Consumer Protection Associations May Bring Representative Actions Against Infringements of Personal Data Protection

Judgment in Case C-319/20 Meta Platforms Ireland– Press Release No 68/22

The Federal Union of Consumer Organisations and Associations (Germany) brought an action[1] for an injunction against Meta Platforms Ireland[2], alleging that it had infringed, in the context of making available to users free games provided by third parties, rules on the protection of personal data, the combat of unfair commercial practices and consumer protection (Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.) 

The Federal Court of Justice (Germany) observes that the Federal Union’s action is well-founded, but it has doubts as to its admissibility. That court asks whether, following the entry into force of the General Data Protection Regulation (“GDPR”), a consumer protection association, such as the Federal Union, still has the standing to bring proceedings in the civil courts against infringements of that Regulation.

By the judgment made on the 28th of April 2022, the Court finds that the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data.

As a preliminary point, the Court notes that the GDPR brings about harmonization of national legislation on the protection of personal data. However, certain provisions of the GDPR make it possible for the Member States to lay down additional rules which leave them a margin of discretion as to the manner in which those provisions may be implemented.

First, the Court notes that a consumer protection association, such as the Federal Union, falls within the scope of the concept of a “body that has the standing to bring proceedings” for the purposes of the GDPR in that it pursues a public interest objective consisting in safeguarding the rights of consumers. The infringement of the rules on consumer protection and unfair commercial practices may be related to the infringement of a rule on the protection of personal data.

Next, the Court states that the bringing of a representative action presupposes that such an association, ‘considers’ that the rights of a data subject laid down in the GDPR have been infringed as a result of the processing of his or her personal data.

Such an interpretation is consistent with the objective pursued by the GDPR consisting in ensuring a high level of protection of personal data.

Finally, according to the Court, the GDPR does not preclude national provisions which provide for the bringing of representative actions against infringements of the rights.

The full text and the résumé of the judgment are published on the CURIA website on the day of delivery.

For further information click here.

For the Advocate General’s Opinion click here.

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr


[1] Judgment in Case C-319/20.

[2] Meta Platforms Ireland, formerly Facebook Ireland Limited, is the controller of the personal data of users of the online social network Facebook in the European Union.