On the 28th of April 2022, the Court of Justice of the European Union (CJEU) indicated its commitment to expanding the effect of privacy laws. It did so by rejecting a strict interpretation of Article 80 (2) of the GDPR, according to which an association must identify one or more concretely affected data subjects before it has capacity to pursue data protection claims on a representative basis.
The ruling comes after the Federal Court of Justice in Germany (Bundesgerichtshof) asked the EU’s supreme court whether it was admissible for a German consumer group to take legal action against Meta over alleged data protection infringements or whether these issues were reserved for national supervisory authorities.
The EU’s Supreme Court clarified that consumer protection associations do not need to specify the existence of a specific infringement of a data subject’s rights under the GDPR to raise a representative action. It is adequate for them to merely “consider” that data subjects’ rights have been infringed due to certain processing practices.
The ruling deals a huge blow to tech giants, as it opens them up to more litigation over their failure to protect consumer data.
The Federation of German Consumer Organizations (also known as VZBV) took legal action against Meta Platforms Ireland over the Terms of Service of certain free game apps running on its platform, which force consent from users by not giving them an option to decline processing if they play the game.
Initially, the action was upheld by the Berlin Regional Court. However, following uncertainty over whether, under the GDPR, VZBV had capacity to take legal proceedings against Meta, Germany’s Federal Court of Justice appealed to the European Court of Justice for guidance on the matter.
In assessing this matter, the court focused in particular on the phrasing of Article 80 of the Regulation, which addresses representation of data subjects.
Article 80 (1) effectively grants data subjects the subjective right to mandate organizations to file representative actions on their behalf, so long as the organization has been constituted in accordance with the law of a Member State to fulfill a task in the public interest. In this case, VZBV acted without a mandate, meaning it cannot rely on Article 80 (1) to validate its capacity to take legal action against Meta.
Article 80 (2) goes further and grants EU Member States discretion to give organizations the ability to seek judicial remedies independently of data subjects, should the organization consider that data subjects’ rights have been violated as a result of processing.
In its action against Meta, VZBV had not indicated explicitly that data subjects’ rights had been violated, only that Meta had failed to comply with its obligations under the GDPR while processing personal data.
Although it appeared to some that, under the GDPR, VZBV did not have capacity to take legal action against Meta, on the 28th of May, the CJEU issued an opinion concluding that consumer protection associations are permitted to bring representative actions against infringements of personal data protection both “independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect.”
This will permit organizations to bring cases based only on the violation of rights that may occur to a natural person as a result of the processing of their data, and allows VZBV to uphold its action against Meta.
The Importance of this Judgement
The CJEU’s ruling is expected to unblock a slew of lawsuits filed by consumer advocacy groups seeking to apply the bloc’s GDPR standard to tech giants like Facebook and Twitter over issues such as whether they obtain properly informed consent to process people’s data. So perhaps it is time for companies, especially those in the B2C sector, to reassess whether they are abiding by data protection legislation.
Typically, tech companies have tried to impede similar privacy lawsuits by claiming that national courts lack jurisdiction under the GDPR, which sets out to harmonize national regulations in this area and includes a system (the one-stop-shop; OSS) for routing cross-border GDPR complaints to a lead data protection agency in the EU Member State where each entity’s regional headquarters is located (for many tech giants that means Ireland).
However, despite the OSS being incorporated by EU legislators as a means of making compliance easier for corporations, its existence has amplified the anti-consumer rights practice of forum shopping, in which corporate behemoths band together around ‘friendly’ regulators and apply political pressure, for example by touting the local jobs and wealth created by their presence. This practice has contributed to GDPR enforcement bottlenecks, decision delays, and even investigations being discontinued or never initiated.
Thus, the CJEU’s judgement is set to help national regulatory bodies share the burden of data compliance with national courts, as consumer protection groups and similar bodies begin to bring class-action lawsuits on behalf of data subjects.