Consumer associations can bring a lawsuit for GDPR related violations according to the CJEU, but what is the impact of this decision?
In a judgment of the Court of Justice of the European Union (“CJEU”) dated April 28, 2022, rendered in Case C-319/20, the Court held that consumer protection associations could bring actions against injuries for alleged GDPR violations, even in the absence of specific delegation of authority by the injured party.
The ruling comes in an interesting context: the case dealt with by the CJEU concerned the company Meta Platforms Ireland (formerly Facebook), which allegedly offered free games made available to users on its platforms. Therefore, several German consumer associations would have challenged the violation of rules relating to privacy, the fight against unfair competition, and consumer protection.
The main issue addressed by the judges, however, concerns a legal question that could mean an important turning point for consumer associations: is it, in fact, possible for a consumer association to sue for violations of the GDPR, regardless of whether the rights of individually affected individuals have been concretely infringed upon and in the absence of a mandate given by them? The Court’s answer is yes:
“the GDPR does not preclude national legislation, which allows an association for the protection of consumer interests to take legal action, in the absence of a mandate given to it for this purpose and regardless of the violation of specific data subjects’ rights, against the alleged perpetrator of an act detrimental to the protection of personal data, by claiming violation of the prohibition of unfair commercial practices, violation of a consumer protection law or violation of the prohibition of the use of invalid general terms and conditions, if the data processing in question is likely to adversely affect the rights of identified or identifiable natural persons under the regulation above.”
So, for the Court, an association for the protection of consumer interests falls within the notion of a body entitled to act under the GDPR insofar as it pursues a public interest objective consisting of securing the rights of consumers, thus even without a specific mandate. For the CJEU, each European state can implement Article 80 GDPR and provide that an association has the right to bring a civil action and also a complaint to the supervisory authorities for violations of the GDPR: however, for this action without a mandate to be exercised, it must be provided for in national legislation.
This provision could broaden the scope of class actions, which, as a result of the recent reform, can also be brought for violations related to personal data processing law, without a subject-matter limitation that was previously provided. However, the class action requires the creation of the class before taking action, whereas the action envisaged by the ECJ is independent of the activities of individuals.
However, this could be a dangerous ruling: while it is necessary to prove the identity of the damage suffered by class members in class actions, what will be provided for consumer association actions instead? Will it be a mere injunctive action, like the one already provided for in the Consumer Code, or will associations also be able to claim damages?
On a similar topic, you might be interested in the following article, “Does Lloyd vs. Google mark the end of class action in privacy?“.