CJEU issues opinion in favour of allowing consumer organisations to bring representative actions against GDPR infringement

The AG recommends the CJEU to respond in the affirmative to this question. The opinions of AG are not binding but are highly influential and are typically followed by the CJEU.

In the present case, the AG proposes that the CJEU interpret the GDPR as not precluding national legislation which allows consumer protection associations to bring legal proceedings for alleged violations of personal data protection law. 

The Federation of German Consumer Organisations (Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V., or the Federation) brought proceedings against Facebook Ireland before German courts alleging violation of rules on data protection, unfair competition and consumer protection by Facebook’s App Centre, and sought an injunction to prevent ongoing infringement.

The case reached the German Federal Court of Justice (Federal Court), which found that Facebook Ireland breached the GDPR by not providing users of its App Centre with adequate fair processing information. 

However, the Federal Court was doubtful as to whether the Federation’s action was admissible since the application of GDPR. It asked the CJEU to clarify whether a consumer protection organisation (such as the Federation) had, since the coming into force of the GDPR, standing to bring proceedings for violations of the GDPR independently of any infringements of the rights of data subjects, and without being mandated by them. The Federal Court considered that it was arguable that the supervisory, investigatory and enforcement powers conferred onto supervisory data protection authorities (DPAs) by the GDPR negated the ability of a consumer protection group to bring a claim in its own right (instead, any such compliance with the GDPR should be overseen by the relevant DPA). 

The AG, Richard de la Tour, analyses in detail the relevant GDPR provisions, the CJEU case law (e.g. the Fashion ID case), the new Directive 2020/1828 on representative actions for the protection of the collective interests of consumers and its predecessor Directive 2009/22/EC, as well as relevant German law. The AG also looks into literal, systematic and teleological interpretation of Article 80(2) GDPR and concludes that all that should be required for bringing a representative action on the basis of Article 80(2) is an allegation that personal data have been processed in a manner which is contrary to the provisions of GDPR and therefore liable to affect the rights of individuals, without requiring verification of the violation in each individual case. Comparing requirements of the Directive 2020/1828 and the GDPR, he recommends to step away from a restrictive interpretation of Article 80(2)GDPR that would require a representative entity, in order to bring a representative action without a mandate, to demonstrate or prove that a specific person’s rights had been harmed in a given situation, and the effectiveness of Article 80(2) would be significantly reduced.

The AG interprets the GDPR as not preventing Member States from adopting legislation that allows consumer protection organisations (such as the Federation) to bring an action to protect data protection rights of individuals (in their capacity as consumers) by means of rules that were designed to protect consumers or to combat unfair commercial practices. Noting a possible overlap between the representative action provided under Article 80(2) GDPR and Directive 2020/1828, the AG highlights the complementary nature of the laws and the convergence of laws relating to protection of personal data with other areas of law (such as consumer law and competition law), which should not impede the effective application of the GDPR as a result.

The AG concludes that, in his view, the GDPR does not preclude national legislation which allows consumer protection associations to bring legal proceedings against the person alleged to be responsible for the infringement of the protection of personal data, provided the legal proceedings are based on infringement of rights which data subjects derive directly from the GDPR. According to the AG, the defence of the collective interests of consumers by associations is particularly suited to the objective of the GDPR of establishing a high level of personal data protection.

Read the summary of the opinion and the full AG Opinion.