
By today’s judgment, the Court finds that the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.
As a preliminary point, the Court notes that the GDPR brings about harmonisation of national legislation on the protection of personal data which is, in principle, full. However, certain provisions of the GDPR make it possible for Member States to lay down additional rules which leave them a margin of discretion as to the manner in which those provisions may be implemented, provided that the national rules adopted do not undermine the content and objectives of that regulation. In that regard, the Member States also have the option to provide for a representative action mechanism against the person allegedly responsible for an infringement of the laws protecting personal data, while setting out a number of requirements which must be complied with.
The Court notes first that a consumer protection association, such as the Federal Union, falls within the scope of the concept of a “body that has standing to bring proceedings” for the purposes of the GDPR in that it pursues a public interest objective consisting in safeguarding the rights of consumers. The infringement of the rules on consumer protection and unfair commercial practices may be related to the infringement of a rule on the protection of personal data.
Next, the Court states that the bringing of a representative action presupposes that such an association, independently of any mandate conferred on it, ‘considers’ that the rights of a data subject laid down in the GDPR have been infringed as a result of the processing of his or her personal data, without it being necessary to identify, individually and beforehand, the person specifically concerned by that processing and to allege the existence of a specific infringement of the rights deriving from the data protection rules. Such an interpretation is consistent with the objective pursued by the GDPR consisting in, in particular, ensuring a high level of protection of personal data.
Finally, according to the Court, the GDPR does not preclude national provisions which provide for the bringing of representative actions against infringements of the rights conferred by that regulation through, as the case may be, rules intended to protect consumers or combat unfair commercial practices.
(Source: Press Release 68/2022 of the EU Court of Justice - Ownership of contents: EU Court of Justice).
