|
Back to the overview
05-06-2022Article

Update Datenschutz No. 111

ECJ Affirms the Legal Standing of Consumer Associations for the Prosecution of Data Protection Violations

Consumer protection associations have the objective of strengthening and protecting the rights of consumers. In some cases, consumer protection associations also pursue violations of the law judicially in this regard. National regulations – including those in Germany – also enable them to enforce claims for injunctive relief in court in relation to data protection violations by companies. Up until now, the question has been left open as to whether this is compatible with the provisions of the GDPR or whether they are conclusive in this respect.

Due to a submission by the German Federal Court of Justice (BGH), the European Court of Justice (ECJ) had to deal with this question. It has now been decided that the GDPR does not conflict with national regulations that enable consumer protection associations to prosecute violations of the law without being commissioned and independently of a specific violation of the law (ECJ, judgment of April 28, 2022, case C-319/20). In these cases, consumer protection associations therefore have legal standing.

In detail:

Facts of the case

The BGH paved the way for this decision. It was faced with the question of whether and to what extent consumer protection associations are authorized to take legal action against data protection violations.

A lawsuit was filed by the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e. V. [Federation of German Consumer Organizations] (“Federal Association”) against Meta Platforms Ireland Limited (formally Facebook Ireland Limited). It makes free third-party games available to users on its Facebook platform in the “App Center”. When the games are accessed, various notices appear regarding the collection of the user’s personal data by the game provider when using the game. The Federal Association – as a qualified institution within the meaning of Sec. 4 German Injunctive Relief Act [Unterlassungsklagengesetz, UKlaG] – considers these notices to be unfair. This is, inter alia, due to a disregard of the data protection requirements for effective consent of the user.

The action for injunctive relief brought by the Federal Association before Berlin District Court against Meta Platforms Ireland Limited was upheld as submitted. After its appeal to the Berlin Court of Appeal was unsuccessful, Meta Platforms Ireland Limited appealed to the BGH.

The Federal Court of Justice also considers the Federal Association's lawsuit to be well-founded, but has so far doubted its legal standing. The Senate asked the question of whether the GDPR ultimately regulates the question of legal standing and excludes the legal standing of consumer protection associations. If that were the case, it would have to allow Meta Platforms Ireland Limited's appeal for that reason alone. This was because the Federal Association had brought an action without being specifically commissioned and independently of a specific violation of a data subject’s data protection rights. It submitted this question to the ECJ by way of a preliminary ruling procedure.

So, the crucial underlying question is: Can a consumer protection association file a lawsuit to enforce the elimination of data protection violations without being specifically commissioned and independently of a specific violation of a data subject’s data protection rights?

Evaluation

The ECJ decided that the provisions of the GDPR are not final insofar as they exclude the legal standing of consumer protection associations – such as the Federal Association. If national law grants the consumer protection associations corresponding legal standing, the GDPR does not preclude such. Since this is the case in Germany, consumer protection associations are entitled to file a lawsuit in these situations.

According to the ECJ, being specifically commissioned by a data subject is not required. This is because a data subject within the meaning of Art. 4 No. 1 GDPR is not only an “identified natural person”, but also any “identifiable natural person”. Accordingly, it is sufficient that the rights of identifiable natural persons are affected; it is not necessary to identify a specific data subject in advance.

The primary objective of the GDPR is also to ensure effective protection of the fundamental rights and freedoms of natural persons – and in particular the protection of personal data. According to the ECJ, national regulations that enable consumer protection associations to enforce claims for injunctive relief in court contribute to achieving the required high level of protection and strengthen the rights of data subjects. In addition, a lawsuit filed by a consumer protection association could be significantly more effective in resolving data protection violations than a lawsuit by individual data subjects.

As consumer protection associations are able to prosecute data protection violations under the conditions specified in national regulations, the BGH may now decide on the matter.

However, the question of competitors' rights to file a lawsuit under competition law is expressly excluded from the decision.

Implications for practice

A new player with a strong record has entered the field: The path to legal prosecution of data protection violations by consumer protection associations has now also been paved by the highest courts. It comes alongside administrative procedures conducted by regulators and lawsuits from individual data subjects. In the future, it is to be expected that consumer protection associations will increasingly enforce the elimination of data protection violations in court via civil lawsuits. It is well known from other contexts that consumer protection associations can be quite powerful in this regard.

Although waves of lawsuits should not be expected overnight, it is once again high time for companies to critically question their own data protection compliance. The current developments show the clear trend of data protection violations being fought against vigorously and the risks in this regard should not be underestimated.

Contact persons

You are currently using an outdated and no longer supported browser (Internet Explorer). To ensure the best user experience and save you from possible problems, we recommend that you use a more modern browser.